究極のガイド準備で無料Palo Alto Networks PCNSE試験問題と解答 [Q138-Q159]

Share

究極のガイド準備で無料Palo Alto Networks PCNSE試験問題と解答

合格させるPalo Alto Networks PCNSEテストエンジンPDFで完全版無料問題集


Palo Alto Networks PCNSE認定試験は、Palo Alto Networksテクノロジーの専門知識を証明したいセキュリティプロフェッショナルにとって、価値のある資格です。認定試験は、複雑なネットワーク環境においてPalo Alto Networks次世代ファイアウォールとPanorama管理サーバーを実装および管理するために必要なスキルと知識を検証します。認定試験は、候補者のサイバーセキュリティの様々な領域における知識とスキルを厳密に評価し、ネットワークセキュリティにおける2年以上の経験が必要です。

 

質問 # 138
Four configuration choices are listed, and each could be used to block access to a specific URL II you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL1?

  • A. Custom URL category in Security policy rule
  • B. EDL in URL Filtering profile
  • C. Custom URL category in URL Filtering profile
  • D. PAN-DB URL category in URL Filtering profile

正解:D


質問 # 139
A distributed log collection deployment has dedicated Log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.
What should be done first?

  • A. Remove the cable from the management interface. reload the Log Collector and then re-connect that cable
  • B. Revert to a previous configuration
  • C. Remove the device from the Collector Group
  • D. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments

正解:C

解説:
In a distributed log collection deployment, where you have dedicated Log Collectors, if you need a device to send logs to Panorama instead of sending logs to the Collector Group, you must remove the device from the Collector group.
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/manage- log-collection/remove-a-firewall-from-a-collector-group#_24966


質問 # 140
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge.
What is the expected verdict from WildFire?

  • A. Spyware
  • B. Malware
  • C. Grayware
  • D. Phishing

正解:C

解説:
Wildfire verdictions are as follow 1-Begnin 2-Greyware 3-Mallicious 4-Phishing
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-overview/wildfire-concepts/verdicts
The sample does not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware typically includes adware, spyware, and Browser Helper Objects (BHOs)


質問 # 141
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

  • A. In the details of the Traffic log entries
  • B. Data Filtering log
  • C. Decryption log
  • D. In the details of the Threat log entries

正解:A

解説:
Reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC The Question is simply asking how to verify if traffic was being decrypted. There are (2) ways to see this in the traffic logs:
1. To confirm that the traffic is decrypted inside the WebGUI > Monitor > Logs > Traffic. Click the magnifying glass icon in the traffic log entries to confirm that the connections were decrypted.
2. Another way to validate the decrypted session is by enabling the column "Decrypted" as below Traffic logs . This can be done by clicking on the arrow down next to any column title and selecting the Columns > Decrypted. This shows decrypted status in regular traffic log view.


質問 # 142
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing.
What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?

  • A. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
  • B. Create an Application Override using TCP ports 443 and 80.
  • C. Add the HTTP. SSL. and Evernote applications to the same Security policy.
  • D. Add only the Evernote application to the Security policy rule.

正解:D

解説:
https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330 To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic12. Reference: App-ID Overview, Create a Security Policy Rule


質問 # 143
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

  • A. App-ID
  • B. certificate revocation
  • C. port inspection
  • D. Content-ID

正解:A

解説:
The Palo Alto Networks firewall provides this capability by integrating the features App-ID and User-ID with the QoS configuration.


質問 # 144
An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2.
Which three platforms support PAN-OS 10 2? (Choose three.)

  • A. PA-800 Series
  • B. PA-220
  • C. PA-500
  • D. PA-5000 Series
  • E. PA-3400 Series

正解:A、B、E

解説:
Explanation
According to the Palo Alto Networks Compatibility Matrix1, the three platforms that support PAN-OS 10.2 are:
* PA-800 Series2
* PA-2202
* PA-3400 Series2
The PA-5000 Series and PA-500 do not support PAN-OS 10.2
To upgrade devices to PAN-OS 10.2 using Panorama, you need to determine the upgrade path3, upgrade Panorama itself4, and then upgrade the firewalls using Panorama


質問 # 145
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS version, and serial number?

  • A. debug system details
  • B. show system info
  • C. show system details
  • D. show session info

正解:B


質問 # 146
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone.
What must the administrator configure so that the PAN-OS software can be upgraded?

  • A. Service route
  • B. Security policy rule
  • C. CRL
  • D. Scheduler

正解:A

解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clp3CAC


質問 # 147
In a firewall, which three decryption methods are valid? (Choose three )

  • A. SSL Outbound Proxyless Inspection
  • B. SSL Inbound Proxy
  • C. Decryption Mirror
  • D. SSH Proxy
  • E. SSL Inbound Inspection

正解:C、D、E

解説:
Explanation
You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.
Ref:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-overview.html#idd71f8b4d-c


質問 # 148
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only
information available is shown on the following image.
Which configuration change should the administrator make?
A:

B:

C:

D:

E:

  • A. Option E
  • B. Option B
  • C. Option D
  • D. Option C
  • E. Option A

正解:B


質問 # 149
A file sharing application is being permitted and no one knows what this application is used for.
How should this application be blocked?

  • A. Block all unauthorized applications using a security policy
  • B. Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks
  • C. Create a File blocking profile that blocks Layer 4 and Layer 7 attacks
  • D. Block all known internal custom applications

正解:C


質問 # 150
Which three options are supported in HA Lite? (Choose three.)

  • A. Synchronization of IPsec security associations
  • B. Configuration synchronization
  • C. Session synchronization
  • D. Virtual link
  • E. Active/passive deployment

正解:A、B、E


質問 # 151
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

  • A. Check for WildFire forwarding logs.
  • B. Verify AutoFocus status using CLI "test" command.
  • C. Verify AutoFocus is enabled below Device Management tab.
  • D. Check the WebUI Dashboard AutoFocus widget.
  • E. Check the license

正解:C、E

解説:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/enable- autofocus-threat-intelligence


質問 # 152
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings if configured incorrectly most likely would stop only Traffic logs from being sent from the NGFW to Panorama?
A)

B)

C)

D)

  • A. Option B
  • B. Option D
  • C. Option C
  • D. Option A

正解:A


質問 # 153
A firewall administrator wants to have visibility on one segment of the company network. The traffic on the segment is routed on the Backbone switch. The administrator is planning to apply Security rules on segment X after getting the visibility.
There is already a PAN-OS firewall used in L3 mode as an internet gateway, and there are enough system resources to get extra traffic on the firewall. The administrator needs to complete this operation with minimum service interruptions and without making any IP changes.
What is the best option for the administrator to take?

  • A. Configure the TAP interface for segment X on the firewall.
  • B. Configure a Layer 3 interface for segment X on the firewall.
  • C. Configure a new vsys for segment X on the firewall.
  • D. Configure vwire interfaces for segment X on the firewall.

正解:A

解説:
Explanation
A TAP interface is a dedicated interface on the firewall that can be connected to a switch SPAN or mirror port to passively monitor traffic flows across a network. A TAP interface provides application visibility and threat detection without being in the flow of network traffic. A TAP interface does not require any IP changes or service interruptions on the network segment . Option B is incorrect because vwire interfaces are used to create virtual wires that transparently connect two network segments. Vwire interfaces require physical cabling changes and may cause service interruptions on the network segment . Option C is incorrect because a Layer 3 interface is used to route traffic between different subnets. A Layer 3 interface requires IP changes and may cause service interruptions on the network segment . Option D is incorrect because a new vsys is used to create a virtual system that can have its own set of policies and objects. A new vsys does not provide visibility or security for a specific network segment


質問 # 154
Which field is optional when creating a new Security Policy rule?

  • A. Source Zone
  • B. Description
  • C. Destination Zone
  • D. Name
  • E. Action

正解:B


質問 # 155
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors.
How would the administrator establish the chain of trust?

  • A. Enable LDAP or RADIUS integration
  • B. Configure strong password authentication
  • C. Set up multi-factor authentication
  • D. Use custom certificates

正解:D

解説:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/panorama- overview/plan-your-panorama-deployment


質問 # 156
An engineer is monitoring an active/active high availability (HA) firewall pair.
Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?

  • A. Initial
  • B. Passive
  • C. Active-secondary
  • D. Tentative

正解:D

解説:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-firewall-states
State of a firewall (in an active/active configuration) caused by one of the following:
Failure of a firewall.
Failure of a monitored object (a link or path).
The firewall leaves suspended or non-functional state.


質問 # 157
An administrator connected a new fiber cable and transceiver to interface Ethernetl/l on a Palo Alto Networks firewall. However, the link does not seem to be coming up.
If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?

  • A. show system state filter sw.dev.interface.config
  • B. show system state filter ethernet1/1
  • C. show system state filter-pretty sys.s1.*
  • D. show chassis status slot s1

正解:B

解説:
Explanation
According to the Palo Alto Networks documentation , the command show system state filter displays the current state of the system and allows you to filter the output by a specific keyword. The keyword ethernet1/1 matches the interface name that the administrator wants to troubleshoot. The output of this command will show information about the transceiver type, tx-power, rx-power, vendor name, and part number for that interface2. Therefore, the correct answer is D. References:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/find-a-command 2:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFmCAK


質問 # 158
A network security administrator has been tasked with deploying User-ID in their organization.
What are three valid methods of collecting User-ID information in a network? (Choose three.)

  • A. External dynamic list
  • B. XMLAPI
  • C. Windows User-ID agent
  • D. Dynamic user groups
  • E. GlobalProtect

正解:B、C、E

解説:
Explanation
User-ID is a feature that enables the firewall to identify users and groups based on their IP addresses, usernames, or other attributes.
There are three valid methods of collecting User-ID information in a network:
* Windows User-ID agent: This is a software agent that runs on a Windows server and collects user mapping information from Active Directory, Exchange servers, or other sources.
* GlobalProtect: This is a VPN solution that provides secure remote access for users and devices. It also collects user mapping information from endpoints that connect to the firewall using GlobalProtect.
* XMLAPI: This is an application programming interface that allows third-party applications or scripts to send user mapping information to the firewall using XML format.


質問 # 159
......


Palo Alto Networks PCNSE(Palo Alto Networks Certified Security Engineer)試験は、Palo Alto Networksテクノロジーを使用するセキュリティエンジニアのスキルを検証する認定プログラムです。この試験は、ネットワークセキュリティの概念を熟知し、Palo Alto Networksプラットフォームでの実務経験があるプロフェッショナルを対象としています。認定プログラムは、業界の最新技術とベストプラクティスを使用したセキュリティエンジニアの知識とスキルをテストするように設計されています。

 

Palo Alto Networks Certified Network Security Engineer Exam練習テスト2024年最新のPCNSEをストレスなしで合格!:https://drive.google.com/open?id=1X7KOddJ7nlcHU63djI6q_7ogXbwCTbRg

オンライン試験練習テストと詳細な解説付き!:https://jp.fast2test.com/PCNSE-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어