Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us [email protected]
Menu

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Palo-Alto-Networks Discussions

Exam PCNSE topic 1 question 52 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 52
Topic #: 1
[All PCNSE Questions]

An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OSֲ® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web- browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OSֲ® software can be upgraded?

  • A. Security policy rule
  • B. CRL
  • C. Service route
  • D. Scheduler
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
by Edu147 at July 24, 2019, 9:52 a.m.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
Edu147
Highly Voted 4 years, 9 months ago
Correct C https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
upvoted 17 times
...
Marshpillowz
Most Recent 3 months ago
Selected Answer: C
C is correct
upvoted 1 times
...
TeachTrooper
3 months ago
Selected Answer: C
Mentioning the extra security rule is just to trick us into picking A. The default ruleset has a intrazone rule that allows any/any. So if the service route points to the ethernet interface providing the internet connection all paloalto-updates etc. requests will be allowed by the default intrazone policy.
upvoted 1 times
...
Caglart
5 months, 1 week ago
Selected Answer: C
Correct C
upvoted 1 times
...
sov4
9 months ago
Selected Answer: C
C. intra-zone default rule takes care of the security rule since it'll be sourced from the ethernet interface. Only thing left is the service route.
upvoted 1 times
...
Pretorian
1 year, 8 months ago
This one is another typical PANW malicious test question. We all know that a service route is needed. However, the question states web-browsing is being allowed by the policy. PANW updates are not delivered over web-browsing. Therefore, a new security policy must be added allowing app-ID "paloalto-updates", ssl, and web-browsing on application default service/port. Just something to consider. In summary, I'm not sure if "C" is the correct answer, or "A"
upvoted 4 times
secdaddy
1 year, 6 months ago
Also we know that without the service route it clearly will not work so C is the best answer.
upvoted 2 times
...
secdaddy
1 year, 6 months ago
"...and a rule that allows all web- browsing traffic from any to any zone." There's no mention of app-ID in the question and from this we know that http(s) are allowed outgoing.
upvoted 1 times
...
...
rocioha
3 years, 1 month ago
C Correct
upvoted 4 times
...
shane
3 years, 2 months ago
Answer:C
upvoted 3 times
...
Yelam
3 years, 3 months ago
C is correct answer
upvoted 2 times
...
PacketFairy
3 years, 5 months ago
The management port is an isolated host interface. By default, everything uses this port (DNS, Auth, NTP, updates). If this port has no internet access, "service routes" can be used to perform these services on a router/firewall interface.
upvoted 1 times
...
lol1000
3 years, 6 months ago
c https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
upvoted 1 times
...
KAAK
3 years, 9 months ago
C: Service Route https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC
upvoted 3 times
...
Giox
3 years, 10 months ago
The correct answer is A. Surely the Service Route should be configured to use the Ethernet interface, but from the question we cannot say if it is already configured. Instead, we know about configured security policy rule, and using a data interface we need a policy to permit "paloalto-updates" application, that is missing
upvoted 4 times
Giox
3 years, 10 months ago
Sorry, traffic should be allowed by the intrazone default policy rule, so C is the correct one.
upvoted 3 times
...
...
Ripu
3 years, 10 months ago
Answer:C
upvoted 1 times
...
datasec919
3 years, 10 months ago
we can add security rule for management interface IP. so i think correct option is A
upvoted 2 times
...
Silent_Sanctuary
3 years, 11 months ago
Correct Answer is C Service Route > Palo Alto Networks Services > Internet/Untrust Zone
upvoted 1 times
...
Ahmad_Zahran
4 years ago
Correct C
upvoted 1 times
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel