PCNSE Exam Questions

PCNSE Exam - Question 134


An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:

✑ Firewall has internet connectivity through e1/1.

✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.

✑ Service route is configured, sourcing update traffic from e1/1.

✑ A communication error appears in the System logs when updates are performed.

✑ Download does not complete.

What must be configured to enable the firewall to download the current version of PAN-OS software?

Correct Answer: D

The firewall needs DNS settings to perform name resolution when attempting to download updates. Without proper DNS settings, the firewall cannot resolve the update server’s hostname to its IP address, leading to communication errors and incomplete downloads. Proper DNS configuration allows the firewall to access the necessary update servers to download the latest PAN-OS software.

Discussion

17 comments
rammsdoct (Option: D)
May 28, 2020

D. A can't be: there is no static service route to point to "palo alto updates", and the question says there is an existing internet connection, so a default route should exist. B: a security policy allowing SSL traffic already exists, so there is access from any to any. C: there is no scheduler involved in recurring communication errors. D is the closest to the issue, so D is correct.

woody_
Dec 17, 2022

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/pan-os-upgrade-checklist#id53a2bc2b-f86e-4ee5-93d7-b06aff837a00

cerifyme85
Feb 22, 2024

The main reason it is not B is that updates happen through the mgmt plane. The mgmt plane does not use security policies.

tobaja
May 12, 2024

The question literally describes a service route, so it goes through the data plane.

CiscoNinja (Option: D)
May 24, 2020

"Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone" covers that (B is wrong). Correct ans = D.

p48m1 (Option: B)
Mar 26, 2023

B is correct. Palo Alto updates are recognized with the App-ID "paloalto-updates", which makes implicit use of ssl and web-browsing. Creating a Security Policy with the proper App-ID will solve the download issue. It is not a DNS issue, as "the download does not complete" implies a communication to be in place (then blocked due to App-ID mismatch) and proper name resolution to be successful.

hz78 (Option: D)
Jun 7, 2023

The communication error and incomplete download of updates suggest that the firewall is unable to resolve the update server's hostname to its IP address. To resolve this issue, the firewall needs proper DNS settings configured. By providing DNS settings, the firewall will be able to perform hostname resolution and establish connectivity with the update servers to download the PAN-OS software.

ARWANGSH (Option: B)
Jul 6, 2023

Palo Alto requires their update App-IDs to be allowed; this is not mentioned in the question.

kewokil120 (Option: B)
Mar 21, 2023

Not DNS. If it started, then DNS worked. Palo does have 10+ App-IDs for their SaaS upgrades, etc.

sov4 (Option: D)
Jul 29, 2023

Had this question a few weeks ago on the exam... July 2023. I'm going with D.

Betty2022 (Option: D)
Jul 31, 2023

D, as per the discussion shared by others here. B is covered, so this is not the answer, because SSL and web-browsing are allowed. Also, https://applipedia.paloaltonetworks.com/ confirms that paloalto-updates would not give us any more access because of "Implicit use Applications: ssl, web-browsing".

electro165 (Option: D)
Sep 2, 2023

DNS Resolution: When the firewall attempts to download updates or software, it needs to resolve domain names to IP addresses to reach the update servers. If there's an issue with DNS resolution, it can lead to communication errors and incomplete downloads. The other options (A, B, and C) do not directly address the issue of DNS resolution. While static routes, security policies, and scheduled downloads may be important for overall firewall configuration, they are not the primary factor for resolving domain names to IP addresses during the update process.

DatITGuyTho1337 (Option: D)
Dec 20, 2023

I believe D is the answer because the updates must be downloaded from the "updates.paloaltonetworks.com" site, and the firewall must have DNS configured to take advantage of this. As DNS configuration was not mentioned in the question preface, I concluded that DNS must not have been configured.

JRKhan (Option: D)
Jan 12, 2024

Given that the question mentions the communication error, D is the most appropriate answer. If the policy were denying it, the logs would mention traffic dropped/denied due to a configured policy rule or lack of a policy rule.

TeachTrooper (Option: D)
Jan 23, 2024

B is wrong because of the default ruleset being in use, so the intrazone rule allows the paloalto-updates app. D is correct, as a "generic communication error" on updates is usually a DNS issue.

Marshpillowz (Option: D)
Jan 24, 2024

Answer is D

scanossa (Option: D)
Feb 26, 2024

It is between B or D. B: The interface is facing the Internet directly, so it would be intranet (allowed by default). D: It needs to be configured in order to translate the PA URL into IP addresses. So, D is correct.

123XYZT (Option: D)
May 14, 2024

D is correct

weze1336 (Option: D)
May 29, 2024

D. It's NOT B because the security rules already exist from any to any zone for SSL.

apiloran (Option: D)
Jul 13, 2024

The key word is default rule.