Exam PCNSE
Question 134

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:

✑ Firewall has internet connectivity through e1/1.

✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.

✑ Service route is configured, sourcing update traffic from e1/1.

✑ A communication error appears in the System logs when updates are performed.

✑ Download does not complete.

What must be configured to enable the firewall to download the current version of PAN-OS software?

    Correct Answer: D

    The firewall needs DNS settings to perform name resolution when attempting to download updates. Without proper DNS settings, the firewall cannot resolve the update server’s hostname to its IP address, leading to communication errors and incomplete downloads. Proper DNS configuration allows the firewall to access the necessary update servers to download the latest PAN-OS software.

Discussion
rammsdoct Option: D

D. A can't be: there is no static service route to point to "palo alto updates"; the question says that there is an existing internet connection, so a default route should exist. B: a security policy allowing SSL traffic already exists, so there is access from any to any. C: there is no scheduler involved in the errors recurring with communication. D is the closest to the issue, so D is correct.

woody_

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/pan-os-upgrade-checklist#id53a2bc2b-f86e-4ee5-93d7-b06aff837a00

cerifyme85

The main reason it is not B is that updates happen through the mgmt plane. The mgmt plane does not use security policies.

tobaja

The question literally describes a service route, so it goes through the data plane.

CiscoNinja Option: D

The "Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone" covers that (B is wrong). Correct ans = D

p48m1 Option: B

B is correct. Palo Alto updates are recognized with App-ID "paloalto-updates", which makes implicit use of ssl and web-browsing. Creating a Security Policy with the proper App-ID will solve the download issue. It is not a DNS issue, as "the download does not complete" implies a communication to be in place (then blocked due to App-ID mismatch) and proper name resolution to be successful.

ARWANGSH Option: B

Palo Alto requires their update APPIDs to be allowed, this is not mentioned in the question.

hz78 Option: D

The communication error and incomplete download of updates suggest that the firewall is unable to resolve the update server's hostname to its IP address. To resolve this issue, the firewall needs proper DNS settings configured. By providing DNS settings, the firewall will be able to perform hostname resolution and establish connectivity with the update servers to download the PAN-OS software.

apiloran Option: D

The key word is default rule.

weze1336 Option: D

D. It's NOT B because the security rules already exist any to any zone for SSL.

123XYZT Option: D

D is correct

scanossa Option: D

It is between B or D:

B. Interface is facing the Internet directly, so it would be intranet (allowed by default)

D. It is needed to be configured in order to translate PA URL into IP addresses

So, D is correct

Marshpillowz Option: D

Answer is D

TeachTrooper Option: D

B is wrong because of the default ruleset being in use, so the intrazone rule allows the paloalto-updates app. D is correct as "generic communication error" on updates is usually a DNS issue.

JRKhan Option: D

Given that the question mentions the communication error, D is the most appropriate answer. If the policy was denying it, the logs will mention traffic dropped/denied due to a configured policy rule or lack of a policy rule.

DatITGuyTho1337 Option: D

I believe D is the answer because the updates must be downloaded from the "updates.paloaltonetworks.com" site, the firewall must have DNS configured to take advantage of this. As DNS configuration was not mentioned during the question preface, I concluded that DNS must not have been configured.

electro165 Option: D

DNS Resolution: When the firewall attempts to download updates or software, it needs to resolve domain names to IP addresses to reach the update servers. If there's an issue with DNS resolution, it can lead to communication errors and incomplete downloads. The other options (A, B, and C) do not directly address the issue of DNS resolution. While static routes, security policies, and scheduled downloads may be important for overall firewall configuration, they are not the primary factor for resolving domain names to IP addresses during the update process.

Betty2022 Option: D

D, as per discussion shared by others here. B is covered, so this is not the answer because SSL and web browsing are allowed. Also, https://applipedia.paloaltonetworks.com/ confirms that paloalto-updates would not give us any more access because: Implicit use Applications: ssl, web-browsing

sov4 Option: D

Had this question a few weeks ago on the exam... July 2023. I'm going with D.

kewokil120 Option: B

Not DNS. If it started then DNS worked. Palo does have 10+ App-IDs for their SaaS upgrades etc.