NSK200試験問題集、NSK200練習テスト問題 [Q13-Q33]

Share

NSK200試験問題集、NSK200練習テスト問題

PDF問題(2024年最新)実際のNetskope NSK200試験問題

質問 # 13
What is the purpose of the filehash list in Netskope?

  • A. It configures blocklist and allowlist entries referenced in the custom Malware Detection profiles.
  • B. It is used to allow and block URLs.
  • C. It provides the file types that Netskope can inspect.
  • D. It providesClient Threat Exploit Prevention (CTEP).

正解:A

解説:
Explanation
The purpose of the file hash list in Netskope is to configure blocklist and allowlist entries referenced in the custom Malware Detection profiles. A file hash list is a collection of MD5 or SHA-256 hashes that represent files that you want to allow or block in your organization. You can create a file hash list when adding a file profile and use it as an allowlist or blocklist for files in your organization1. You can then select the file hash list when creating a Malware Detection profile2.


質問 # 14
You are comparing the behavior of Netskope's Real-time Protection policies to API Data Protection policies.
In this Instance, which statement is correct?

  • A. All API policies are enforced, regardless of sequential order, while real-time policies are analyzed sequentially from top to bottom and stop once a policy Is matched.
  • B. Both real-time and API policies are all enforced, regardless of sequential order.
  • C. Both real-time and API policies are analyzed sequentially from top to bottom and stop once a policy Is matched.
  • D. All real-time policies are enforced, regardless of sequential order, while API policies are analyzed sequentially from top to bottom and stop once a policy Is matched.

正解:A

解説:
Explanation
Netskope's Real-time Protection policies and API Data Protection policies have different ways of applying actions based on the policy order. Real-time Protection policies are analyzed sequentially from top to bottom and stop once a policy is matched. This means that only one policy action is applied per transaction. API Data Protection policies are all enforced, regardless of sequential order. This means that multiple policy actions can be applied per file or email. Therefore, the correct statement is that all API policies are enforced, regardless of sequential order, while real-time policies are analyzed sequentially from top to bottom and stop once a policy is matched. References: Real-time Protection Policies1, API Data Protection Policies2


質問 # 15
You are an administrator writing Netskope Real-time Protection policies and must determine proper policy ordering.
Which two statements are true in this scenario? (Choose two.)

  • A. You must place Netskope private access malware policies in the middle.
  • B. You do not need to create an "allow all" Web Access policy at the bottom.
  • C. You must place DLP policies at the bottom.
  • D. You must place high-risk block policies at the top.

正解:B、D

解説:
Explanation
To determine proper policy ordering for Netskope Real-time Protection policies, you need to follow these two statements: B. You do not need to create an "allow all" Web Access policy at the bottom. D. You must place high-risk block policies at the top. These statements are based on the best practices for policy ordering recommended by Netskope3. An "allow all" Web Access policy at the bottom is not necessary because any traffic that does not match any policy will be allowed by default. However, you can create a "monitor all" Web Access policy at the bottom if you want to log all the traffic that is not matched by any other policy4.
High-risk block policies atthe top are important because they prevent any traffic that poses a serious threat or violates a critical compliance standard from reaching its destination. These policies should have higher priority than other policies that may allow or modify the traffic5. Therefore, options B and D are correct and the other options are incorrect. References: Real-time Protection Policies - Netskope Knowledge Portal, Create a Real-time Protection Policy for Web Categories - Netskope Knowledge Portal, Best Practices: Real-time Protection Policies (1 of 2) - Netskope


質問 # 16
You are troubleshooting an issue with Microsoft where some users complain about an issue accessing OneDrive and SharePoint Online. The configuration has the Netskope client deployed and active for most users, but some Linux machines are routed to Netskope using GRE tunnels. You need to disable inspection for all users to begin troubleshooting the issue.
In this scenario, how would you accomplish this task?

  • A. Create a Do Not Decrypt SSL policy for the Microsoft 365 App Suite.
  • B. Create a steering exception for the Microsoft 365 domains.
  • C. Create a Real-time Protection policy to isolate Microsoft 365.
  • D. Create a Do Not Decrypt SSL policy for OneDrive.

