[2026年06月27日] 心強いPCNSEのPDF問題集はPCNSE問題
正真正銘のPCNSE問題集で無料PDF問題で合格させる
質問 # 169
Which statement regarding HA timer settings is true?
- A. Use the Critical profile for faster failover timer settings.
- B. Use the Aggressive profile for slower failover timer settings.
- C. Use the Moderate profile for typical failover timer settings
- D. Use the Recommended profile for typical failover timer settings
正解:D
質問 # 170
An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS software, the administrator enables log forwarding from the firewalls to PanoramA.
Pre-existing logs from the firewalls are not appearing in PanoramA.
Which action would enable the firewalls to send their pre-existing logs to Panorama?
- A. A CLI command will forward the pre-existing logs to Panorama.
- B. Use the import option to pull logs into Panorama.
- C. Use the ACC to consolidate pre-existing logs.
- D. The log database will need to exported form the firewalls and manually imported into Panorama.
正解:A
質問 # 171
An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama? The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.
- A. A master device with Group Mapping configured must be set in the device group where the Security rules are configured
- B. User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings
- C. N/A
- D. A User-ID Certificate profile must be configured on Panorama
正解:A
解説:
To create Security rules in Panorama that reference specific users and groups from Active Directory (AD), the Panorama-managed firewalls need access to user-to-group mapping information. This is achieved through Group Mapping, which relies on User-ID functionality. In a Panorama-managed environment, a "master device" must be designated within the device group to provide this Group Mapping data. The master device is a firewall that retrieves user and group information from AD (via LDAP or User-ID agent) and shares it with other firewalls in the device group. This ensures consistent user-based policies across all devices in the group.
Option B (User-ID Redistribution) is incorrect because redistribution is used to share IP-to-user mappings, not group mappings, and is typically configured between firewalls or via Panorama's User-ID redistribution feature, not a requirement for selecting users/groups in rules. Option C (User-ID Certificate profile) is unrelated, as it pertains to certificate-based authentication, not AD group mapping. Official documentation specifies that a master device with Group Mapping configured is essential for this scenario.
Reference: Palo Alto Networks Administrator's Guide, PAN-OS 11.2, "User-ID" section - Group Mapping Configuration; Panorama Administrator's Guide, "Device Groups" section.
質問 # 172
An engineer is tasked with configuring a Zone Protection profile on the untrust zone. Which three settings can be configured on a Zone Protection profile? (Choose three.)
- A. Resource Protection
- B. Ethernet SGT Protection
- C. DoS Protection
- D. Protocol Protection
- E. Reconnaissance Protection
正解:C、D、E
解説:
B) Protocol Protection: Protocol protection is used to limit or block traffic that uses certain protocols or application functions. For example, a Zone Protection profile can be configured to block traffic that uses non-standard protocols, such as IP-in-IP, or to limit the number of concurrent sessions for certain protocols, such as SIP.
C) DoS Protection: DoS protection is used to protect against various types of denial-of-service (DoS) attacks, such as SYN floods, UDP floods, ICMP floods, and others. A Zone Protection profile can be configured to limit the rate of traffic for certain protocols or to drop traffic that matches specific patterns, such as malformed packets or packets with invalid headers.
D) Reconnaissance Protection: Reconnaissance protection is used to prevent attackers from gathering information about the network, such as by using port scans or other techniques. A Zone Protection profile can be configured to limit the rate of traffic for certain types of reconnaissance, such as port scans or OS fingerprinting, or to drop traffic that matches specific patterns, such as packets with invalid flags or payloads.
質問 # 173
Match each type of DoS attack to an example of that type of attack
正解:
解説:
質問 # 174
A security engineer needs to mitigate packet floods that occur on a RSF servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?
- A. Data Filtering profile
- B. URL Filtering profile
- C. DoS Protection profile
- D. Vulnerability Protection profile
正解:C
質問 # 175
What must be configured to apply tags automatically based on User-ID logs?
- A. Device ID
- B. Group mapping
- C. Log Forwarding profile
- D. Log settings
正解:D
解説:
To apply tags automatically based on User-ID logs, the engineer must configure a Log Forwarding profile that specifies the criteria for matching the logs and the tags to apply. The Log Forwarding profile can be attached to a security policy rule or a decryption policy rule to enable auto-tagging for the traffic that matches the rule. The tags can then be used for dynamic address groups, policy enforcement, or reporting1. References: Use Auto-Tagging to Automate Security Actions, PCNSE Study Guide (page 49)
質問 # 176
Refer to the diagram. Users at an internal system want to ssh to the SSH server The server is configured to respond only to the ssh requests coming from IP 172.16.16.1.
In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
A)
B)
C)
D)
- A. Option D
- B. Option A
- C. Option C
- D. Option B
正解:C
質問 # 177
Which two features require another license on the NGFW? (Choose two.)
- A. Decryption Mirror
- B. SSL Forward Proxy
- C. SSL Inbound Inspection
- D. Decryption Broker
正解:A、D
質問 # 178
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
- A. certificate-logon
- B. on-demand (manual user initiated connection)
- C. post-logon (always on)
- D. pre-logon then on-demand
- E. user-logon (always on)
正解:D、E
質問 # 179
Which new PAN-OS 11.0 feature supports IPv6 traffic?
