Exam PCNSE topic 1 question 272 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 272
Topic #: 1

An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)

  • A. server certificate
  • B. SSL/TLS Service Profile
  • C. certificate profile
  • D. SSH Service Profile
Suggested Answer: AC

Comments

SH_
Highly Voted 10 months, 2 weeks ago
Selected Answer: BC
B for secure authentication to webUI, and C for certificate-based authentication.
upvoted 6 times
...
melsg
Most Recent 1 week, 1 day ago
Selected Answer: BC
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface#:~:text=OS%C2%AE%20Administrator%E2%80%99s%20Guide-,Configure%20Certificate%2DBased%20Administrator%20Authentication%20to%20the%20Web%20Interface,-As%20a%20more. The doc clearly states you need to configure CA cert and a cert profile. So A is incorrect. D is incorrect as it is SSH. So B & C are correct since you do configure SSL/TLS profile in Management.
upvoted 1 times
...
networkingXIV
1 month, 1 week ago
Selected Answer: AC
Answer should be A, C.
upvoted 1 times
...
0d2fdfa
7 months ago
Selected Answer: AC
Correct option is A and C. There is no such thing called certificate profile under SSL/TLS service Profile. Server certificate in this context is the local certificate on the firewall.
upvoted 2 times
...
Bubu3k
9 months, 2 weeks ago
Selected Answer: AC
There is no mention of SSL profile: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface
upvoted 2 times
...
Pacheco
10 months, 1 week ago
Selected Answer: BC
I see a lot of people voting for A and there's no such thing as a "server certificate" needed for auth <<<to>>> the firewall, but you do need B and C to secure access <<<to>>> it. You can always work with the default server (fw) cert, so a server cert isn't really needed. The server cert could be used inside the ssl/tls profile to define the cert <<<the fw will show to end devices>>>, but if you're authenticating <<<to the fw>>> you need the ssl/tls profile to define things like min and max tls versions and protocols supported <<<to access the web interface (that is acting as a web server)>>>. The cert profile specifies the CA that signs the client (end device)'s cert and other things like blocking options and CRL/OCSP settings, and has to be attached to a user account for cert-based auth.
upvoted 4 times
...
tertiusgouws
11 months ago
This question doesn’t seem to be worded correctly. It’s asking about authentication, not access. For authentication you need a Certificate Profile and a CA certificate, not a server certificate. When a username is entered that requires Certificate-based authentication, the firewall checks whether the certificate presented by the client is signed by the CA configured in the Certificate Profile. Nowhere in the authentication process is the firewall’s own server certificate involved. So either the question is worded incorrectly and it should read “… secure *access* to the web UI?” instead of “… secure *authentication* to the web UI?” or A should be CA certificate instead of server certificate.
upvoted 2 times
...
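The two trust directions that Pacheco's and tertiusgouws's comments above describe, as an added example that is not part of any commenter's post and is not PAN-OS configuration. Generic OpenSSL stands in for both the firewall and the browser, and every file name and CN is constructed for the lab.

```shell
#!/bin/sh
# Constructed lab PKI built with OpenSSL; every name is hypothetical and
# nothing here is PAN-OS configuration.
set -eu

new_ca() {      # $1 = file prefix, $2 = CN; writes a self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

new_leaf() {    # $1 = file prefix, $2 = CN, $3 = issuing CA prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# The check a certificate profile stands for in the comments: does the
# presented certificate chain to the CA the verifier was told to trust?
chains_to() {   # $1 = trusted CA prefix, $2 = presented certificate prefix
  openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

verdict() { if chains_to "$1" "$2"; then echo accepted; else echo rejected; fi; }

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"

new_ca   admin-ca  "Admin Client CA"   # CA a certificate profile would reference
new_ca   web-ca    "Web Server CA"     # issuer of the web UI's own certificate
new_ca   other-ca  "Unrelated CA"
new_leaf fw-server "fw.example.test" web-ca    # what the web UI presents
new_leaf admin1    "admin1"          admin-ca  # administrator's client certificate
new_leaf outsider  "admin1"          other-ca  # same CN, wrong issuer

# Server side: validating the certificate an administrator presents.
echo "admin1 cert vs admin CA:    $(verdict admin-ca admin1)"
echo "outsider cert vs admin CA:  $(verdict admin-ca outsider)"
# Client side: the browser validating the certificate the web UI presents.
echo "server cert vs web CA:      $(verdict web-ca fw-server)"
# The server certificate plays no part in validating the client.
echo "server cert vs admin CA:    $(verdict admin-ca fw-server)"
```

The outsider certificate carries the same CN as the real administrator's and is still rejected, because the decision rests on the issuing CA rather than on the name in the subject.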
JRKhan
11 months ago
Selected Answer: AB
See question 261. Server certificates are most likely to be used with SSL/TLS profile. The question doesn't mention client authentication using certificates (so C is not valid and if you do select C then the best practice is to use a CA certificate not a server certificate); also it doesn't say mutual authentication so BC doesn't fit either. So I believe AB are the correct options as the minimum you can do is for the firewall to provide a server cert to the client to prove its identity.
upvoted 4 times
...
Whizdhum
1 year ago
Selected Answer: AB
Answers are A, B. SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for firewall or Panorama services that use SSL/TLS (such as administrative access to the web interface). Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.
upvoted 3 times
...
Pnosuke
1 year, 1 month ago
CA and Cert Profile must be on the FW. Not the server cert. So, C is the only valid answer.
upvoted 3 times
...
Omid2022
1 year, 1 month ago
Selected Answer: AB
For WEB UI Management secure access on the Firewall, you only need A and B. If you want to config WEB UI secure access with a valid certificate you can import the cert via A and then create a SSL/TLS Service Profile. Finally you must use the TLS profile (B) under Device>Setup>General Settings>Click on Gear and then under SSL/TLS Service Profile select the generated TLS Service Profile :)
upvoted 4 times
...
dgonz
1 year, 2 months ago
Selected Answer: AC
Certification profile defines user and device authentication for web interface access to Palo Alto Networks firewalls or Panorama. You need a server certificate to set this up.
upvoted 1 times
...
Pochex
1 year, 6 months ago
C is the only valid answer, A and B are used for the client to authenticate the firewall (server), and D will not use certs at all.
upvoted 1 times
...
[Removed]
1 year, 7 months ago
A and B!!!!!!!!! https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0 you need a ssl tls service profile (where you have to select the SERVER certificate that firewall will use to have https running without problems, in other words, the cert that is going to present to the WEB UI users)
upvoted 4 times
laroux
1 year, 6 months ago
This doesn't seem to be for authentication, just to use a specific certificate for the WEB UI.
upvoted 1 times
...
...
Vahid4900
1 year, 9 months ago
Selected Answer: AC
A and C - Certificate profile is used for verifying client certificates
upvoted 1 times
...
Sarbi
1 year, 11 months ago
100 % sure A and C. Did many times.
upvoted 2 times
...
mz101
2 years ago
Should be AC. Both SSH and SSL/TLS profiles are not necessary for certificate based admin authentication, based on the doc from the web link.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other