正解:A

解説:
Explanation
To disable inspection for all users accessing Microsoft 365, you need to create a Do Not Decrypt SSL policy for the Microsoft 365 App Suite. This policy will prevent Netskope from decrypting and analyzing the traffic for any Microsoft 365 app, regardless of the access method (Netskope client or GRE tunnel)3. This policy will also allow SNI-based policies to apply, but no deep analysis performed via Real-time Protection policies4.
Therefore, option B is correct and the other options are incorrect. References: Add a Policy for SSL Decryption - Netskope Knowledge Portal, Default Microsoft appsuite SSL do not decrypt rule - Netskope Community


質問 # 17
Netskope support advised you to enable DTLS for belter performance. You added firewall rules to allow UDP port 443 traffic. These settings are part of which configuration element when enabled in the Netskope tenant?

  • A. client configuration
  • B. SSL decryption policies
  • C. Real-time Protection policies
  • D. steering configuration

正解:A

解説:
Explanation
DTLS (Datagram Transport Layer Security) is a protocol that provides secure communication over UDP. It is an option that can be enabled in the client configuration settings in the Netskope tenant. Enabling DTLS can improve the performance of the Netskope client, especially in high latency or packet loss scenarios. DTLS is not related to Real-time Protection policies, SSL decryption policies, or steering configuration, which are different configuration elements in the Netskope tenant. References: Client Configuration Settings 3, Netskope Client Performance 4


質問 # 18
Recently your company implemented Zoom for collaboration purposes and you are attempting to inspect the traffic with Netskope. Your initial attempt reveals that you are not seeing traffic from the Zoom client that is used by all users. You must ensure that this traffic is visible to Netskope.
In this scenario, which two steps must be completed to satisfy this requirement? (Choose two.)

  • A. Create a Do Not Decrypt SSL policy for the Zoom application suite.
  • B. Remove the default steering exception for the Web Conferencing Category.
  • C. Remove the Zoom certificate-pinned application from the default steering configuration.
  • D. Create a steering exception for Zoom to ensure traffic is reaching Netskope.

正解:B、C

解説:
Explanation
To ensure that the traffic from the Zoom client is visible to Netskope, you need to remove the Zoom certificate-pinned application from the default steering configuration and remove the default steering exception for the Web Conferencing Category. A certificate-pinned application is an application that validates the server certificates against the hardcoded ones in the application. This is a security technique used to prevent man-in-the-middle attacks and secure access to the application. By default, Netskope bypasses the traffic from certificate-pinned applications and does not decrypt or inspect it3. Zoom is one of the predefined certificate-pinned applications that Netskope supports4. To enable Netskope to inspect the traffic from Zoom, you need to remove it from the steering configuration that applies to your users5. Additionally, you need to remove the default steering exception for the Web Conferencing Category, which includes Zoom and other similar applications. A steering exception is a rule that specifies the traffic that you want to bypass Netskope and go directly to the destination6. By removing this exception, you allow Netskope to steer and analyze the traffic from web conferencing applications. Therefore, options C and D are correct and the other options are incorrect. References: Certificate Pinned Applications - Netskope Knowledge Portal, Certificate Pinned App (CPA) - The Netskope Community, Steering Configuration - Netskope Knowledge Portal, Steering Exceptions
- Netskope Knowledge Portal


質問 # 19
To which three event types does Netskope's REST API v2 provide access? (Choose three.)

  • A. infrastructure
  • B. client
  • C. application
  • D. alert
  • E. user

正解:A、C、D

解説:
Explanation
Netskope's REST API v2 provides access to various event types via URI paths. The event types include application, alert, infrastructure, audit, incident, network, and page. These event types can be used to retrieve data from Netskope's cloud security platform. The event types client and user are not supported by the REST API v2. References: REST API v2 Overview, Cribl Netskope Events and Alerts Integration, REST API Events and Alerts Response Descriptions


質問 # 20
Review the exhibit.

While diagnosing an NPA connectivity issue, you notice an error message in the Netskope client logs.
Referring to the exhibit, what does this error represent?

