
Exam PCNSE topic 1 question 179 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 179
Topic #: 1

An engineer is planning an SSL decryption implementation.
Which of the following statements is a best practice for SSL decryption?

  • A. Obtain an enterprise CA-signed certificate for the Forward Trust certificate.
  • B. Use an enterprise CA-signed certificate for the Forward Untrust certificate.
  • C. Use the same Forward Trust certificate on all firewalls in the network.
  • D. Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate.
Suggested Answer: A

Comments

de7cdfd
2 weeks, 5 days ago
Selected Answer: A
bad question
upvoted 1 times
Marshpillowz
5 months, 3 weeks ago
Selected Answer: A
A is correct
upvoted 1 times
Chiquitabandita
5 months, 3 weeks ago
I agree it should be A, but why is C wrong? Once you add it to the certificate profile, I would think admins would use it on all of their firewalls in their domain?
upvoted 1 times
Pacheco
5 months, 1 week ago
There's a doc somewhere out there that states the best practice is something along the lines of "you could use the same enterprise or self-signed root CA cert for all firewalls, but definitely should use it to generate a specific intermediate CA for each firewall, because if you use the same ones for all of them and something happens and you need to change CAs for your forward trust cert, you're gonna have to change it in all firewalls. If you use an intermediate CA for each firewall, signed by the root CA, and something happens on one of your firewalls, you just need to change the intermediate CA cert <<<for that firewall only>>>"
upvoted 1 times
joquin0020
9 months, 4 weeks ago
Selected Answer: B
I don't understand the answers, which is better, 'to Use' or 'to Obtain'? What a confusing question.
upvoted 2 times
DatITGuyTho1337
6 months, 3 weeks ago
You obtain certificates to use them.
upvoted 1 times
lol12
1 year, 8 months ago
Selected Answer: A
A https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
upvoted 3 times
TAKUM1y
1 year, 9 months ago
Selected Answer: A
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
upvoted 4 times
UFanat
2 years ago
Selected Answer: A
A. It's better to use an enterprise CA-signed cert.
upvoted 3 times
alanouaro
2 years, 6 months ago
Option A (Best Practice) Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the Enterprise CA (it is usually already installed in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints, so the rollout process is smoother. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html
upvoted 4 times
Plato22
2 years, 7 months ago
A is correct. Just tried on my lab Palo Alto.
upvoted 1 times
homersimpson
2 years, 6 months ago
Yes, it's A. The cert needs to be a CA so it can create certs for each website visited, and the cert needs to be enterprise-CA-signed so that Windows clients will trust the certs created.
upvoted 1 times
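Added example (not from this thread or from Palo Alto Networks documentation) of the hierarchy Pacheco and homersimpson describe: one enterprise root CA, a separate CA-capable Forward Trust certificate issued to each firewall, and a site certificate re-signed by one firewall, so the client's chain check succeeds only through that firewall's intermediate. It assumes the openssl CLI is installed; the firewall names, subjects and lifetimes are placeholders.

```shell
# Constructed demo: enterprise root CA -> one CA-capable Forward Trust cert per
# firewall -> a site cert re-signed by one firewall. Names are placeholders.
WORK="${WORK:-$(mktemp -d)}"
# Extension profiles: root and per-firewall certs must be CAs (the firewall
# signs a cert per visited site); the re-signed site cert must not be a CA.
write_ext_profiles() {
  cat > "$WORK/ext.cnf" <<'EOF'
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[fw_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[site]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}
# make_key_csr <name> <subject>: fresh RSA key and CSR for <name>
make_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}
# sign <name> <issuer> <ext_section> <days>: issue <name>.crt from <issuer>
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$4" -extfile "$WORK/ext.cnf" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}
build_pki() {
  write_ext_profiles
  make_key_csr root "/O=Example Corp/CN=Example Corp Enterprise Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ext.cnf" -extensions root_ca -out "$WORK/root.crt" 2>/dev/null
  for fw in fw-branch1 fw-branch2; do   # one Forward Trust intermediate per firewall
    make_key_csr "$fw" "/O=Example Corp/CN=Forward Trust CA $fw"
    sign "$fw" root fw_ca 1095
  done
  make_key_csr site "/CN=www.example.com"  # the cert fw-branch1 hands the client
  sign site fw-branch1 site 1
}
# verify_chain <fw>: succeeds only if site.crt chains to the root via <fw>
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$1.crt" \
    "$WORK/site.crt" >/dev/null 2>&1
}
```

Replacing fw-branch1's intermediate touches only that firewall; every other firewall keeps issuing under the same root, which is the point of option A over option C.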
Community vote distribution
A (35%)
C (25%)
B (20%)
Other