2024年最新の更新のPCNSE PAN-OSが有効なPCNSE問題集を無料提供しています [Q25-Q44]

Share

2024年最新の更新のPCNSE PAN-OSが有効なPCNSE問題集を無料提供しています

最新のFast2test PCNSEPDF問題集をダウンロードしちゃおう:https://jp.fast2test.com/PCNSE-premium-file.html(179問題と解答)

質問 # 25
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?

  • A. Using the same user's corporate username and password.
  • B. Matching any valid corporate username.
  • C. First four letters of the username matching any valid corporate username.
  • D. Mapping to the IP address of the logged-in user.

正解:D

解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content- inspection-features/credential-phishing-prevention


質問 # 26
On the NGFW. how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?

  • A. 1 Select Device > Certificate Management > Certificates > Device > Certificates
    2 Generate the certificate
    3 Select Block Private Key Export
    4 Click Genet ale to generate the new certificate.
  • B. 1 Select Device > Certificates
    2 Select Certificate Profile
    3 Generate the certificate
    4 Select Block Private Key Export.
  • C. 1 Select Device > Certificates
    2 Select Certificate Profile.
    3 Generate the certificate
    4 Select Block Private Key Export
  • D. 1.Select Device > Certificate Management > Certificates >Devace > Certificates
    2. Import the certificate.
    3 Select Import Private Key
    4 Click Generate to generate the new certificate

正解:A

解説:
Explanation
1 -
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/block-export-of-private-
2 - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/block-private-key-export


質問 # 27
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.
Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?

  • A. Virtual Wire
  • B. Layer 2
  • C. Tap
  • D. Layer 3

正解:C

解説:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/configure- interfaces/tap-interfaces


質問 # 28
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD How can portaes based on group mapping be learned and enforced in Prisma Access?

  • A. Assign a master device in Panorama through which Prisma Access learns groups
  • B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access
  • C. Configure Prisma Access to learn group mapping via SAML assertion
  • D. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers

正解:A

解説:
Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-series firewalls as a Master Device. If you don't configure a Master Device with a Prisma Access User-ID deployment, use long-form distributed name (DN) entries instead. https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access.html


質問 # 29
How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect?

  • A. by adding the devices Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device
  • B. there is no native auto-quarantine feature so a custom script would need to be leveraged
  • C. by using security policies, log forwarding profiles, and log settings
  • D. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook

正解:C

解説:

https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/host- information/quarantine-devices-using-host-information/automatically-quarantine-a-device


質問 # 30
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

  • A. XML API
  • B. Server Monitoring
  • C. Port Mapping
  • D. Client Probing

正解:A

解説:
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/user-id-concepts/ group-mapping#id93306080-fd9b-4f1b-96a6-4bfe1c8e69df


質問 # 31
A network security administrator wants to configure SSL inbound inspection.
Which three components are necessary for inspecting the HTTPS traffic as it enters the firewall? (Choose three.)

  • A. The client's security certificate with the private key
  • B. A Decryption profile
  • C. A Decryption policy
  • D. The web server's security certificate with the private key
  • E. An SSL/TLS Service profile

正解:B、C、D

解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-inbound-inspection


質問 # 32
An engineer must configure the Decryption Broker feature
Which Decryption Broker security chain supports bi-directional traffic flow?

  • A. Transparent Bridge security chain
  • B. Transparent Proxy security chain
  • C. Layer 3 security chain
  • D. Layer 2 security chain

正解:C

解説:
Explanation
Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.


質問 # 33
An organization wants to begin decrypting guest and BYOD traffic.
Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?

  • A. SSL Decryption profile
  • B. Authentication Portal
  • C. SSL decryption policy
  • D. comfort pages

正解:B

解説:
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best- practices/plan-ssl-decryption-best-practice-deployment


質問 # 34
Which method will dynamically register tags on the Palo Alto Networks NGFW?

  • A. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
  • B. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
  • C. Restful API or the VMware API on the firewall or on the User-ID agent
  • D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

正解:D

解説:
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/monitor-changes-in-the-virtual-environmen


質問 # 35
During the implementation of SSL Forward Proxy decryption, an administrator imports the company's Enterprise Root CA and Intermediate CA certificates onto the firewall. The company's Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company's Intermediate CA.
Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?

  • A. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust
  • B. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
  • C. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
  • D. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.

正解:B

解説:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy


質問 # 36
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

正解:

解説:

Reference:
https://www.paloaltonetworks.com/resources/videos/how-to-run-a-bpa


質問 # 37
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A)

B)

C)

D)

  • A. Option A
  • B. Option D
  • C. Option B
  • D. Option C

正解:D


質問 # 38
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices.
The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed.
Which Panorama tool can help this organization?

  • A. Test Policy Match
  • B. Application Groups
  • C. Policy Optimizer
  • D. Config Audit

正解:C

解説:
This new feature identifies port-based rules so you can convert them to application-based rules that allow the traffic or add applications to existing rules without compromising application availability.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy- optimizer.html


質問 # 39
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration Place the steps in order.

正解:

解説:


質問 # 40
Which processing order will be enabled when a Panorama administrator selects the setting
"Objects defined in ancestors will take higher precedence?"

  • A. Descendant objects will take precedence over ancestor objects.
  • B. Ancestor objects will have precedence over other ancestor objects.
  • C. Descendant objects will take precedence over other descendant objects.
  • D. Ancestor objects will have precedence over descendant objects.

正解:D

解説:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/manage- device-groups/manage-precedence-of-inherited-objects


質問 # 41
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow
  • B. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
  • C. Untrust (Any) to DMZ (1.1.1.100), SSH -Allow
  • D. Untrust (Any) to Untrust (10.1.1.1), SSH -Allow
  • E. Untrust (Any) to DMZ (1.1.1.100), web-browsing -Allow

正解:C、E

解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destinat


質問 # 42
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.

正解:

解説:

Explanation
IMAP , POP3 , SMTP - > Alert
HTTP,FTP,SMB -> Reset-both


質問 # 43
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

  • A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
  • B. The firewalls do not use floating IPs in active/active HA.
  • C. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
  • D. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.

正解:A

解説:
Explanation
Each HA firewall interface has its own IP address and floating IP. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as its default gateway, thus allowing you to load balance traffic to the two HA peers. You also can use external load balancers to load balance traffic.If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure that follows, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.


質問 # 44
......

実験された試験材料はPCNSE:https://jp.fast2test.com/PCNSE-premium-file.html

最新PCNSEリアル試験問題をフォローせよ!:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어