  • A. The primary publisher is unavailable or cannot be reached.
  • B. There Is an EDNS or LDNS resolution error.
  • C. There Is an upstream device trying to intercept the NPA TLS connection.
  • D. The Netskope client has been load-balanced to a different data center.

正解:C

解説:
Explanation
The error message in the exhibit represents that there is an upstream device trying to intercept the NPA TLS connection. The error message is "ERROR SSL certificate verification failed: self signed certificate in certificate chain". This means that the Netskope client is receiving a certificate that is not issued by Netskope, but by a device that is intercepting and decrypting the traffic between the client and the Netskope cloud. This can cause the client to fail to establish a secure connection to the NPA service and access the private applications4. To solve this problem, you need to either bypass or trust the upstream device that is performing SSL decryption, such as a firewall or proxy5. Therefore, option D is correct and the other options are incorrect. References: Troubleshooting Netskope Client - Netskope Knowledge Portal, Netskope Client Troubleshooting Guide - The Netskope Community


質問 # 21
You have deployed Netskope Secure Web Gateway (SWG). Users are accessing new URLs that need to be allowed on a daily basis. As an SWG administrator, you are spending a lot of time updating Web policies. You want to automate this process without having to log into the Netskope tenant Which solution would accomplish this task?

  • A. You can minimize your work by sharing URLs with Netskope support.
  • B. You can use Cloud Risk Exchange.
  • C. You can use Cloud Log Shipper.
  • D. You can use REST API to update the URL list.

正解:D

解説:
Explanation
To automate the process of updating Web policies without having to log into the Netskope tenant, you can use REST API to update the URL list. REST API is a feature that allows you to use an auth token to make authorized calls to the Netskope API and access resources via URI paths1. You can use REST API to update a URL list with new values by providing the name of an existing URL list and a comma-separated list of URLs or IP addresses2. This can help you automate or script the management of your URL lists and keep them up-to-date. Therefore, option D is correct and the other options are incorrect. References: REST API v2 Overview - Netskope Knowledge Portal, Update a URL List - Netskope Knowledge Portal


質問 # 22
Your company has a Symantec BlueCoat proxy on-premises and you want to deploy Netskope using proxy chaining. Which two prerequisites need to be enabled first in this scenario? (Choose two.)

  • A. Enable SSL decryption.
  • B. Disable SSL decryption.
  • C. Disable the X-Authenticated-User header.
  • D. Enable the X-Forwarded-For HTTP header

正解:A、D

解説:
Explanation
To deploy Netskope using proxy chaining with Symantec BlueCoat proxy on-premises, you need to enable two prerequisites first: Enable SSL decryption on your Symantec BlueCoat proxy. This is required for proxy chaining because Netskope needs to inspect the SSL traffic that is sent from your proxy to the Netskope cloud.
To enable SSL decryption, you need to configure your Symantec BlueCoat proxy to trust the Netskope certificate for SSL interception. You can download the certificate from Settings > Manage > Certificates > Signing CA in the Netskope UI. Enable the X-Forwarded-For HTTP header on your Symantec BlueCoat proxy. This is required for proxy chaining because Netskope needs to identify the original source IP address of the user behind your proxy. The X-Forwarded-For header is used to pass this information from your proxy to Netskope. To enable this header, you need to configure your Symantec BlueCoat proxy to send X-Forwarded-For HTTP header for all HTTP requests. The other options are not valid prerequisites for this scenario. You do not need to disable SSL decryption on your Symantec BlueCoat proxy, as this would prevent Netskope from inspecting the SSL traffic. You do not need to disable the X-Authenticated-User header on your Symantec BlueCoat proxy, as this is an optional header that can be used to pass additional user information from your proxy to Netskope. References: Proxy Chaining3, Configure Forcepoint for Proxy Chaining


質問 # 23
Your customer implements Netskope Secure Web Gateway to secure all Web traffic. While they have created policies to block certain categories, there are many new sites available dally that are not yet categorized. The customer's users need quick access and cannot wait to put in a request to gain access requiring a policy change or have the site's category changed.
To solve this problem, which Netskope feature would provide quick, safe access to these types of sites?

