Palo Alto Networks Certified Network Security Consultant (PCNSC) — Question 9

SSL Forward Proxy decryption is enabled on the firewall. When clients use Chrome to browse to HTTPS sites, the firewall returns the Forward Trust certificate, even when accessing websites with invalid certificates. The clients need to be presented with a browser warning error with the option to proceed to websites with invalid certificates.
Which two options will satisfy this requirement? (Choose two.)

Answer options

• A. Create a PKI signed Forward Untrust enabled certificate.
• B. Create a self-signed Forward Untrust enabled certificate.
• C. Create a Decryption Profile with the “Block sessions with expired certificates” option enabled.
• D. Remove the Forward Untrust option from the Forward Trust certificate.

Correct answer: B, D

Explanation

Option B is correct because a self-signed Forward Untrust certificate will allow the browser to generate a warning for invalid certificates. Option D is also correct as removing the Forward Untrust option from the Forward Trust certificate prevents the forwarding of trust in cases of invalid certificates. Options A and C do not fulfill the requirement of generating a warning for invalid certificates.