Palo Alto Networks NGFW Engineer — Question 44
An enterprise uses GlobalProtect with both user-based and machine-based certificate authentication and requires pre-logon, OCSP revocation checks, and minimal user disruption. The firewalls are managed through Panorama, and domain-issued machine certificates are deployed to endpoints via Group Policy.
Which approach ensures continuous, secure connectivity and consistent policy enforcement across all firewalls?
Answer options
- A. Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall.
- B. Distribute root and intermediate CAs via Panorama template, use distinct certificate profiles for user versus machine certs, reference an internal OCSP responder, and automate certificate deployment with Group Policy.
- C. Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity.
- D. Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification.
Correct answer: B
Explanation
Option B is correct because each of its parts addresses one of the stated requirements. Pushing the root and intermediate CA certificates from a Panorama template guarantees that every portal and gateway trusts the same issuing chain, so a client that authenticates to one gateway authenticates identically to all of them. Separate certificate profiles for user and machine certificates let the firewall treat the two identities differently: the machine certificate is what GlobalProtect presents during pre-logon (before any user has signed in), and binding it to its own profile allows a restricted pre-logon policy, while the user certificate, validated by a second profile, unlocks the user's own access after logon. Referencing an internal OCSP responder in those profiles gives the firewall per-certificate, near-real-time revocation status on every connection instead of a periodically downloaded CRL. Finally, deploying the machine certificates with Group Policy auto-enrollment removes manual per-endpoint work and handles renewal, which is what keeps the "minimal user disruption" requirement intact.

A practical caveat: because the firewall, not the endpoint, performs the OCSP query, the responder must be reachable from every gateway and portal. PAN-OS certificate profiles can also use a CRL as a fallback when the OCSP responder does not answer and can be set to block sessions whose status is unknown or cannot be retrieved within the timeout; those settings determine whether an OCSP outage fails open or fails closed, and should be chosen deliberately rather than left at defaults.

Option A is flawed on every count: a wildcard certificate from a public CA cannot identify individual machines, disabling revocation checks means a compromised or decommissioned endpoint keeps its access, and manual renewals on each firewall defeat the purpose of Panorama. Option C uses one profile for both certificate types, so the firewall cannot apply different issuers, username fields, or policies to machine versus user identities, and relying only on CRLs leaves a window between revocation and the next CRL download. Option D undermines certificate authentication entirely: self-signed firewall certificates are not trusted by domain-joined clients without extra distribution work, and allowing IP-based authentication to override certificate checks lets any host at a trusted address bypass the certificate requirement.
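As an added example (not part of the exam page and not Palo Alto Networks code), the following PowerShell script checks, on a domain-joined Windows endpoint, that the Group Policy-deployed machine certificate is actually usable for GlobalProtect pre-logon and that its revocation status can be retrieved. The issuer name `CN=Corp Issuing CA` and the responder URL `http://ocsp.corp.example/ocsp` are assumed placeholders to be replaced with the enterprise's own values.

```powershell
# Added example: validate the Group Policy-deployed machine certificate used
# for GlobalProtect pre-logon and confirm its chain and revocation status.
# The issuer pattern and OCSP URL below are hypothetical placeholders.
param(
    [string]$IssuerPattern = 'CN=Corp Issuing CA',            # assumed internal CA name
    [string]$ExpectedOcsp  = 'http://ocsp.corp.example/ocsp'  # assumed responder URL
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for client cert auth
$AiaOid        = '1.3.6.1.5.5.7.1.1'   # Authority Information Access (carries the OCSP URL)

# Pre-logon uses the machine store, so look in LocalMachine\My only.
# A usable cert must have a private key, come from the internal CA,
# still be valid, and carry the Client Authentication EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "*$IssuerPattern*" -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }

if (-not $candidates) {
    Write-Error "No machine certificate from '$IssuerPattern' with the Client Authentication EKU and a private key was found; check GPO auto-enrollment."
    exit 1
}

foreach ($cert in $candidates) {
    "Candidate: $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter)"

    # Read the OCSP responder out of the AIA extension and compare it with the
    # responder the firewall's certificate profile is expected to reference.
    $aia     = $cert.Extensions | Where-Object { $_.Oid.Value -eq $AiaOid }
    $aiaText = if ($aia) { $aia.Format($true) } else { '' }
    if ($aiaText -notmatch [regex]::Escape($ExpectedOcsp)) {
        Write-Warning "AIA does not reference $ExpectedOcsp; the firewall will depend on the responder configured in its certificate profile."
    }

    # Build the full chain with live revocation fetching (OCSP, then CRL).
    # certutil returns 0 only if the chain is trusted and the leaf is not revoked.
    $tmp = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
    certutil -verify -urlfetch $tmp | Select-String -Pattern 'OCSP', 'CRL', 'Revocation', 'ERROR'
    if ($LASTEXITCODE -eq 0) {
        "Chain and revocation check passed for $($cert.Thumbprint)"
    } else {
        Write-Warning "certutil -verify -urlfetch returned exit code $LASTEXITCODE for $($cert.Thumbprint)"
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell session so the machine store and its private keys are readable. A missing candidate points at auto-enrollment or the certificate template's EKU; a non-zero `certutil` exit code with OCSP errors in the filtered output means the responder is unreachable or not answering for that issuer, which is exactly the condition that makes the firewall profile's CRL fallback and "block on unknown status" settings matter.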