[2025年02月]更新のPalo Alto Networks PCNSE問題集厳選された問題集でパスして、最短時間を目指そう [Q167-Q191]

Share

[2025年02月]更新のPalo Alto Networks PCNSE問題集厳選された問題集でパスして、最短時間を目指そう

Palo Alto Networks PCNSE試験問題集で[2025年最新] 練習 高合格率な試験問題集問題

質問 # 167
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

  • A. Configure a Decryption Profile and select SSL/TLS services.
  • B. Set up Security policy rule to allow SSL communication.
  • C. Configure an SSL/TLS Profile.
  • D. Set up SSL/TLS under Polices > Service/URL Category>Service.

正解:C

解説:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device- certificate-management-ssltls-service-profile


質問 # 168
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A. Disable automatic updates during weekdays.
  • B. Automatically "download and install" but with the "disable new applications" option used.
  • C. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
  • D. Configure the option for "Threshold".

正解:D

解説:
For Antivirus and Applications and Threats updates, you have the option to set a minimum Threshold of time that a content update must be available before the firewall installs it. Very rarely, there can be an error in a content update and this threshold ensures that the firewall only downloads content releases that have been available and functioning in customer environments for the specified amount of time. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-dynamic-updates


質問 # 169
Panorama provides which two SD_WAN functions? (Choose two.)

  • A. control plane
  • B. network monitoring
  • C. physical network links
  • D. data plane

正解:A、B


質問 # 170
The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet.
Which profile is the engineer configuring?

  • A. Packet Buffer Protection
  • B. DoS Protection
  • C. Zone Protection
  • D. Vulnerability Protection

正解:B

解説:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos- protection/zone-defense/dos-protection-profiles-and-policy-rules


質問 # 171
Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?

  • A. QoS
  • B. Tunnel inspection
  • C. NAT
  • D. DOS protection

正解:A

解説:
The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role1. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device2. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc3. This can help optimize the network performance and ensure the quality of service for critical applications and devices.


質問 # 172
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewall use Layer 3 interfaces to send traffic to a single gateway IP for the pair.
Which configuration will enable this HA scenario?

  • A. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
  • B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
  • C. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
  • D. The firewalls do not use floating IPs in active/active HA.

正解:C

解説:
Each HA firewall interface has its own IP address and floating IP. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as its default gateway, thus allowing you to load balance traffic to the two HA peers. You also can use external load balancers to load balance traffic.If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure that follows, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.


質問 # 173
Refer to the exhibit.

Which certificates can be used as a Forward Trust certificate?

  • A. Forward_Trust
  • B. Certificate from Default Trust Certificate Authorities
  • C. Domain Sub-CA
  • D. Domain-Root-Cert

正解:B


質問 # 174
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

  • A. .dll
  • B. .pdf
  • C. .src
  • D. .jar
  • E. .exe
  • F. .apk

正解:B、D、F

解説:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/getting-started/enable-basic-wildfire-forwarding


質問 # 175
Drag and Drop Question
Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order.

正解:

解説:

Explanation:
https://www.paloaltonetworks.com/resources/videos/how-to-run-a-bpa


質問 # 176
During the packet flow process, which two processes are performed in application identification? (Choose two.)

  • A. pattern based application identification
  • B. session application identified
  • C. application override policy match
  • D. application changed from content inspection

正解:A、C


質問 # 177
How does Panorama prompt VMWare NSX to quarantine an infected VM?

  • A. Email Server Profile
  • B. HTTP Server Profile
  • C. Syslog Sewer Profile
  • D. SNMP Server Profile

正解:B

解説:
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-nsx/set-up-the-vm-series-firewall-on-vmware-nsx/dynamically-quarantine-infected-guests.html#id8e9a242e-e038-4ba2-b0ea-eaaf53690be0


質問 # 178
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS software can be upgraded?

  • A. CRL
  • B. Scheduler
  • C. Security policy rule
  • D. Service route

正解:D


質問 # 179
Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection?

  • A. Layer 3
  • B. Layer 2
  • C. Decryption Mirror
  • D. Tap

正解:A

解説:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/network-packet-broker/configure-routed-layer-3-security-chains
Configure security chain devices with Layer 3 interfaces to connect to the security chain network. These Layer 3 interfaces must have an assigned IP address and subnet mask. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-broker/security-chain-layer-3-guidelines.html


質問 # 180
What can the Log Forwarding built-in action with tagging be used to accomplish?

  • A. Forward selected logs to the Azure Security Center.
  • B. Block the source zones of selected unwanted traffic.
  • C. Block the destination IP addresses of selected unwanted traffic.
  • D. Block the destination zones of selected unwanted traffic.

正解:C

解説:
The Log Forwarding feature in Palo Alto Networks firewalls allows administrators to perform automated actions based on logs. One of the actions that can be configured is to tag an IP address, which can then be used in conjunction with Dynamic Address Groups (DAG) to enforce security policies. By tagging the destination IP addresses of unwanted traffic, an administrator can dynamically update policies to block traffic to those destinations.
This method is particularly useful for responding quickly to detected threats by creating and enforcing a policy that blocks traffic to tagged destinations without the need for manual intervention or policy changes.
For a detailed explanation, the Palo Alto Networks' "PAN-OS® Administrator's Guide" provides information on log forwarding and automated actions.


