Exam PCNSE topic 1 question 272 discussion

B for secure authentication to webUI, and C for certificate-based authentication.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface#:~:text=OS%C2%AE%20Administrator%E2%80%99s%20Guide-,Configure%20Certificate%2DBased%20Administrator%20Authentication%20to%20the%20Web%20Interface,-As%20a%20more. The doc clearly states you need to configure CA cert and a cert profile. So A is incorrect. D is incorrect as it is SSH. So B & C are correct since you do configure SSL /TLS profile in Management.

Answer should be A, C.

Correct option is A and C There is no such thing called certificate profile under SSL/TLS service Profile. Server certificate in this context is the local certificate on the firewall.

There is no mention of SSL profile: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface

I see a lot of people voting for A and there's no such thing as a "server certificate" needed for auth <<<to>>> the firewall, but you do need B and C to secure access <<<to>>> it. You can always work with the default server (fw) cert, so a server cert isn't really needed. The server cert could be used inside the ssl/tls profile to define the cert <<<the fw will show to end devices>>>, but if you're authenticating <<<to the fw>>> you need the ssl/tls profile to define things like min and max tls versions and protocols supported <<<to access the web interface (that is acting as a web server)>>> The cert profile specifies the CA that signs the client (end device)'s cert and other things like blocking options and CRL/OCSP settings, and has to be attached to a user account for cert-based auth.

This question doesn’t seem to be worded correctly. It’s asking about authentication, not access. For authentication you need a Certificate Profile and a CA certificate, not a server certificate. When a username is entered that requires Certificate-based authentication, the firewall checks whether the certificate presented by the client is signed by the CA configured in the Certificate Profile. Nowhere in the authentication process is the firewall’s own server certificate involved. So either the question is worded incorrectly and it should read “… secure *access* to the web UI?” instead of “… secure *authentication* to the web UI?” or A should be CA certificate instead of server certificate.

See question 261. Server certificates are most likely to be used with SSL/TLS profile. The question doesnt mention client authentication using certificates (so C is not valid and if you do select C then the best practice is to use a CA certificate not a server certificate); also it doesnt say mutual authentication so BC doest fit either. So I believe AB are the correct options as the minimum you can do is for the firewall to provide a server cert to the client to prove its identity.

Answers are A, B. SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for firewall or Panorama services that use SSL/TLS (such as administrative access to the web interface). Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.

CA and Cert Profile must be on the FW. Not the server cert. So, C is the only valid answer.

For WEB UI Managment secure access on the Firewall, you only need A and B. If you want to config WEB UI secure access with a valid certificate you can import the cert via A and then create a SSL/TLS Service Profile. Finally you must use the TLS profile (B) under Device>Setup>General Settings>Click on Gear and the under SSL/TLS Service Profile select the generated TLS Service Profile :)

certification profile defines user and device authentication for web interface access to Palo Alto Networks firewalls or Panorama you need a server certificate to set this up

C is the only valid answer, A and B are used for the client to authenticate the firewall (server), and D will not use certs at all.

A and B!!!!!!!!! https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFGCA0 you need a ssl tls service profile (where you hace to select the SERVER certificate that firewall will use to have https running without problems, In other words, the cert that is going to present to the WEB UI users)

A and C- Certificate profile is use for verifying client certificates

100 % sure A and C. Did many times.

Should be AC. Both SSH and SSL/TLS profiles are not necessary for certificate based admin authentication, based on the doc from the web link.