Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 370
A company requires the firewall to block expired certificates issued by internet-hosted websites. The company plans to implement decryption in the future, but it does not perform SSL Forward Proxy decryption at this time.
Without the use of SSL Forward Proxy decryption, how is the firewall still able to identify and block expired certificates issued by internet-hosted websites?
Answer options
- A. By having a Certificate profile that contains the website's Root CA assigned to the respective Security policy rule
- B. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication and the server/client session keys in order to validate a certificate's authenticity and expiration
- C. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication in order to validate a certificate's authenticity and expiration
- D. By having a Decryption profile that blocks sessions with expired certificates in the No Decryption section and assigning it to a No Decrypt policy rule
Correct answer: D
Explanation
The correct answer is D because it describes a Decryption profile whose No Decryption settings block sessions with expired certificates, applied to a No Decrypt policy rule, so the firewall enforces the check without decrypting the traffic. Options B and C depend on SSL Forward Proxy, which is not in use and therefore cannot be relied upon for certificate validation in this scenario; option A does not provide this check either.