Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 343
A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.
Which certificate is the best choice to configure as an SSL Forward Trust certificate?
Answer options
- A. A Machine Certificate for the firewall signed by the organization’s PKI
- B. A web server certificate signed by the organization’s PKI
- C. A subordinate Certificate Authority certificate signed by the organization’s PKI
- D. A self-signed Certificate Authority certificate generated by the firewall
Correct answer: C
Explanation
The correct answer is C. A subordinate Certificate Authority certificate signed by the organization’s PKI allows the firewall to act as a trusted entity for decrypting SSL traffic: the firewall can sign certificates for the sites users visit, and clients that already trust the organization’s PKI accept them. Option A is incorrect because a Machine Certificate is not a CA certificate and is not suitable for this purpose. Option B is not appropriate because a web server certificate does not provide the necessary trust for SSL traffic inspection. Option D is wrong because a self-signed CA certificate generated by the firewall lacks the required trust from the organization’s PKI.