  • A. Netskope SaaS Security Posture Management (SSPM)
  • B. Netskope Cloud Firewall (CFW)
  • C. Netskope Continuous Security Assessment (CSA)
  • D. Netskope Remote Browser Isolation (RBI)

正解:D

解説:
Explanation
To solve the problem of providing quick, safe access to uncategorized and risky websites, the Netskope feature that the customer should use is Netskope Remote Browser Isolation (RBI). Netskope RBI is a part of the Netskope Secure Web Gateway offering that intercepts a user's browsing session to a website, acting as a proxy that fetches the content for that user and renders the content in an isolated browsing instance. The rendered content is delivered to the user's browser as a safe stream of pixels. This safely silos the end user's device and the enterprise network and systems, separating it from their browsing activity and restricting the ability of an attacker to establish control and / or breach other systems and exfiltrate data1. Netskope RBI can be easily invoked with an 'isolate' policy action within the Netskope Security Cloud for any website category or domain2. Therefore, option B is correct and the other options are incorrect. References: Remote Browser Isolation - Netskope Knowledge Portal, Netskope Remote Browser Isolation - Netskope


質問 # 24
You are integrating Netskope tenant administration with an external identity provider. You need to implement role-based access control. Which two statements are true about this scenario? (Choose two.)

  • A. You need to define the administrators locally in the Netskope tenant.
  • B. You do not need to define the administrators locally in the Netskope tenant after It Is integrated with IdP.
  • C. The roles you want to assign must be present in the Netskope tenant.
  • D. Once integrated withIdP. you must append the "locallogin" URL to log in using IdP

正解:A、C

解説:
Explanation
To implement role-based access control when integrating Netskope tenant administration with an external identity provider (IdP), two statements that are true about this scenario are A. The roles you want to assign must be present in the Netskope tenant and C. You need to define the administrators locally in the Netskope tenant. Role-based access control (RBAC) is a feature that allows you to assign different levels of permissions and access to the Netskope tenant based on the user's role. You can use RBAC to integrate Netskope tenant administration with an external IdP such as Azure AD or Okta and delegate administrative tasks to different users or groups1. To do this, you need to ensure that the roles you want to assign are present in the Netskope tenant. You can use the predefined roles such as SYSADMIN, AUDITOR, or OPERATOR, or create custom roles with specific privileges2. You also need to define the administrators locally in the Netskope tenant by creating local user accounts and assigning them roles. You can use the same email address as the IdP user account for the local useraccount3. Therefore, options A and C are correct and the other options are incorrect. References: Role-Based Access Control - Netskope Knowledge Portal, Roles - Netskope Knowledge Portal, Integrate with Azure AD - Netskope Knowledge Portal


質問 # 25
The risk team at your company has determined that traffic from the sales team to a custom Web application should not be inspected by Netskope. All other traffic to the Web application should continue to be inspected.
In this scenario, how would you accomplish this task?

  • A. Create a Do Not Decrypt Policy using Destination IP and Application in the policy page.
  • B. Create a Do Not Decrypt Policy using Source IP and Application in the policy page.
  • C. Create a Do Not Decrypt Policy using Application in the policy page and a Steering Exception for Group
  • D. Create a Do Not Decrypt Policy using User Group and Domainin the policy page.

正解:D

解説:
Explanation
To prevent traffic from the sales team to a custom Web application from being inspected by Netskope, you need to create a Do Not Decrypt Policy using User Group and Domain in the policy page. A Do Not Decrypt Policy allows you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies3. You can use the User Group criteria to match the sales team members and the Domain criteria to match the custom Web application. This way, only the traffic from the sales team to the custom Web application will be exempted from decryption, while all other traffic to the Web application will continue to be inspected.


質問 # 26
You want to allow both the user identities and groups to be imported in the Netskope platform. Which two methods would satisfy this requirement? (Choose two.)

  • A. Use Bulk Upload with a CSV file.
  • B. Use System for Cross-domain Identity Management (SCIM).
  • C. Use Directory Importer.
  • D. Use Manual Entries.

正解:A、B

解説:
Explanation
To allow both the user identities and groups to be imported in the Netskope platform, you can use either the System for Cross-domain Identity Management (SCIM) method or the Bulk Upload with a CSV file method.
Both of these methods allow for the import of user identities and groups from different identity providers (IdPs) that support SCIM or CSV formats. The SCIM method is recommended for large-scale deployments, as it automates the exchange of user identity information across apps for user provisioning. The CSV method is recommended for small-scale deployments, as it allows for manual upload of user details in a comma-separated values file. The other methods are not suitable for this requirement. The Manual Entries method does not allow for the import of groups, only user emails. The Directory Importer method does not import users and groups directly into the Netskope platform, but rather connects to an Active Directory or LDAP server and periodically fetches user and group information.
References: Provisioning Users for Netskope Client2, SCIM Integration3, Bulk Upload via CSV file


質問 # 27
You want to provision users and groups to a Netskope tenant. You have Microsoft Active Directory servers hosted in two different forests. Which statement is true about this scenario?

  • A. You can use the Netskope Adapter Tool for user provisioning.
  • B. You can use SCIM version 2 for user provisioning.
  • C. You cannot provision users until you migrate to Azure AD or Okta.
  • D. You can use the Netskope virtual appliance for user provisioning

正解:B

解説:
Explanation
You can use SCIM version 2 for user provisioning in this scenario. SCIM (System for Cross-domain Identity Management) is a standard protocol for exchanging identity information across different cloud applications.
Netskope supports SCIM version 2 and can integrate with identity providers (IdPs) that follow the same standard, such as Microsoft Azure AD, Okta, OneLogin, and Ping Identity. You can use SCIM to provision users and groups from multiple Active Directory forests to a Netskope tenant. The other options are not valid for this scenario. The Netskope Adapter Tool and the Netskope virtual appliance are used for user identification, not provisioning. They can only connect to one Active Directory forest at a time. You do not need to migrate to Azure AD or Okta to provision users, as Netskope supports other IdPs that use SCIM as well. References: Provisioning Users for Netskope Client1, SCIM Integration2


質問 # 28
Your organization has a homegrown cloud application. You are required to monitor the activities that users perform on this cloud application such as logins, views, and downloaded files. Unfortunately, it seems Netskope is unable to detect these activities by default.
How would you accomplish this goal?

  • A. Create a new cloud application definition using the Chrome extension.
  • B. Ensure that the application is added to the SSL decryption policy.
  • C. Enable access to the application with Netskope Private Access.
  • D. Ensure that the cloud application is added as a steering exception.

正解:A

解説:
Explanation
To monitor the activities that users perform on a homegrown cloud application, you need to create a new cloud application definition using the Chrome extension. The Chrome extension is a tool that allows you to record the traffic and activities of any web-based application and create a custom app definition that can be imported into your Netskope tenant1. This way, you can enable Netskope to detect and analyze the activities of your homegrown cloud application and apply policies accordingly. Therefore, option D is correct and the other options are incorrect. References: Creating a Cloud App Definition - Netskope Knowledge Portal


質問 # 29
Your learn is asked to Investigate which of the Netskope DLP policies are creating the most incidents. In this scenario, which two statements are true? (Choose two.)

  • A. The Skope IT Alerts tab will list the top five DLP policies.
  • B. The Skope IT Applications tab will list the top five DLP policies.
  • C. You can create a report using Reporting or Advanced Analytics.
  • D. You can see the top Ave DLP policies triggered using the Analyze feature

