[2024年10月] を試そう!リアルPCNSE問題集で100%無料PCNSE試験問題集
PCNSEのPDF問題集試験問題 有効なPCNSE問題集
質問 # 25
An administrator device-group commit push is tailing due to a new URL category How should the administrator correct this issue?
- A. change the new category action to alert" and push the configuration again
- B. verify that the URL seed Tile has been downloaded and activated on the firewall
- C. update the Firewall Apps and Threat version to match the version of Panorama
- D. ensure that the firewall can communicate with the URL cloud
正解:C
解説:
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNqw
質問 # 26
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such.
The admin has not yet installed the root certificate onto client systems.
What effect would this have on decryption functionality?
- A. Decryption will function and there will be no effect to end users
- B. Decryption will not function until the certificate is installed on client systems
- C. Decryption will function but users will see certificate warnings for each SSL site they visit
- D. Decryption will not function because self-signed root certificates are not supported
正解:C
解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0
質問 # 27
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.)
- A. HTTP
- B. https
- C. Permitted IP Addresses
- D. SSH
- E. User-ID
正解:B、C、D
解説:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access
質問 # 28
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?
- A. find
- B. sim
- C. test
- D. check
正解:C
質問 # 29
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
- A. not-applicable
- B. insufficient-data
- C. unknown-tcp
- D. incomplete
正解:A
解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClspCAC
質問 # 30
A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach
http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?
- A. Configure path monitoring for the next hop gateway on the default route in the virtual router
- B. Create and add a monitor profile with an action of wait recover in the PBF rule in question
- C. Create and add a monitor profile with an action of fail over in the PBF rule in question
- D. Enable and configure a link monitoring profile for the external interface of the firewall
正解:C
解説:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/network/network- network-profiles/network-network-profiles-monitor A monitor profile is used to monitor IPSec tunnels and to monitor a next-hop device for policy- based forwarding (PBF) rules. In both cases, the monitor profile is used to specify an action to take when a resource (IPSec tunnel or next-hop device) becomes unavailable.
wait-recover - Wait for the tunnel to recover; do not take additional action. Packets will continue to be sent according to the PBF rule.
fail-over - Traffic will fail over to a backup path, if one is available. The firewall uses routing table lookup to determine routing for the duration of this session.
質問 # 31
A network security administrator wants to enable Packet-Based Attack Protection in a Zone Protection profile. What are two valid ways to enable Packet-Based Attack Protection? (Choose two.)
- A. TCP Port Scan Block
- B. ICMP Drop
- C. TCP Drop
- D. SYN Random Early Drop
正解:B、C
質問 # 32
Refer to the exhibit.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) received HTTP traffic and host B(10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two)
- A. Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow
- B. Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow
- C. Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow
- D. Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow
正解:B、D
質問 # 33
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router.
Which two options enable the administrator to troubleshoot this issue? (Choose two.)
- A. Perform a traffic pcap at the routing stage.
- B. View System logs.
- C. Add a redistribution profile to forward as BGP updates.
- D. View Runtime Stats in the virtual router.
正解:C、D
質問 # 34
A network administrator wants to use a certificate for the SSL/TLS Service Profile.
Which type of certificate should the administrator use?
- A. machine certificate
- B. client certificate
- C. server certificate
- D. certificate authority (CA) certificate
正解:C
解説:
Explanation
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls-service
質問 # 35
Which Panorama mode should be used so that all logs are sent to, and only stored in. Cortex Data Lake?
- A. Panorama
- B. Log Collector
- C. Management Only
- D. Legacy
正解:C
解説:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama- overview/panorama-models
質問 # 36
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS software?
- A. DUO
- B. RADIUS
- C. Okta
- D. PingID
正解:B
解説:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/authentication-types/multi-factor-authentication
質問 # 37
An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.)
- A. Traffic Logs
- B. System Logs
- C. Configuration Logs
- D. Task Manager
正解:B、D
解説:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/config-logs
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/web-interface-basics/task-manager.html
質問 # 38
The UDP-4501 protocol-port is used between which two GlobalProtect components?
