PCNSE Question #350: Real Exam Question with Answer & Explanation
The correct answer is A: Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
Question
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
Options
- A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate
- B. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate
- C. Use an enterprise CA-signed certificate for the Forward Untrust certificate
- D. Use the same Forward Trust certificate on all firewalls in the network
Explanation
Enterprise CA-signed certificates: An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites that require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the enterprise CA (it is usually already installed in the devices’ CA trust store), so you don’t need to deploy the certificate on the endpoints and the rollout process is smoother. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-