Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 353

An engineer is configuring SSL Inbound Inspection for public access to a company’s application.

Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?

Answer options

• A. Intermediate CA(s) and End-entity certificate
• B. Root CA and Intermediate CA(s)
• C. Self-signed certificate with exportable private key
• D. Self-signed CA and End-entity certificate

Correct answer: A

Explanation

The correct answer is A, as both the Intermediate CA(s) and the End-entity certificate are necessary for the firewall to validate the SSL connections properly. Option B is incorrect because the Root CA alone is not sufficient for inspection. Options C and D are wrong because self-signed certificates do not establish trust in the same way as certificates issued by a recognized CA.