Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.
D is correct. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK
Under the first diagram we have "In Forward-Proxy mode, PAN-OS will intercept the SSL traffic which is matching the policy and will be acting as a proxy (MITM) generating a new certificate for the accessed URL. This new certificate will be presented during SSL Handshake to the Client accessing website with SSL. This certificate will be signed with the self-signed CA certificate or another certificate specified as:"
C - only choice with subordinate cert, can be either from org's PKI or self-signed.
Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall.
Correct answer is C
You'll need some kind of trusted CA certificate to generate a server certificate that you present to internal clients for each website
D is correct
Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
Answer D:
The firewall can use certificates signed by an enterprise certificate authority (CA) or self-signed certificates generated on the firewall as Forward Trust certificates to authenticate the SSL session with the client.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
While you can use self-signed certificate, the "BEST" choice is C.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
(Best Practice
) Enterprise CA-signed Certificates
—An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites that require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the enterprise CA (it is usually already installed in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints, so the rollout process is smoother.
This section is not available anymore. Please use the main Exam Page.PCNSE Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
bearfromdownunder
Highly Voted 1 year, 9 months agoMarshpillowz
Most Recent 9 months agoKaifus
9 months, 4 weeks agobrian7857ffs45
11 months, 1 week agolildevil
1 year, 4 months agoMarbot
1 year, 8 months agoMarbot
1 year, 8 months agoTheIronSheik
1 year, 8 months agodjedeen
1 year, 9 months agoevdw
1 year, 10 months agoMaryamk
1 year, 10 months agoExamQnA
1 year, 10 months agoShoieb
1 year, 10 months agoKaspinas
1 year, 10 months agoConfuzedOne
1 year, 5 months ago[Removed]
1 year, 10 months ago