Before deployingserver certificatesfrom atrusted third-party Certificate Authority (CA)forGlobalProtect components, two critical pieces of information are required:

Encrypted Private Key and Certificate (PKCS12) (✔️Correct)

ThePKCS12 (.p12 or .pfx) filecontains theprivate key and certificatein an encrypted format.

This ensuressecure installation of the certificateon GlobalProtect portals and gateways.

Subject Alternative Name (SAN) (✔️Correct)

TheSAN field in the certificateensures that it supportsmultiple domain names and IP addresses.

Necessary forGlobalProtect clients to trust the server certificatewhen connecting to different GlobalProtect portals or gateways.

C. Certificate and Key Files❌

While important, certificate and key files aloneare not always sufficient for installation.

UsingPKCS12 format (A) is the best practicesince itencrypts both the private key and certificatetogether.

D. Passphrase for Private Key❌

Not always requiredunlessthe private key is encrypted with a passphrase.

PKCS12 formatalreadyincludes encryption and can be protected with a passphraseif needed.

Firewall Deployment– SSL/TLS certificates secureGlobalProtect VPN portals and gateways.

Security Policies– Ensuressecure certificate-based authenticationfor VPN users.

VPN Configurations– Required forIPsec/SSL VPN authentication and encryption.

Threat Prevention– Protects againstman-in-the-middle (MITM) attacksusingvalid certificates.

WildFire Integration– Ensurescertificate-based security is not bypassed by malware-infected connections.

Panorama– Centralized management ofcertificate deployments across multiple firewalls.

Zero Trust Architectures– Enforcesidentity-based authentication using trusted certificates.

Why Other Options Are Incorrect?References to Firewall Deployment and Security Features:Thus, the correct answers are:✅A. Encrypted private key and certificate (PKCS12)✅B. Subject Alternative Name (SAN)