PCNSE: SSL Forward Proxy Certificate Requirements for Palo Alto Networks

Discover the two types of certificates required for SSL Forward Proxy deployment on Palo Alto Networks firewalls: a subordinate CA from your own PKI and a self-signed root CA.

Question

An administrator has been tasked with deploying SSL Forward Proxy.

Which two types of certificates are used to decrypt the traffic? (Choose two.)

A. Device certificate
B. Subordinate CA from the administrator’s own PKI infrastructure
C. Self-signed root CA
D. External CA certificate

Answer

B. Subordinate CA from the administrator’s own PKI infrastructure
C. Self-signed root CA

Explanation

In an SSL Forward Proxy deployment, the firewall acts as a man-in-the-middle, intercepting SSL/TLS traffic between clients and servers. To decrypt this traffic, the firewall must present a trusted certificate to the client and server.

A Subordinate CA certificate, issued by the organization’s own PKI infrastructure, is used to sign the certificates presented to the servers. This allows the firewall to impersonate the destination server and decrypt the traffic.

A Self-signed root CA certificate is used to establish a trust relationship with the clients. This root CA certificate is installed on the clients, allowing them to trust the certificates presented by the firewall.
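
The trust relationship described above, reproduced on a throwaway lab PKI with the `openssl` CLI (an added example, not Palo Alto Networks configuration and not code from the original page): a client that trusts only the self-signed root accepts a host certificate signed by the subordinate CA, and rejects one signed by an ordinary device certificate. The subject names, the `www.example.test` host name and the helper `proxy_chain_ok` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example on a constructed lab PKI; every name below is a placeholder.
# proxy_chain_ok <ca|device>: builds root -> signing cert -> leaf and returns 0
# when a client that trusts only the root accepts the leaf (3 = setup error).
proxy_chain_ok() {
  d=$(mktemp -d) || return 3
  cat > "$d/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = lab-placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[device]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  for n in root signer leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
      -subj "/CN=lab-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null \
      || { rm -rf "$d"; return 3; }
  done
  # issue <name> <extension section> <serial> <signing options...>
  issue() {
    s=$1; e=$2; n=$3; shift 3
    openssl x509 -req -in "$d/$s.csr" -days 30 -set_serial "$n" \
      -extfile "$d/pki.cnf" -extensions "$e" "$@" -out "$d/$s.crt" 2>/dev/null
  }
  # root:   self-signed CA, the only certificate in the client trust store.
  # signer: held by the proxy; a subordinate CA ("ca") or, for contrast,
  #         an ordinary device certificate ("device").
  # leaf:   certificate generated for the destination host name.
  issue root ca 1 -signkey "$d/root.key" &&
    issue signer "$1" 2 -CA "$d/root.crt" -CAkey "$d/root.key" &&
    issue leaf leaf 3 -CA "$d/signer.crt" -CAkey "$d/signer.key" ||
    { rm -rf "$d"; return 3; }
  # Client-side validation with the root as the sole trust anchor.
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/signer.crt" \
    "$d/leaf.crt" >/dev/null 2>&1
  rc=$?
  rm -rf "$d"
  return "$rc"
}
```

`proxy_chain_ok ca` returns 0, while `proxy_chain_ok device` returns non-zero because the signing certificate lacks `CA:TRUE`, which is why a device certificate cannot fill this role.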
