Which certificate is the best choice to configure as an SSL Forward Trust certificate?

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall.

Which certificate is the best choice to configure as an SSL Forward Trust certificate?
A. A self-signed Certificate Authority certificate generated by the firewall
B. A Machine Certificate for the firewall signed by the organization’s PKI
C. A web server certificate signed by the organization’s PKI
D. A subordinate Certificate Authority certificate signed by the organization’s PKI

Answer: D

Explanation:

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate.

Separate Forward Trust CAs on each firewall also help troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
