Exam PCNSE
Question 393

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

    Correct Answer: B

    The Forward Trust certificate must be a CA certificate, because the firewall uses it to sign the impersonated server certificates it presents to clients. It should therefore be generated as a subordinate CA signed by the company's Intermediate CA: every device that already trusts the Enterprise chain (distributed via Group Policy and GlobalProtect) then trusts whatever the firewall signs with it, with no additional certificate distribution. The Forward Untrust certificate is used only when the original server certificate fails validation (untrusted issuer, expired, revoked), and its job is to make the client display the warning it would have seen without decryption. It must be self-signed on the firewall and must never chain to the Enterprise CA: a Forward Untrust certificate issued by the Intermediate CA would be trusted by every managed device, and the warning would be silently lost. The PAN-OS documentation also recommends generating a separate subordinate Forward Trust CA certificate for each firewall rather than sharing one.
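
The following is an added example, not from the page and not Palo Alto Networks' own procedure. It builds the PKI described in the question with the openssl command line and checks each design against a client whose trust store holds only the Enterprise Root and Intermediate: a server certificate re-signed by a Forward Trust CA subordinate to the Intermediate validates; one re-signed by a self-signed Forward Untrust CA does not (the warning the untrust cert is meant to trigger); and one re-signed by a Forward Untrust CA that was itself signed by the Intermediate validates too, which is the failure mode several commenters in the discussion below point out. All CA names, hostnames and file names are constructed for the demo; it assumes an OpenSSL 1.1.1 or later CLI.

```shell
#!/bin/sh
# Added example (not from the page or Palo Alto Networks): models the Forward
# Trust / Forward Untrust design with the openssl CLI and checks what a client
# that trusts only the Enterprise Root + Intermediate would accept.
# All CA names, hostnames and file names below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: a dummy DN (overridden by -subj) plus the two
# extension profiles used below (a signing CA, and a re-signed server leaf).
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

new_key() {  # $1 = name; P-256 keys keep the demo fast
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
}

self_signed_ca() {  # $1 = name, $2 = CN
  new_key "$1"
  openssl req -x509 -new -key "$1.key" -subj "/CN=$2" -days 30 \
    -config demo.cnf -extensions v3_ca -out "$1.crt" 2>/dev/null
}

issue() {  # $1 = name, $2 = CN, $3 = issuing CA name, $4 = extension profile
  new_key "$1"
  openssl req -new -key "$1.key" -subj "/CN=$2" -config demo.cnf \
    -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}

# What a managed endpoint would accept: the Enterprise Root and Intermediate
# are in its trust store (Group Policy / GlobalProtect); the firewall sends the
# re-signed leaf plus its own signing CA as the chain, hence -untrusted.
client_accepts() {  # $1 = leaf cert name, $2 = CA the firewall sends with it
  openssl verify -CAfile client-truststore.pem -untrusted "$2.crt" "$1.crt" \
    >/dev/null 2>&1
}

outcome() { if client_accepts "$1" "$2"; then echo accepted; else echo rejected; fi; }

# 1. Enterprise PKI as described in the question.
self_signed_ca root "Example Enterprise Root CA"
issue intermediate "Example Enterprise Intermediate CA" root v3_ca
cat root.crt intermediate.crt > client-truststore.pem

# 2. Recommended design: Forward Trust = subordinate CA signed by the
#    Intermediate; Forward Untrust = self-signed CA that no endpoint trusts.
issue fwd-trust "Firewall Forward Trust CA" intermediate v3_ca
self_signed_ca fwd-untrust "Firewall Forward Untrust CA"

# 3. The rejected design: a Forward Untrust CA that also chains to the
#    Intermediate, so managed devices trust it.
issue fwd-untrust-bad "Firewall Forward Untrust CA (chained)" intermediate v3_ca

# 4. Stand-in for the firewall's re-signing of an impersonated server cert with
#    one CA or the other, depending on whether the origin chain validated.
issue leaf-trust   "www.example.com" fwd-trust       v3_leaf
issue leaf-untrust "www.example.com" fwd-untrust     v3_leaf
issue leaf-bad     "www.example.com" fwd-untrust-bad v3_leaf

TRUST_RESULT="$(outcome leaf-trust fwd-trust)"        # accepted: chains to Enterprise Root
UNTRUST_RESULT="$(outcome leaf-untrust fwd-untrust)"  # rejected: client warns, as intended
BAD_RESULT="$(outcome leaf-bad fwd-untrust-bad)"      # accepted: the warning is silently lost

printf 'forward trust (subordinate of Intermediate): %s\n' "$TRUST_RESULT"
printf 'forward untrust (self-signed)              : %s\n' "$UNTRUST_RESULT"
printf 'forward untrust chained to Intermediate    : %s\n' "$BAD_RESULT"
```

On a real firewall the Forward Trust CSR is generated on the device, signed by the Intermediate CA, and imported back, and the per-connection re-signing is done by the firewall at decryption time; the openssl `issue` calls above only stand in for those steps so that the trust outcome can be checked offline.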

Discussion
evdw (Option: B)

Correct answer is B. The idea is that clients will trust the TRUST CERTIFICATE (signed by the company CA) and will not trust the UNTRUST CERTIFICATE (self-signed).

mic_mic (Option: B)

Answer B. Generate a CA certificate for Forward Trust (step 2) and a self-signed CA for Forward Untrust (step 4): https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

Jared28 (Option: B)

B is the best answer but shouldn't it be a subordinate CA cert from the Enterprise PKI for the forward trust? I guess in stating that it's a CA cert, it's assumed it must be a subordinate if the Enterprise PKI is used.

Marshpillowz (Option: B)

B appears to be correct

JRKhan (Option: B)

B is logical. You don't want to sign the untrust certificate with an enterprise CA which all end-user devices will inherently trust.

Sammy3637 (Option: B)

B seems more logical

dorf05 (Option: C)

As long as the subordinate certificate is not exported to the CTL of the device(s), a single subordinate certificate is sufficient for a firewall. This would reduce resource use and prevent errors occurring as a result of managing two separate subordinate certificates.

Frightened_Acrobat (Option: B)

Answer B. It cannot be A because you don't want clients to trust the untrust certificate. If you use a subordinate certificate of the Enterprise CA that is installed on all clients, it is by definition still trusted even if you designate that certificate as the forward untrust. The forward untrust certificate should always be self-signed for this reason.

Sarbi (Option: A)

The answer is A. We can generate one for forward trust and one for forward untrust.

DenskyDen

A is wrong. The document mentions that "Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall." Since the question is about both forward trust and untrust, it should be best practice to Generate a CA certificate (B). https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy