A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two.)
A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two.)
To configure certificate-based administrator authentication to the web interface on a firewall, two essential components are required on the firewall. First, a certificate authority (CA) certificate is necessary to establish a trusted CA that can sign and validate client certificates. Second, a certificate profile is needed to manage and enforce the use of certificates for authentication purposes. The CA certificate ensures that the firewall trusts the certificates presented by administrators, while the certificate profile allows the firewall to utilize those certificates for authentication, securing access to the web interface.
Should be AD. Generate a certificate authority (CA) certificate on the firewall. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface.html
I agree, you create a cert profile, which specifies the CA cert to use. The client certs are all signed by the CA, so this makes the fw trust them.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface
Should be AD.
A. certificate authority (CA) certificate D. certificate profile
In the documentation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/configure-an-ssltls-service-profile It says: Use only signed certificates, not CA certificates, in SSL/TLS service profiles. So I think it is C and D.
you don't need client certificate on the firewall, the question includes "two components are required on the firewall" should be A and D.
A and D Steps Generate a certificate authority (CA) certificate on the firewall. Configure a certificate profile for securing access to the web interface. Configure the firewall to use the certificate profile for authenticating administrators. Configure the administrator accounts to use client certificate authentication. Generate a client certificate for each administrator. Export the client certificate. Import the client certificate into the client system of each administrator who will access the web interface.
Answers are A, D. As a more secure alternative to password-based authentication to the firewall web interface, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Generate a certificate authority (CA) certificate on the firewall. You will use this CA certificate to sign the client certificate of each administrator. Configure a certificate profile for securing access to the web interface. Configure the firewall to use the certificate profile for authenticating administrators.
Question asks "required on the firewall" so it's A and D. Client certificate is required to be on the client device, not on the firewall. Firewall needs to trust client certificate which needs to be assigned by a CA that firewall trusts, therefore CA root certificate needs to be imported to firewall.
signed by a CA that firewall trusts... not assigned.
AD. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface#id3ec24be4-3aea-4ebd-8e2c-8928ae55fe53
A and D, these two options are required on the firewall. Client certificate only needed on the client system and can be enterprise CA generated.
this is super confusion, C is kinda valid because you generate client certs for each user and is a step in the process.
The client cert doesn't go *on the firewall*. I think that's the key phrasing that makes AD most valid.
Great point, you are right...