Palo Alto Networks PCNSE練習テストPDF試験材料
PCNSE解答PCNSE無料サンプルには全てリアル試験合格させます
質問 # 18
Which log type would provide information about traffic blocked by a Zone Protection profile?
- A. IP-Tag
- B. Traffic
- C. Data Filtering
- D. Threat
正解:B
質問 # 19
A company wants to add threat prevention to the network without redesigning the network routing.
What are two best practice deployment modes for the firewall? (Choose two.)
- A. TAP
- B. VirtualWire
- C. Layer3
- D. Layer2
正解:B、D
解説:
VirtualWire and Layer2 deployment modes allow the firewall to act as a bump in the wire without changing the existing network routing. In VirtualWire mode, the firewall bridges two interfaces and passes traffic between them without any IP-layer processing. In Layer2 mode, the firewall acts as a transparent switch and processes traffic at Layer2 of the OSI model. Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/virtual-wire-deployments.html
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/layer-2-deployments.html
質問 # 20
Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user?
- A. server monitoring
- B. client probing
- C. port mapping
- D. syslog listening
正解:D
解説:
To obtain user mappings from existing network services that authenticate users--such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms--Configure User-ID to Monitor Syslog Senders for User Mapping.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to- users.html#id61f141da-8b89-49c9-b34a-ed11b434d1db
質問 # 21
Refer to the exhibit.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.) Which two security policy rules will accomplish this configuration? (Choose two.)
- A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
- B. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
- C. Untrust (Any) to DMZ (10.1.1.1), ssh -Allow
- D. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
- E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow
正解:C、D
質問 # 22
An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama The enterprise already uses GlobalProtect with SAML authentication to obtain iP-to-user mapping information However information Security wants to use this information in Prisma Access for policy enforcement based on group mapping Information Security uses on-prermses Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD How can portaes based on group mapping be learned and enforced in Prisma Access?
- A. Assign a master device in Panorama through which Prisma Access learns groups
- B. Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access
- C. Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers
- D. Configure Prisma Access to learn group mapping via SAML assertion
正解:A
解説:
Step 3: Allow Panorama to use group mappings in security policies by configuring one or more next-generation on-premises or VM-series firewalls as a Master Device. If you don't configure a Master Device with a Prisma Access User-ID deployment, use long-form distributed name (DN) entries instead. https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/configure-user-based-policies-with-prisma-access/configure-user-id-in-prisma-access.html
質問 # 23
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three )
- A. certificate-logon
- B. post-logon (always on)
- C. user-logon (always on)
- D. pre-logon then on-demand
- E. on-demand (manual user initiated connection)
正解:C、D
質問 # 24
Which event will happen if an administrator uses an Application Override Policy?
- A. App-ID processing time is increased.
- B. The Palo Alto Networks NGFW stops App-ID processing at Layer 4.
- C. The application name assigned to the traffic by the security rule is written to the Traffic log.
- D. Threat-ID processing time is decreased.
正解:B
解説:
Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/app-id/manage-custom-or-unknown- applications#
質問 # 25
A super user is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups m their hierarchy to deploy policies and objects.
Which type of role-based access is most appropriate for this project?
- A. Create a Dynamic Admin with the Panorama Administrator role.
- B. Create a Custom Panorama Admin.
- C. Create a Dynamic Read only superuser
- D. Create a Device Group and Template Admin.
正解:D
解説:
Explanation
A Device Group and Template Admin is a type of role-based access that allows the administrator to assign different privileges for different device groups and templates. This is useful for managing multiple firewalls with different configuration needs. For example, the administrator can create a Device Group and Template Admin role that allows the contractors to deploy policies and objects only to their assigned device groups and templates1. The other options are not suitable for this project. A Dynamic Admin with the Panorama Administrator role has full access to all device groups and templates . A Custom Panorama Admin can have limited access to device groups and templates, but cannot have different privileges for different device groups and templates3. A Dynamic Read only superuser can only view the configuration and logs, but cannot deploy policies and objects. References:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-contr
2:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-contr
3:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-contr
:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/role-based-access-contr
質問 # 26
What are three reasons for excluding a site from SSL decryption? (Choose three.)
- A. certificate pinning
- B. the website is not present in English
- C. unsupported ciphers
- D. unsupported browser version
- E. mutual authentication
正解:A、C、E
解説:
Explanation
Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption- exclusions/exclude-a-server-from-decryption.html
質問 # 27
Refer to the exhibit.
An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and HOST B (10.1.1.101) receives SSH traffic.)
Which two security policy rules will accomplish this configuration? (Choose two.)
- A. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
- B. Untrust (Any) to DMZ (1.1.1.100), SSH -Allow
- C. Untrust (Any) to DMZ (1.1.1.100), web-browsing -Allow
- D. Untrust (Any) to Untrust (10.1.1.1), SSH -Allow
- E. Untrust (Any) to DMZ (10.1.1.100.10.1.1.101), ssh, web-browsing -Allow
正解:B、C
解説:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-many-mapping#
質問 # 28
A network administrator plans a Prisma Access deployment with three service connections, each with a BGP peering to a CPE. The administrator needs to minimize the BGP configuration and management overhead on on-prem network devices.
What should the administrator implement?
- A. default routing
- B. target service connection for traffic steering
- C. hot potato routing
- D. summarized BGP routes before advertising
正解:D
解説:
The best way to minimize the BGP configuration and management overhead on on-prem network devices is to summarize BGP routes before advertising them. Route summarization is a technique that reduces the number of routes in a routing table by aggregating multiple routes into a single route with a less specific prefix. This reduces the size of routing updates and the memory and CPU usage of routers. Prisma Access supports route summarization for service connections and remote network connections that use BGP routing1. You should not implement target service connection for traffic steering, as this is a feature that allows you to select a specific service connection for traffic from a remote network connection or a mobile user based on destination IP address or application. This does not affect the BGP configuration or management on on-prem network devices2. You should not implement hot potato routing, as this is a routing technique that selects the closest exit point to the destination network based on the number of hops or the lowest IGP metric. This does not affect the BGP configuration or management on on-prem network devices3. You should not implement default routing, as this is a routing technique that uses a default route to forward packets to an unknown destination. This does not affect the BGP configuration or management on on-prem network devices, and it may not provide optimal routing for Prisma Access traffic4. Reference: 1: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/configure-route-summarization-for-service-connections 2: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/service-connection-overview/target-service-connection-for-traffic-steering 3: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-service-connections/service-connection-routing 4: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/prisma-access-service-connections/service-connection-routing/routing-for-service-connection-traffic-cloud-management.html
質問 # 29
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects.
How would an administrator configure the interface to 1Gbps?
- A. set deviceconfig system speed-duplex 1Gbps-full-duplex
- B. set deviceconfig interface speed-duplex 1Gbps-full-duplex
- C. set deviceconfig Interface speed-duplex 1Gbps-half-duplex
- D. set deviceconfig system speed-duplex 1Gbps-duplex
正解:A
質問 # 30
After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall After troubleshooting the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports What can the engineer do to solve the VoIP traffic issue?
- A. Increase the TCP timeout under H.323 application
- B. Increase the TCP timeout under SIP application
- C. Disable ALG under SIP application
- D. Disable ALG under H.323 application
正解:C
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/disable-the-sip-application-level-gateway-a
質問 # 31
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
- A. Antivirus
- B. WildFire
- C. Anti-Spyware
- D. Vulnerability Protection
正解:D
解説:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection.html
質問 # 32
What must be configured to apply tags automatically based on User-ID logs?
- A. Log Forwarding profile
- B. Group mapping
- C. Log settings
- D. Device ID
正解:C
解説:
Explanation
Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs. For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-secur
質問 # 33
PAN-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives?
- A. GlobalProtect
- B. Threat Prevention
- C. Application Center
- D. URL Filtering
正解:B
質問 # 34
Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription?
- A. 10,000
- B. 75,00
- C. 15,000
- D. 5,000
正解:A
質問 # 35
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy?
- A. SSL certificates must be generated.
- B. Both SSH keys and SSL certificates must be generated.
- C. SSH keys must be manually generated.
- D. No prerequisites are required.
正解:D
解説:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/configure-ssh-proxy
質問 # 36
......
PCNSE[2023年11月] 最新リリース] 試験問題あなたを必ず合格させます:https://jp.fast2test.com/PCNSE-premium-file.html
Palo Alto Networks PCNSE試験の基礎問題と解答:https://drive.google.com/open?id=1X7KOddJ7nlcHU63djI6q_7ogXbwCTbRg