Basic Concept: GlobalProtect pre-logon uses machine certificates before user sign-in, while user authentication can use separate profiles and cloud IdPs. Panorama provides consistent certificate distribution.
Why B is Correct: The correct design uses distinct certificate profiles, internal OCSP, Panorama-distributed CA trust, and Group Policy certificate deployment to support secure pre-logon and user-based connectivity.
Why A is Wrong: The option "Use a wildcard certificate from a public CA, disable all revocation checks to reduce latency, and manage certificate renewals manually on each firewall" is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
Why C is Wrong: The option "Configure a single certificate profile for both user and machine certificates. Rely solely on CRLs for revocation to minimize complexity" is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
Why D is Wrong: The option "Deploy self-signed certificates on each firewall, allow IP-based authentication to override certificate checks, and use default GlobalProtect settings for user / machine identification" is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.