Which three management interface settings must be configured for functional dynamic updates and administrative access on a Palo Alto Networks firewall? (Choose three.)
Which three management interface settings must be configured for functional dynamic updates and administrative access on a Palo Alto Networks firewall? (Choose three.)
For functional dynamic updates and administrative access on a Palo Alto Networks firewall, the following management interface settings must be configured: IP address, DNS server, and service routes. The IP address is necessary for network communication and to reach external services. The DNS server is required to resolve domain names needed for updates and connections. Service routes are essential in scenarios where the management functions need to traverse the data plane, ensuring proper routing to external update and service servers. NTP, although important for time synchronization, is not mandatory for the core functionalities of dynamic updates and administrative access.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
It is : B,D,E
The management interface does not require a service route. This is only if you a re doing management through the data plane. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
Correct that they don't REQUIRE service routes, but service routes are needed for updates...NTP isn't.
Correct that they don't REQUIRE service routes, but service routes are needed for updates...NTP isn't.
ABD https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK
Bro why would you share a link that does not support your answer? I'm gonna have to say RTFM...
ABD ! FACT : if you do not configure NTP then you cannot do HTTPS because time will be wrong. CONSEQUENCE : and thus, you will not be able to connect to remote secured update PA network update server. end of discussion.
For a Palo Alto Networks firewall to perform dynamic updates and provide administrative access, it crucially needs to have NTP, an IP address, and a DNS server correctly configured. Explanation: The three management interface settings that must be configured for functional dynamic updates and administrative access on a Palo Alto Networks firewall are: NTP (Network Time Protocol): Ensures that the firewall has the correct time, which is crucial for logging, reporting, and synchronization with other devices for security functions. IP address: Necessary for the management interface to be reachable for administrative tasks and to establish communication with external servers for updates. DNS server: Required to resolve hostnames for update servers and other administrative functions, facilitating dynamic updates. While MTU (Maximum Transmission Unit) and service routes are also important settings, they are not as critical as NTP, IP address, and DNS server for the specific functions of dynamic updates and administrative access.
This indicates that is solely on the management interface. Therefore, it doesn't require a service route A B, and D
Let us take a moment here. The question includes the word "must" and the question says also “management interface” i.e. management interface can be “MGT” which it is the default and it can be also a data port (if you decide to use it as a management interface. We also know that NTP is an optional (it is recommended) but it is not a must. We also know that a service route is a must if you need to use a data port as management interface. Therefore, I would go with the answer: IP Address (must) DNS Server (must) Service route (must if you use a data port as a management interface instead using the default MGT). Thanks!
I would go now with the answer ABD since the question mentions the word that says "Functional Update" so stick with NTP, IP address and DNS server.
We all agree on IP and DNS. because it's here: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration Having a MGT interface doesn't mean you have internet connectivity because the MGT interface could simply be connected to PC for managing. You will need to setup a service route to hardcode the path to the net.
BDE - is my answer. NTP is not required here.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the internet, typically via the MGT port. If you do not want to enable external access via the MGT port, you can set up an in-band data port on the data plane to provide access to the required external services by using the service routes.
the time can be manually configured to be able to make https requests, no need for NTP
IP address1: The IP address of the management interface is crucial for network communication1. DNS server1: The DNS server is needed to resolve domain names for dynamic updates and other services1. Service routes12: Service routes determine the source IP and interface used by the firewall to access external services, such as dynamic updates12.
ABD is correct
I was thinking on ABD, but then I decided to test on the FW and after delete the NTP configuration I still was able to download the dynamic updates... and knowing that service routes are a "must" when using a data interface, the answer should be BDE https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes
Options ABD
service route you configure it only if you want to use a Layer 3 interface, not the MGMT.