Exam PCNSE topic 1 question 134 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 134
Topic #: 1

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring:
✑ Firewall has internet connectivity through e1/1.
✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone.
✑ Service route is configured, sourcing update traffic from e1/1.
✑ A communication error appears in the System logs when updates are performed.
✑ Download does not complete.
What must be configured to enable the firewall to download the current version of PAN-OS software?

  • A. Static route pointing application PaloAlto-updates to the update servers
  • B. Security policy rule allowing PaloAlto-updates as the application
  • C. Scheduler for timed downloads of PAN-OS software
  • D. DNS settings for the firewall to use for resolution
Suggested Answer: D 🗳️

Comments

rammsdoct
Highly Voted 4 years, 7 months ago
D: A can't be; there is no static service route to point to "palo alto updates". The question says that there is an existing internet connection, so a default route should exist. B: a security policy allowing SSL traffic already exists, so there is access from any to any. C: there is no scheduler involved in errors recurring with communication. D is the closest to the issue, so D is correct.
upvoted 27 times
Woody
2 years ago
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/pan-os-upgrade-checklist#id53a2bc2b-f86e-4ee5-93d7-b06aff837a00
upvoted 1 times
...
cerifyme85
10 months, 4 weeks ago
The main reason it is not B is that updates happen through the mgmt plane. The mgmt plane does not use security policies.
upvoted 1 times
tobaja
8 months, 1 week ago
The question literally describes a service route, so it goes through the data plane.
upvoted 2 times
...
...
...
CiscoNinja
Highly Voted 4 years, 7 months ago
"Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone" covers that (B is wrong). Correct ans = D
upvoted 11 times
...
CarlosDV06
Most Recent 1 week, 4 days ago
Selected Answer: D
You have the default rules, which will allow intrazone traffic for any app. So the issue could be that DNS cannot correctly resolve the update server.
upvoted 1 times
...
de7cdfd
3 weeks, 1 day ago
Selected Answer: D
D is correct.
upvoted 1 times
...
apiloran
6 months ago
Selected Answer: D
The key word is default rule.
upvoted 1 times
...
weze1336
7 months, 2 weeks ago
Selected Answer: D
D. It's NOT B because the security rules already exist, any to any zone, for SSL.
upvoted 1 times
...
123XYZT
8 months ago
D is correct
upvoted 1 times
...
scanossa
10 months, 3 weeks ago
Selected Answer: D
It is between B or D. B: Interface is facing the Internet directly, so it would be intranet (allowed by default). D: It needs to be configured in order to translate PA URL into IP addresses. So, D is correct.
upvoted 1 times
...
Marshpillowz
11 months, 3 weeks ago
Selected Answer: D
Answer is D
upvoted 1 times
...
TeachTrooper
11 months, 4 weeks ago
Selected Answer: D
B is wrong because of the default ruleset being in use, so the intrazone rule allows the paloalto-updates app. D is correct, as "generic communication error" on updates is usually a DNS issue.
upvoted 1 times
...
JRKhan
1 year ago
Selected Answer: D
Given that the question mentions the communication error, D is the most appropriate answer. If the policy was denying it, the logs would mention traffic dropped/denied due to a configured policy rule or lack of a policy rule.
upvoted 1 times
...
DatITGuyTho1337
1 year ago
I believe D is the answer because the updates must be downloaded from the "updates.paloaltonetworks.com" site, the firewall must have DNS configured to take advantage of this. As DNS configuration was not mentioned during the question preface, I concluded that DNS must not have been configured.
upvoted 1 times
...
electro165
1 year, 4 months ago
Selected Answer: D
DNS Resolution: When the firewall attempts to download updates or software, it needs to resolve domain names to IP addresses to reach the update servers. If there's an issue with DNS resolution, it can lead to communication errors and incomplete downloads. The other options (A, B, and C) do not directly address the issue of DNS resolution. While static routes, security policies, and scheduled downloads may be important for overall firewall configuration, they are not the primary factor for resolving domain names to IP addresses during the update process.
upvoted 1 times
...
Betty2022
1 year, 5 months ago
Selected Answer: D
D, as per the discussion shared by others here. B is covered, so this is not the answer, because SSL and web-browsing are allowed. Also, https://applipedia.paloaltonetworks.com/ confirms that paloalto-updates would not give us any more access because: Implicit use Applications: ssl, web-browsing
upvoted 1 times
...
sov4
1 year, 5 months ago
Had this question a few weeks ago on the exam... July 2023. I'm going with D.
upvoted 1 times
...
ARWANGSH
1 year, 6 months ago
Selected Answer: B
Palo Alto requires their update APPIDs to be allowed, this is not mentioned in the question.
upvoted 2 times
...
hz78
1 year, 7 months ago
The communication error and incomplete download of updates suggest that the firewall is unable to resolve the update server's hostname to its IP address. To resolve this issue, the firewall needs proper DNS settings configured. By providing DNS settings, the firewall will be able to perform hostname resolution and establish connectivity with the update servers to download the PAN-OS software.
upvoted 2 times
...