Palo Alto Networks NGFW Engineer — Question 58
An administrator is configuring a GlobalProtect pre-logon VPN. The administrator has already imported the necessary internal certificate authority (CA) certificates for issuing machine certificates onto the firewall.
Which configuration is required on the GlobalProtect Gateway to enable pre-logon using these machine certificates?
Answer options
- A. Create a device-based Security policy that allows traffic from the pre-logon user to an internal management zone.
- B. Create an authentication profile that points to the machine certificate's CA and assign it by using the client authentication settings of the GlobalProtect Portal.
- C. Create a certificate profile that trusts the machine certificate's CA and assign it within the Gateway Agent --> Client Authentication settings.
- D. Configure the Gateway Agent --> Tunnel Settings to use IPSec with machine certificate authentication for the pre-logon tunnel.
Correct answer: C
Explanation
The correct answer is C because setting up a certificate profile that trusts the machine certificate's CA is essential for the GlobalProtect Gateway to validate the machine certificates during pre-logon. Options A and B do not specifically address the requirement for the certificate profile, while option D focuses on tunnel settings rather than the necessary certificate trust configuration.