ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 428 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 428
Topic #: 1
[All PCNSE Questions]

An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025.

The validity date on the PA-generated certificate is taken from what?

  • A. The root CA
  • B. The untrusted certificate
  • C. The server certificate
  • D. The trusted certificate
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by mz101 at Nov. 28, 2022, 6:40 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
findkeywordcommand
4 months ago
Selected Answer: C
You can test this by generating a forward trust cert on the PA that is valid for 5 years and then visit a random website and check the validity of the certificate. (decryption enabled) It has the CN of your forward trust cert and the validity of the site you're visiting (server certificate)
upvoted 2 times
...
Jared28
4 months, 3 weeks ago
Selected Answer: C
Although I agree with C, I think the wording on D is tricky. For the forward trust to show it to you it would be a showing you the expiration on "the trusted certificate", but "the trusted certificate" would also be "the server certificate"
upvoted 2 times
...
Marshpillowz
5 months, 3 weeks ago
Selected Answer: C
C is correct
upvoted 1 times
...
alinio11
9 months, 4 weeks ago
The correct answer is C. I've tested in my lab.
upvoted 1 times
...
sujss
1 year, 2 months ago
Selected Answer: C
C would make most sense as the Firewall proxies the traffic and kind of impersonate the Server, and would expect to present the same expiry date for the cert.
upvoted 1 times
...
djedeen
1 year, 6 months ago
Selected Answer: C
C, per Shoeib's link.
upvoted 1 times
...
Shoieb
1 year, 7 months ago
Selected Answer: C
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8wCAC "The validity date on the Palo Alto Networks firewall generated certificate is taken from the validity date on the real server certificate."
upvoted 4 times
...
mz101
1 year, 7 months ago
Should be C Copied from the destination server.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago