

Question 85 Discussion

A network engineer is configuring SSL Forward Proxy decryption on a Palo Alto Networks firewall. The company's internal clients trust a corporate root certificate authority (CA). To ensure the firewall can properly validate the certificates of external web servers, the engineer must configure a specific component. Which component defines the mechanism for Online Certificate Status Protocol (OCSP) / certificate revocation list (CRL) status? (Choose one answer)

  • A. Certificate revocation checking
  • B. SSL/TLS service profile
  • C. Decryption profile
  • D. Forward trust certificate
Correct Answer: C

Brave-Dump Clients Votes

A 66.67%
C 33.33%

Comments



Franck 2026-01-11 16:58:07

Selected Answers: A


Why?

For the firewall to validate certificates from external web servers, it must check:

- if the certificate has been revoked

- via OCSP, CRL, or OCSP + CRL fallback

This behavior is defined in:

Device → Certificate Management → Certificate Revocation
or
Device → Setup → Content-ID → Certificate Revocation Checking

Decryption profile is false because:

The Decryption profile checks TLS versions, certificate errors, exclusions…
but not the revocation verification method.


Ayesha 2026-01-24 20:16:29

Selected Answers: C


When configuring SSL Forward Proxy decryption, the Decryption Profile is the specific component that defines how the firewall verifies the external server's certificate.

Location: Inside the Decryption Profile (under Objects > Decryption Profile > SSL Forward Proxy), there is a section specifically for Server Certificate Verification.

The Mechanism: This section contains checkboxes to control validation logic, such as "Block sessions with expired certificates," "Block sessions with untrusted issuers," and importantly, "Block sessions with revoked certificates".

How it works: When enabled in the Decryption Profile, the firewall acts as the client to the external website. It checks the site's certificate against the CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) URL embedded in the certificate. If the certificate is revoked, the Decryption Profile dictates that the session should be blocked.


Anonymous User 2026-02-04 21:51:52

Selected Answers: A


Certificate revocation checking is a crucial security process that verifies if a digital certificate (e.g., SSL/TLS) is still trustworthy before its expiration date. It ensures that revoked certificates—invalidated by the issuer due to private key compromise, misuse, or employee turnover—are not accepted, preventing attackers from using revoked credentials.

Mechanisms for Checking Revocation:

  • Certificate Revocation Lists (CRLs): A time-stamped list of revoked certificate serial numbers published by the Certificate Authority (CA).
  • Online Certificate Status Protocol (OCSP): A faster, real-time protocol that allows clients to query the CA for the status of a specific certificate, returning "good," "revoked," or "unknown".
  • OCSP Stapling: A mechanism where the web server staples a time-stamped, OCSP-signed response to the certificate, improving performance and privacy.
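The check that Ayesha's and the anonymous comment describe (read the CRL distribution point and OCSP responder URL from the server certificate, obtain the revocation data, confirm it was signed by the issuer and is current, then decide per the profile) is shown below as an added Go example. It is not code from this page or from PAN-OS: it builds a constructed test CA and server certificate in memory, uses a CRL rather than a live OCSP responder so it runs offline, and the function names (`buildPKI`, `issueCRL`, `checkRevocation`, `allowSession`), the placeholder URLs and the `blockUnknown` knob are assumptions. It goes slightly beyond the comments by treating a stale or forged CRL as "unknown" rather than "good", which is the failure mode a "block sessions with revoked certificates" setting alone does not cover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status mirrors the three verdicts a revocation check can return (the OCSP states).
type Status string

const StatusGood, StatusRevoked, StatusUnknown Status = "good", "revoked", "unknown"

func must[T any](v T, err error) T { // panics on error; only used to build the constructed fixture
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI creates an in-memory test CA and a server certificate that carries the CRL
// distribution point and OCSP responder URLs a decrypting firewall reads. Both URLs are placeholders.
func buildPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	now := time.Now()
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign needed
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}, // placeholder CDP URL
		OCSPServer:            []string{"http://ocsp.example.test"},       // placeholder AIA OCSP URL
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, caKey, leaf
}

// issueCRL signs a CRL from the CA that lists the given serials as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(7), RevokedCertificates: entries,
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkRevocation is the check the comments describe: the CRL fetched from the URL in the
// certificate must be signed by the issuer and still current before its serial list is consulted.
// Anything that prevents a verdict yields "unknown", never "good"; crlDER == nil models an unreachable URL.
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	if crlDER == nil {
		return StatusUnknown, fmt.Errorf("revocation data unavailable from %v", leaf.CRLDistributionPoints)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature rejected: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL is not current")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// allowSession applies the profile decision: blockRevoked models the "block sessions with revoked
// certificates" setting quoted above; blockUnknown is an assumed knob for the no-verdict case.
func allowSession(st Status, blockRevoked, blockUnknown bool) bool {
	return !(st == StatusRevoked && blockRevoked) && !(st == StatusUnknown && blockUnknown)
}

func main() {
	ca, caKey, leaf := buildPKI()
	st, err := checkRevocation(leaf, ca, must(issueCRL(ca, caKey, []*big.Int{leaf.SerialNumber})), time.Now())
	fmt.Printf("status=%s allow=%v err=%v\n", st, allowSession(st, true, true), err)
}
```

The point of returning "unknown" for a missing, stale or mis-signed CRL is that a profile which only blocks "revoked" will still admit such a session; whether that is acceptable is a policy choice, which is why the decision is kept separate from the check.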