Question 9 - Palo Alto Networks NGFW-Engineer Real Exam Questions [Jan 2026 Update]

Q: 9

Palo Alto Networks NGFWs use SSL/TLS profiles to secure which two types of connections? (Choose two.)

Options

Discussion

Arjun Jan 6, 2026 6:05 am

C vs B. User Authentication sometimes needs SSL/TLS when enabling certain features, so feels tricky.

SkepticalNeteng3911 Jan 6, 2026 8:20 pm

C. D. I don't think B is right here since SSL/TLS profiles are tied to GlobalProtect Portal and Gateway, not user authentication. Pretty common trap if you're not hands-on with GlobalProtect.

Ethan Y. Jan 14, 2026 10:18 pm

Not B in this case, it's C and D. SSL/TLS profiles are for GlobalProtect Portal and Gateway, user authentication like Captive Portal uses a different config. B is an easy trap here imo.

NinaG Jan 17, 2026 2:39 pm

C vs D, but I think both are right for this specific question since GlobalProtect Portal and Gateway each need their own SSL/TLS profile for cert management. B (User Authentication) sometimes feels like a gray area if you're thinking about Captive Portal or SAML, but those don't directly attach SSL/TLS profiles like GP does. Anyone else seen user auth directly use the firewall's profile config? I'm pretty sure it's just C and D.

Parker Jan 9, 2026 3:53 pm

C and D

Ravi J. Jan 15, 2026 7:38 pm

C and D imo. SSL/TLS profiles are def required for GlobalProtect Portal and Gateway, since both need certificates for secure access. NAT tables and User Authentication don’t use SSL/TLS profiles directly on the firewall from what I know. Correct me if you’ve seen otherwise.

Emma N. Jan 23, 2026 3:02 am

Its C and D. GlobalProtect needs SSL/TLS profiles for portal and gateways, not for NAT or user auth. Anyone disagree?

Sam B. Jan 9, 2026 8:03 am

Probably C and D. The question's pretty clear for anyone who's set up GlobalProtect before, nice one.

Be respectful. No spam.

Correct Answer:

C, D

Explanation

An SSL/TLS Service Profile on a Palo Alto Networks NGFW is used to configure the server certificate and protocol settings for services where the firewall acts as an SSL/TLS server. This profile is essential for securing management and access services by authenticating the firewall to the connecting client and encrypting the session. The two most prominent services that utilize SSL/TLS Service Profiles are the GlobalProtect Portal, which provides client configurations, and the GlobalProtect Gateway, which terminates the secure VPN tunnels from clients. Both require a configured profile to establish a trusted and encrypted connection.

Why Incorrect

A. NAT tables: These are networking constructs for translating IP addresses and ports; they are not services or connections secured by SSL/TLS profiles.

B. User Authentication: This is a broad process. While services that perform user authentication (like Captive Portal) use these profiles, GlobalProtect Portal and Gateway are specific, configurable services that directly apply them.

References

1. Palo Alto Networks PAN-OS® Administrator's Guide 10.2: In the section on security profiles

it states

"An SSL/TLS service profile specifies a server certificate and the SSL/TLS protocol versions that a firewall interface will support when it functions as an SSL/TLS server to secure services such as the GlobalProtect portal

GlobalProtect gateways

Captive Portal

and Prisma Access."

Reference: Palo Alto Networks. (2023). PAN-OS® Administrator's Guide Version 10.2. Objects > Security Profiles > SSL/TLS Service Profile.

2. Palo Alto Networks TechDocs - Configure an SSL/TLS Service Profile: This official documentation page explicitly lists the services that use these profiles. The primary examples provided are for securing firewall management interfaces and remote access solutions.

Reference: Palo Alto Networks TechDocs. (n.d.). Configure an SSL/TLS Service Profile. Retrieved from docs.paloaltonetworks.com. The document states

"You can attach an SSL/TLS service profile to any firewall service that requires a server certificate..." and provides examples including "GlobalProtect portal" and "GlobalProtect gateways".

3. Palo Alto Networks TechDocs - Set Up the GlobalProtect Infrastructure: The configuration steps for both the portal and the gateway explicitly require the administrator to select a pre-configured SSL/TLS Service Profile to assign a server certificate for the service.

Reference: Palo Alto Networks TechDocs. (n.d.). Set Up the GlobalProtect Infrastructure in the Web Interface. Retrieved from docs.paloaltonetworks.com. See steps under "Configure the GlobalProtect Portal" and "Configure a GlobalProtect Gateway

" which both include selecting an SSL/TLS Service Profile.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE