Learn about the best choice for an SSL Forward Untrust certificate when inspecting HTTPS traffic through a firewall. Understand why a web server certificate signed by an external Certificate Authority is the optimal choice for avoiding untrusted certificate warnings.
Table of Contents
Question
A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning.
What is the best choice for an SSL Forward Untrust certificate?
A. A self-signed certificate generated on the firewall
B. A web server certificate signed by the organization’s PKI
C. A web server certificate signed by an external Certificate Authority
D. A subordinate Certificate Authority certificate signed by the organization’s PKI
Answer
C. A web server certificate signed by an external Certificate Authority
Explanation
When a network security administrator wants to inspect HTTPS traffic as it egresses through a firewall, they need to decrypt and re-encrypt the traffic. This process is known as SSL Forward Proxy. The firewall acts as a forward proxy, establishing an SSL/TLS session with the client and a separate SSL/TLS session with the server. The firewall then decrypts and inspects the traffic before re-encrypting it and sending it to its destination.
For the SSL Forward Proxy to work, the firewall needs to present a certificate to the client that the client will trust. If the certificate is not trusted, the client will receive an untrusted certificate warning.
A web server certificate signed by an external Certificate Authority (Option C) is the best choice because external Certificate Authorities are inherently trusted by most web browsers and operating systems. This means that when the firewall presents this certificate to the client, the client is likely to trust it, and no untrusted certificate warning will be displayed.
Palo Alto Networks Certified Network Security Engineer PCNSE certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Palo Alto Networks Certified Network Security Engineer PCNSE exam and earn Palo Alto Networks Certified Network Security Engineer PCNSE certification.