2024年最新の更新のPCNSE PAN-OSが有効なPCNSE問題集を無料提供しています
最新のFast2test PCNSEPDF問題集をダウンロードしちゃおう:https://jp.fast2test.com/PCNSE-premium-file.html(179問題と解答)
質問 # 25
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?
- A. Using the same user's corporate username and password.
- B. Matching any valid corporate username.
- C. First four letters of the username matching any valid corporate username.
- D. Mapping to the IP address of the logged-in user.
正解:D
解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content- inspection-features/credential-phishing-prevention
質問 # 26
On the NGFW. how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?
- A. 1 Select Device > Certificate Management > Certificates > Device > Certificates
2 Generate the certificate
3 Select Block Private Key Export
4 Click Genet ale to generate the new certificate. - B. 1 Select Device > Certificates
2 Select Certificate Profile
3 Generate the certificate
4 Select Block Private Key Export. - C. 1 Select Device > Certificates
2 Select Certificate Profile.
3 Generate the certificate
4 Select Block Private Key Export - D. 1.Select Device > Certificate Management > Certificates >Devace > Certificates
2. Import the certificate.
3 Select Import Private Key
4 Click Generate to generate the new certificate
正解:A
解説:
Explanation
1 -
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/block-export-of-private-
2 - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/block-private-key-export
質問 # 27
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.
Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?
- A. Virtual Wire
- B. Layer 2
- C. Tap
- D. Layer 3
正解:C
解説:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure- interfaces/tap-interfaces
質問 # 28
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD How can portaes based on group mapping be learned and enforced in Prisma Access?
- A. Assign a master device in Panorama through which Prisma Access learns groups
- B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access
- C. Configure Prisma Access to learn group mapping via SAML assertion
- D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers
正解:A
解説:
Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-series firewalls as a Master Device. If you don't configure a Master Device with a Prisma Access User-ID deployment, use long-form distributed name (DN) entries instead. https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access.html
質問 # 29
How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?
- A. by adding the devices Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device
- B. there is no native auto-quarantine feature so a custom script would need to be leveraged
- C. by using security policies, log forwarding profiles, and log settings
- D. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook
正解:C
解説:
https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/host- information/quarantine-devices-using-host-information/automatically-quarantine-a-device
質問 # 30
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?
- A. XML API
- B. Server Monitoring
- C. Port Mapping
- D. Client Probing
正解:A
解説:
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/user-id-concepts/ group-mapping#id93306080-fd9b-4f1b-96a6-4bfe1c8e69df
質問 # 31
A network security administrator wants to configure SSL inbound inspection.
Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)
- A. The client's security certificate with the private key
- B. A Decryption profile
- C. A Decryption policy
- D. The web server's security certificate with the private key
- E. An SSL/TLS Service profile
正解:B、C、D
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection
質問 # 32
An engineer must configure the Decryption Broker feature
Which Decryption Broker security chain supports bi-directional traffic flow?
- A. Transparent Bridge security chain
- B. Transparent Proxy security chain
- C. Layer 3 security chain
- D. Layer 2 security chain
正解:C
解説:
Explanation
Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.
質問 # 33
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
- A. SSL Decryption profile
- B. Authentication Portal
- C. SSL decryption policy
- D. comfort pages
正解:B
解説:
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best- practices/plan-ssl-decryption-best-practice-deployment
質問 # 34
Which method will dynamically register tags on the Palo Alto Networks NGFW?
- A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
- B. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
- C. Restful API or the VMware API on the firewall or on the User-ID agent
- D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent
正解:D
解説:
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/monitor-changes-in-the-virtual-environmen
質問 # 35
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
- A. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
- B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
- C. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
- D. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
正解:B
解説:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy
質問 # 36
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.
正解:
解説:
Reference:
https://www.paloaltonetworks.com/resources/videos/how-to-run-a-bpa
質問 # 37
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22
Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A)
B)
C)
D)
- A. Option A
- B. Option D
- C. Option B
- D. Option C
正解:D
質問 # 38
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices.
The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can help this organization?
- A. Test Policy Match
- B. Application Groups
- C. Policy Optimizer
- D. Config Audit
正解:C
解説:
This new feature identifies port-based rules so you can convert them to application-based rules that allow the traffic or add applications to existing rules without compromising application availability.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy- optimizer.html
質問 # 39
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.
正解:
解説:
質問 # 40
Which processing order will be enabled when a Panorama administrator selects the setting
"Objects defined in ancestors will take higher precedence?"
- A. Descendant objects will take precedence over ancestor objects.
- B. Ancestor objects will have precedence over other ancestor objects.
- C. Descendant objects will take precedence over other descendant objects.
- D. Ancestor objects will have precedence over descendant objects.
正解:D
解説:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/manage- device-groups/manage-precedence-of-inherited-objects
質問 # 41
Refer to the exhibit.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)
- A. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow
- B. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
- C. Untrust (Any) to DMZ (1.1.1.100), SSH -Allow
- D. Untrust (Any) to Untrust (10.1.1.1), SSH -Allow
- E. Untrust (Any) to DMZ (1.1.1.100), web-browsing -Allow
正解:C、E
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destinat
質問 # 42
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.
正解:
解説:
Explanation
IMAP , POP3 , SMTP - > Alert
HTTP,FTP,SMB -> Reset-both
質問 # 43
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?
- A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
- B. The firewalls do not use floating IPs in active/active HA.
- C. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
- D. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
正解:A
解説:
Explanation
Each HA firewall interface has its own IP address and floating IP. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as its default gateway, thus allowing you to load balance traffic to the two HA peers. You also can use external load balancers to load balance traffic.If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure that follows, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.
質問 # 44
......
実験された試験材料はPCNSE:https://jp.fast2test.com/PCNSE-premium-file.html
最新PCNSEリアル試験問題をフォローせよ!:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng