Exam PCNSE topic 1 question 248 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 248
Topic #: 1

While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

  • A. show system setting ssl-decrypt certs
  • B. show system setting ssl-decrypt certificate
  • C. debug dataplane show ssl-decrypt ssl-stats
  • D. show system setting ssl-decrypt certificate-cache
Suggested Answer: D 🗳️

Comments

ConfuzedOne
Highly Voted 1 year, 7 months ago
Selected Answer: D
Read the question - "end entity certificate". Now run the various command options on your firewall.
Answer A is invalid syntax.
Answer B shows you your Certificates installed on your Palo; not end-entity certificates.
Answer C shows you some various hit counters.
Answer D shows you certificate details from "end entities".
upvoted 7 times
...
UFanat
Highly Voted 2 years, 7 months ago
Selected Answer: B
> show system setting ssl-decrypt certificate
Certificates for Global

SSL Decryption CERT
global trusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 200502004326Z -- 300502005326Z
cert pki 1
subject: NAME
issuer: NAME
serial number(16)
60 c9 5......".
rsa key size 4096 bits siglen 512 bytes
basic constraints extension CA 1

global untrusted
ssl-decryption x509 certificate
version 2
cert algorithm 4
valid 200221032Z -- 220500032Z
cert pki 1
subject: untrust.xxx.net
issuer: untrust.xxx.net
serial number(9)
00 b8 db 95 e3 b0 f9 ........ .
rsa key size 2048 bits siglen 256 bytes
basic constraints extension CA 1

NO INBOUND CERT

> show system setting ssl-decrypt certificate-cache
Cached 0 certificates
upvoted 6 times
...
apiloran
Most Recent 3 months, 3 weeks ago
Selected Answer: D
> show system setting ssl-decrypt certificate-cache
upvoted 1 times
...
kacper_n99
8 months, 1 week ago
Selected Answer: D
Checked in the lab.
upvoted 1 times
...
Eluis007
9 months, 1 week ago
Selected Answer: D
Checked in the lab
upvoted 1 times
...
Whizdhum
1 year, 1 month ago
Selected Answer: D
Answer is D. The cache space is limited, so you will only see recent certificates cached if you have a busy firewall. But the certificates in that certificate cache are placed there when the firewall retrieves the certificate for a traffic flow that matches an SSL Forward Proxy decryption policy. Note that the end-entity certificate is the final link in the chain of trust.
upvoted 2 times
...
nguyendtv50
1 year, 7 months ago
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK
upvoted 1 times
...
tomsui44
1 year, 8 months ago
Selected Answer: B
B. show system setting ssl-decrypt certificate
upvoted 1 times
...
DenskyDen
1 year, 12 months ago
B. just tested it.
upvoted 1 times
...
TAKUM1y
2 years, 2 months ago
Selected Answer: B
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK
upvoted 2 times
...
ManKing36
2 years, 8 months ago
Selected Answer: D
Verified in lab - correct answer should be D
upvoted 1 times
UFanat
2 years, 7 months ago
No, it's wrong.
> show system setting ssl-decrypt certificate-cache
Cached 0 certificates
upvoted 1 times
...
...
shinichi_88
2 years, 11 months ago
B should be correct
upvoted 2 times
...