- A. OSPF
- B. DHCP Server
- C. IKEv1
- D. DHCPv6 Client with Prefix Delegation
正解:D
解説:
https://docs.paloaltonetworks.com/compatibility-matrix/ipv6-support-by-feature/ipv6-support-by- feature-table
質問 # 180
A customer is replacing its legacy remote-access VPN solution Prisma Access has been selected as the replacement During onboarding, the following options and licenses were selected and enabled:
The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users Which two settings must the customer configure? (Choose two)
- A. Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group
- B. Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server
- C. Configure a Log Forwarding profile, select the syslog checkbox and add the Splunk syslog server Apply the Log Forwarding profile to all of the security policy rules in the Mobiie_User_Device_Group
- D. Configure Cortex Data Lake log forwarding and add the Splunk syslog server
正解:C、D
質問 # 181
In a template, you can configure which two objects? (Choose two.)
- A. Monitor profile
- B. SD-WAN path quality profile
- C. application group
- D. IPsec tunnel
正解:A、D
解説:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network- network-profiles/network-network-profiles-monitor.html
質問 # 182
A
user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com.
How can the firewall be configured automatically disable the PBF rule if the next hop goes down?
- A. Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question:.
- B. Enable and configure a Link Monitoring Profile for the external interface of the firewall.
- C. Configure path monitoring for the next hop gateway on the default route in the virtual router.
- D. Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question:.
正解:A
質問 # 183
A network administrator wants to use a certificate for the SSL/TLS Service Profile Which type of certificate should the administrator use?
- A. certificate authority (CA) certificate
- B. server certificate
- C. machine certificate
- D. client certificate
正解:B
解説:
Explanation
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls-service
質問 # 184
Which three items are import considerations during SD-WAN configuration planning? (Choose three.)
- A. branch and hub locations
- B. link requirements
- C. IP Addresses
- D. the name of the ISP
正解:A、B、C
解説:
https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration
質問 # 185
A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT.
Which CLI command can the administrator use?
- A. show session all filter nat source
- B. show running nat-rule-ippool rule "rule_name"
- C. show running nat-policy
- D. show session all filter nat-rule-source
正解:A
質問 # 186
Which statement explains the difference between using the PAN-OS integrated User-ID agent and the standalone User-ID agent when using Active Directory for user-to-IP mapping?
- A. The standalone User-ID agent must run directly on the domain controller server
- B. The standalone User-ID agent consumes fewer resources on the NGFW's management CPU
- C. The PAN-OS integrated User-ID agent consumes fewer resources on the NGFW's management CPU
- D. The PAN-OS integrated User-ID agent must be a member of the Active Directory domain
正解:B
解説:
The standalone User-ID agent (Option C) offloads user-to-IP mapping to an external server, reducing the firewall's management CPU usage compared to the integrated agent, which runs on the firewall. Option A is false; neither requires domain membership. Option B is incorrect; the integrated agent uses more resources.
Option D is false; the standalone agent can run on any server. The original answer (B) was incorrect, contributing to the 83% Core Concepts score.
Reference: PAN-OS 11.2 Administrator's Guide, "User-ID" section - Integrated vs. Standalone Agent.
質問 # 187
Match each GlobalProtect component to the purpose of that component
正解:
解説:
質問 # 188
What best describes the HA Promotion Hold Time?
- A. the time that a passive firewall with a low device priority will wait before taking over as the active firewall if the firewall is operational again
- B. the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost
- C. the time that is recommended to avoid an HA failover due to the occasional flapping of neighboring devices
- D. the time that is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously
正解:B
解説:
Explanation
HA Promotion Hold Time is the time that the passive firewall will wait before taking over as the active firewall after communications with the HA peer have been lost 2. References: 2: PAN-OS New Features Guide
質問 # 189
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?
- A. DUO
- B. RADIUS
- C. Okta
- D. PingID
正解:B
解説:
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, PingID, and Okta Adaptive) and integrating through RADIUS with all other MFA platforms.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/authentication- types/multi-factor-authentication.html
質問 # 190
Match each GlobalProtect component to the purpose of that component
正解:
解説:
Explanation
The GlobalProtect portal provides the management functions for your GlobalProtect infrastructure The GlobalProtect gateways provide security enforcement for traffic from GlobalProtect apps The GlobalProtect app software runs on endpoints and enables access to your network resources
質問 # 191
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
- A. OSPF
- B. ECMP
- C. ASBR
- D. OSPFv3
正解:D
解説:
Support for multiple instances per link-With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/ospf/ospf-concepts/ospfv3
質問 # 192
Which CLI command can be used to export the tcpdump capture?
- A. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
- B. download mgmt.-pcap
- C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
- D. scp export tcpdump from mgmt.pcap to <username@host:path>
正解:C
解説:
Reference: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture- tcpdump-On-Management-Interface/ta- p/55415
質問 # 193
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
- A. Add only the Evernote application to the Security policy rule.
- B. Add the Evernote application to the Security policy rule, then add a second Security policy rule containing both HTTP and SSL.
- C. Add the HTTP, SSL, and Evernote applications to the same Security policy
- D. Create an Application Override using TCP ports 443 and 80.
正解:A
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/applications-with-implicit-support
質問 # 194
......
結果を保証するには最新2026年06月無料:https://jp.fast2test.com/PCNSE-premium-file.html
有効な問題最新版を無料で試そうPCNSE試験問題集解答:https://drive.google.com/open?id=1X7KOddJ7nlcHU63djI6q_7ogXbwCTbRg