Exam PCNSE
Question 428

An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025.

The validity date on the PA-generated certificate is taken from what?

    Correct Answer: C

    The validity period (the not-before and not-after dates) on the PA-generated certificate is copied from the real server certificate. When the firewall generates the impersonation certificate on the fly for the client side of the proxied session, it reuses the server certificate's validity dates, subject and subject alternative names and signs the result with the forward trust CA, so the client sees a certificate whose dates match the real site and gets no validity error that the original server would not also have produced. The forward trust certificate's own expiry (December 31, 2025 in this question) is not copied onto the generated certificate; it matters separately, because once the forward trust CA expires, clients reject the whole chain regardless of the dates on the leaf.
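    The minting step described above, as an added illustration that is not Palo Alto Networks code and does not reproduce the firewall's implementation: a constructed forward trust CA (expiring December 31, 2025, as in the question) re-signs a constructed server certificate whose validity runs into 2026, copying the server's subject, SANs and validity dates. The `chain_valid_at` check shows the caveat: the proxied leaf carries the server's dates, but a client still fails the chain once the forward trust CA itself has expired. All names, dates and hostnames are constructed for the example; it requires the `cryptography` package.

```python
"""Constructed example of how an SSL forward proxy mints a leaf certificate.

Not Palo Alto Networks code. It models the behaviour described on the page:
subject, SANs and validity dates are copied from the real server certificate,
and the copy is signed by the forward trust CA. Requires `cryptography`.
"""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc


def _make_key():
    # EC keys keep the example fast; the firewall's key type is not modelled here.
    return ec.generate_private_key(ec.SECP256R1())


def _validity(cert):
    """Return (not_before, not_after) as aware UTC datetimes across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=UTC)
        na = cert.not_valid_after.replace(tzinfo=UTC)
    return nb, na


def make_ca(cn, not_before, not_after):
    """Self-signed CA certificate (stands in for the enterprise PKI or a public CA)."""
    key = _make_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def make_server_cert(hostname, ca_cert, ca_key, not_before, not_after):
    """The 'real' server certificate as a public CA would issue it (constructed)."""
    key = _make_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def mint_forward_proxy_cert(server_cert, trust_ca_cert, trust_ca_key, proxy_key):
    """Re-issue the server's identity under the forward trust CA.

    Subject, SANs and validity dates come from the real server certificate;
    issuer and signature come from the forward trust CA; the public key is the
    proxy's own, since the proxy holds the private key for the client leg.
    """
    not_before, not_after = _validity(server_cert)
    builder = (x509.CertificateBuilder()
               .subject_name(server_cert.subject)
               .issuer_name(trust_ca_cert.subject)
               .public_key(proxy_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_before)
               .not_valid_after(not_after))
    try:
        san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=san.critical)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(trust_ca_key, hashes.SHA256())


def chain_valid_at(leaf, issuer, when):
    """Client-side date check: the leaf and its issuing CA must both be within validity."""
    for cert in (leaf, issuer):
        nb, na = _validity(cert)
        if not nb <= when <= na:
            return False
    return True


def demo():
    # Forward trust CA from the enterprise PKI, expiring 2025-12-31 (as in the question).
    trust_ca, trust_key = make_ca("Enterprise Forward Trust CA",
                                  dt.datetime(2023, 1, 1, tzinfo=UTC),
                                  dt.datetime(2025, 12, 31, 23, 59, 59, tzinfo=UTC))
    # Constructed public CA and a real server certificate that remains valid into 2026.
    public_ca, public_key = make_ca("Constructed Public CA",
                                    dt.datetime(2020, 1, 1, tzinfo=UTC),
                                    dt.datetime(2030, 1, 1, tzinfo=UTC))
    server = make_server_cert("www.example.com", public_ca, public_key,
                              dt.datetime(2025, 3, 1, tzinfo=UTC),
                              dt.datetime(2026, 5, 30, tzinfo=UTC))
    proxied = mint_forward_proxy_cert(server, trust_ca, trust_key, _make_key())
    cn = NameOID.COMMON_NAME
    return {
        "server_not_after": _validity(server)[1],
        "proxied_not_after": _validity(proxied)[1],
        "trust_ca_not_after": _validity(trust_ca)[1],
        "issuer_cn": proxied.issuer.get_attributes_for_oid(cn)[0].value,
        "subject_cn": proxied.subject.get_attributes_for_oid(cn)[0].value,
        "chain_ok_dec_2025": chain_valid_at(proxied, trust_ca, dt.datetime(2025, 12, 1, tzinfo=UTC)),
        "chain_ok_feb_2026": chain_valid_at(proxied, trust_ca, dt.datetime(2026, 2, 1, tzinfo=UTC)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    Running `demo()` shows the proxied leaf's not-after equal to the server's (May 30, 2026) and not to the forward trust CA's (December 31, 2025), with the issuer CN naming the forward trust CA and the subject CN naming the site. The chain check passes in December 2025 and fails in February 2026 even though the leaf is still inside its copied validity window, which is the operational reason to track the forward trust certificate's expiry separately from anything the clients see on individual sites.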

Discussion
Shoieb (Option: C)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8wCAC "The validity date on the Palo Alto Networks firewall generated certificate is taken from the validity date on the real server certificate."

mz101 (Option: C)

Should be C. Copied from the destination server.

MR48 (Option: C)

From googling I found the following: "In this case, the firewall proxies outbound SSL connections by intercepting outbound SSL requests and generating a certificate on the fly for the site the user wants to visit. The validity date on the PA-generated certificate is taken from the validity date on the real server certificate." Granted not Palo docs. https://computernetworksecuritis.blogspot.com/2017/05/how-to-implement-and-test-ssl.html

findkeywordcommand (Option: C)

You can test this by generating a forward trust cert on the PA that is valid for 5 years, then visiting a random website (with decryption enabled) and checking the validity of the certificate. It has the CN of your forward trust cert and the validity of the site you're visiting (server certificate).

Jared28 (Option: C)

Although I agree with C, I think the wording on D is tricky. For the forward trust to show it to you, it would be showing you the expiration on "the trusted certificate", but "the trusted certificate" would also be "the server certificate".

Marshpillowz (Option: C)

C is correct

alinio11 (Option: C)

The correct answer is C. I've tested in my lab.

sujss (Option: C)

C would make the most sense, as the firewall proxies the traffic and kind of impersonates the server, and would be expected to present the same expiry date for the cert.

djedeen (Option: C)

C, per Shoeib's link.