Exam PCNSE
Question 223

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com.

Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

Correct Answer: A

When an end-user visits an untrusted website, the firewall uses a certificate authority (CA) certificate to re-sign the untrusted webserver certificate. In the given table, the 'Forward-Untrust-Certificate' is specifically designed for this purpose, as indicated by its name. Despite the comments suggesting otherwise, the correct protocol involves using the 'Forward-Untrust-Certificate' to handle untrusted webserver certificates, ensuring the user receives a proper warning about the untrusted site. Thus, the 'Forward-Untrust-Certificate' will be used to sign the untrusted webserver certificate.

Discussion
Abu_Muhammad (Option: B)

B. Just simulated it: (Operation Validate Status Completed Result Successful Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.)

confusion

nice, thank you!

Pretorian

Wow, thank you!!

Hiwanku (Option: B)

B. It is used by default when there is no untrusted one set in the properties.

Marcyy

Can you provide a link to this please? I am having trouble finding it.

drrealest

The usage column is blank for the untrusted one, so it's not being used, so the trust one is used, like you said.

Marcyy

This is not a good question. It isn't configured properly as there is no Untrusted Forward ticked. Does anyone know how to answer this?

Breyarg

Yes, it's B. And unfortunately I've seen this in production more than once.

Lexus1323 (Option: A)

Additionally, set up a Forward Untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.

gc999

Yes, I see this from the link below, so why did most people choose "B"? https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

DatITGuyTho1337

Found this article that proves that if there is no forward untrust cert designated, the firewall is forced to use the designated forward trust certificate. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NGkCAM&lang=en_US

TAKUM1y (Option: B)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

AbuHussain (Option: B)

It's B

Jared28 (Option: B)

It's B, I lab-tested it. See the reference below, for those of you confused like I was: it says the untrust is required, but apparently it's not (the comments here made me test it): https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-forward-proxy.html "After setting up the Forward Trust and Forward Untrust certificates required for SSL Forward Proxy decryption..."

GivemeMoney (Option: B)

B. Usage has forward trust certificate.

Micutzu (Option: B)

Since the Forward Trust Certificate isn't configured, the Forward Trust Certificate will also be used for the untrusted webserver. The answer should be B, Forward-Trust-Certificate.

zicouille (Option: B)

It's B, as there is no untrust set on properties.

alanouaro (Option: A)

Option A. Additionally, set up a Forward Untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html

weze1336 (Option: A)

I don't get it. You are all saying that there is no "Forward-Untrust-Certificate", but in the picture there is clearly a "Forward-Untrust-Certificate", so we know it's configured. So shouldn't the answer be A??

Sammy3637 (Option: B)

keyword - 'user to sign'

Sammy3637

typo - 'used to sign'
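The fallback the validation warning in the discussion describes (no Forward Untrust CA configured, so the Forward Trust CA re-signs the certificate of an untrusted site) can be reproduced end to end with Go's standard crypto/x509 package. This is an added example, not code from the page or from Palo Alto Networks: the two CA names are taken from the question, while `issue`, `newCA`, `resign`, `clientWarns` and the certificates they build are constructed lab material, and the only assumption is that the client trusts just the Forward Trust CA, as a managed endpoint would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a P-256 key for tmpl and signs it with parent (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent = &tls.Certificate{PrivateKey: key, Leaf: tmpl}
	}
	// Errors are dropped: the inputs are fixed, constructed lab templates, not real firewall CAs.
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newCA builds a self-signed CA named cn, standing in for a firewall forward-proxy CA.
func newCA(cn string) tls.Certificate {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
}

// resign emulates the proxy re-signing the server certificate for host. An untrusted origin with no
// Forward Untrust CA configured (nil) falls back to the Forward Trust CA, as the PAN-OS warning says.
func resign(host string, originTrusted bool, trust, untrust *tls.Certificate) *x509.Certificate {
	signer := trust
	if !originTrusted && untrust != nil {
		signer = untrust
	}
	return issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, signer).Leaf
}

// clientWarns reports whether a client trusting only the Forward Trust CA would warn on leaf;
// false for an untrusted site means the warning the untrust CA exists to trigger has been lost.
func clientWarns(leaf, trustCA *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err != nil
}
```

Running `resign` once with both CAs and once with `untrust` set to nil shows the operational point behind the B votes: in the second case the re-signed certificate chains to the Forward Trust CA and the browser shows no warning at all for the untrusted site.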