Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 120
On the NGFW, how can you generate a private key and block it from export, thereby hardening your security posture and preventing rogue administrators or other bad actors from misusing keys?
Answer options
- A. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3. Select Import Private key 4. Click Generate to generate the new certificate
- B. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
- C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate
- D. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
Correct answer: C
Explanation
Option C is correct because it is the only sequence that generates the certificate with Block Private Key Export selected before clicking Generate, so the private key cannot be exported afterwards. Option A imports a certificate and its private key rather than generating one, and never blocks export. Options B and D are identical: both go through Certificate Profile and list Block Private Key Export only after the certificate has already been generated, so neither gives the complete steps needed for the task.