A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
SSL/TLS profile is only the TLS versions, not ciphers.
Decryption Profile is for SSL Inbound and Forward Proxy applications, not mgmt of the PANW Firewall.
There are also KB articles to strengthen SSH, but I couldn't find any for HTTPS on the mgmt interface:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2&lang=en_US
So it seems C is the winner.
C is correct. For the SSL/TLS service profile you may choose the max and min TLS version but not specify which cyphers; this option is only available for the SSH service profile.
Go to Device >> Certificate Management >> SSH Service Profile >> Add
the ciphers, message authentication codes, or key exchange algorithms the profile will support. So it's C
For GUI (typical option)...SSL/TLS Service Profile, ciphers can be set on CLI... B is Correct
For CLI... SSH Service Profile...C is Correct
Confusing Question
B.
you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses.
Changing this to C after further review. You cannot specify ciphers on an SSL/TLS profile, only versions of TLS, so to meet the question requirements it will need to be managed via SSH.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssh-service-profile
Step 1
4. (Optional) Add the ciphers, message authentication codes, or key exchange algorithms the profile will support.
"use SSL/TLS service profiles...defining the protocol versions, you can use a profile to RESTRICT THE CIPHER SUITES that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses."
Further on this, in Best Practices for Securing Administrative Access there are mentions of both ssh and https but this text seems possibly relevant to this question (in support of C):
"...in the SSL/TLS profile, set the Min version to TLSv1.2 so you use the strongest protocol and set the Max version to Max so that you continue to use the strongest protocol as stronger versions become available."
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access#id1817C0G205Q
Certs provide authentication and then use encryption protocols to provide confidentiality and integrity - using ciphers. https://www.ibm.com/docs/en/ibm-mq/9.1?topic=tls-how-provides-identification-authentication-confidentiality-integrity
Could be either B or C as both are for remotely managing. Maybe B is better as day to day will usually be via https?
https (B):
Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID™ syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services.
ssh (C)
By default, SSH supports all ciphers, key exchange algorithms, and message authentication codes, which leaves your connection vulnerable to attack. With an SSH service profile, you can restrict the algorithms your SSH server supports.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssh-service-profile
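Added example, not part of the thread or of Palo Alto Networks documentation: after restricting algorithms with an SSH service profile, the server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) shows what it still offers, and this sketch parses one and lists anything outside the required set. The policy values and the sample payload are constructed for illustration.

```python
SSH_MSG_KEXINIT = 20
# Name-list order in a KEXINIT payload, RFC 4253 section 7.1.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Which parsed fields feed each policy category.
CATEGORIES = {"ciphers": ("enc_c2s", "enc_s2c"),
              "macs": ("mac_c2s", "mac_s2c"), "kex": ("kex",)}

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its ten algorithm name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        head = payload[offset:offset + 4]          # uint32 length prefix
        length = int.from_bytes(head, "big")
        raw = payload[offset + 4:offset + 4 + length]
        if len(head) < 4 or len(raw) < length:
            raise ValueError("truncated name-list")
        names = raw.decode("ascii")
        lists[field] = names.split(",") if names else []
        offset += 4 + length
    return lists

def audit(offered: dict, policy: dict) -> dict:
    """Return algorithms the server offers that the policy does not allow."""
    violations = {}
    for category, fields in CATEGORIES.items():
        seen = {alg for f in fields for alg in offered[f]}
        extra = sorted(seen - policy[category])
        if extra:
            violations[category] = extra
    return violations

def build_kexinit(name_lists) -> bytes:
    """Encode a constructed KEXINIT payload so the example runs offline."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in name_lists:
        data = ",".join(names).encode("ascii")
        body += len(data).to_bytes(4, "big") + data
    return body + b"\x00" + (0).to_bytes(4, "big")

# Hypothetical company policy and constructed server offer (not real device output).
POLICY = {"ciphers": {"aes256-ctr", "aes256-gcm@openssh.com"},
          "macs": {"hmac-sha2-256", "hmac-sha2-512"},
          "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384"}}
ENC, MAC = ["aes256-ctr", "aes128-cbc"], ["hmac-sha2-256", "hmac-sha1"]
SAMPLE = build_kexinit([["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
                        ["rsa-sha2-256"], ENC, ENC, MAC, MAC, ["none"], ["none"], [], []])
```

A real server's kex list can also carry non-algorithm markers such as `ext-info-s` (RFC 8308); add those to the policy's `kex` set if they should not be reported.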