Exam PCNSE topic 1 question 307 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 307
Topic #: 1

SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/ website
2. End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?

  • A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration
  • B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores
  • C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
  • D. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
Suggested Answer: C

Comments

McDrudge
Highly Voted 1 year ago
Selected Answer: C
A: Fixes requirement 1 but doesn't meet requirement 2.
B: Wouldn't fix the issue, as the firewall would still be exposing the forward trust cert to the users (signed by FW or enterprise PKI).
C: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-certificate-management-certificates/manage-default-trusted-certificate-authorities
D: No such method to import certs exists.
upvoted 8 times
...
McMarius11
Most Recent 3 months, 2 weeks ago
Selected Answer: C
C is correct!
upvoted 1 times
...
droide
11 months ago
Selected Answer: C
See McDrudge's answer, and for D: you cannot import a certificate in the "Default Trusted Certificate Authorities", only enable, disable and "export certificate".
upvoted 2 times
...
aatechler
1 year ago
Selected Answer: C
I think C since there is no import option under Default Trusted Certificate Authorities.
upvoted 2 times
...
dogeatdog
1 year, 1 month ago
C. The option to import is not available in the
upvoted 1 times
...
megretz
1 year, 1 month ago
Selected Answer: D
D, because the firewall is giving an untrusted cert as it doesn't trust the cert presented to it.
upvoted 2 times
Pochex
7 months, 2 weeks ago
From Default Trusted Certificate Authorities you cannot import a cert; D is not correct.
upvoted 1 times
...
...
confusion
1 year, 2 months ago
Selected Answer: C
C. If you imported + trusted, users shall not receive the browser pop-up any more, whilst still getting the warning for other untrusted sites.
upvoted 2 times
...
mysteryzjoker
1 year, 2 months ago
I think C. Cannot see an option to import certs to the default trusted certs, only on the device certs
upvoted 2 times
...
Alquicerm
1 year, 2 months ago
I think that it's option D
upvoted 1 times
...