Palo Alto Networks NGFW Engineer — Question 65
An administrator is designing a public key infrastructure (PKI) integration for a large-scale deployment with thousands of users authenticating via client certificates. A key design goal is to ensure that certificate revocation status is checked efficiently with minimal impact on firewall performance and minimal delay for the connecting user.
What is the primary advantage of using the Online Certificate Status Protocol (OCSP) instead of certificate revocation lists (CRLs) in this scenario?
Answer options
- A. OCSP allows the firewall to act as its own certificate authority (CA), and it simplifies certificate management.
- B. OCSP provides real-time status for a certificate on demand, is more scalable, and uses less firewall memory.
- C. OCSP is an older, more widely supported protocol than CRLs, ensuring compatibility with all client devices.
- D. OCSP bundles all certificate statuses into a single, digitally signed file for faster downloads by the firewall.
Correct answer: B
Explanation
The primary benefit of OCSP is that the firewall queries the status of a single certificate on demand and receives a real-time answer, instead of downloading and caching an entire revocation list; this scales better to thousands of users and reduces memory usage on the firewall compared to CRLs. The other options misrepresent OCSP: it does not turn the firewall into a CA (A), it is newer than CRLs rather than older (C), and bundling every certificate's status into a single signed file describes a CRL, not OCSP (D).