ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 223 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 223
Topic #: 1
[All PCNSE Questions]

The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.

An end-user visits the untrusted website https://www.firewall-do-not-trust-website.com.
Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?

  • A. Forward-Untrust-Certificate
  • B. Forward-Trust-Certificate
  • C. Firewall-CA
  • D. Firewall-Trusted-Root-CA
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Marcyy at Dec. 13, 2021, 12:13 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Abu_Muhammad
Highly Voted 3 years, 2 months ago
Selected Answer: B
B Just simulated it: (Operation Validate Status Completed Result Successful Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.)
upvoted 26 times
confusion
3 years, 2 months ago
nice, thank you!
upvoted 1 times
...
Pretorian
2 years, 11 months ago
Wow, thank you!!
upvoted 1 times
...
...
Hiwanku
Highly Voted 3 years, 7 months ago
B, It is used by default when there is no untrusted in properties.
upvoted 11 times
drrealest
3 years, 7 months ago
the usage column is blank for the untrusted one , so its not being used , so the trust one is used like you said
upvoted 1 times
...
Marcyy
3 years, 7 months ago
Can you provide a link to this please? I am having trouble finding it.
upvoted 2 times
...
...
Yohinar
Most Recent 8 months ago
Selected Answer: B
The Forward Untrust Certificate is installed, but not used and if there is no Forward Untrust Certificate the firewall will use the Forward Trust Certificate
upvoted 1 times
...
apiloran
9 months, 4 weeks ago
Selected Answer: B
The correct answer is B because there is no forward untrust option ticked on any certificates.
upvoted 1 times
...
Kebrape
10 months ago
Selected Answer: A
The Forward-Untrust- certificate is on the picture.
upvoted 1 times
...
weze1336
1 year, 1 month ago
I don't get it. You are all saying that there is no "Forward-Untrust-Certificate", But in the picture there is clearly a "Forward-Untrust-Certificate" So we know it's configured, So shouldn't the answer be A??
upvoted 1 times
...
Sammy3637
1 year, 7 months ago
Selected Answer: B
keyword - 'user to sign'
upvoted 1 times
Sammy3637
1 year, 6 months ago
type - 'used to sign'
upvoted 1 times
...
...
Lexus1323
2 years, 7 months ago
Selected Answer: A
Additionally, set up a Forward Untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
upvoted 4 times
gc999
1 year, 8 months ago
Yes, I see this from the link below, so why most of them people chose "B? https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
upvoted 1 times
DatITGuyTho1337
1 year, 6 months ago
Found this article that proves that if there is no forward untrust cert designated, the firewall is forced to use the designated forward trust certificate. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NGkCAM&lang=en_US
upvoted 4 times
...
...
...
TAKUM1y
2 years, 9 months ago
Selected Answer: B
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
upvoted 3 times
...
AbuHussain
3 years, 3 months ago
Selected Answer: B
It's B
upvoted 3 times
...
Jared28
3 years, 3 months ago
Selected Answer: B
It's B, I lab tested it. See the below reference, for those of you confused like I was, it says the untrust is required but apparently it's not (the comments here made me test it): https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-forward-proxy.html "After setting up the Forward Trust and Forward Untrust certificates required for SSL Forward Proxy decryption..."
upvoted 3 times
...
GivemeMoney
3 years, 6 months ago
Selected Answer: B
B, Usage has forward trust certificate.
upvoted 3 times
...
zicouille
3 years, 6 months ago
It's B, as there is no untrust set on properties
upvoted 2 times
...
alanouaro
3 years, 6 months ago
Option A Additionally, set up a Forward Untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html
upvoted 2 times
...
Micutzu
3 years, 7 months ago
Since Forward Trust Certificate isn't configured, then the Forward Trust Certificate will be used also for untrusted webserver. Answer should be B. Forward-Trust-Certificate
upvoted 3 times
...
Marcyy
3 years, 7 months ago
This is not a good question. It isn't configured properly as there is no Untrusted Forward ticked. Does anyone know how to answer this?
upvoted 5 times
Breyarg
3 years, 6 months ago
yes its B. and unfortunately seen this in production more than once.
upvoted 4 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel