Fast2test PCNSEリアル試験問題PCNSE練習問題集
厳密検証されたPCNSE試験問題集と解答で無料提供のPCNSE問題と正解付き
Palo Alto Networks Certified Security Engineer (PCNSE) 認定は、Palo Alto Networksセキュリティソリューションの専門知識を証明したいセキュリティの専門家にとって貴重な資格です。PCNSE PAN-OS 10.0 試験は、Palo Alto Networksの最新の製品やソリューションの機能をカバーし、これらのソリューションを設計、展開、構成、メンテナンス、トラブルシューティングするために必要なスキルを検証するために設計されています。認定は、いくつかの高度なPalo Alto Networks認定の前提条件であり、PCNSE PAN-OS 10.0 試験を70%以上のスコアで合格することで取得できます。
Palo Alto Networks認定セキュリティエンジニア(PCNSE)は、Palo Alto Networks Technologiesの実装と管理に関する専門知識を実証したいセキュリティエンジニア向けに設計された一般的な認定試験です。具体的には、PCNSE試験は、多くの組織がネットワークを幅広いサイバー脅威から保護するために使用されているPalo Alto Networks Pan-OS 10.0プラットフォームの最新バージョンに焦点を当てています。
PCNSE認定試験に備えるために、候補者はパロアルトネットワークスのトレーニングコース、オンラインリソース、および学習資料を活用することができます。試験は厳しいものであり、試験に挑戦する前に、候補者はパロアルトネットワークスの製品や技術に対して実践的な経験を持っていることが推奨されています。
質問 # 139
Which three statements correctly describe Session 380280? (Choose three.)
- A. The session went through SSL decryption processing.
- B. The session cid not go through SSL decryption processing.
- C. The application was initially identified as "ssl."
- D. The session has ended with the end-reason "unknown."
- E. The application shifted to "web-browsing."
正解:A、D、E
質問 # 140
What are two best practices for incorporating new and modified App-IDs? (Choose two.)
- A. Study the release notes and install new App-IDs if they are determined to have low impact
- B. Configure a security policy rule to allow new App-IDs that might have network-wide impact
- C. Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs
- D. Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs
正解:A、B
解説:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/app-id-updates-workflow.html
質問 # 141
Which virtual router feature determines if a specific destination IP address is reachable?
- A. Heartbeat Monitoring
- B. Failover
- C. Path Monitoring
- D. Ping-Path
正解:C
解説:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/policy/policy-based-forwarding/pbf/path-monitoring
質問 # 142
A firewall should be advertising the static route 10.2.0.0/24 Into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table.
Which two configurations should you check on the firewall? (Choose two.)
- A. Ensure that the OSPF neighbor state Is "2-Way."
- B. In the redistribution profile check that the source type is set to "ospf."
- C. In the OSFP configuration, ensure that the correct redistribution profile is selected in the OSPF Export Rules section.
- D. Within the redistribution profile ensure that Redist is selected.
正解:C、D
解説:
Explanation
A redistribution profile defines which routes from one routing protocol are redistributed into another routing protocol. In the OSPF configuration, the OSPF Export Rules section allows you to select which redistribution profiles to apply for exporting routes into OSPF. Within the redistribution profile, you need to select Redist as the option to redistribute the routes that match the profile filter. If you select No Redist, the routes that match the profile filter will not be redistributed. Ensuring that the OSPF neighbor state is "2-Way" is not relevant for advertising a static route into OSPF, as this state indicates that the neighbor relationship is established but not synchronized. In the redistribution profile, the source type should be set to "static" if you want to redistribute a static route into OSPF, not "ospf". References:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/route-redistribution/configure-ro
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfnCAC
質問 # 143
Refer to the exhibit.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) received HTTP traffic and host B(10.1.1.101) receives SSH traffic.
Which two security policy rules will accomplish this configuration? (Choose two)
- A. Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow
- B. Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow
- C. Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow
- D. Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow
正解:A、D
質問 # 144
An administrator needs firewall access on a trusted interface. Which two components are required to configure certificate based, secure authentication to the web Ul? (Choose two )
- A. SSH Service Profile
- B. SSL/TLS Service Profile
- C. server certificate
- D. certificate profile
正解:B、D
質問 # 145
When you troubleshoot an SSL Decryption issue, which PAN-OS CL1 command do you use to check the details of the Forward Trust certificate. Forward Untrust certificate, and SSL Inbound Inspection certificate?
- A. show system setting ssl-decrypt certs
- B. show system setting ssl-decrypt certificate
- C. debug dataplane show ssl-decrypt ssl-certs
- D. show system setting ssl-decrypt certificate-cache
正解:B
質問 # 146
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
- A. The forward trust certificate has not been installed in client systems.
- B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
- C. The forward untrust certificate has not been signed by the self-singed root CA certificate.
- D. The forward trust certificate has not been signed by the self-singed root CA certificate.
正解:D
解説:
The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the forward trust certificate and presents it to the client. The client then verifies the signature using the public key of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this case, the administrator has installed the self-signed root CA certificate in all client systems, so this CA should be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This causes the client to reject the signature and show a warning message. To fix this issue, the administrator should generate a new forward trust certificate and sign it with the self-signed root CA certificate12. References: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption
質問 # 147
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces.
Which Link Type setting will correct the error?
- A. Set Ethernet 1/1 to p2p
- B. Set tunnel. 1 to p2mp
- C. Set tunnel. 1 to p2p
- D. Set Ethernet 1/1 to p2mp
正解:C
質問 # 148
In the following image from Panorama, why are some values shown in red?
- A. us3 has a logging rate that deviates from the administrator-configured thresholds.
- B. uk3 has a logging rate that deviates from the seven-day calculated baseline.
- C. sg2 session count is the lowest compared to the other managed devices.
- D. sg2 has misconfigured session thresholds.
正解:B
質問 # 149
A network security engineer has been asked to analyze Wildfire activity.
However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition?
- A. A policy is blocking WildFire Submission traffic.
- B. The firewall does not have an active WildFire subscription.
- C. The engineer's account does not have permission to view WildFire Submissions.
- D. Though WildFire is working, there are currently no WildFire Submissions log entries.
正解:C
質問 # 150
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD.
Which three dynamic routing protocols support BFD? (Choose three.)
- A. OSPF
- B. IGRP
- C. BGP
- D. OSPFv3 virtual link
- E. RIP
正解:A、C、E
解説:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd- for-dynamic-routing-protocols
質問 # 151
Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?
- A. To allow traffic between zones in different virtual systems without the traffic leaving the appliance
- B. Multiple external zones are required in each virtual system to allow the communications between virtual systems
- C. External zones are required because the same external zone can be used on different virtual systems
- D. To allow traffic between zones in different virtual systems while the traffic is leaving the appliance
正解:A
解説:
External zones are a unique zone type on Palo Alto Networks firewalls that facilitate the movement of traffic between virtual systems on the same physical appliance. These zones are required when multiple virtual systems (vsys) are configured on a single firewall and there is a need to allow inter-vsys traffic without the need for the traffic to leave the firewall and re-enter. An external zone is associated with a specific virtual system and enables traffic to pass from one virtual system to another securely, thereby simplifying traffic management and reducing the need for additional physical interfaces or external routing to handle inter-vsys communication.
質問 # 152
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However , YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?
- A. Enable Qos interface
- B. Enable QoS monitor
- C. Enable Qos in the interface Management Profile.
- D. Enable QoS Data Filtering Profile
正解:A
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-qos/qos-interface-sett
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/quality-of-service/configure-qos.html QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS policy, a QoS Profile, and configuration of the QoS egress interface.
質問 # 153
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed?
- A. All the settings configured in all templates.
- B. The settings assigned to the template that is on top of the stack.
- C. The administrator will be promoted to choose the settings for that chosen firewall.
- D. Depending on the firewall location, Panorama decides with settings to send.
正解:B
解説:
Panorama evaluates the templates listed in a stack configuration from top to bottom, with higher templates having priority.
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama- overview/centralized-firewall-configuration-and-update-management/templates-and-template- stacks
質問 # 154
As a best practice, which URL category should you target first for SSL decryption*?
- A. Health and Medicine
- B. High Risk
- C. Online Storage and Backup
- D. Financial Services
正解:B
解説:
Explanation
https://docs.paloaltonetworks.com/best-practices/10-0/decryption-best-practices/decryption-best-practices/plan-s Phase in decryption. Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk)
質問 # 155
Given the following snippet of a WildFire submission log did the end-user get access to the requested information and why or why not?
- A. Yes, because the action is set to allow.
- B. No, because the severity is high and the verdict is malicious.
- C. No, because this is an example from a defeated phishing attack
- D. Yes, because the action is set to alert
正解:A
解説:
https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing- action/td-p/143516
質問 # 156
What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?
- A. Discard
- B. Deny
- C. Allow
- D. Next VR
正解:A
解説:
Set the Action to take when matching a packet:
Forward-Directs the packet to the specified Egress Interface.
Forward to VSYS (On a firewall enabled for multiple virtual systems)-Select the virtual system to which to forward the packet.
Discard-Drops the packet.
No PBF-Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-ba
質問 # 157
Which two subscriptions are available when configuring panorama to push dynamic updates to connected devices? (Choose two.)
- A. Content-ID
- B. User-ID
- C. Antivirus
- D. Applications and Threats
正解:C、D
解説:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-dynamic-updates
質問 # 158
What can be used to create dynamic address groups?
- A. dynamic address
- B. tags
- C. region objects
- D. FODN addresses
正解:B
質問 # 159
Which CLI command can be used to export the tcpdump capture?
- A. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
- B. scp export tcpdump from mgmt.pcap to <username@host:path>
- C. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
- D. download mgmt.-pcap
正解:A
解説:
Explanation/Reference:
Reference: https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump- On-Management-Interface/ta-p/55415
質問 # 160
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
- A. Add a WildFire subscription to activate DoS and zone protection features.
- B. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.
- C. Replace the hardware firewall, because DoS and zone protection are not available with VM- Series systems.
- D. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.
正解:B
解説:
Explanation
Check and monitor firewall dataplane CPU consumption to ensure that each firewall is properly sized to support DoS and Zone Protection along with any other features that consume CPU cycles, such as decryption.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos- protection.html
質問 # 161
An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version What is considered best practice for this scenario?
- A. Upgrade Panorama to a version at or above the target firewall version
- B. Perform the Panorama and firewall upgrades simultaneously
- C. Export the device state perform the update, and then import the device state
- D. Upgrade the firewall first wait at least 24 hours and then upgrade the Panorama version
正解:B
質問 # 162
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy.
Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed?
- A. Managed Devices Health
- B. Test Policy Match
- C. Policy Optimizer
- D. Preview Changes
正解:D
解説:
Using "preview changes" with broad context you can see polices-tree structure and works BEFORE commit.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEaCAK
質問 # 163
......
無料でゲット!高評価Palo Alto Networks PCNSE試験問題集を今すぐダウンロード!:https://jp.fast2test.com/PCNSE-premium-file.html
あなたを合格させるPCNSE無料最新問題集でPalo Alto Networks練習テスト:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng