ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 52 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 52
Topic #: 1
[All PCNSE Questions]

An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OSֲ® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web- browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OSֲ® software can be upgraded?

  • A. Security policy rule
  • B. CRL
  • C. Service route
  • D. Scheduler
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by Edu147 at July 24, 2019, 9:52 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Edu147
Highly Voted 5 years, 11 months ago
Correct C https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
upvoted 19 times
...
NSO_Blue
Most Recent 8 months, 2 weeks ago
The default service route uses the management port for all services. Why should we need to touch this configuration section???
upvoted 1 times
NazmulHossain
5 months, 3 weeks ago
You have not understood the question. It says the management port does not have any internet connectivity. It has internet connectivity through a LAN interface.
upvoted 1 times
...
...
NSO_Blue
8 months, 2 weeks ago
Selected Answer: A
PANW updates are not delivered over web-browsing. Therefore, a new security policy must be added allowing app-ID "paloalto-updates", ssl, and web-browsing on application default service/port.
upvoted 1 times
...
bing2021
1 year ago
Selected Answer: C
service route, pick dp interface.
upvoted 1 times
...
Marshpillowz
1 year, 5 months ago
Selected Answer: C
C is correct
upvoted 1 times
...
TeachTrooper
1 year, 5 months ago
Selected Answer: C
Mentioning the extra security rule is just to trick us into picking A. The default ruleset has a intrazone rule that allows any/any. So if the service route points to the ethernet interface providing the internet connection all paloalto-updates etc. requests will be allowed by the default intrazone policy.
upvoted 3 times
...
Caglart
1 year, 7 months ago
Selected Answer: C
Correct C
upvoted 1 times
...
sov4
1 year, 11 months ago
Selected Answer: C
C. intra-zone default rule takes care of the security rule since it'll be sourced from the ethernet interface. Only thing left is the service route.
upvoted 1 times
...
Pretorian
2 years, 11 months ago
This one is another typical PANW malicious test question. We all know that a service route is needed. However, the question states web-browsing is being allowed by the policy. PANW updates are not delivered over web-browsing. Therefore, a new security policy must be added allowing app-ID "paloalto-updates", ssl, and web-browsing on application default service/port. Just something to consider. In summary, I'm not sure if "C" is the correct answer, or "A"
upvoted 4 times
secdaddy
2 years, 9 months ago
Also we know that without the service route it clearly will not work so C is the best answer.
upvoted 2 times
...
secdaddy
2 years, 9 months ago
"...and a rule that allows all web- browsing traffic from any to any zone." There's no mention of app-ID in the question and from this we know that http(s) are allowed outgoing.
upvoted 1 times
...
...
rocioha
4 years, 3 months ago
C Correct
upvoted 4 times
...
shane
4 years, 4 months ago
Answer:C
upvoted 3 times
...
Yelam
4 years, 5 months ago
C is correct answer
upvoted 2 times
...
PacketFairy
4 years, 7 months ago
The management port is an isolated host interface. By default, everything uses this port (DNS, Auth, NTP, updates). If this port has no internet access, "service routes" can be used to perform these services on a router/firewall interface.
upvoted 2 times
...
lol1000
4 years, 8 months ago
c https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
upvoted 1 times
...
KAAK
4 years, 11 months ago
C: Service Route https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
upvoted 3 times
...
Giox
5 years ago
The correct answer is A. Surely the Service Route should be configured to use the Ethernet interface, but from the question we cannot say if it is already configured. Instead, we know about configured security policy rule, and using a data interface we need a policy to permit "paloalto-updates" application, that is missing
upvoted 4 times
Giox
5 years ago
Sorry, traffic should be allowed by the intrazone default policy rule, so C is the correct one.
upvoted 3 times
...
...
Ripu
5 years, 1 month ago
Answer:C
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel