Palo Alto Networks PCNSE試験情報と無料練習テストはこちら [Q47-Q70]

Share

Palo Alto Networks PCNSE試験情報と無料練習テストはこちら

合格させるPalo Alto Networks PCNSEプレミアムお試しセットテストエンジンPDFで無料問題集セット


PCNSE認定試験は、120分以内に完了する必要がある60の複数選択質問で構成されています。試験に合格した候補者は、Palo Alto Networksセキュリティ製品を使用して、組織のネットワークを最新のサイバー脅威から保護する専門知識を認識する証明書を受け取ります。この認定は2年間有効であり、その後、候補者は認定を維持するために再認定する必要があります。


PCNSE認定は、世界中の多くの組織によって貴重な資格として認識されています。この認定は、Palo Alto Networksセキュリティソリューションの設計、展開、設定、メンテナンス、およびトラブルシューティングの知識とスキルを持っていることを証明します。この認定は、ネットワークセキュリティエンジニア、システム管理者、およびセキュリティアナリストなど、日々Palo Alto Networksテクノロジーを扱うプロフェッショナルに最適です。PCNSE認定は2年間有効であり、その後、ステータスを維持するために再認定する必要があります。この認定を取得することで、業界の他のセキュリティプロフェッショナルとの差別化を図り、Palo Alto Networksセキュリティテクノロジーの専門知識を示すことができます。

 

質問 # 47
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?

  • A. The Passive firewall, which then synchronizes to the active firewall
  • B. Both the active and passive firewalls independently, with no synchronization afterward
  • C. The active firewall, which then synchronizes to the passive firewall
  • D. Both the active and passive firewalls, which then synchronize with each other

正解:D


質問 # 48
Which three steps will reduce the CPU utilization on the management plane? (Choose three.)

  • A. Disable SNMP on the management interface.
  • B. Reduce the traffic being decrypted by the firewall.
  • C. Disable predefined reports.
  • D. Disable logging at session start in Security policies.
  • E. Application override of SSL application.

正解:A、C、D

解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleLCAS


質問 # 49
An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?

  • A. The trusted certificate
  • B. The root CA
  • C. The untrusted certificate
  • D. The server certificate

正解:D

解説:
Explanation
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8wCA
"The validity date on the Palo Alto Networks firewall generated certificate is taken from the validity date on the real server certificate."


質問 # 50
Which administrative authentication method supports authorization by an external service?

  • A. SSH keys
  • B. Certificates
  • C. LDAP
  • D. RADIUS

正解:D

解説:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication


質問 # 51
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

  • A. Server Monitoring
  • B. Client Probing
  • C. Port Mapping
  • D. XML API

正解:D

解説:
Explanation/Reference:
Explanation:
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/user-id-concepts


質問 # 52
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall?

  • A. When configuring User Activity Reports
  • B. When configuring Antivirus Dynamic Updates
  • C. When configuring Certificate Profiles
  • D. When configuring GlobalProtect portal

正解:B


質問 # 53
SD-WAN is designed to support which two network topology types? (Choose two.)

  • A. hub-and-spoke
  • B. point-to-point
  • C. ring
  • D. full-mesh

正解:A、D


質問 # 54
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

  • A. not-applicable
  • B. Insufficient-data
  • C. unknown-tcp
  • D. Incomplete

正解:D

解説:
Explanation
UDP connection on port 443. This would trigger unknown-udp. Incomplete is used in TCP connections only.https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC


質問 # 55
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

  • A. 6-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone
  • B. 5-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Protocol
  • C. 9-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category
  • D. 7-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone

正解:A

解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0


質問 # 56
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

  • A. Palo Alto Networks > Symantec > VeriSign
  • B. VeriSign > Palo Alto Networks > Symantec
  • C. VeriSign > Symantec > Palo Alto Networks
  • D. Symantec > VeriSign > Palo Alto Networks

正解:D


質問 # 57
Refer to Exhibit:


A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.

  • A. 172.20.30.1
  • B. 172.20.40.1
  • C. 172.20.20.1
  • D. 172.20.10.1

正解:C


質問 # 58
What is the best definition of the Heartbeat Interval?

  • A. The interval in milliseconds between hello packets
  • B. The frequency at which the HA peers check link or path availability
  • C. The interval during which the firewall will remain active following a link monitor failure
  • D. The frequency at which the HA peers exchange ping

正解:D

解説:
Explanation
"A "heartbeat-interval" CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link."https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK


質問 # 59
After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.
The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.
The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

  • A. Adjust the TCP maximum segment size (MSS) value. *
  • B. Change the subnet mask from /23 to /24.
  • C. Enable the Ignore IPv4 Don't Fragment (DF) setting.
  • D. Lower the interface MTU value below 1500.

