Basic Concept: GlobalProtect pre-logon uses a machine certificate before any user logs in. The gateway must be configured to validate that machine certificate through a certificate profile.
Why C is Correct: Assigning a certificate profile that trusts the machine certificate's CA in the Gateway client authentication settings enables pre-logon certificate validation.
Why A is Wrong: "Create a device-based Security policy that allows traffic from the pre-logon user to an internal management zone" relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.
Why B is Wrong: "Create an authentication profile that points to the machine certificate's CA and assign it by using the client authentication settings of the GlobalProtect Portal" relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.
Why D is Wrong: "Configure the Gateway Agent --> Tunnel Settings to use IPSec with machine certificate authentication for the pre-logon tunnel" relates to VPN configuration, but it does not address the specific PAN-OS requirement for selectors, tunnel interface functions, routing, or Security policy in this scenario.