I agree it should be A, but why is C wrong? Once you add it to the certificate profile, I would think admins would use it on all of their firewalls in their domain?
There's a doc somewhere out there that states the best practice is something along the lines of "you could use the same enterprise or self-signed root CA cert for all firewalls, but definitely should use it to generate a specific intermediate CA for each firewall, because if you use the same ones for all of them and something happens and you need to change CAs for your forward trust cert, you're gonna have to change it in all firewalls. If you use an intermediate CA for each firewall, signed by the root CA, and something happens on one of your firewalls, you just need to change the intermediate CA cert <<<for that firewall only>>>."
Option A
(Best Practice) Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the Enterprise CA (it is usually already installed in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints, so the rollout process is smoother.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html
Yes, it's A. The cert needs to be a CA so it can create certs for each website visited, and the cert needs to be enterprise-CA-signed so that Windows clients will trust the certs created.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters:
Marshpillowz (8 months, 1 week ago)
Chiquitabandita (8 months, 1 week ago)
Pacheco (7 months, 3 weeks ago)
joquin0020 (1 year ago)
DatITGuyTho1337 (9 months, 1 week ago)
lol12 (1 year, 11 months ago)
TAKUM1y (1 year, 11 months ago)
UFanat (2 years, 3 months ago)
alanouaro (2 years, 9 months ago)
Plato22 (2 years, 9 months ago)
homersimpson (2 years, 9 months ago)