質問 # 181
An engineer is tasked with configuring SSL forward proxy for traffic going to external sites.
Which of the following statements is consistent with SSL decryption best practices?

  • A. The forward untrust certificate should be signed by a certificate authority that is trusted by the clients.
  • B. The forward untrust certificate should not be signed by a Trusted Root CA
  • C. Check both the Forward Trust and Forward Untrust boxes when adding a certificate for use with SSL decryption
  • D. The forward trust certificate should not be stored on an HSM.

正解:A

解説:
Explanation
According to the PCNSE Study Guide , SSL forward proxy is a feature that allows the firewall to decrypt and inspect SSL traffic going to external sites. The firewall acts as a proxy between the client and the server, generating a certificate on the fly for each site.
The best practices for configuring SSL forward proxy are
Use a forward trust certificate that is signed by a certificate authority (CA) that is trusted by the clients.
This certificate is used to sign certificates for sites that have valid certificates from trusted CAs. The clients will not see any certificate errors if they trust the forward trust certificate.
Use a forward untrust certificate that is not signed by a trusted CA. This certificate is used to sign certificates for sites that have invalid or untrusted certificates. The clients will see certificate errors if they do not trust the forward untrust certificate. This helps alert users of potential risks and prevent man-in-the-middle attacks.
Do not store the forward trust or untrust certificates on an HSM (hardware security module). The HSM does not support on-the-fly signing of certificates, which is required for SSL forward proxy.


質問 # 182
How can packet buffer protection be configured?

  • A. at the device level (globally) and, if enabled globally, at the zone level
  • B. at the interface level to protect firewall resources
  • C. at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level
  • D. at zone level to protect firewall resources and ingress zones, but not at the device level

正解:A

解説:
You can configure Packet Buffer Protection at two levels: the device level (global) and if enabled globally, you can also enable it at the zone level.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos- protection/zone-defense/packet-buffer-protection


質問 # 183
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

  • A. SSL and 80
  • B. web-browsing and 80
  • C. SSL and 443
  • D. web-browsing and 443

正解:D

解説:
Explanation
We know that SSL decryption is supposed to give us visibility of traffic that would otherwise be encrypted.
Therefore, we'd expect decrypted traffic to be identified as the underlying applications, such as web-browsing, facebook-base or other, but not as SSL.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmdLCAS


質問 # 184
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

  • A. Cert-Validation-Profile
  • B. CRL
  • C. OCSP
  • D. SSL/TLS Service Profile
  • E. CRT

正解:B、C

解説:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/certificate-management/set- up-verification-for-certificate-revocation-status


質問 # 185
Which two features can be used to tag a username so that it is included in a dynamic user group?
(Choose two.)

  • A. User-ID Windows-based agent
  • B. log forwarding auto-tagging
  • C. GlobalProtect agent
  • D. XML API

正解:B、D

解説:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/register-ip-addresses-and- tags-dynamically


質問 # 186
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS software?

  • A. Server Monitoring
  • B. Client Probing
  • C. Port Mapping
  • D. XML API

正解:C

解説:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/user-id-concepts


質問 # 187
An administrator connected a new fiber cable and transceiver to interface Ethernetl/l on a Palo Alto Networks firewall. However, the link does not seem to be coming up.
If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?

  • A. show system state filter ethernet1/1
  • B. show system state filter sw.dev.interface.config
  • C. show chassis status slot s1
  • D. show system state filter-pretty sys.s1.*

正解:A

解説:
According to the Palo Alto Networks documentation1, the command show system state filter displays the current state of the system and allows you to filter the output by a specific keyword. The keyword ethernet1/1 matches the interface name that the administrator wants to troubleshoot. The output of this command will show information about the transceiver type, tx-power, rx-power, vendor name, and part number for that interface2. Therefore, the correct answer is D. Reference: 1: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/find-a-command 2: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFmCAK


質問 # 188
A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working.
Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.) Site A configuration:

  • A. Configure Local Identification on Site firewall
  • B. Match IKE version on both firewalls.
  • C. Enable NAT Traversal on Site B firewall
  • D. Disable passive mode on Site A firewall

正解:B、D

解説:
The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:
* Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.
* Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.
NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.


質問 # 189
Which log type will help the engineer verify whether packet buffer protection was activated?

  • A. Data Filtering
  • B. Configuration
  • C. Threat
  • D. Traffic

正解:C

解説:
The log type that will help the engineer verify whether packet buffer protection was activated is Threat Logs. Threat Logs are logs generated by the Palo Alto Networks firewall when it detects a malicious activity on the network. These logs contain information about the source, destination, and type of threat detected. They also contain information about the packet buffer protection that was activated in response to the detected threat. This information can help the engineer verify that packet buffer protection was activated and determine which actions were taken in response to the detected threat.


質問 # 190
ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?

  • A. 36 hours
  • B. 24 hours
  • C. 1 to 4 hours
  • D. 6 to 12 hours

正解:D

解説:
Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-thre
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-


質問 # 191
......

PCNSE試験問題集でPDF合格保証 成功は正確かつ更新された問題:https://jp.fast2test.com/PCNSE-premium-file.html

PCNSE問題集-[最新2025]Palo Alto Networks試験問題集を掴み取れ:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어