- A. GlobalProtect app and GlobalProtect gateway
- B. GlobalProtect app and GlobalProtect satellite
- C. GlobalProtect app and GlobalProtect portal
- D. GlobalProtect portal and GlobalProtect gateway
正解:A
解説:
UDP 4501 Used for IPSec tunnel connections between GlobalProtect apps and gateways. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-globalprotect.html
質問 # 39
A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?
- A. Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices
- B. Export Named Configuration Snapshot on each firewall followed by Import Named Configuration Snapshot in Panorama
- C. Use API calls to retrieve the configuration directly from the managed devices
- D. import Device Configuration to Panorama followed by Export or Push Device Config Bundle
正解:D
解説:
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS
質問 # 40
Refer to the exhibit.
An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all the existing monitoring/security platforms?
- A. Configure log compression and optimization features on all remote firewalls
- B. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services
- C. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW
- D. Any configuration on an M-500 would address the insufficient bandwidth concerns
正解:B
解説:
Explanation
Forwarding logs from firewalls only to Panorama and having Panorama forward logs to other external services is the best option for the administrator to reduce WAN traffic while maintaining support for all the existing monitoring/security platforms. This option minimizes the number of log forwarding destinations on each firewall and consolidates log forwarding on Panorama. Panorama can forward logs to external destinations such as syslog servers, email servers, SNMP trap receivers, HTTP servers, or AutoFocus1. Option B is incorrect because configuring log compression and optimization features on all remote firewalls may reduce the size of log files but does not reduce the number of log forwarding destinations. Option C is incorrect because any configuration on an M-500 would not address the insufficient bandwidth concerns. An M-500 is a dedicated log collector that can store logs from multiple firewalls and Panorama appliances. However, it does not reduce the WAN traffic generated by log forwarding . Option D is incorrect because forwarding logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW does not reduce WAN traffic while maintaining support for all the existing monitoring/security platforms. This option would increase the WAN traffic by sending logs back and forth between Panorama and the NGFW1.
質問 # 41
Which GlobalProtect gateway selling is required to enable split-tunneling by access route, destination domain, and application?
- A. Tunnel mode
- B. Satellite mode
- C. iPSec mode
- D. No Direct Access to local networks
正解:A
解説:
https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-tra
質問 # 42
An engineer is troubleshooting traffic routing through the virtual router. The firewall uses multiple routing protocols, and the engineer is trying to determine routing priority Match the default Administrative Distances for each routing protocol.
正解:
解説:
質問 # 43
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes
do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)
- A. View the Runtime Stats and look for problems with BGP configuration.
- B. View the System logs and look for the error messages about BGP.
- C. View the ACC tab to isolate routing issues.
- D. Perform a traffic pcap on the NGFW to see any BGP problems.
正解:A、C
質問 # 44
Refer to the exhibit.

Review the screenshots and consider the following information:
* FW-1 is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DG.
* There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.
Which IP address will be pushed to the firewalls inside Address Object Server-1?
- A. Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1.
- B. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2.
- C. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2.
- D. Server-1 on FW-1 will have IP 1.1.1.1. Server-1 will not be pushed to FW-2.
正解:B
質問 # 45
SAML SLO is supported for which two firewall features? (Choose two.)
- A. WebUI
- B. CLI
- C. CaptivePortal
- D. GlobalProtect Portal
正解:A、D
解説:
Explanation
SSO is available to administrators who access the web interface and to end users who access applications through GlobalProtect or Captive Portal. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/saml
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-server-profiles-saml-ide
質問 # 46
An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department.
Which dynamic role does the administrator assign to the new-hire colleague?
- A. System administrator (read-only)
- B. Firewall administrator (read-only)
- C. Device administrator (read-only)
- D. Superuser (read-only)
正解:C
解説:
Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types
質問 # 47
......
究極のPCNSE無料準備ガイド最新のPalo Alto Networks練習テスト問題集:https://jp.fast2test.com/PCNSE-premium-file.html
今すぐゲットせよ!高評価Palo Alto Networks PCNSE試験問題集:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng