Exam PCNSE topic 1 question 393 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 393
Topic #: 1

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

  • A. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
  • B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
  • C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
  • D. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.
Suggested Answer: B
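The point behind the suggested answer, as an added example that is not from the exam page or from Palo Alto Networks: a toy enterprise PKI built with openssl shows that a client holding only the distributed Root and Intermediate CA accepts a Forward Trust CA that is subordinate to that chain and rejects a self-signed Forward Untrust CA, while an Untrust CA signed by the enterprise Intermediate (answer A) would be accepted without any warning. All names, files and the `client_trusts` check are constructed for this illustration.

```shell
#!/bin/sh
# Added example, constructed for this discussion (not from the exam page or PAN-OS):
# build a toy enterprise PKI with openssl and check which Forward Proxy CA a client
# that trusts only the distributed Enterprise Root/Intermediate CA would accept.
set -eu
W="$(mktemp -d)"
# v3 extensions marking a certificate as a CA (openssl verify rejects chains through non-CA certs)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"

# self-signed CA: $1 = file prefix, $2 = subject CN
selfsigned_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 365 -sha256 \
    -extfile "$W/ca.ext" -out "$W/$1.crt" 2>/dev/null
}
# subordinate CA: $1 = file prefix, $2 = subject CN, $3 = issuer prefix
subordinate_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$3.crt" -CAkey "$W/$3.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$W/ca.ext" -out "$W/$1.crt" 2>/dev/null
}
# Would a client whose trust store holds only the Enterprise Root CA (with the
# Intermediate available as an untrusted chain cert) accept certificate $1?
client_trusts() {
  if openssl verify -CAfile "$W/root.crt" -untrusted "$W/inter.crt" "$W/$1.crt" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

# Enterprise chain, as pushed to endpoints by Group Policy / GlobalProtect
selfsigned_ca  root  "Example Enterprise Root CA"
subordinate_ca inter "Example Enterprise Intermediate CA" root
# Answer B: Forward Trust is a subordinate of the enterprise chain,
# Forward Untrust is a self-signed CA generated on the firewall
subordinate_ca fwd_trust   "Firewall Forward Trust CA" inter
selfsigned_ca  fwd_untrust "Firewall Forward Untrust CA"
# Answer A for comparison: an Untrust CA also signed by the enterprise Intermediate
subordinate_ca fwd_untrust_a "Firewall Forward Untrust CA (enterprise-signed)" inter

echo "Forward Trust,   answer B: $(client_trusts fwd_trust)"     # trusted
echo "Forward Untrust, answer B: $(client_trusts fwd_untrust)"   # untrusted: browser warning, as intended
echo "Forward Untrust, answer A: $(client_trusts fwd_untrust_a)" # trusted: the warning for untrusted sites disappears
```

The last line is the failure mode the discussion below warns about: if the Forward Untrust CA chains to the enterprise PKI, endpoints silently accept the firewall's re-signed certificate for sites whose original certificate was invalid.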

Comments

evdw
Highly Voted 1 year, 10 months ago
Selected Answer: B
Correct answer is B. The idea is that clients will trust the TRUST CERTIFICATE (signed by the company CA) and do not trust the UNTRUST CERTIFICATE (self-signed).
upvoted 5 times
Jared28
Most Recent 8 months, 1 week ago
Selected Answer: B
B is the best answer, but shouldn't it be a subordinate CA cert from the Enterprise PKI for the forward trust? I guess in stating that it's a CA cert, it's assumed it must be a subordinate if the Enterprise PKI is used.
upvoted 2 times
Marshpillowz
9 months, 1 week ago
Selected Answer: B
B appears to be correct
upvoted 1 times
JRKhan
9 months, 3 weeks ago
Selected Answer: B
B is logical. You don't want to sign the untrust certificate with an enterprise CA which all end user devices will inherently trust.
upvoted 1 times
Sammy3637
10 months, 3 weeks ago
Selected Answer: B
B seems more logical
upvoted 1 times
dorf05
11 months, 3 weeks ago
Selected Answer: C
As long as the subordinate certificate is not exported to the CTL of the device(s), a single subordinate certificate is sufficient for a firewall. This would reduce resource use and prevent errors occurring as a result of managing two separate subordinate certificates.
upvoted 1 times
Frightened_Acrobat
1 year, 8 months ago
Answer B. Cannot be A because you don't want clients to trust the untrust certificate. If you use a subordinate certificate of the Enterprise CA that is installed on all clients, it is by definition still trusted even if you designated that certificate as the forward untrust. The forward untrust certificate should always be self-signed for this reason.
upvoted 1 times
mic_mic
1 year, 9 months ago
Selected Answer: B
Answer B: Generate a CA certificate for Forward Trust (step 2) and a self-signed CA for Forward Untrust (step 4). https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
upvoted 2 times
Sarbi
1 year, 10 months ago
The answer is A. We can generate one for forward trust and one for forward untrust.
upvoted 1 times
DenskyDen
1 year, 9 months ago
A is wrong. The document mentioned that "Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall." Since the question is about both forward trust and untrust, it should be the best practice to generate a CA certificate, i.e. B. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other