A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones.
The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
A. A web server certificate signed by the organization's PKI
B. A self-signed certificate generated on the firewall
C. A subordinate Certificate Authority certificate signed by the organization's PKI
D. A web server certificate signed by an external Certificate Authority
Answer: B
Explanation:
B is the best choice for an SSL Forward Untrust certificate because a self-signed certificate generated on the firewall is not trusted by any client browser by default [1]. In SSL Forward Proxy the firewall first validates the server's certificate against its own trust store and then generates an impersonation certificate for the client side of the session: if the server certificate is valid, the firewall signs the impersonation certificate with the Forward Trust CA; if the server certificate is expired, self-signed, revoked or issued by a CA the firewall does not trust, it signs with the Forward Untrust CA instead [2]. Because the self-signed Forward Untrust CA is deliberately never deployed to endpoints, the client cannot build a chain to a trusted root and displays an untrusted certificate warning, so the user sees the same risk indication they would have seen without decryption. The Forward Untrust certificate must carry the CA attribute so that the firewall can sign impersonation certificates with it; the self-signed CA generated on the firewall meets that requirement.
A web server certificate signed by the organization's PKI (A) or a subordinate Certificate Authority certificate signed by the organization's PKI (C) are not good choices for an SSL Forward Untrust certificate because client browsers that have the organization's root CA installed trust anything that chains to it [1]. If the firewall observes an invalid or untrusted server certificate and signs the impersonation certificate with such a certificate, the client validates it without a warning [2], silently hiding the problem and defeating the purpose of the Forward Untrust certificate. A web server certificate (A) additionally lacks the CA attribute and cannot be used to sign impersonation certificates at all.
A web server certificate signed by an external Certificate Authority (D) is not a good choice for an SSL Forward Untrust certificate because it chains to a public root present in most browser trust stores [1] and, like option A, is not a CA certificate. Even if it could be used as a signer, the resulting impersonation certificate would not trigger an untrusted certificate warning [2], so the security admin could not ensure that users are aware of the risk when accessing HTTPS sites with untrusted certificates.
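The following is an added example, not code from the page or from Palo Alto Networks. It models the decision described above: the firewall validates the server certificate against its own trust store, re-signs the session with the Forward Trust CA when the server certificate is valid and with the Forward Untrust CA when it is not, and the browser then validates whatever the firewall presents against the endpoint trust store. The PKI is abstracted to subject/issuer links plus the CA attribute (no real signatures, validity periods or revocation), and every certificate name is constructed for the example. Running it against the four answer options shows that only a self-signed CA held solely by the firewall (B) produces a warning for a bad upstream certificate; the organization's subordinate CA (C) makes the warning disappear, and the two web server certificates (A, D) cannot sign at all.

```python
"""Model of how SSL Forward Proxy picks the Forward Trust or Forward Untrust CA
and what the client then sees.

Added example, not code from the page or from Palo Alto Networks. The PKI is
abstracted: a certificate counts as issued by `issuer` when a CA certificate
with that subject is reachable through the presented chain or the validator's
trust store. Signature checks, validity periods, revocation and name
constraints are out of scope. All names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # subject of the signer; equals subject when self-signed
    is_ca: bool = False    # the "Certificate Authority" attribute

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def chain_validates(leaf: Cert, chain: list, trust_store: dict) -> bool:
    """Walk issuer links from `leaf` until a CA in `trust_store` signs it.

    `chain` holds the intermediates the peer sent; `trust_store` maps subject
    to a trusted CA certificate. A self-signed certificate that is merely sent
    in the chain is not an anchor.
    """
    by_subject = {c.subject: c for c in chain}
    current, seen = leaf, set()
    while current.subject not in seen:
        seen.add(current.subject)
        anchor = trust_store.get(current.issuer)
        if anchor is not None and anchor.is_ca:
            return True
        nxt = by_subject.get(current.issuer)
        if nxt is None or not nxt.is_ca or nxt.self_signed:
            return False
        current = nxt
    return False  # issuer loop


def forward_proxy(server_leaf, server_chain, fw_trust_store,
                  forward_trust_ca, forward_untrust_ca):
    """Return (impersonation certificate, signing CA) for the client-side session."""
    for ca in (forward_trust_ca, forward_untrust_ca):
        if not ca.is_ca:
            raise ValueError(f"{ca.subject}: Forward Trust/Untrust certificate must be a CA")
    server_ok = chain_validates(server_leaf, server_chain, fw_trust_store)
    signer = forward_trust_ca if server_ok else forward_untrust_ca
    return Cert(subject=server_leaf.subject, issuer=signer.subject), signer


# --- constructed PKI -----------------------------------------------------------
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", is_ca=True)
ORG_ROOT = Cert("Example Corp Root CA", "Example Corp Root CA", is_ca=True)
ORG_SUB_CA = Cert("Example Corp Issuing CA", "Example Corp Root CA", is_ca=True)
FW_SELF_SIGNED_CA = Cert("PA-FW Forward Untrust CA", "PA-FW Forward Untrust CA", is_ca=True)

# Firewall and endpoints both trust the public root and the organization's root;
# nobody has the firewall's self-signed CA installed.
FW_TRUST_STORE = {c.subject: c for c in (PUBLIC_ROOT, ORG_ROOT)}
CLIENT_TRUST_STORE = {c.subject: c for c in (PUBLIC_ROOT, ORG_ROOT)}

GOOD_SERVER = Cert("good.example.net", "Public Root CA")
BAD_SERVER = Cert("bad.example.net", "bad.example.net")   # self-signed: untrusted upstream

# The four answer options as candidate Forward Untrust certificates.
OPTIONS = {
    "A": Cert("fw.example.com", "Example Corp Issuing CA"),   # web server cert, org PKI
    "B": FW_SELF_SIGNED_CA,                                    # self-signed CA on the firewall
    "C": ORG_SUB_CA,                                           # sub CA signed by org PKI
    "D": Cert("fw.example.com", "Public Root CA"),             # web server cert, external CA
}


def client_outcome(untrust_candidate: Cert, server_leaf: Cert, server_chain: list) -> str:
    """What the browser sees after the firewall re-signs the connection."""
    try:
        imp_cert, signer = forward_proxy(server_leaf, server_chain, FW_TRUST_STORE,
                                         forward_trust_ca=ORG_SUB_CA,
                                         forward_untrust_ca=untrust_candidate)
    except ValueError:
        return "rejected: not a CA certificate"
    # The firewall presents the impersonation cert plus its signing CA as the chain.
    trusted = chain_validates(imp_cert, [signer], CLIENT_TRUST_STORE)
    return "no warning" if trusted else "untrusted certificate warning"


def evaluate_options() -> dict:
    """Outcome of each answer option when the upstream certificate is untrusted."""
    return {opt: client_outcome(c, BAD_SERVER, []) for opt, c in OPTIONS.items()}


if __name__ == "__main__":
    for opt, result in evaluate_options().items():
        print(f"{opt}: {result}")
    # A valid upstream certificate is re-signed by the Forward Trust CA and passes silently.
    print("good site:", client_outcome(FW_SELF_SIGNED_CA, GOOD_SERVER, []))
```

The model deliberately rejects non-CA candidates before looking at trust, which mirrors why options A and D fail on two counts: they could not sign an impersonation certificate, and even if they could, the result would chain to a root the client already trusts.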
Reference:
[1] How to Configure SSL Decryption – Palo Alto Networks Knowledge Base
[2] How to Implement and Test SSL Decryption – Palo Alto Networks Knowledge Base