Examice

Exam PCNSE All QuestionsBrowse all questions from this exam

Go to Exam

Question 548

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)

Rename a vsys on a multi-vsys firewall

Change the firewall management IP address

Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode

Add administrator accounts

Configure a device block list

Correct Answer: A, B, C

There are specific tasks that cannot be configured from Panorama using a template stack. Renaming a vsys on a multi-vsys firewall is one such task because it involves changes to the identifier of the virtual system, which requires local access. Changing the firewall management IP address also must be done locally, as it relates to the fundamental network configuration of the firewall which Panorama cannot alter. Enabling operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode cannot be configured from Panorama because these modes involve fundamental changes to the firewall's operation that require direct access and potentially a system reboot.

Discussion

SergioJOptions: ACE

I guess the answer is A C and E https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/template-capabilities-and-exceptions

Merlin0o

From the link provided: You can use Templates and Template Stacks to define a wide array of settings but you can perform the following tasks only locally on each managed firewall: - Configure a device block list. - Clear logs. - Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode. - Configure the IP addresses of firewalls in an HA pair. - Configure a master key and diagnostics. - Compare configuration files (Config Audit). - Renaming a vsys on a multi-vsys firewall.

homersimpsonOptions: ABC

I have to disagree. You _can’t_ rename a vsys You _can’t_ change the Fw mgt ip You _can’t_ change to FIPS mode, this is done by CLI using the serial cable and it wipes the whole config of the Fw back to defaults, not a small thing You _can_ add administrator accounts. You _can_ configure a device block list. This is in Device/Setup/Interfaces.

skullomania

I agree with you.

Viriathus

You can change the mgt ip!

homersimpson

I stand corrected! However, I guess I don't get what they mean by "Device Block List" because it seems like you can do that too from Panorama.

dgonzOptions: ACE

ACE should be correct

Omid2022Options: ACE

Tested via panaroma the mode can be changed via cli

McMarius11Options: ACE

yes ACE

MarshpillowzOptions: ACE

A, C and E correct

MetgatzOptions: ACE

A, C, E are OK