NGFW-ENGINEER Question #124: Real Exam Question with Answer & Explanation
The correct answer is D.
Question
An administrator enables SSL Forward Proxy decryption using a self-signed certificate on a Palo Alto Networks firewall as the forward trust certificate. Shortly after, users report receiving "Your connection is not private" browser errors for all external websites. What is the most likely cause of these widespread certificate errors?
Options
- A. The decryption policy is configured with a "no-decrypt" action, which causes browsers to reject the
- B. The external websites are using TLS 1.3, which cannot be decrypted by the firewall without a
- C. The firewall's forward untrust certificate has expired, preventing it from identifying untrusted sites.
- D. The firewall's self-signed CA certificate is not deployed to the trusted certificate store on client
Explanation
SSL Forward Proxy relies on the firewall acting as a trusted certificate authority. If the self-signed forward trust certificate is not installed in the trusted root certificate store of client devices, browsers will not trust the certificates generated by the firewall, resulting in widespread "connection not private" warnings for all decrypted HTTPS sites.