2025年01月 Palo Alto Networks PCNSE実際にある問題と100%カバー率リアル試験問題
PCNSE無料試験問題と解答PDF最新問題2025年01月
質問 # 66
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server?
- A. TLS Bidirectional Inspection
- B. SSL Inbound Inspection
- C. SSH Forward Proxy
- D. SMTP Inbound Decryption
正解:B
解説:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssl-inbound-inspectio
質問 # 67
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?
- A. Using the same user's corporate username and password.
- B. First four letters of the username matching any valid corporate username.
- C. Marching any valid corporate username.
- D. Mapping to the IP address of the logged-in user.
正解:A
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/content-inspection-features/credential- ention Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content-inspection-features/crede phishing-prevention
質問 # 68
An engineer is reviewing the following high availability (HA) settings to understand a recent HAfailover event.
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
- A. Monitor Fail Hold Up Time
- B. Hello Interval
- C. Promotion Hold Time
- D. Heartbeat Interval
正解:B
解説:
Explanation
The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is
8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices How to Configure Ping Interval/Timeout Settings ... - Palo Alto Networks
質問 # 69
On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys?
- A. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
- B. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate
3. Select Block Private Key Export 4. Click Generate to generate the new certificate - C. 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate 3.
Select Import Private key 4. Click Generate to generate the new certificate - D. 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export
正解:B
解説:
To generate and block a private key from export:
Select Device
Certificate Management
Certificates
Device
Certificates
Generate the certificate.
Select Block Private Key Export
to generate the new certificate.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/decryption-features/block- export-of-private-keys.html
質問 # 70
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?
- A. Select download-and-install.
- B. Select download-and-install, with "Disable new apps in content update" selected.
- C. Select disable application updates and select "Install only Threat updates"
- D. Select download-only.
正解:D
質問 # 71
When configuring the firewall for packet capture, what are the valid stage types?
- A. receive, management, transmit, and non-syn
- B. receive, firewall, send, and non-syn
- C. receive, firewall, transmit, and drop
- D. receive, management, transmit, and drop
正解:C
解説:
質問 # 72
How does Panorama handle incoming logs when it reaches the maximum storage capacity?
- A. Panorama stops accepting logs until a reboot to clean storage space.
- B. Panorama stops accepting logs until licenses for additional storage space are applied
- C. Panorama automatically deletes older logs to create space for new ones.
- D. Panorama discards incoming logs when storage capacity full.
正解:C
解説:
Explanation
(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-panorama/determ
質問 # 73
A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.
- Users outside the company are in the "Untrust-L3" zone
- The web server physically resides in the "Trust-L3" zone.
- Web server public IP address: 23.54.6.10
- Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)
- A. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
- B. Untrust-L3 for both Source and Destination zone
- C. Destination IP of 192.168.1.10
- D. Destination IP of 23.54.6.10
正解:B、D
解説:
Before configuring the NAT rules, consider the sequence of events for this scenario.
Host 192.0.2.250 sends an ARP request for the address 192.0.2.100 (the public address of the destination server).
The firewall receives the ARP request packet for destination 192.0.2.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 192.0.2.100 to 10.1.1.100.
After determining the translated address, the firewall performs a route lookup for destination
10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust- L3 to DMZ.
The direction of the policy matches the ingress zone and the zone where the server is physically located.
The security policy refers to the IP address in the original packet, which has a destination address of 192.0.2.100.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-configuration- examples/ destination-nat-exampleone-to-one-mapping.html#ide8f6a4b3-f875-4855-acb5-
5fd9ad918d04
質問 # 74
After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the application showing as unknown-tcp.
Which possible firewall change could have caused this issue?
- A. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the number of available packet buffers.
- B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup > Content-ID > Content-ID Settings
- C. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of- order and application identification.
- D. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings
正解:D
解説:
Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/device/device-setup- content-id
質問 # 75
What is the purpose of the firewall decryption broker?
- A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
- B. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
- C. inspect traffic within IPsec tunnels
- D. force decryption of previously unknown cipher suites
正解:A
解説:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/decryption- features/decryption-broker
質問 # 76
Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
- A. Log Ingestion
- B. LDAP
- C. Log Forwarding
- D. HTTP
正解:C、D
質問 # 77
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version?
- A. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically.
- B. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state.
- C. Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks.
- D. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.
正解:C
解説:
Explanation
You are unable to downgrade from PAN-OS 8.1 to an earlier PAN-OS release if variables are used in your template or template stack configuration. Variables must be removed from the template and template stack configuration to downgrade.
質問 # 78
Which benefit do policy rule UUIDs provide?
- A. cloning of policies between device-groups
- B. the use of user IP mapping and groups in policies
- C. an audit trail across a policy's lifespan
- D. functionality for scheduling policy actions
正解:C
解説:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/enumeration-of-rules-within- a-rulebase To keep track of rules within a rulebase, you can refer to the rule number, which changes depending on the order of a rule in the rulebase. The rule number determines the order in which the firewall applies the rule.
The universally unique identifier (UUID) for a rule never changes even if you modify the rule, such as when you change the rule name. The UUID allows you to track the rule across rule bases even after you deleted the rule.
質問 # 79
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
- A. OSPFv3 virtual link
- B. BGP
- C. RIP
- D. IGRP
- E. OSPF
正解:B、C、E
解説:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols
質問 # 80
Which data flow describes redistribution of user mappings?
