[2025年04月02日] 最新リアルPCNSC試験問題集解答
あなたを簡単に合格させるPCNSC試験問と正確なPalo Alto Networks Certified Network Security ConsultantPDF問題
質問 # 31
Which log type would you consult to diagnose why a specific URL is being blocked?
- A. Data Filtering log
- B. URL Filtering log
- C. Traffic log
- D. Threat log
正解:B
質問 # 32
Which two log types are necessary to fully investigate a network intrusion? (Choose two)
- A. Threat log
- B. System log
- C. Traffic log
- D. URL Filtering log
正解:A、C
質問 # 33
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs.
The administrator assigns priority 100 to the active firewall.
Which priority is collect tot the passive firewall?
- A. 0
- B. 1
- C. 2
- D. 3
正解:D
質問 # 34
An administrator sees several inbound sessions identified as unknown tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company's propriety accounting application. The administrator wants to reliability identity this as their accounting application and to scan this traffic for threats.
Which option would achieve this result?
- A. Create a custom App-ID and use the "ordered condition cheek box.
- B. Create an Application Override policy and a custom threat signature for the application.
- C. Create an Application Override policy
- D. Create a custom App-ID and enable scanning on the advanced tab.
正解:B
質問 # 35
Which CLI command should you use to verify whether all SFP SFP*, or QSFP modules are installed in a firewall?
- A. show system state filter sys.s'-p'-phy
- B. show system state filter sys.p*.phy
- C. show system info
- D. show interface <interface nane> detail
正解:A
解説:
To verify whether all SFP, SFP+, or QSFP modules are installed in a firewall, you should use the following CLI command:
C:show system state filter sys.s-phy*
This command provides detailed information about the physical state of the system, including the status of SFP, SFP+, and QSFP modules installed in the firewall.
References:
* Palo Alto Networks - CLI Commands for Troubleshooting Hardware Issues:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start/troubleshooting-hardware-issues
* Palo Alto Networks - Understanding Hardware and Interface Details via CLI:
https://knowledgebase.paloaltonetworks.com
質問 # 36
Which option would an administration choose to define the certificate and protect that Panorama and its managed devices uses for SSL/ITS services?
- A. Configure a Decryption Profile and select SSL/TLS services.
- B. Set Up SSL/TLS under Policies > Service/URL Category > Service.
- C. Configure on SSL/TLS Profile.
- D. Set up Security policy rule to allow SSL communication.
正解:C
質問 # 37
A customer has deployed a GlobalProtect portal and gateway as its remote-access VPN solution for its fleet of Windows 10 laptops The customer wants to use Host information Profile (HIP) data collected at the GlobalProtect gateway throughout its enterprise as an additional means of policy enforcement What additional licensing must the customer purchase?
- A. GlobalProtect license for each firewall that will use HIP data to enforce policy
- B. DNS Security on the perimeter firewall
- C. GlobalProtect license for the gateway firewall
- D. WildFire license
正解:A
解説:
To utilize Host Information Profile (HIP) data collected at the GlobalProtect gateway for policy enforcement throughout the enterprise, the customer needs to purchase aGlobalProtect license for each firewall that will use HIP data to enforce policy. The GlobalProtect license enables the firewall to collect and use HIP data to create policies based on the security posture of the endpoints.
References:
* Palo Alto Networks - GlobalProtect Licensing:
* https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-licenses
質問 # 38
Which of the following is a primary use case for the Decryption Broker feature?
- A. Decrypting outbound SSL traffic
- B. Managing multiple decryption rules
- C. Sharing decrypted traffic with multiple security appliances
- D. Aggregating traffic logs from different sources
正解:C
質問 # 39
What feature should be used to decrypt and inspect inbound SSL traffic without having to install a certificate on the client devices?
- A. SSL Forward Proxy
- B. SSL Inbound Inspection
- C. SSL Outbound Inspection
- D. SSL Reverse Proxy
正解:D
質問 # 40
A customer has a pair of Panorama HA appliances tunning local log collectors and wants to have log redundancy on logs forwarded from firewalls Which two configuration options fulfill the customer's requirement for log redundancy? (Choose two)
- A. Log redundancy must be enabled per Collector Group
- B. Panorama configured in HA provides log redundancy
- C. A Collector Group must contain at least two Log Collectors
- D. Panorama operational mode needs to be Dedicated Log Collector
正解:A、C
解説:
To fulfill the customer's requirement for log redundancy on logs forwarded from firewalls in a Panorama HA setup, the following configuration options are necessary:
B:Log redundancy must be enabled per Collector Group: This ensures that logs are redundantly stored across multiple log collectors within the same collector group.
C:A Collector Group must contain at least two Log Collectors: For log redundancy to work, there must be at least two log collectors in the collector group so that if one log collector fails, the other can continue to collect logs.
These configurations ensure that log data is replicated across multiple log collectors, providing redundancy and resilience in the event of a failure.
References:
* Palo Alto Networks - Configure Log Forwarding and Redundancy:
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-log-collection/configure-log-f
* Palo Alto Networks - Panorama High Availability:
https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-high-availabil
質問 # 41
Which two methods can be configured to validate the revocation status of a certificate? (Choose two)
- A. CRL
- B. SSL /TLS Service Profile
- C. OCSP
- D. Cert-Validation-Profile
- E. CRT
正解:D、E
質問 # 42
A customer's Palo Alto Networks NGFW currently has only one security policy allowing all traffic They have identified that this is a substantial security risk and have heard that the Expedition tool can help them extract security policies from an "allow any" rule What should the consultant say about Expedition?
- A. The log files can be viewed on Expedition, and right-clicking a log entry gives the option to create security policy from the log entry.
- B. By using the Machine Learning feature Expedition can parse the traffic log files related to the polcy and extract security rules for matching traffic
- C. Expedition cannot parse log files and therefore cannot be used for this purpose
- D. Live firewall traffic can be viewed on Expedition when connected to a firewall, and Expedition can automatically create and push policies to the firewall
正解:B
解説:
The Expedition tool can help the customer extract security policies from an "allow any" rule by using its Machine Learning feature:
B:By using the Machine Learning feature, Expedition can parse the traffic log files related to the policy and extract security rules for matching traffic Expedition can analyze traffic log files and apply machine learning algorithms to suggest security policies that match the observed traffic patterns. This helps in creating a more secure and granular policy set from a broad
"allow any" rule.
References:
* Palo Alto Networks - Expedition Documentation:
https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool
* Palo Alto Networks - Using Machine Learning in Expedition:
https://live.paloaltonetworks.com/t5/expedition-articles/expedition-machine-learning-overview/ta-p/26040
質問 # 43
Where and how is Expedition installed^
- A. On an Ubuntu server, by running an installation script thatwill automatically download all dependencies
- B. On a Windows Server, by running an installation script that will automatically download all dependencies
- C. On a Windows Server by manually installing the application and all dependencies
- D. On an Ubuntu server, by manually installing the application and all dependencies
正解:A
解説:
Expedition, the migration tool provided by Palo Alto Networks, is installed on an Ubuntu server. The installation process involves running a script that automatically downloads and installs all necessary dependencies.
A:On an Ubuntu server, by running an installation script that will automatically download all dependencies This method simplifies the installation process by automating the download and configuration of all required components, ensuring that the installation is straightforward and minimizes the potential for errors related to missing dependencies.
References:
* Palo Alto Networks - Expedition Installation Guide:
https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool
* Palo Alto Networks - Expedition User Guide:
https://live.paloaltonetworks.com/t5/expedition-documentation/ct-p/migration_tool_docs
質問 # 44
Which User-ID method should b configured to map addresses to usernames for users connected through a terminal server?
- A. Client probing
- B. XFF header
- C. port mapping
- D. server monitoring
正解:C
質問 # 45
Which two conditions must be met for a firewall to successfully forward traffic to a syslog server? (Choose two)
- A. The syslog server must be reachable over a secure connection
- B. The syslog server must be defined in the Device > Server Profiles > Syslog section
- C. The firewall must be in Virtual Wire mode
- D. A syslog forwarding profile must be created and applied to the appropriate security policies
正解:B、D
質問 # 46
Which category of Vulnerability Signatures is most likely to trigger false positive alerts?
- A. brute-force
- B. info-leak
- C. code-execution
- D. phishing
正解:B
解説:
The category of Vulnerability Signatures that is most likely to trigger false positive alerts is:
C:info-leak
Information leakage signatures are designed to detect attempts to access or disclose sensitive information.
These signatures can be prone to false positives because benign activities or legitimate data transmissions can sometimes be mistakenly identified as information leaks.
