Question 507 of 516
Core Concepts and Architecture · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to enable the 'Allow FQDN to be updated in DAG' option in the DNS Proxy object. This is required because the Palo Alto Networks firewall, while it will send DNS queries for the FQDN to the configured internal DNS server, will not automatically use the response to populate the Dynamic Address Group (DAG) unless that specific checkbox is enabled. Without it, the DAG remains empty, so the security policy rule referencing the DAG never matches the resolved IP address (10.20.30.40), causing the traffic to be dropped even though the DNS resolution itself succeeds. On the PCNSE exam, this scenario tests your understanding of how DNS Proxy interacts with DAG objects—a common trap is assuming that simply configuring a DNS Proxy is enough for FQDN-based DAG updates. Remember the mnemonic: "Proxy proxies, but DAG needs permission"—the DNS Proxy object must explicitly grant the DAG the right to use its responses.

PCNSE Core Concepts and Architecture Practice Question

This PCNSE practice question tests your understanding of core concepts and architecture. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company recently deployed a Palo Alto Networks PA-5250 firewall in a data center. The firewall is configured with multiple virtual routers and is connected to an MPLS WAN router and an internet router. The network team reports that users can access internet resources but cannot reach a critical application hosted in a remote branch office over the MPLS link. The application uses TCP port 443 and is accessed via a fully qualified domain name (FQDN). The security policy includes a rule that allows traffic from the internal zone to the MPLS zone with the application 'ssl' and the destination address set to the FQDN of the application server. The internal DNS server resolves the FQDN correctly to the private IP address 10.20.30.40. The firewall has DNS proxy enabled, but the DNS server is configured as the internal DNS server. The administrator runs a packet capture and sees that the firewall is sending DNS queries for the FQDN to the internal DNS server but the response is not being used to update the dynamic address group (DAG) that is referenced in the security policy. The DAG is configured with a 'FQDN' match criteria. What is the most likely cause?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Answer choices

  • A. Configure a security policy rule to allow DNS traffic from the firewall to the internal DNS server
  • B. Change the security policy to use the IP address instead of the FQDN
  • C. Enable the 'Allow FQDN to be updated in DAG' option in the DNS Proxy object
  • D. Configure a static route for the FQDN's IP address pointing to the MPLS interface

Why each option matters

Answer the question above first, then read the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Enable the 'Allow FQDN to be updated in DAG' option in the DNS Proxy object

Option C is correct because the DNS Proxy object must have the 'Allow FQDN to be updated in DAG' option enabled for the firewall to use DNS responses to update the Dynamic Address Group (DAG) that matches on FQDN. Without this setting, the firewall sends DNS queries but ignores the responses for DAG updates, so the security policy rule referencing the DAG never matches the destination IP address (10.20.30.40), causing traffic to be dropped.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure a security policy rule to allow DNS traffic from the firewall to the internal DNS server

    Why it's wrong here

    DNS traffic is already allowed if the firewall can send queries and receive responses.

  • Change the security policy to use the IP address instead of the FQDN

    Why it's wrong here

    The FQDN is resolved, but the DAG is not updating; using IP is a workaround but not the root cause.

  • Enable the 'Allow FQDN to be updated in DAG' option in the DNS Proxy object

    Why this is correct

    This option must be enabled for the firewall to update DAGs based on DNS responses.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Configure a static route for the FQDN's IP address pointing to the MPLS interface

    Why it's wrong here

    Routing is separate from DAG update; the firewall already has connectivity.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates assume DNS Proxy automatically updates DAGs when FQDN match criteria are used, but Palo Alto requires an explicit checkbox to enable this behavior, and many overlook it because they focus on the DNS query/response flow rather than the DAG update configuration.

Detailed technical explanation

How to think about this question

The DNS Proxy feature on Palo Alto firewalls can be configured to update DAGs with resolved IP addresses from DNS responses, but this requires explicitly enabling the 'Allow FQDN to be updated in DAG' checkbox in the DNS Proxy object. Without it, the firewall performs DNS resolution for other purposes (e.g., URL filtering) but does not inject the resolved IPs into DAGs. This is a common misconfiguration because the DNS Proxy is often set up for caching or forwarding without realizing that DAG updates are a separate toggle.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this PCNSE question test?

This question tests Core Concepts and Architecture. Key principle: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Enable the 'Allow FQDN to be updated in DAG' option in the DNS Proxy object — Option C is correct because the DNS Proxy object must have the 'Allow FQDN to be updated in DAG' option enabled for the firewall to use DNS responses to update the Dynamic Address Group (DAG) that matches on FQDN. Without this setting, the firewall sends DNS queries but ignores the responses for DAG updates, so the security policy rule referencing the DAG never matches the destination IP address (10.20.30.40), causing traffic to be dropped.

What should I do if I get this PCNSE question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026
