An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version. What is considered best practice for this scenario?
Correct Answer: C
Panorama should run the same feature release as the firewalls it manages, or a later one (a gap of more than two feature versions is supported but not recommended).
Question 123
Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
Correct Answer: B
Explanation: To enable split-tunneling by access route, destination domain, and application, you need to configure a split tunnel based on domain and application on your GlobalProtect gateway. This allows you to specify which domains and applications are included in or excluded from the VPN tunnel.
Question 124
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
Correct Answer: D
Explanation: Use only signed certificates, not CA certificates, in SSL/TLS service profiles (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls). A server certificate is used for the SSL/TLS Service Profile. The server certificate identifies the firewall to clients that initiate SSL/TLS connections to it.
References: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificates-and
Question 125
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?
Correct Answer: B
Explanation:
* B is the best choice for an SSL Forward Untrust certificate because a self-signed certificate generated on the firewall is not trusted by any client browser by default [1]. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the self-signed certificate to the client, which will trigger an untrusted certificate warning [2]. This way, the security admin can ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.
* A web server certificate signed by the organization's PKI (A) or a subordinate Certificate Authority certificate signed by the organization's PKI are not good choices for an SSL Forward Untrust certificate because they are trusted by client browsers that have the organization's root CA installed [1]. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server or subordinate CA certificate to the client, which will not trigger an untrusted certificate warning [2]. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.
* A web server certificate signed by an external Certificate Authority (D) is not a good choice for an SSL Forward Untrust certificate because it is trusted by most client browsers that have the external CA in their trust store [1]. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server certificate to the client, which will not trigger an untrusted certificate warning [2]. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.
Verified References:
* [1]: How to Configure SSL Decryption - Palo Alto Networks Knowledge Base
* [2]: How to Implement and Test SSL Decryption - Palo Alto Networks Knowledge Base