ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 341 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 341
Topic #: 1
[All PCNSE Questions]

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto
Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy.
Without changing the existing access to the management interface, how can the engineer fulfill this request?

  • A. Specify the subinterface as a management interface in Setup > Device > Interfaces.
  • B. Add the network segment's IP range to the Permitted IP Addresses list.
  • C. Enable HTTPS in an Interface Management profile on the subinterface.
  • D. Configure a service route for HTTP to use the subinterface.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by confusion at Oct. 29, 2022, 5:29 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Frightened_Acrobat
9 months, 3 weeks ago
Selected Answer: C
Has to be C. Here's why: 1) API access over HTTPS is allowed by default on the management interface. 2) Configuring an Interface Management profile, with the HTTPS allowed, would mimik this access on the subinterface of the network segment. 3) Assigning an Interface Managment profile to a Layer 3 Ethernet interface does not preclude still using the built-in management interface as before. Thus fullfilling the requirement to not change existing access to the mangaement interface. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/about-the-pan-os-xml-api/structure-of-a-pan-os-xml-api-request/api-authentication-and-security#id12582d9a-f80e-42c3-a028-2fdbb5ff0bdd https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/use-interface-management-profiles-to-restrict-access
upvoted 4 times
...
evdw
1 year ago
Selected Answer: C
Correct answer is C
upvoted 3 times
...
awtsuritacuna
1 year ago
Option D Because: The statement says: "Without changing the existing access to the management interface" To which Palo Alto indicates the following: "The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks® services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route" https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes/service-routes-overview
upvoted 4 times
PaloGuy
1 year ago
I agree with you, the question says without changing the existing Management Interface Access A Service Route is the only alternative as per the link you put up
upvoted 1 times
evdw
1 year ago
By changing the service route, you change the existing Management interface Access
upvoted 2 times
...
...
...
confusion
1 year, 2 months ago
Selected Answer: C
C shall be enough
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel