An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate-based, secure authentication to the web UI? (Choose two.)
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface#:~:text=OS%C2%AE%20Administrator%E2%80%99s%20Guide-,Configure%20Certificate%2DBased%20Administrator%20Authentication%20to%20the%20Web%20Interface,-As%20a%20more. The doc clearly states you need to configure a CA cert and a cert profile. So A is incorrect. D is incorrect as it is SSH. So B & C are correct since you do configure an SSL/TLS profile in Management.
Correct option is A and C
There is no such thing called certificate profile under SSL/TLS service Profile.
Server certificate in this context is the local certificate on the firewall.
There is no mention of SSL profile:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface
I see a lot of people voting for A and there's no such thing as a "server certificate" needed for auth <<<to>>> the firewall, but you do need B and C to secure access <<<to>>> it. You can always work with the default server (fw) cert, so a server cert isn't really needed.
The server cert could be used inside the ssl/tls profile to define the cert <<<the fw will show to end devices>>>, but if you're authenticating <<<to the fw>>> you need the ssl/tls profile to define things like min and max tls versions and protocols supported <<<to access the web interface (that is acting as a web server)>>>
The cert profile specifies the CA that signs the client (end device)'s cert and other things like blocking options and CRL/OCSP settings, and has to be attached to a user account for cert-based auth.
This question doesn’t seem to be worded correctly. It’s asking about authentication, not access. For authentication you need a Certificate Profile and a CA certificate, not a server certificate. When a username is entered that requires Certificate-based authentication, the firewall checks whether the certificate presented by the client is signed by the CA configured in the Certificate Profile. Nowhere in the authentication process is the firewall’s own server certificate involved. So either the question is worded incorrectly and it should read “… secure *access* to the web UI?” instead of “… secure *authentication* to the web UI?” or A should be CA certificate instead of server certificate.
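The check described in the comment above (is the client's certificate signed by the CA named in the Certificate Profile?) can be reproduced offline with openssl. This is an added example, not part of the thread or of Palo Alto Networks' documentation; the names lab-ca, other-ca, fw-mgmt.example and admin1 are constructed, and it models only the chain check, not PAN-OS configuration.

```shell
#!/bin/sh
# Constructed lab; lab-ca, other-ca, fw-mgmt.example and admin1 are made-up names.

issue() {  # issue <dir> <signing-ca> <subject-CN> <output-name>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$4.key" -out "$1/$4.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$4.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$4.crt" >/dev/null 2>&1
}

make_ca() {  # make_ca <dir> <name>: self-signed root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

make_lab() {  # builds the lab and prints its directory
  d=$(mktemp -d) || return 1
  make_ca "$d" lab-ca   || return 1   # CA the certificate profile would trust
  make_ca "$d" other-ca || return 1   # CA the firewall does not trust
  issue "$d" lab-ca   fw-mgmt.example server || return 1  # presented BY the web UI
  issue "$d" lab-ca   admin1 client          || return 1  # presented TO the web UI
  issue "$d" other-ca admin1 rogue           || return 1  # same CN, untrusted issuer
  echo "$d"
}

client_cert_accepted() {  # client_cert_accepted <dir> <cert-name>
  # Succeeds only if the certificate chains to the trusted CA.
  openssl verify -CAfile "$1/lab-ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

lab=$(make_lab) || { echo "openssl lab setup failed" >&2; exit 1; }
for c in client rogue; do
  if client_cert_accepted "$lab" "$c"; then
    echo "$c: accepted"
  else
    echo "$c: rejected"
  fi
done
rm -rf "$lab"
```

The rogue certificate carries the same subject name as the legitimate one and is still rejected, because acceptance depends on the issuing CA rather than on the name in the certificate.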
See question 261. Server certificates are most likely to be used with SSL/TLS profile. The question doesn't mention client authentication using certificates (so C is not valid and if you do select C then the best practice is to use a CA certificate not a server certificate); also it doesn't say mutual authentication so BC doesn't fit either. So I believe AB are the correct options as the minimum you can do is for the firewall to provide a server cert to the client to prove its identity.
Answers are A, B. SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for firewall or Panorama services that use SSL/TLS (such as administrative access to the web interface). Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.
For WEB UI Management secure access on the Firewall, you only need A and B. If you want to config WEB UI secure access with a valid certificate you can import the cert via A and then create a SSL/TLS Service Profile. Finally you must use the TLS profile (B) under Device>Setup>General Settings>Click on Gear and then under SSL/TLS Service Profile select the generated TLS Service Profile :)
Certification profile defines user and device authentication for web interface access to Palo Alto Networks firewalls or Panorama.
You need a server certificate to set this up.
A and B!!!!!!!!!
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0
You need a ssl tls service profile (where you have to select the SERVER certificate that firewall will use to have https running without problems, in other words, the cert that is going to present to the WEB UI users).
SH_ Highly Voted 10 months, 2 weeks ago
melsg Most Recent 1 week, 1 day ago
networkingXIV 1 month, 1 week ago
0d2fdfa 7 months ago
Bubu3k 9 months, 2 weeks ago
Pacheco 10 months, 1 week ago
tertiusgouws 11 months ago
JRKhan 11 months ago
Whizdhum 1 year ago
Pnosuke 1 year, 1 month ago
Omid2022 1 year, 1 month ago
dgonz 1 year, 2 months ago
Pochex 1 year, 6 months ago
[Removed] 1 year, 7 months ago
laroux 1 year, 6 months ago
Vahid4900 1 year, 9 months ago
Sarbi 1 year, 11 months ago
mz101 2 years ago