Exam NGFW-Engineer Topic 2 Question 64 Discussion
Actual exam question for Palo Alto Networks's NGFW-Engineer exam
Question #: 64
Topic #: 2
Question #: 64
Topic #: 2
An administrator is designing a public key infrastructure (PKI) integration for a large-scale deployment with thousands of users authenticating via client certificates. A key design goal is to ensure that certificate revocation status is checked efficiently with minimal impact on firewall performance and minimal delay for the connecting user.
What is the primary advantage of using the Online Certificate Status Protocol (OCSP) instead of certificate revocation lists (CRLs) in this scenario?
What is the primary advantage of using the Online Certificate Status Protocol (OCSP) instead of certificate revocation lists (CRLs) in this scenario?
Suggested Answer: B Vote an answer
Basic Concept: OCSP and CRL both check certificate revocation, but OCSP performs on-demand status checks instead of downloading full revocation lists.
Why B is Correct: OCSP is more scalable for large deployments because it returns real-time status for a certificate with lower memory and download overhead.
Why A is Wrong: OCSP allows the firewall to act as its own certificate authority (CA), and it simplifies certificate management. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
Why C is Wrong: OCSP is an older, more widely supported protocol than CRLs. ensuring compatibility with all client devices. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
Why D is Wrong: OCSP bundles all certificate statuses into a single, digitally signed file for faster downloads by the firewall. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
Why B is Correct: OCSP is more scalable for large deployments because it returns real-time status for a certificate with lower memory and download overhead.
Why A is Wrong: OCSP allows the firewall to act as its own certificate authority (CA), and it simplifies certificate management. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
Why C is Wrong: OCSP is an older, more widely supported protocol than CRLs. ensuring compatibility with all client devices. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
Why D is Wrong: OCSP bundles all certificate statuses into a single, digitally signed file for faster downloads by the firewall. is associated with authentication, PKI, or TLS configuration, but it is not the object or step that enforces the certificate validation or service identity requirement being tested.
by Kevin at Jun 24, 2026, 08:02 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).