Palo Alto Networks PCNSE Quiz 7 Topic 3 Questions 31-35

Question: 1

SSL Forward Proxy decryption is configured but the firewall uses Untrusted-CA to sign the website https //www important-website com certificate End-users are receiving me 'security certificate is not trusted is warning Without SSL decryption the web browser shows that the website certificate is trusted and signed by a well-known certificate chain Well-Known-lntermediate and Well-Known-Root-

CA.

The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:

2 End-users should get the warning for any other untrusted website

Which approach meets the two customer requirements?

ANavigate to Device > Certificate Management > Certificates > Device Certificates import Well-Known-lntermediate-CA and Well-Known-Root-CA select the Trusted Root CA checkbox and commit the configuration

BInstall the Well-Known-lntermediate-CA and Well-Known-Root-CA certificates on all end-user systems m the user and local computer stores

CNavigate to Device > Certificate Management - Certificates s Default Trusted Certificate Authorities import Well-Known-intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box and commit the configuration

DClear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration

Show Answer

Question: 2

While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?

Ashow system setting ssl-decrypt certs

Bshow systea setting ssl-decrypt certificate-cache

Cshow systen setting ssl-decrypt certificate

Ddebug dataplane show ssl-decrypt ssl-stats

Show Answer

Question: 3

An engines must configure the Decryption Broker feature To which router must the engineer assign the decryption forwarding interfaces that are used m the Decryption Broker security Chain?

Aa virtual router that has no additional interfaces for passing data-plane traffic and no other configured routes than those used in for the security chain

Bthe virtual router that routes the traffic that the Decryption Broker security chain inspects

Ca virtual router that is configured with at least one dynamic routing protocol and has at least one entry in the RIB

Dthe default virtual router (If there is no default virtual router the engineer must create one during setup)

Show Answer

Question: 4

What are three reasons why an installed session can be identified with the application incomplete' tag? (Choose three.)

AThe TCP connection was terminated without identifying any application data

BThe client sent a TCP segment with the PUSH flag set

CThere is not enough application data after the TCP connection was established

DThe TCP connection did not fully establish

EThere was no application data after the TCP connection was established

Show Answer

Question: 5

A remote administrator needs firewall access on an untrusted interface Which two components are required on the firewall to configure certificate-based administrator authentication to the web Ul? (Choose two)

Aclient certificate

Bcertificate profile

Ccertificate authority (CA) certificate

Dserver certificate

Show Answer

Palo Alto Networks PCNSE Quiz:7 Topic:3 Questions:31-35