ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 519 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 519
Topic #: 1
[All PCNSE Questions]

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

  • A. A self-signed certificate generated on the firewall
  • B. A web server certificate signed by the organization’s PKI
  • C. A web server certificate signed by an external Certificate Authority
  • D. A subordinate Certificate Authority certificate signed by the organization’s PKI
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by abanaaba at June 11, 2023, 4:17 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Andromeda1800
Highly Voted 11 months, 1 week ago
Selected Answer: A
It's A, A self-signed certificate generated on the firewall. Client is supposed to present a warning about untrusted certificate and that's what answer A will provide. I am surprised how many people answer wrong even for the simplest questions like this and create too much noise with their comments and create confusion. I hope there are people that really read study guides, admin guides, PAN Beacon study materials before they put comments here with so much confidence claiming something is correct 100% while it's not.
upvoted 10 times
...
MostafaNawar
Most Recent 7 months ago
Selected Answer: A
A of course
upvoted 2 times
...
Marshpillowz
9 months, 1 week ago
Selected Answer: A
A is correct
upvoted 2 times
...
TeachTrooper
9 months, 3 weeks ago
Selected Answer: A
As it needs to be the Forward Untrust Certificate it must not be signed by a trusted source, so self signed it is.
upvoted 2 times
...
brian7857ffs45
11 months, 2 weeks ago
This question was on the exam.. Nov 2023
upvoted 2 times
...
zequel
1 year, 2 months ago
Selected Answer: A
A is the only correct answer since it's supposed to be an untrusted certificate on the browser end.
upvoted 1 times
...
Frightened_Acrobat
1 year, 4 months ago
Selected Answer: A
The only acceptable answer is A. You don't want to pay for the certificate, you don't want it to have a chain of trust and you don't want it trusted anywhere in your network. It's an 'Untrust' certificate after all.
upvoted 2 times
...
Pochex
1 year, 4 months ago
A is correct, if client machines and browsers do not have a self-signed certificate installed by default, then a warning will be triggered.
upvoted 1 times
...
Knowledge33
1 year, 4 months ago
Selected Answer: A
The browser doesn't have to trust the certificate. It's why we need to use a self-signed, which is free, easy to deploy and works well. The user should have a warning message. On this case, only A is correct. D is false because the brower will trust the cert automatically.
upvoted 2 times
...
[Removed]
1 year, 5 months ago
Answer is A, the question is about the Forward untrust certificate.
upvoted 1 times
[Removed]
1 year, 5 months ago
definitely not A. A self-signed CA will not be trusted by the browser as it is not a trusted cert.
upvoted 1 times
Knowledge33
1 year, 4 months ago
Please, read the question again. The browser doesn't have to trust the certificate. It's why we need to use a self-signed, which is free, easy to deploy and works well. The user should have a warning message. On this case, only A is correct. D is false because the brower will trust the cert automatically.
upvoted 1 times
[Removed]
1 year, 4 months ago
you are right. and this is why I failed this exam. I need to slow down and read the questions better.
upvoted 4 times
...
...
[Removed]
1 year, 4 months ago
Exactly, B,C and D would result in a trusted certificate being presented to the users and won't provide the untrusted certificate warning.
upvoted 1 times
...
...
...
abanaaba
1 year, 5 months ago
Selected Answer: D
I will go with D
upvoted 2 times
PaloSteve
1 year, 3 months ago
Please don't go with Answer D. The root cert of the org will be in the Trust store of the enterprise computers and will NOT give warnings about untrusted sites.
upvoted 5 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago