Palo Alto Networks NGFW Engineer — Question 36
In a Palo Alto Networks environment, GlobalProtect has been enabled using certificate-based authentication for both users and devices. To ensure proper validation of certificates, one or more certificate profiles are configured.
What function do certificate profiles serve in this context?
Answer options
- A. They store private keys for users and devices, effectively allowing the firewall to issue or reissue certificates if the primary Certificate Authority (CA) becomes unavailable, providing a built-in fallback CA to maintain continuous certificate issuance and authentication.
- B. They define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication.
- C. They allow the firewall to bypass certificate validation entirely, focusing only on username / password-based authentication.
- D. They provide a one-click mechanism to distribute certificates to all endpoints without relying on external enrollment methods.
Correct answer: B
Explanation
The correct answer is B: certificate profiles define the trust anchors, specify the revocation-checking methods, and map the certificate attributes used for user or device authentication. Option A is incorrect because it misrepresents what certificate profiles do; they do not issue or reissue certificates. Option C is wrong because certificate profiles do not allow certificate validation to be bypassed. Option D is inaccurate because certificate profiles are not a mechanism for distributing certificates to endpoints.