A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.
Which certificate is the best choice to configure as an SSL Forward Trust certificate?
To inspect bulk user HTTPS traffic flows at the internet edge firewall, the best choice for configuring an SSL Forward Trust certificate is a subordinate Certificate Authority certificate signed by the organization's PKI. This allows the firewall to act as a trusted proxy that can intercept and inspect SSL/TLS-encrypted traffic by generating trusted certificates for the intercepted connections. Using a subordinate CA signed by the organization's PKI ensures that the certificate is trusted by all devices within the network, thereby simplifying management and deployment processes.
Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.
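The two points above (a subordinate Forward Trust CA chained to the enterprise root, and a separate subordinate per firewall so one can be revoked on decommissioning without touching the rest) can be modelled end to end. The following is an added example written for this page, not Palo Alto code and not what PAN-OS runs internally; it uses the Python `cryptography` library to build an enterprise root, issue one Forward Trust CA per firewall, mint the re-signed site certificate each firewall would present to clients, and then check, from the client's point of view, what happens when only one firewall's subordinate CA is placed on the root's CRL. The organization name, firewall names, hostname and validity periods are constructed values.

```python
"""Per-firewall subordinate Forward Trust CAs: issue, verify, revoke one (added example)."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def _name(cn):  # constructed organization name
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ca_key_usage():
    return x509.KeyUsage(digital_signature=True, key_cert_sign=True, crl_sign=True,
                         content_commitment=False, key_encipherment=False, data_encipherment=False,
                         key_agreement=False, encipher_only=False, decipher_only=False)


def _cert(subject, issuer, pubkey, signer, days, ca, path_len, extra=()):
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(minutes=5))
         .not_valid_after(NOW + datetime.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True))
    for ext, critical in extra:
        b = b.add_extension(ext, critical)
    return b.sign(signer, hashes.SHA256())


def make_root_ca():
    """Enterprise root CA: the one certificate already in every client's trust store."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = _name("Example Corp Enterprise Root CA")
    return key, _cert(name, name, key.public_key(), key, 3650, True, 1, [(_ca_key_usage(), True)])


def make_forward_trust_ca(root_key, root_cert, firewall_name):
    """One subordinate Forward Trust CA per firewall, path_length=0 so it can only sign leaves."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = _cert(_name(f"Forward Trust CA - {firewall_name}"), root_cert.subject, key.public_key(),
                 root_key, 730, True, 0, [(_ca_key_usage(), True)])
    return key, cert


def resign_server_cert(ft_key, ft_cert, hostname):
    """What the forward proxy does per intercepted site: a fresh leaf carrying the origin's
    name, signed by this firewall's Forward Trust CA (short validity is a constructed choice)."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    extra = [(x509.SubjectAlternativeName([x509.DNSName(hostname)]), False),
             (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), False)]
    return _cert(_name(hostname), ft_cert.subject, leaf_key.public_key(), ft_key, 1, False, None, extra)


def build_crl(root_key, root_cert, revoked_serials):
    """Root-issued CRL listing revoked subordinate CA serials (e.g. a decommissioned firewall)."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(root_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return b.sign(root_key, hashes.SHA256())


def client_trusts(leaf, sub_ca, root, crl, hostname):
    """Client-side view: signatures along leaf -> sub CA -> root, CRL status of the sub CA,
    CA flag on the sub CA, and hostname match. Returns (ok, reason)."""
    try:
        root.public_key().verify(sub_ca.signature, sub_ca.tbs_certificate_bytes,
                                 ec.ECDSA(sub_ca.signature_hash_algorithm))
        sub_ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad signature in chain"
    if sub_ca.issuer != root.subject or leaf.issuer != sub_ca.subject:
        return False, "issuer/subject mismatch"
    if not sub_ca.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False, "intermediate is not a CA"
    if crl.get_revoked_certificate_by_serial_number(sub_ca.serial_number) is not None:
        return False, "forward trust CA revoked"
    sans = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in sans.get_values_for_type(x509.DNSName):
        return False, "hostname mismatch"
    return True, "ok"


def demo():
    root_key, root = make_root_ca()
    fws = {n: make_forward_trust_ca(root_key, root, n) for n in ("fw-edge-1", "fw-edge-2")}
    host = "www.example.com"  # constructed intercepted site
    leaf = {n: resign_server_cert(k, c, host) for n, (k, c) in fws.items()}
    no_revocations = build_crl(root_key, root, [])
    # Decommission fw-edge-1: revoke only its Forward Trust CA; fw-edge-2 keeps working.
    after_revoke = build_crl(root_key, root, [fws["fw-edge-1"][1].serial_number])
    return {
        "before": {n: client_trusts(leaf[n], fws[n][1], root, no_revocations, host)[0] for n in fws},
        "after": {n: client_trusts(leaf[n], fws[n][1], root, after_revoke, host)[0] for n in fws},
        # leaf minted by fw-edge-1 presented with fw-edge-2's CA: signature does not verify
        "cross": client_trusts(leaf["fw-edge-1"], fws["fw-edge-2"][1], root, no_revocations, host)[0],
        "wrong_host": client_trusts(leaf["fw-edge-2"], fws["fw-edge-2"][1], root,
                                    no_revocations, "other.example.com")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because each firewall signs with its own subordinate, the `after` result shows fw-edge-1's intercepted sessions failing validation while fw-edge-2's still pass; with a single shared Forward Trust CA the same revocation would break decryption on every firewall at once. The distinct issuer name on each subordinate is also what lets a user's browser warning identify which firewall the traffic crossed.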
C - only choice with subordinate cert, can be either from org's PKI or self-signed. Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall.
Correct answer is C. You'll need some kind of trusted CA certificate to generate a server certificate that you present to internal clients for each website.
C is correct
This question was on the exam. Nov 2023
Agreed with bearfromdownunder Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
C, if you already have an Enterprise CA, then the clients will have it already installed. Therefore, I'm going with C
Answer D: The firewall can use certificates signed by an enterprise certificate authority (CA) or self-signed certificates generated on the firewall as Forward Trust certificates to authenticate the SSL session with the client. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
While you can use a self-signed certificate, the "BEST" choice is C. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy (Best Practice) Enterprise CA-signed Certificates: An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites that require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the enterprise CA (it is usually already installed in the devices' CA Trust storage), so you don't need to deploy the certificate on the endpoints, so the rollout process is smoother.
I think C
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-forward-proxy (Recommended Best Practice) Enterprise CA-signed Certificates
D is correct. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK Under the first diagram we have "In Forward-Proxy mode, PAN-OS will intercept the SSL traffic which is matching the policy and will be acting as a proxy (MITM) generating a new certificate for the accessed URL. This new certificate will be presented during SSL Handshake to the Client accessing website with SSL. This certificate will be signed with the self-signed CA certificate or another certificate specified as:"
Agreed with bearfromdownunder Reference: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
D is correct. Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy : (Best Practice) Enterprise CA-signed Certificates
I think you wanted C not B