Exam PCNSE topic 1 question 217 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 217
Topic #: 1

A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?

  • A. machine certificate
  • B. server certificate
  • C. certificate authority (CA) certificate
  • D. client certificate
Suggested Answer: B

Comments

Marcyy
Highly Voted 2 years, 10 months ago
Should be B. server certificate. Use only signed certificates, not CA certificates, in SSL/TLS service profiles. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls-service-profile.html
upvoted 12 times
...
Plato22
Highly Voted 2 years, 10 months ago
Another wrong answer. Should be B, common sense.
upvoted 6 times
...
MILOP88
Most Recent 3 weeks, 3 days ago
Selected Answer: B
Palo Alto Networks firewalls and Panorama appliances use SSL/TLS to secure connections to the Authentication Portal, GlobalProtect portals and gateways, the management interface, HTTPS websites that require password access (URL admin override), and the User-ID™ syslog listening service. You can create an SSL/TLS service profile to define the <<server certificate>>, SSL/TLS protocol versions, and ciphers supported for connections to these services. Cipher suites are automatically selected based on the protocol versions chosen. However, you can disable individual ciphers as needed. If a service request involves a protocol version outside the specified range, the firewall or Panorama appliance downgrades or upgrades the connection to a supported version. To activate an SSL/TLS service profile, attach the profile to the settings for a specific service.
upvoted 1 times
...
DatITGuyTho1337
10 months, 1 week ago
I think the grammar is the confusing bit. I see server certificates as what external servers send to the firewall to establish a session. In fact in the below link someone else provided, the PAN team referred to it as a SIGNED CERTIFICATE. As such if one were to go with the options presented from face value, you are almost forced to select option C, whereas the PAN team really should use better grammar and just say signed certificates which is option B. Good lord!! https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
upvoted 1 times
...
Sammy3637
10 months, 3 weeks ago
Selected Answer: B
Server Certificate as it's a signed cert
upvoted 1 times
...
tomsui44
1 year, 5 months ago
Selected Answer: B
B - server cert. Ask your PKI admin to provide one in order to have a properly signed/valid cert. :)
upvoted 1 times
...
gugacalderaro
1 year, 8 months ago
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
upvoted 2 times
...
mohr22
1 year, 9 months ago
C In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services.
upvoted 1 times
mohr22
1 year, 8 months ago
C certificate authority (CA) certificate https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
upvoted 1 times
mohr22
1 year, 8 months ago
Sorry, the correct answer is B, server cert: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/device/device-certificate-management-ssltls-service-profile In the client it should be C, CA cert. Sorry for the confusion.
upvoted 1 times
...
...
...
djedeen
1 year, 9 months ago
Selected Answer: C
I think it is C, as you need a CA cert (enterprise PKI or external CA), else you are going to get cert warnings on the clients when connecting. >>> You must set up the certificate and SSL/TLS Service Profile on the PAN-OS system before you can connect using Privileged Access Service. Once the PAN-OS system is configured, the same certificate must also be trusted in all connector systems that are connected to the PAN-OS system. In most cases, PAN-OS systems should use a certificate obtained from an Enterprise Certificate Authority (CA), or a trusted external CA, like VeriSign. Since the certificate is trusted already, it simplifies the certificate setup on connector systems. You can also export the certificate from the PAN-OS system and import it into all systems running the connector. Self-signed certificates should not be used in production environments. <<<
upvoted 2 times
...
TAKUM1y
2 years ago
Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
upvoted 2 times
...
tenebrox
2 years, 4 months ago
Selected Answer: B
It should be B
upvoted 3 times
...
UFanat
2 years, 4 months ago
Selected Answer: B
It should be B, as an SSL/TLS Service Profile is usually assigned to an IP which acts like a server, not a client. It should not be a CA. From the official docs: Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
upvoted 2 times
...
ManKing36
2 years, 5 months ago
Selected Answer: B
answer is B
upvoted 3 times
...
AbuHussain
2 years, 7 months ago
Selected Answer: B
Should be B
upvoted 2 times
...
shinichi_88
2 years, 9 months ago
Selected Answer: B
For me it is B
upvoted 1 times
...