
PCNSE Exam - Question 52


An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.

What must the administrator configure so that the PAN-OS® software can be upgraded?

Correct Answer: C

When upgrading a Palo Alto Networks NGFW to the most current version of PAN-OS software, the firewall must be able to access the internet to download the update. Since the management interface does not have internet access, the administrator must configure a service route to direct traffic through the Ethernet interface which has internet connectivity. A security policy rule and other configurations are already in place allowing web-browsing traffic, so setting up the service route is essential to ensure the updates can be downloaded through the correct interface.

Discussion

17 comments
Edu147 Option: C
Jul 24, 2019

Correct C https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC

Giox Option: A
Jun 15, 2020

The correct answer is A. Surely the Service Route should be configured to use the Ethernet interface, but from the question we cannot say if it is already configured. Instead, we know about the configured security policy rule, and using a data interface we need a policy to permit the "paloalto-updates" application, which is missing.

Giox
Jun 15, 2020

Sorry, traffic should be allowed by the intrazone default policy rule, so C is the correct one.

rocioha Option: C
Mar 19, 2021

C Correct

Pretorian Option: C
Aug 4, 2022

This one is another typical PANW malicious test question. We all know that a service route is needed. However, the question states web-browsing is being allowed by the policy. PANW updates are not delivered over web-browsing. Therefore, a new security policy must be added allowing app-ID "paloalto-updates", ssl, and web-browsing on application default service/port. Just something to consider. In summary, I'm not sure if "C" is the correct answer, or "A".

secdaddy
Oct 4, 2022

"...and a rule that allows all web-browsing traffic from any to any zone." There's no mention of app-ID in the question and from this we know that http(s) are allowed outgoing.

secdaddy
Oct 4, 2022

Also we know that without the service route it clearly will not work so C is the best answer.

KAAK Option: C
Jul 29, 2020

C: Service Route https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC

shane Option: C
Feb 21, 2021

Answer: C

datasec919 Option: A
Jun 12, 2020

We can add a security rule for the management interface IP, so I think the correct option is A.

Yelam Option: C
Jan 21, 2021

C is the correct answer.

Silent_Sanctuary Option: C
May 25, 2020

Correct Answer is C: Service Route > Palo Alto Networks Services > Internet/Untrust Zone

Ripu Option: C
Jun 12, 2020

Answer: C

lol1000 Option: C
Oct 29, 2020

C https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC

PacketFairy Option: C
Nov 20, 2020

The management port is an isolated host interface. By default, everything uses this port (DNS, Auth, NTP, updates). If this port has no internet access, "service routes" can be used to perform these services on a router/firewall interface.

sov4 Option: C
Jul 29, 2023

C. The intra-zone default rule takes care of the security rule since it'll be sourced from the ethernet interface. Only thing left is the service route.

Caglart Option: C
Nov 17, 2023

Correct C

TeachTrooper Option: C
Jan 23, 2024

Mentioning the extra security rule is just to trick us into picking A. The default ruleset has an intrazone rule that allows any/any. So if the service route points to the ethernet interface providing the internet connection, all paloalto-updates etc. requests will be allowed by the default intrazone policy.

Marshpillowz Option: C
Jan 23, 2024

C is correct

bing2021 Option: C
Jul 5, 2024

service route, pick dp interface.