Palo Alto Networks NGFW Engineer — Question 67

A company is enabling SSL Forward Proxy to inspect encrypted traffic. A security engineer generates a new certificate on the firewall and flags it with the "Forward Trust" certificate property.

What is the critical next step that must be performed for decryption to function correctly without causing security warnings for end users?

Answer options

• A. Set the forward trust certificate as the SSL/TLS Service profile for the management interface.
• B. Create a Security policy rule that allows traffic from the certificate of the firewall to all the zones.
• C. Import the private key of the forward trust certificate onto the domain controller.
• D. Install the public portion of the forward trust certificate into the trust store of all client machines.

Correct answer: D

Explanation

The correct action is to install the public portion of the forward trust certificate into the trust store of all client machines (Option D) so that they trust the certificate and do not receive warnings. Options A, B, and C do not address the client-side trust issue and would not resolve the security warnings for users trying to access decrypted content.