- A. User-ID agent to firewall
- B. User-ID agent to Panorama
- C. Domain Controller to User-ID agent
- D. firewall to firewall
正解:A
解説:
Explanation
質問 # 81
What is the function of a service route?
- A. Service routes provide access to external services such as DNS servers external authentication servers or Palo Alto Networks services like the Customer Support Portal
- B. The service route is the method required to use the firewall's management plane to provide services to applications
- C. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address
- D. The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address
正解:A
解説:
Explanation
A service route is the path from an interface on the firewall to a service on a server. Service routes provide access to external services such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal1. By default, the firewall uses the management (MGT) interface to access these services, but you can configure a data port (a regular interface) as an alternative2. A service route is not related to the firewall's management plane or the port assigned for the external service. A service route does not affect how the server sends its response to the firewall. References: 1:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/service-routes-overview
2
:https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/service-routes/configure-service-route
質問 # 82
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A:
B:
C:
D:
E:
- A. Option E
- B. Option A
- C. Option B
- D. Option C
- E. Option D
正解:C
質問 # 83
A network security administrator has an environment with multiple forms of authentication. There is a network access control system in place that authenticates and restricts access for wireless users, multiple Windows domain controllers, and an MDM solution for company-provided smartphones. All of these devices have their authentication events logged.
Given the information, what is the best choice for deploying User-ID to ensure maximum coverage?
- A. captive portal
- B. Syslog listener
- C. agentless User-ID with redistribution
- D. standalone User-ID agent
正解:D
解説:
Explanation
A syslog listener is a User-ID agent that listens for syslog messages from network devices that contain user mapping information, such as network access control systems, domain controllers, or MDM solutions. By configuring a syslog listener on the firewall or Panorama and specifying the syslog format and filters, User-ID can parse the syslog messages and extract user mapping information from multiple sources. Agentless User-ID with redistribution is a method of using an existing firewall as a User-ID agent that redistributes user mappings to other firewalls or Panorama. This method does not involve syslog messages. A standalone User-ID agent is a software application that runs on a Windows server and collects user mappings from Active Directory servers or other sources. This method requires installing and managing a separate agent software. A captive portal is a web page that prompts users to authenticate before accessing certain network resources. This method does not involve syslog messages. References:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/syslog-mon
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/user-id-age
質問 # 84
Which feature prevents the submission of corporate login information into website forms?
- A. Data filtering
- B. File blocking
- C. User-ID
- D. Credential phishing prevention
正解:D
解説:
Reference:
https://www.paloaltonetworks.com/cyberpedia/how-the-next-generation-security-platform-contributes-to-gdpr-co
"Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow, alert on, or block corporate credential submissions to based on the URL category of the website.
Alternatively, you can present a page that warns users against submitting credentials to sites classified in certain URL categories. This gives you the opportunity to educate users against reusing corporate credentials, even on legitimate, non-phishing sites. In the event that corporate credentials are compromised, this feature allows you to identify the user who submitted credentials so that you can remediate."
質問 # 85
What is the purpose of the firewall decryption broker?
- A. decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools.
- B. reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
- C. inspect traffic within IPsec tunnels
- D. force decryption of previously unknown cipher suites
正解:A
解説:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/decryption- features/decryption-broker
質問 # 86
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?
- A. Packet Buffer Protection
- B. DoS Protection
- C. Vulnerability Protection
- D. Zone Protection
正解:B
解説:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos- protection/zone-defense/dos-protection-profiles-and-policy-rules
質問 # 87
Refer to the exhibit. Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113?
- A. ethernet1/7
- B. ethernet1/5
- C. ethernet1/6
- D. ethernet1/3
正解:B
質問 # 88
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
- A. All the settings configured in all templates.
- B. The settings assigned to the template that is on top of the stack.
- C. The administrator will be promoted to choose the settings for that chosen firewall.
- D. Depending on the firewall location, Panorama decides with settings to send.
正解:B
解説:
Panorama evaluates the templates listed in a stack configuration from top to bottom, with higher templates having priority.
https://docs.paloaltonetworks.com/panorama/7-1/panorama-admin/panorama- overview/templates-and-template-stacks
質問 # 89
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)
- A. Block sessions with unsupported cipher suites
- B. Block sessions with client authentication
- C. Block sessions with untrusted issuers
- D. Block credential phishing
- E. Block sessions with expired certificates
正解:A、B、E
解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/create-a- decryption-profile
質問 # 90
ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
- A. 36 hours
- B. 6 to 12 hours
- C. 24 hours
- D. 1 to 4 hours
正解:B
解説:
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-thre
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-
質問 # 91
......
Palo Alto Networks PCNSE認定を取得することは、個人がPalo Alto Networksファイアウォールを設計、展開、および管理するために必要なスキルと知識を持っていることを示すものです。これは、個人のキャリアの展望を向上させ、収入を増やすことができる貴重な資格です。全体的に、PCNSE認定は、Palo Alto Networksファイアウォールの専門知識を示し、ITセキュリティ業界でキャリアを進めたい人にとって必須の資格です。
Palo Alto Networks PCNSEリアル2025年最新のブレーン問題集模擬試験問題集:https://jp.fast2test.com/PCNSE-premium-file.html
最新PCNSE試験問題集で最近更新された250問題:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng