Palo Alto Networks Exam NGFW-Engineer Topic 1 Question 2 Discussion

Actual exam question for Palo Alto Networks's NGFW-Engineer exam
Question #: 2
Topic #: 1

An enterprise uses GlobalProtect with both user- and machine-based certificate authentication and requires pre-logon, OCSP checks, and minimal user disruption. They manage multiple firewalls via Panorama and deploy domain-issued machine certificates via Group Policy.

Which approach ensures continuous, secure connectivity and consistent policy enforcement?

Suggested Answer: B

To ensure continuous, secure connectivity and consistent policy enforcement with GlobalProtect in an enterprise environment that uses user- and machine-based certificate authentication, the approach should:

- Distribute root and intermediate CAs via Panorama templates: This ensures that all firewalls managed by Panorama share the same trusted certificate authorities for consistency and security.
- Use distinct certificate profiles for user vs. machine certificates: This enables separate handling of user and machine authentication, ensuring that both types of certificates are managed and validated appropriately.
- Reference an internal OCSP responder: By integrating OCSP checks, the firewall can validate certificate revocation in real time, meeting the security requirement while minimizing the overhead and latency associated with traditional CRLs (Certificate Revocation Lists).
- Automate certificate deployment with Group Policy: This ensures that machine certificates are deployed in a consistent and scalable manner across the enterprise, reducing manual intervention and minimizing user disruption.

This approach supports the requirements for pre-logon, OCSP checks, and minimal user disruption, while maintaining a secure, automated, and consistent authentication process across all firewalls managed via Panorama.


Contribute your Thoughts:

Kassandra
5 days ago
Hmm, Option C might seem simpler, but without OCSP, you're just playing with fire. Option B is the safest bet.
upvoted 0 times
...
Dacia
10 days ago
Option D is just asking for a security breach. Self-signed certs and IP-based auth? No thanks, I'll stick with Option B.
upvoted 0 times
...
Rasheeda
12 days ago
Ha! Wildcard certs and disabling revocation checks? That's like asking for trouble. Option B is the clear winner here.
upvoted 0 times
...
Hubert
17 days ago
I agree, Option B is the way to go. Automating certificate deployment and management is crucial for reducing complexity and maintaining security.
upvoted 0 times
...
Simona
18 days ago
Option B seems like the best approach. Using distinct certificate profiles and an internal OCSP responder will ensure consistent policy enforcement.
upvoted 0 times
...
