Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 100
An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the Internet.
Which configuration will enable the firewall to download and install application updates automatically?
Answer options
- A. Download and install application updates cannot be done automatically if the MGT port cannot reach the Internet.
- B. Configure a service route for Palo Alto Networks Services that uses a dataplane interface that can route traffic to the Internet, and create a Security policy rule to allow the traffic from that interface to the update servers if necessary.
- C. Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your Internet connection.
- D. Configure a Security policy rule to allow all traffic to and from the update servers.
Correct answer: B
Explanation
The correct answer is B: configuring a service route lets the firewall reach the update servers through a dataplane interface that has Internet access, while the management network remains isolated. Option A is incorrect because it states a limitation without providing a solution. Option C does not appropriately address the routing for update services. Option D lacks specificity and does not ensure the correct routing needed for updates.