Examice

Exam PCNSE All QuestionsBrowse all questions from this exam

Question 307

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.

The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

1. End-users must not get the warning for the https://www.very-important-website.com/ website

2. End-users should get the warning for any other untrusted website

Which approach meets the two customer requirements?

Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores

Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration

Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known- Root-CA, select the Trusted Root CA check box, and commit the configuration

Correct Answer: C

To meet the customer's requirements, the certifying authority trusted by the web browser must also be trusted by the firewall for SSL Forward Proxy. Importing the Well-Known-Intermediate-CA and Well-Known-Root-CA into the firewall’s trusted certificate store and selecting the Trusted Root CA check box will ensure that the firewall can sign the website certificate without causing a warning for end-users when accessing https://www.very-important-website.com. This configuration leaves untrusted websites to prompt warnings, fulfilling both requirements.

Discussion

McDrudgeOption: C

A: Fixes requirement 1 but doesn't meet requirement 2. B: Wouldn't fix the issue as the firewall would still be exposing the forward trust cert to the users (signed by FW or or enterprise PKI) C: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-certificate-management-certificates/manage-default-trusted-certificate-authorities D: No such method to import certs exists.

droideOption: C

see McDrudge answer and for D : You cannot import a certificate in the "Default Trusted Certificate Authorities", only enable, disable and "export certificate"

aatechlerOption: C

I think C since there is no import option under Default Trusted Certificate Authorities.

megretzOption: D

D because the firewall is giving untrusted cert as it doesn't trust the cert presented to it

Pochex

From Default Trusted Certificates Authorities you cannot import a cert, D is no correct.

confusionOption: C

C If you imported + trusted, users shall not receive the browser pop up any more, whilst still getting the warning for other untrusted sites

mysteryzjokerOption: C

I think C. Cannot see an option to import certs to the default trusted certs, only on the device certs

McMarius11Option: C

C is correct!

dogeatdogOption: C

C. The option to import is not available in the

AlquicermOption: D

I think that it's option D