PCNSE Questions Bank

The two attributes that a forward trust certificate should have for SSL Forward Proxy decryption are:

B: A private key. This is the key that the firewall uses to sign the certificates that it generates for the decrypted sessions. The private key must be securely stored on the firewall and not shared with anyone1.

D: A certificate authority (CA) certificate. This is the certificate that the firewall uses to issue the certificates for the decrypted sessions. The CA certificate must be trusted by the client browsers and devices that receive the certificates from the firewall1.

To create Security rules in Panorama that reference specific users and groups from Active Directory (AD), the Panorama-managed firewalls need access to user-to-group mapping information. This is achieved through Group Mapping, which relies on User-ID functionality. In a Panorama-managed environment, a "master device" must be designated within the device group to provide this Group Mapping data. The master device is a firewall that retrieves user and group information from AD (via LDAP or User-ID agent) and shares it with other firewalls in the device group. This ensures consistent user-based policies across all devices in the group.

Option B (User-ID Redistribution) is incorrect because redistribution is used to share IP-to-user mappings, not group mappings, and is typically configured between firewalls or via Panorama’s User-ID redistribution feature, not a requirement for selecting users/groups in rules. Option C (User-ID Certificate profile) is unrelated, as it pertains to certificate-based authentication, not AD group mapping. Official documentation specifies that a master device with Group Mapping configured is essential for this scenario.