Exam PCNSE topic 1 question 134 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 134
Topic #: 1

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

  • A. Static route pointing application PaloAlto-updates to the update servers
  • B. Security policy rule allowing PaloAlto-updates as the application
  • C. Scheduler for timed downloads of PAN-OS software
  • D. DNS settings for the firewall to use for resolution
Suggested Answer: D

Comments

rammsdoct
Highly Voted 3 years, 11 months ago
D: A can't be; there is no static service route to point to "palo alto updates". The question says that there is an existing internet connection, so a default route should exist. B: a security policy allowing SSL traffic already exists, so there is access from any to any. C: there is no scheduler involved in errors recurring with communication. D: is the closest to the issue, so D is correct.
upvoted 26 times
Woody
1 year, 4 months ago
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/pan-os-upgrade-checklist#id53a2bc2b-f86e-4ee5-93d7-b06aff837a00
upvoted 1 times
...
cerifyme85
2 months ago
The main reason it is not B is that updates happen through the mgmt plane. The mgmt plane does not use security policies.
upvoted 1 times
...
...
CiscoNinja
Highly Voted 3 years, 11 months ago
The "Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone" covers that (B is wrong). Correct ans = D
upvoted 10 times
...
scanossa
Most Recent 1 month, 3 weeks ago
Selected Answer: D
It is between B or D. B: Interface is facing the Internet directly, so it would be intranet (allowed by default). D: It needs to be configured in order to translate PA URL into IP addresses. So, D is correct.
upvoted 1 times
...
Marshpillowz
2 months, 4 weeks ago
Selected Answer: D
Answer is D
upvoted 1 times
...
TeachTrooper
3 months ago
Selected Answer: D
B is wrong because of the default ruleset being in use, so the intrazone rule allows paloalto-updates app. D is correct as "generic communication error" on updates is usually a DNS issue
upvoted 1 times
...
JRKhan
3 months, 1 week ago
Selected Answer: D
Given that the question mentions the communication error, D is the most appropriate answer. If the policy was denying it, the logs will mention traffic dropped/denied due to a configured policy rule or lack of a policy rule.
upvoted 1 times
...
DatITGuyTho1337
4 months ago
I believe D is the answer because the updates must be downloaded from the "updates.paloaltonetworks.com" site, the firewall must have DNS configured to take advantage of this. As DNS configuration was not mentioned during the question preface, I concluded that DNS must not have been configured.
upvoted 1 times
...
electro165
7 months, 3 weeks ago
Selected Answer: D
DNS Resolution: When the firewall attempts to download updates or software, it needs to resolve domain names to IP addresses to reach the update servers. If there's an issue with DNS resolution, it can lead to communication errors and incomplete downloads. The other options (A, B, and C) do not directly address the issue of DNS resolution. While static routes, security policies, and scheduled downloads may be important for overall firewall configuration, they are not the primary factor for resolving domain names to IP addresses during the update process.
upvoted 1 times
...
Betty2022
8 months, 3 weeks ago
Selected Answer: D
D, as per discussion shared by others here. B: is covered, so this is not the answer because SSL and web-browsing are allowed. Also, https://applipedia.paloaltonetworks.com/ confirms that paloalto-updates would not give us any more access because: Implicit use Applications: ssl, web-browsing
upvoted 1 times
...
sov4
8 months, 4 weeks ago
Had this question a few weeks ago on the exam... July 2023. I'm going with D.
upvoted 1 times
...
ARWANGSH
9 months, 3 weeks ago
Selected Answer: B
Palo Alto requires their update APPIDs to be allowed, this is not mentioned in the question.
upvoted 2 times
...
hz78
10 months, 2 weeks ago
The communication error and incomplete download of updates suggest that the firewall is unable to resolve the update server's hostname to its IP address. To resolve this issue, the firewall needs proper DNS settings configured. By providing DNS settings, the firewall will be able to perform hostname resolution and establish connectivity with the update servers to download the PAN-OS software.
upvoted 2 times
...
p48m1
1 year ago
Selected Answer: B
B is correct. Palo Alto updates are recognized with App-ID "paloalto-updates", which makes implicit use of ssl and web-browsing. Creating a Security Policy with the proper App-ID will solve the download issue. It is not a DNS issue, as "the download does not complete" implies a communication to be in place (then blocked due to App-ID mismatch) and proper name resolution to be successful.
upvoted 5 times
...
kewokil120
1 year, 1 month ago
Selected Answer: B
Not dns. If it started then Dns worked. Palo does have 10+ app id for their saas upgrades etc
upvoted 1 times
...
daytonadave2011
1 year, 1 month ago
Selected Answer: D
The answer is D. You must be able to resolve updates.paloaltonetworks.com from the CLI, and in order to do that, you must have DNS set up under Device > Setup > Services. The easiest thing to do is point to 8.8.8.8 if you don't have an internal DNS server.
upvoted 2 times
...
kewokil120
1 year, 1 month ago
Selected Answer: B
You need dns and app id. Bad question as dns setup was not passed on
upvoted 2 times
...
Rowdy_47
1 year, 1 month ago
Selected Answer: D
I change my answer and agree with Spydog
upvoted 1 times
...