References:
* Palo Alto Networks - Managing False Positives in Threat Prevention:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/manage-false-positives-in-
* Palo Alto Networks - Vulnerability Protection:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/vulnerability-protection
質問 # 47
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator Troubleshoot this issue? (Choose two.)
- A. View the Runtime Stats and look for problems with BGP configuration
- B. Perform a traffic pcap on the NGFW lo see any BGP problems
- C. View the System logs and look for error messages about BGP
- D. View the ACC lab to isolate routing issues.
正解:A、D
質問 # 48
Which Palo Alto Networks feature allows you to create dynamic security policies based on the behavior of the devices in your network?
- A. Dynamic Address Groups
- B. App-ID
- C. Cortex XDR
- D. Behavioral Threat Detection
正解:A
質問 # 49
An existing customer who has deployed several Palo Alto Networks Next-Generation Firewalls would like to start using Device-ID to obtain policy rule recommendations They have also purchased a Support license, a Threat license a URL Filtering license, and a WildFire license for each firewall What additional license do they need to purchase"?
- A. a Cortex Data Lake license
- B. an loT Security license (or the perimeter firewall
- C. an loT Security license for each deployed firewall
- D. an Enterprise Data Loss Prevention (DLP) license
正解:A
解説:
To start using Device-ID to obtain policy rule recommendations, the customer needs to purchase:
A:a Cortex Data Lake license
The Cortex Data Lake is a cloud-based logging service that aggregates data from all Palo Alto Networks products and services. Device-ID uses this data to provide insights and recommendations for policy rules based on the identities of devices on the network.
References:
* Palo Alto Networks - Cortex Data Lake: https://docs.paloaltonetworks.com/cortex/cortex-data-lake
* Palo Alto Networks - Device-ID Overview:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-device-id-to-enforce-policy
質問 # 50
Which of the following WildFire action settings will ensure that a malicious file is quarantined and prevented from spreading?
- A. Allow
- B. Reset-Both
- C. Block
- D. Alert
正解:C
質問 # 51
How can you enforce a security policy based on the device type?
- A. Use Device-ID
- B. Use User-ID
- C. Use App-ID
- D. Use Content-ID
正解:A
質問 # 52
You are hosting a public-facing web server on your DMZ and access to that server is through a Palo Alto Networks firewall Both internal clients and internet clients access this web server using the FQDN public webserver acme com which resolves to the public address of 99.99 99.2 Which combination of NAT policies is necessary to enable access to the web server for both internal and internet clients?
- A.

- B.

- C.

- D.

正解:D
解説:
To enable access to a public-facing web server for both internal and internet clients using the FQDNpublic.webserver.acme.com, which resolves to the public address99.99.99.2, the necessary combination of NAT policies is:C.Option C
* Policy 11: DMZ to Untrust
* Source Zone: DMZ
* Destination Zone: Untrust
* Destination Address:Web_Server_Public_99.99.99.2
* Destination Translation:address: Web_Server_Private_172.16.1.2
* Policy 12: Untrust to Untrust
* Source Zone: Untrust
* Destination Zone: Untrust
* Destination Address:Web_Server_Public_99.99.99.2
* Destination Translation:address: Web_Server_Private_172.16.1.2
These policies ensure that traffic destined for the public IP address99.99.99.2from both the DMZ and Untrust zones is properly translated to the internal web server's private IP address172.16.1.2.
References:
* Palo Alto Networks - NAT Configuration:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules
質問 # 53
Which virtual router feature determines if a specific destination IP address is reachable'?
- A. Path Monitoring
- B. Failover
- C. Heartbeat Monitoring
- D. Ping-Path
正解:A
質問 # 54
......
PCNSC認定は、Palo Alto Networksセキュリティソリューションを扱う専門家にとって貴重な資格です。ネットワークセキュリティにおける熟練度とPalo Alto Networksセキュリティソリューションを実装および維持する能力を証明します。この認定プログラムは、ネットワークセキュリティエンジニア、セキュリティアーキテクト、セキュリティコンサルタントなどの役割を担う個人を対象としています。
PCNSC認証試験問題集の解答を提供しています:https://drive.google.com/open?id=1LjLm7DzojQjlgPNkm6rjeDvzqgPdj0rz
更新されたPCNSC試験練習テスト問題:https://jp.fast2test.com/PCNSC-premium-file.html