Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 357

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA.

Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

Answer options

• A. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
• B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
• C. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
• D. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.

Correct answer: B

Explanation

The correct answer is B because a CA certificate for Forward Trust is needed to establish a chain of trust, while a self-signed CA for Forward Untrust is appropriate as it does not need to be trusted by other devices. The other options either create unnecessary additional certificates or do not align with best practices for trust and untrust scenarios.