Basic Concept: Enterprise certificate authentication requires a consistent trust chain, revocation checking, and scalable certificate enrollment. Panorama templates/shared objects help maintain consistency across many firewalls.

Why B is Correct: The correct approach distributes trusted CAs consistently, uses OCSP for efficient revocation, keeps CRL fallback, separates user and device certificate profiles, and automates endpoint enrollment.

Why A is Wrong: Deploy self-signed certificates at each site to simplify local certificate validation and reduce dependencies on a centralized CTurn off certificate revocation checks for lower overhead, rely on IP-based rules for GlobalProtect authentication, and use a single certificate profile for both users and devices. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why C is Wrong: Configure each firewall independently to trust the root and intermediate CA certificates. Rely only on manual CRL checks for certificate revocation, and import both user and device certificates directly into each firewall’s local certificate store for authentication. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.

Why D is Wrong: Obtain wildcard certificates from a public CA for both user and device authentication, and configure firewalls to perform CRL polling at the default update interval. Manually install user certificates on endpoints and synchronize firewall certificate stores through frequent manual SSH updates to maintain consistency. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.