An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
To identify guests and BYOD users, instruct them on how to download and install the CA certificate, and notify them that their traffic will be decrypted, the correct feature to use is the Authentication Portal. An Authentication Portal displays a web page where users can authenticate before accessing the network or internet. It serves the purpose of both identification and delivering instructions or notifications effectively.
This question was on exam in June 24.
This question is a bit tricky because in order to prompt the comfort page (D) you need to configure the authentication portal (A). I would say answer is A because question ask to identify users moreover instruct them and notify them about their traffic being decrypted. You need to configure the authentication portal in order to identify users and prompt the comfort page.
You cannot notify a user with Authentication portal ! Answer should be D)Comfort pages
You can modify the information of the authentication page my friend!
A portal
Look at 90fa8d0's link.
A, An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet.
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment "Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through an Authentication Portal..."
A. Authentication profile
As TeachTrooper says, Comfort Pages will do the instruct and notify part, but not the identification. Authentication Portals can do all of those things.
Voting for A, the question is not only about instructions on how to trust the CA, but also which features enables to identify BYOD users/devices. Comfort pages to not identify users, authentication portals do.
About comfort pages: "The firewall displays this page so that users can enter login credentials to access services that are subject to Authentication policy rules"
Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy.
A. Authentication profile https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment
Comfort Page
No! That's not D!
Captive Portal Comfort Page
Captive Portal D I think this should be Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through a captive portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy.
https://docs.paloaltonetworks.com/content/techdocs/en_US/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment.html Note: "Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through an Authentication Portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy."
Enterprises don’t control BYOD devices. If you allow BYOD devices on your network, decrypt their traffic and subject it to the same Security policy that you apply to other network traffic. To do this, redirect BYOD users through a captive portal, instruct them how to download and install the CA certificate, and clearly notify users that their traffic will be decrypted. Educate BYOD users about the process and include it in your company’s privacy and computer usage policy.
now it's called captive portal
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/device/device-response-pages