Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 438

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.

What is the best choice for an SSL Forward Untrust certificate?

Answer options

• A. A self-signed certificate generated on the firewall
• B. A web server certificate signed by the organization’s PKI
• C. A web server certificate signed by an external Certificate Authority
• D. A subordinate Certificate Authority certificate signed by the organization’s PKI

Correct answer: A

Explanation

The correct answer is A because a self-signed certificate generated on the firewall allows for the inspection of SSL traffic while presenting a warning for untrusted certificates. Options B and D involve certificates that would not trigger an untrusted warning since they are trusted by the organization’s PKI, while option C involves an external CA which would not fit the requirement of providing an untrusted warning.