An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?
Obtaining an enterprise CA-signed certificate for the Forward Trust certificate is considered best practice. This is because an enterprise CA-signed certificate ensures that the firewall can properly sign the certificates for sites requiring SSL decryption. Usually, network devices already trust the enterprise CA, simplifying the rollout process and avoiding the need to manually deploy certificates on endpoints.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
Option A (Best Practice) Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the Enterprise CA (it is usually already installed in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints, so the rollout process is smoother. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html
A https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
A. It's better to use Enterprise CA-signed cert
I don't understand the answers, which is better, 'to Use' or 'to Obtain'? What a confusing question.
You obtain certificates to use them.
A is correct
I agree it should be A, but why is C wrong? Once you add it to the certificate profile, I would think admins would use it on all of their firewalls in their domain?
There's a doc somewhere out there that states the best practice is something along the lines of "you could use the same enterprise or self-signed root CA cert for all firewalls, but definitely should use it to generate a specific intermediate CA for each firewall, because if you use the same ones for all of them and something happens and you need to change CAs for your forward trust cert, you're gonna have to change it in all firewalls. If you use an intermediate CA for each firewall, signed by the root CA, and something happens on one of your firewalls, you just need to change the intermediate CA cert <<<for that firewall only>>>."
A is correct. Just tried on my lab Palo Alto.
Yes, it's A. The cert needs to be a CA so it can create certs for each website visited, and the cert needs to be enterprise-CA-signed so that Windows clients will trust the certs created.
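As an added example (not from the thread, the exam, or Palo Alto's documentation), the script below models with openssl the hierarchy the answers describe: an enterprise root CA that endpoints already trust, one Forward Trust intermediate CA per firewall signed by that root, and the per-site certificate a firewall re-issues under its own intermediate, plus the chain check a client makes. All CA names, hostnames and paths are constructed; it writes only to a temporary directory.

```shell
# Added example (constructed PKI, not a Palo Alto config): root -> per-firewall intermediate -> site cert.
set -eu
WORK="$(mktemp -d)"
CNF="$WORK/pki.cnf"
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
EOF
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"; }
# Stand-in for the enterprise root CA that endpoints already trust.
make_root() {
  newkey root
  openssl req -x509 -new -key "$WORK/root.key" -config "$CNF" -extensions v3_root \
    -subj "/CN=Constructed Enterprise Root CA" -days 30 -out "$WORK/root.pem" 2>/dev/null
}
# One Forward Trust intermediate per firewall ($1), signed by the root; re-running it rotates only that firewall's CA.
make_intermediate() {
  newkey "$1"
  openssl req -new -key "$WORK/$1.key" -config "$CNF" -subj "/CN=Forward Trust $1" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_inter -days 30 -out "$WORK/$1.pem" 2>/dev/null
}
# What the firewall does per decrypted site: re-issue the server cert for host $2 under firewall $1's CA.
issue_leaf() {
  newkey "$2"
  openssl req -new -key "$WORK/$2.key" -config "$CNF" -subj "/CN=$2" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_leaf -days 1 -out "$WORK/$2.$1.pem" 2>/dev/null
}
# Client-side check: only the root is trusted, the handshake presents firewall $1's intermediate,
# and the leaf was issued for host $2 by firewall ${3:-$1}. Exit status 0 means the chain verifies.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$1.pem" "$WORK/$2.${3:-$1}.pem" >/dev/null 2>&1
}
```

Call make_root once, make_intermediate once per firewall, then issue_leaf and verify_leaf per site; re-running make_intermediate for one firewall invalidates only that firewall's previously issued site certificates, while the other firewall's chain still verifies against the same root.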