Question 9 - Palo Alto Networks NGFW-Engineer Real Exam Questions [March 2026 Update]

Q: 9

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

Options

Discussion

QuickNeteng4447 Feb 18, 2026 11:25 am

Maybe B and C here. User Authentication definitely involves encryption sometimes, and GlobalProtect Gateway always needs SSL/TLS. Not totally sure since "user authentication" could mean different features though.

Neha I. Mar 8, 2026 9:30 pm

Its C and D. GlobalProtect Portal and Gateway both require SSL/TLS profiles, pretty standard for Palo setups.

OwenO Mar 2, 2026 11:38 am

B and C tbh, since user authentication could use SSL/TLS profiles during captive portal but depends how strict you read the question.

Jordan K. Mar 6, 2026 7:56 pm

Why does B keep showing up? User Authentication here isn't using the SSL/TLS profile like GlobalProtect Portal and Gateway do.

Morgan C. Feb 24, 2026 11:02 am

Probably C and D, that's what the official admin guide and exam practice both use for SSL/TLS profile scenarios.

Jordan O. Feb 20, 2026 5:51 pm

B tbh

Arjun Feb 20, 2026 7:44 am

C vs B. User Authentication sometimes needs SSL/TLS when enabling certain features, so feels tricky.

SkepticalNeteng3911 Feb 20, 2026 9:59 pm

C. D. I don't think B is right here since SSL/TLS profiles are tied to GlobalProtect Portal and Gateway, not user authentication. Pretty common trap if you're not hands-on with GlobalProtect.

Cameron F. Feb 20, 2026 8:02 am

Probably C and D, saw similar in practice tests. GlobalProtect Portal and Gateway both use SSL/TLS profiles on PAN firewalls.

Taylor S. Feb 22, 2026 6:23 pm

B and C tbh. User Authentication sometimes uses SSL/TLS if you're doing things like Captive Portal, and GlobalProtect Gateway for sure does. Not 100% sure if "User Authentication" here covers all that though.

Be respectful. No spam.

Correct Answer:

C, D

Explanation

An SSL/TLS Service Profile on a Palo Alto Networks NGFW is used to configure the server certificate and protocol settings for services where the firewall acts as an SSL/TLS server. This profile is essential for securing management and access services by authenticating the firewall to the connecting client and encrypting the session. The two most prominent services that utilize SSL/TLS Service Profiles are the GlobalProtect Portal, which provides client configurations, and the GlobalProtect Gateway, which terminates the secure VPN tunnels from clients. Both require a configured profile to establish a trusted and encrypted connection.

Why Incorrect

A. NAT tables: These are networking constructs for translating IP addresses and ports; they are not services or connections secured by SSL/TLS profiles.

B. User Authentication: This is a broad process. While services that perform user authentication (like Captive Portal) use these profiles, GlobalProtect Portal and Gateway are specific, configurable services that directly apply them.

References

1. Palo Alto Networks PAN-OS® Administrator's Guide 10.2: In the section on security profiles

it states

"An SSL/TLS service profile specifies a server certificate and the SSL/TLS protocol versions that a firewall interface will support when it functions as an SSL/TLS server to secure services such as the GlobalProtect portal

GlobalProtect gateways

Captive Portal

and Prisma Access."

Reference: Palo Alto Networks. (2023). PAN-OS® Administrator's Guide Version 10.2. Objects > Security Profiles > SSL/TLS Service Profile.

2. Palo Alto Networks TechDocs - Configure an SSL/TLS Service Profile: This official documentation page explicitly lists the services that use these profiles. The primary examples provided are for securing firewall management interfaces and remote access solutions.

Reference: Palo Alto Networks TechDocs. (n.d.). Configure an SSL/TLS Service Profile. Retrieved from docs.paloaltonetworks.com. The document states

"You can attach an SSL/TLS service profile to any firewall service that requires a server certificate..." and provides examples including "GlobalProtect portal" and "GlobalProtect gateways".

3. Palo Alto Networks TechDocs - Set Up the GlobalProtect Infrastructure: The configuration steps for both the portal and the gateway explicitly require the administrator to select a pre-configured SSL/TLS Service Profile to assign a server certificate for the service.

Reference: Palo Alto Networks TechDocs. (n.d.). Set Up the GlobalProtect Infrastructure in the Web Interface. Retrieved from docs.paloaltonetworks.com. See steps under "Configure the GlobalProtect Portal" and "Configure a GlobalProtect Gateway

" which both include selecting an SSL/TLS Service Profile.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE