Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 279
SSL Forward Proxy decryption is configured, but the firewall re-signs the certificate for https://www.very-important-website.com/ with Untrusted-CA, so end-users receive the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com/ website
2. End-users should get the warning for any other untrusted website
Which approach meets the two customer requirements?
Answer options
- A. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration
- B. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores
- C. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
- D. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration
Correct answer: C
Explanation
The correct answer is C. With SSL Forward Proxy it is the firewall, not the browser, that validates the original server certificate chain, and it does so against its own trust store. Well-Known-Root-CA is not in that store, so validation fails and the firewall re-signs the site certificate with its Forward Untrust certificate (Untrusted-CA), which the browsers do not trust; that is the warning the users see. Importing Well-Known-Intermediate-CA and Well-Known-Root-CA under Device > Certificate Management > Certificates > Device Certificates and selecting Trusted Root CA makes the firewall trust that chain, so after the commit it re-signs https://www.very-important-website.com/ with the Forward Trust certificate and the warning disappears (requirement 1), while any other site whose chain still fails validation is signed with Untrusted-CA and keeps the warning (requirement 2). Strictly, only the root needs the Trusted Root CA flag; importing the intermediate as well lets validation succeed even when a server omits it from its handshake. The question also implies that the Forward Trust CA is already installed in the end-users' trust stores; otherwise every decrypted site would warn.

Option A only changes which certificate the firewall uses for sites it does not trust; it does nothing to make the firewall trust the Well-Known chain, and without a Forward Untrust certificate the firewall falls back to the Forward Trust certificate for untrusted sites, which removes the warning everywhere and violates requirement 2. Option B installs the CAs in the wrong place: with decryption enabled the browser never sees the original chain, only the certificate the firewall issued and signed with Untrusted-CA, so trusting Well-Known-Root-CA on the endpoints has no effect. Option D names the wrong location: Default Trusted Certificate Authorities is the read-only list of CAs shipped with PAN-OS, whose entries can be enabled or disabled but not added to by import.
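The trust decision described above, as an added example that is not part of the question page and is not PAN-OS code: a POSIX shell script that builds a constructed toy PKI with the openssl command line tool (the file names, CA names and helper functions are this example's own assumptions) and shows that the site's chain only validates, and so would only be re-signed with the Forward Trust CA, once Well-Known-Root-CA is in the firewall's own store, while a self-signed site still fails afterwards.

```shell
#!/bin/sh
# Added example, not part of the PCNSE question or of any Palo Alto Networks code.
# It rebuilds the decision an SSL Forward Proxy makes, using a constructed toy PKI:
# the firewall validates the ORIGINAL server chain against ITS OWN trust store,
# re-signs a valid chain with the Forward Trust CA and anything else with the
# Forward Untrust CA (Untrusted-CA in the question). File names, CA names and the
# helper functions are this example's own assumptions.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# issue_cert NAME SUBJECT EXTFILE [ISSUER]: RSA key + CSR + X.509 cert; self-signed when no ISSUER.
issue_cert() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
            -extfile "$ext" -out "$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
            -CAcreateserial -days 2 -extfile "$ext" -out "$name.crt" 2>/dev/null
    fi
}

# Constructed chain mirroring the question: Well-Known-Root-CA -> Well-Known-Intermediate -> site.
issue_cert wkroot "/CN=Well-Known-Root-CA" ca.ext
issue_cert wkint  "/CN=Well-Known-Intermediate" ca.ext wkroot
issue_cert site   "/CN=www.very-important-website.com" leaf.ext wkint
# A public root the firewall already ships with, and a self-signed site nobody trusts.
issue_cert pubroot "/CN=Some-Public-Root-CA" ca.ext
issue_cert badsite "/CN=self-signed.example" leaf.ext

# Firewall trust store before and after option C: importing the chain into Device
# Certificates and marking it Trusted Root CA adds it to what the firewall validates against.
cp pubroot.crt fw_store_default.pem
cat pubroot.crt wkroot.crt > fw_store_after_import.pem

# proxy_signing_ca STORE LEAF [INTERMEDIATE]: prints which CA the proxy would re-sign with.
# -untrusted carries the intermediate the server sends in its handshake; -no-CAfile and
# -no-CApath keep this host's own CA bundle out of it, as the firewall uses only its own store.
proxy_signing_ca() {
    store=$1; leaf=$2; chain=${3:-$2}
    if openssl verify -no-CAfile -no-CApath -CAfile "$store" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
        echo forward-trust      # browser receives a cert from the Forward Trust CA: no warning
    else
        echo forward-untrust    # browser receives a cert from Untrusted-CA: warning
    fi
}

echo "very-important-website, default store: $(proxy_signing_ca fw_store_default.pem site.crt wkint.crt)"
echo "very-important-website, after import:  $(proxy_signing_ca fw_store_after_import.pem site.crt wkint.crt)"
echo "self-signed site, after import:        $(proxy_signing_ca fw_store_after_import.pem badsite.crt)"
```

The script needs only the openssl CLI and no network access. The three checks map onto the question in order: the site fails against the default store (Untrusted-CA, warning), passes once Well-Known-Root-CA is imported and trusted (Forward Trust CA, no warning), and an unrelated self-signed site still fails afterwards, which is requirement 2. To examine what a real client behind the firewall is handed, run `openssl s_client -connect host:443 -servername host` from inside the decryption path and compare the issuer of the presented certificate with the issuer seen from outside it.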