Question 16 - Palo Alto Networks PCNSE (PAN OS 11) Real Exam Questions [Jan 2026 Update]

Q: 16

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 sub-interface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?

Options

Correct Answer:

Explanation

To enable management services, such as the XML API (which uses HTTPS), on a data-plane interface, an Interface Management profile must be used. This profile is created to permit specific services (e.g., HTTPS, Ping, SSH) and is then applied to the Layer 3 sub-interface. This allows the firewall's management plane to process requests sent to the sub-interface's IP address from the specified network segment. This approach correctly provides the required access without modifying the configuration of the dedicated management interface, fulfilling all constraints of the request.

Why Incorrect

A: A data-plane sub-interface cannot be designated as the primary management interface in the Device > Setup > Interfaces section; this area is for the dedicated MGT port.

B: The "Permitted IP Addresses" list restricts access to the dedicated management interface, which the scenario explicitly states cannot be accessed or modified.

D: Service routes define the egress interface for traffic originating from the firewall (e.g., log forwarding, updates), not for inbound management access to the firewall.

References

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: In the section "Use a Data Port for Management Access

" it states

"To use a data port for management access to the firewall

you must attach an interface management profile to the interface... An interface management profile controls which services are available on a firewall data port." This directly supports enabling HTTPS on the sub-interface via a profile. (Reference: Network > Network Profiles > Interface Mgmt)

2. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: The "Service Route Configuration" section explains

"A service route is a static route for traffic that originates from the firewall... By default

the firewall uses the management (MGT) interface to connect to these services." This confirms service routes are for outbound

not inbound

traffic

invalidating option D. (Reference: Device > Setup > Services > Service Route Configuration)

3. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: The "Management Interface Settings" section describes the "Permitted IP Addresses" feature as a way to restrict access to the management port. This confirms the feature applies only to the MGT port

making option B incorrect for a data-plane interface scenario. (Reference: Device > Setup > Management > Management Interface Settings)

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE