Exam PCNSE topic 1 question 568 discussion

This question was on exam in June 24.

See hifire’s explanation, it’s could be A or D both use half of the correct name.

It is D because you can modify the authentication portal page in the response page section: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/device/device-response-pages Authentication Portal Comfort Page The firewall displays this page so that users can enter login credentials to access services that are subject to Authentication policy rules (see Policies > Authentication). Enter a message that tells users how to respond to this authentication challenge. The firewall authenticates users based on the Authentication Profile specified in the authentication enforcement object assigned to an Authentication rule (see Objects > Authentication). You can display unique authentication instructions for each Authentication rule by entering a Message in the associated authentication enforcement object. The message defined in the object overrides the message defined in the Authentication Portal Comfort Page.

https://docs.paloaltonetworks.com/content/techdocs/en_US/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment.html Note: "Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy."

A portal

Look at 90fa8d0's link.

A, An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet.

https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment "Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through an Authentication Portal..."

A. Authentication profile

As TeachTrooper says, Comfort Pages will do the instruct and notify part, but not the identification. Authentication Portals can do all of those things.

Voting for A, the question is not only about instructions on how to trust the CA, but also which features enables to identify BYOD users/devices. Comfort pages to not identify users, authentication portals do.

Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy.

A. Authentication profile https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through a captive portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy.

This question is a bit tricky because in order to prompt the comfort page (D) you need to configure the authentication portal (A). I would say answer is A because question ask to identify users moreover instruct them and notify them about their traffic being decrypted. You need to configure the authentication portal in order to identify users and prompt the comfort page.

Comfort Page

Captive Portal Comfort Page