最新の2023年04月25日 PCNSE問題集は学習ガイドは試験合格するための秘訣
PCNSE問題集の無料PDFをゲットせよ!最近更新された問題
質問 37
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.
The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.
Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?
- A. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy.
- B. Create a decryption rule matching the encrypted BitTorrent traffic with action "No-Decrypt," and place the rule at the top of the Decryption policy.
- C. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.
- D. Disable the exclude cache option for the firewall.
正解: C
解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK Block sessions that use cipher suites you don't support. You configure which cipher suites (encryption algorithms) to allow on the SSL Protocol Settings tab. Don't allow users to connect to sites with weak cipher suites.
質問 38
Refer to exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring platforms?
- A. Any configuration on an M-500 would address the insufficient bandwidth concerns.
- B. Configure log compression and optimization features on all remote firewalls.
- C. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
- D. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
正解: B
質問 39
In a virtual router, which object contains all potential routes?
- A. RIB
- B. SIP
- C. MIB
- D. FIB
正解: A
解説:
Reference: https://www.google.com/url?
sa=t&rct=j&q=&esrc=s&source=web&cd=10&ved=0ahUKEwiOkbfYzPzXAhVnEJoKHcwVCg4QFghiMAk&
2Flive.paloaltonetworks.com%2Ftwzvq79624%2Fattachments%2Ftwzvq79624%2Fdocumentation_tkb%2F487%
2520Redistribution%2520and%2520Filtering%2520TechNote%2520-%2520Rev%
2520B.pdf&usg=AOvVaw0H9qgaJK0oI2xjIJBNo1Km
質問 40
During the packet flow process, which two processes are performed in application identification? (Choose two.)
- A. Application override policy match
- B. Pattern based application identification
- C. Application changed from content inspection
- D. Session application identified.
正解: A,D
質問 41
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall
Which part of files needs to be imported back into the replacement firewall that is using Panorama?
- A. Device state and license files
- B. Configuration and statistics files
- C. Configuration and serial number files
- D. Configuration and Large Scale VPN (LSVPN) setups file
正解: A
質問 42
Refer to the exhibit.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) received HTTP traffic and host B(10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two)
- A. Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow
- B. Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow
- C. Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow
- D. Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow
正解: B,D
質問 43
When is the content inspection performed in the packet flow process?
- A. before the packet forwarding process
- B. before session lookup
- C. after the SSL Proxy re-encrypts the packet
- D. after the application has been identified
正解: D
解説:
Explanation/Reference:
Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081
質問 44
Match each type of DoS attack to an example of that type of attack
正解:
解説:
Explanation
Plan to defend your network against different types of DoS attacks:
* Application-Based Attacks
-Target weaknesses in a particular application and try to exhaust its resources so legitimate users can't use it.
An example of this is the Slowloris attack.
* Protocol-Based Attacks
-Also known as state-exhaustion attacks, these attacks target protocol weaknesses. A common example is a SYN flood attack.
* Volumetric Attacks
-High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing those resources. An example of this is a UDP flood attack.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense.ht
質問 45
A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server.
Which solution in PAN-OS® software would help in this case?
- A. content inspection
- B. Virtual Wire mode
- C. redistribution of user mappings
- D. application override
正解: C
解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/deploy-user-id-in- a-large-scale-network
質問 46
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B?
- A. Enable on Site-A only
- B. Enable on Site-A and Site-B
- C. Enable on Site-B only with Passive Mode
- D. Enable on Site-B only
正解: B
解説:
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/vpns/site-to-site-vpn- concepts
質問 47
An administrator device-group commit push is tailing due to a new URL category How should the administrator correct this issue?
- A. verify that the URL seed Tile has been downloaded and activated on the firewall
- B. update the Firewall Apps and Threat version to match the version of Panorama
- C. ensure that the firewall can communicate with the URL cloud
- D. change the new category action to alert" and push the configuration again
正解: B
質問 48
Refer to the exhibit.
A web server in the DMZ is being mapped to a public address through DNAT.
Which Security policy rule will allow traffic to flow to the web server?