正解:C、D

解説:
Explanation
To investigate which of the Netskope DLP policies are creating the most incidents, the following two statements are true:
You can see the top five DLP policies triggered using the Analyze feature. The Analyze feature allows you to create custom dashboards and widgets to visualize and explore your data. You can use the DLP Policy widget to see the top five DLP policies that generated the most incidents in a given time period3.
You can create a report using Reporting or Advanced Analytics. The Reporting feature allows you to create scheduled or ad-hoc reports based on predefined templates or custom queries. You can use the DLP Incidents by Policy template to generate a report that shows the number of incidents per DLP policy4. TheAdvanced Analytics feature allows you to run SQL queries on your data and export the results as CSV or JSON files. You can use the DLP_INCIDENTS table to query the data by policy name and incident count5.
The other two statements are not true because:
The Skope IT Applications tab will not list the top five DLP policies. The Skope IT Applications tab shows the cloud app usage and risk summary for your organization. It does not show any information about DLP policies or incidents6.
The Skope IT Alerts tab will not list the top five DLP policies. The Skope IT Alerts tab shows the alerts generated by various policies and profiles, such as DLP, threat protection, IPS, etc. It does not show the number of incidents per policy, only the number of alerts per incident7.


質問 # 30
You are using the Netskope DLP solution. You notice that valid credit card numbers in a file that you just uploaded to an unsanctioned cloud storage solution are not triggering a policy violation. You can see the Skope IT application events for this traffic but no DLP alerts.
Which statement is correct in this scenario?

  • A. Netskope client is enabled, but API protection for the SaaS application is not configured.
  • B. Credit card numbers are entered with a space or dash separator and not as a 16-digit consecutive number.
  • C. You have set the severity threshold to a higher value.
  • D. Netskope client is not enabled.

正解:B

解説:
Explanation
The statement that is correct in this scenario is D. Credit card numbers are entered with a space or dash separator and not as a 16-digit consecutive number. This is one of the possible reasons why valid credit card numbers in a file are not triggering a policy violation by Netskope DLP. Netskope DLP uses data identifiers to detect sensitive data in files and network traffic. Data identifiers are predefined or custom rules that match data patterns based on regular expressions, checksums, keywords, etc1. The credit card number data identifier matches 16-digit consecutive numbers that pass the Luhn algorithm check2. If the credit card numbers are entered with a space or dash separator, such as 1234-5678-9012-3456 or 1234 5678 9012 3456, they will not match the data identifier and will not trigger a policy violation. To solve this problem, you can either remove the separators from the credit card numbers or create a custom data identifier that matches the credit card numbers with separators3. Therefore, option D is correct and the other options are incorrect. References: Data Identifiers - Netskope Knowledge Portal, Credit Card Number - Netskope Knowledge Portal, Create a Custom Data Identifier - Netskope Knowledge Portal


質問 # 31
Netskope is being used as a secure Web gateway. Your organization's URL list changes frequently. In this scenario, what makes It possible for a mass update of the URL list in the Netskope platform?

  • A. Assertion Consumer Service URL
  • B. Cloud Threat Exchange
  • C. SCIM provisioning
  • D. REST API v2

正解:D

解説:
Explanation
The method that makes it possible for a mass update of the URL list in the Netskope platform is A. REST API v2. REST API v2 is a feature that allows you to use an auth token to make authorized calls to the Netskope API and access resources via URI paths5. You can use REST API v2 to update a URL list with new values by providing the name of an existing URL list and a comma-separated list of URLs or IP addresses6. This can help you automate or script the management of your URL lists and keep them up-to-date. Therefore, option A is correct and the other options are incorrect. References: REST API v2 Overview - Netskope Knowledge Portal, Update a URL List - Netskope Knowledge Portal


質問 # 32
Which object would be selected when creating a Malware Detection profile?

  • A. Domain profile
  • B. DLP profile
  • C. User profile
  • D. File profile

正解:D

解説:
Explanation
A file profile is an object that contains a list of file hashes that can be used to create a malware detection profile. A file profile can be configured as an allowlist or a blocklist, depending on whether the files are known to be benign or malicious. A file profile can be created in the Settings > File Profile page1. A malware detection profile is a set of rules that define how Netskope handles malware incidents. A malware detection profile can be created in the Policies > Threat Protection > Malware Detection Profiles page2. To create a malware detection profile, one needs to select a file profile as an allowlist or a blocklist, along with the Netskope malware scan option. The other options are not objects that can be selected when creating a malware detection profile.


質問 # 33
......

更新された2024年04月合格させるNSK200試験リアル練習テスト問題:https://jp.fast2test.com/NSK200-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어