Exam PCNSE topic 1 question 238 discussion

Should be AD. Generate a certificate authority (CA) certificate on the firewall. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface.html

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface.html

A and D Steps Generate a certificate authority (CA) certificate on the firewall. Configure a certificate profile for securing access to the web interface. Configure the firewall to use the certificate profile for authenticating administrators. Configure the administrator accounts to use client certificate authentication. Generate a client certificate for each administrator. Export the client certificate. Import the client certificate into the client system of each administrator who will access the web interface.

Answers are A, D. As a more secure alternative to password-based authentication to the firewall web interface, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Generate a certificate authority (CA) certificate on the firewall. You will use this CA certificate to sign the client certificate of each administrator. Configure a certificate profile for securing access to the web interface. Configure the firewall to use the certificate profile for authenticating administrators.

Question asks "required on the firewall" so it's A and D. Client certificate is required to be on the client device, not on the firewall. Firewall needs to trust client certificate which needs to be assigned by a CA that firewall trusts, therefore CA root certificate needs to be imported to firewall.

In the documentation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/configure-an-ssltls-service-profile It says: Use only signed certificates, not CA certificates, in SSL/TLS service profiles. So I think it is C and D.

AD. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface#id3ec24be4-3aea-4ebd-8e2c-8928ae55fe53

Should be AD.

A and D, these two options are required on the firewall. Client certificate only needed on the client system and can be enterprise CA generated.

A. certificate authority (CA) certificate D. certificate profile

this is super confusion, C is kinda valid because you generate client certs for each user and is a step in the process.