- A. Untrust (any) to Untrust (10. 1.1. 100), web browsing - Allow
- B. Untrust (any) to DMZ (10. 1. 1. 100), web browsing - Allow
- C. Untrust (any) to DMZ (1. 1. 1. 100), web browsing - Allow
- D. Untrust (any) to Untrust (1. 1. 1. 100), web browsing - Allow
正解: C
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destinat
質問 49
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general?
- A. Deny application facebook on top
- B. Deny application facebook-chat before allowing application facebook
- C. Allow application facebook on top
- D. Allow application facebook before denying application facebook-chat
正解: B
解説:
Explanation/Reference:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/Failed-to-Block-Facebook-Chat- Consistently/ta-p/115673
質問 50
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
- A. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
- B. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
- C. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.
- D. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
正解: A
解説:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/upgrade-to-pan-os-
81/upgradedowngrade-considerations
質問 51
A company is using wireless controllers to authenticate users. Which source should be used for User-ID mappings?
- A. server monitoring
- B. Syslog
- C. XFF headers
- D. client probing
正解: B
質問 52
An engineer needs to redistribute User-ID mappings from multiple data centers. Which data flow best describes redistribution of user mappings?
- A. User-ID agent to firewall
- B. Domain Controller to User-ID agent
- C. firewall to firewall
- D. User-ID agent to Panorama
正解: C
質問 53
What is exchanged through the HA2 link?
- A. HA state information
- B. hello heartbeats
- C. User-ID information
- D. session synchronization
正解: D
解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha-links- and-backup-links
質問 54
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)
- A. PAP
- B. Kerberos
- C. TACACS+
- D. SAML
- E. LDAP
- F. RADIUS
正解: C,D,F
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/manage-firewall-administrat
質問 55
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22 Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A:
B:
C:
D:
- A. Option D
- B. Option A
- C. Option C
- D. Option B
正解: C
質問 56
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode.
Which statement is true about this deployment?
- A. The management port may be used for a backup control connection
- B. The two devices may be different models within the PA-5000 series
- C. The HA1 IP address from each peer must be on a different subnet
- D. The two devices must share a routable floating IP address
正解: A
質問 57
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
- A. Create a no-decrypt Decryption Policy rule.
- B. Configure an EDL to pull IP addresses of known sites resolved from a CRL.
- C. Create a Dynamic Address Group for untrusted sites
- D. Enable the "Block sessions with untrusted issuers" setting.
- E. Create a Security Policy rule with vulnerability Security Profile attached.
正解: A,E
質問 58
An administrator has a PA-820 firewall with an active Threat Prevention subscription.
The administrator is considering adding a WildFire subscription.
How does adding the WildFire subscription improve the security posture of the organization1?
- A. Protection against unknown malware can be provided in near real-time
- B. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall
- C. WildFire and Threat Prevention combine to minimize the attack surface
- D. After 24 hours WildFire signatures are included in the antivirus update
正解: A
質問 59
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs.
The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
- A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
- B. The firewalls do not use floating IPs in active/active HA.
- C. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
- D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
正解: A
解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/floating-ip- address-and-virtual-mac-address
質問 60
Which three authentication services can an administrator use to authenticate admins into the Palo Alto
Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
- A. Kerberos
- B. PAP
- C. SAML
- D. LDAP
- E. TACACS+
- F. RADIUS
正解: A,C,D
質問 61
What are three reasons why an installed session can be identified with the application incomplete" tag? (Choose three.)
- A. The TCP connection was terminated without identifying any application data
- B. The TCP connection did not fully establish
- C. There was no application data after the TCP connection was established
- D. The client sent a TCP segment with the PUSH flag set
- E. There is not enough application data after the TCP connection was established
正解: A,B,C
解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
質問 62
......
最新PCNSE試験問題集には高得点で一発合格:https://jp.fast2test.com/PCNSE-premium-file.html
PCNSE認定試験問題集には211練習テスト問題はこちら:https://drive.google.com/open?id=1DVR7lqSGXcdt_L18J3tUJIzCjCRI9pq1