正解:A

解説:
Explanation
The engineer should adjust the TCP maximum segment size (MSS) value on ethernet1/1 to remedy this problem. This is because the MTU on an upstream router interface is set to 1400 bytes, which is causing the return traffic from the web servers to not reach the users behind the firewall. By adjusting the TCP MSS value, the engineer can ensure that the return traffic is able to reach the users without any issues.
The TCP MSS is the maximum amount of data that can be transmitted in a single TCP segment, excluding the TCP and IP headers. The TCP MSS is usually derived from the MTU of the underlying network, which is the maximum packet size that can be transmitted without fragmentation. For example, if the MTU is 1500 bytes, which is the default value for ethernet interfaces, then the TCP MSS is 1460 bytes (1500 - 20 bytes for IP header - 20 bytes for TCP header). However, if there are intermediate devices or networks that have a lower MTU than the end-to-end path, then the TCP MSS may need to be adjusted accordingly to avoid packet loss or fragmentation1.
In this case, the firewall has an MTU of 1500 bytes on ethernet1/1, which is connected to a WAN link.
However, an upstream router has an MTU of 1400 bytes on its interface, which means that any packet larger than 1400 bytes will be either dropped or fragmented by the router. This can cause problems for the return traffic from the web servers, which may have a TCP MSS of 1460 bytes or higher, depending on their MTU settings. If these packets have the Don't Fragment (DF) bit set in their IP header, which is common for TCP packets, then they will be dropped by the router and never reach the firewall or the users behind it. If they do not have the DF bit set, then they will be fragmented by the router and reassembled by the firewall, which can cause performance degradation and overhead2.
To avoid these problems, the engineer should adjust the TCP MSS value on ethernet1/1 to match or be lower than the MTU of the upstream router. This can be done by using the CLI command set network interface ethernet ethernet1/1 tcp-mss <value> , where <value> is an integer between 64 and 15003. For example, if the engineer sets the TCP MSS value to 1360 bytes (1400 - 20 - 20), then this will ensure that any TCP packet sent or received by ethernet1/1 will not exceed 1400 bytes in total size, and thus will not be dropped or fragmented by the router. This will allow the return traffic from the web servers to reach the users behind the firewall without any issues4.
References: TCP Maximum Segment Size (MSS), Configure Session Settings, TCP MSS Adjustments, PCNSE Study Guide (page 59)


質問 # 60
Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?"

  • A. Descendant objects will take precedence over other descendant objects.
  • B. Ancestor objects will have precedence over descendant objects.
  • C. Descendant objects will take precedence over ancestor objects.
  • D. Ancestor objects will have precedence over other ancestor objects.

正解:B

解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device- setup-management


質問 # 61
How can a candidate or running configuration be copied to a host external from Panorama?

  • A. Export a named configuration snapshot.
  • B. Save a candidate configuration.
  • C. Save a configuration snapshot.
  • D. Commit a running configuration.

正解:A

解説:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/ administer-panorama/back-up-panorama-and-firewall-configurations


質問 # 62
Match each GlobalProtect component to the purpose of that component

正解:

解説:


質問 # 63
View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

  • A. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
  • B. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
  • C. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
  • D. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.

正解:B

解説:
Reference:
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-por the-globalprotect-client-authentication-configurations/define-the-globalprotect-agent-configurations


質問 # 64
An engineer is tasked with configuring a Zone Protection profile on the untrust zone.
Which three settings can be configured on a Zone Protection profile? (Choose three.)

  • A. Resource Protection
  • B. Protocol Protection
  • C. Ethernet SGT Protection
  • D. DoS Protection
  • E. Reconnaissance Protection

正解:B、D、E

解説:
Explanation
B: Protocol Protection: Protocol protection is used to limit or block traffic that uses certain protocols or application functions. For example, a Zone Protection profile can be configured to block traffic that uses non-standard protocols, such as IP-in-IP, or to limit the number of concurrent sessions for certain protocols, such as SIP.
C: DoS Protection: DoS protection is used to protect against various types of denial-of-service (DoS) attacks, such as SYN floods, UDP floods, ICMP floods, and others. A Zone Protection profile can be configured to limit the rate of traffic for certain protocols or to drop traffic that matches specific patterns, such as malformed packets or packets with invalid headers.
D: Reconnaissance Protection: Reconnaissance protection is used to prevent attackers from gathering information about the network, such as by using port scans or other techniques. A Zone Protection profile can be configured to limit the rate of traffic for certain types of reconnaissance, such as port scans or OS fingerprinting, or to drop traffic that matches specific patterns, such as packets with invalid flags or payloads.


質問 # 65
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time?

  • A. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update.
  • B. Disable automatic updates during weekdays.
  • C. Automatically "download and install" but with the "disable new applications" option used.
  • D. Configure the option for "Threshold".

正解:D

解説:
For Antivirus and Applications and Threats updates, you have the option to set a minimum Threshold of time that a content update must be available before the firewall installs it. Very rarely, there can be an error in a content update and this threshold ensures that the firewall only downloads content releases that have been available and functioning in customer environments for the specified amount of time. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/device/device-dynamic-updates
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-dynamic-updates.html


質問 # 66
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.)

  • A. self-signed CA certificate
  • B. client certificate
  • C. server certificate
  • D. enterprise CA certificate
  • E. wildcard server certificate

正解:A、D

解説:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html


質問 # 67
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

  • A. 5 minutes
  • B. More than 15 minutes
  • C. 10 to 15 minutes
  • D. 5 to 10 minutes

正解:D

解説:
Explanation
"As new WildFire signatures are available every five minutes, this setting ensures the firewall retrieves these signatures within a minute of availability." Meaning if the WildFire checks for verdict at 06:00 PM it would next check at 06:05, however if you submit a file at 06:06 - WildFire would check at 06:10 but your verdict will come at 06:11, which would be fetched by WildFire at 06:15 - hence 9 minutes since you submitted. So 5 to 10 mins depending on your time of submission.


質問 # 68
An engineer needs to collect User-ID mappings from the company's existing proxies.
What two methods can be used to pull this data from third party proxies? (Choose two.)

  • A. Server Monitoring
  • B. Client probing
  • C. XFF Headers
  • D. Syslog

正解:C、D

解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/xff-headers
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/user-id-concepts/user-mapping/syslog#idee


質問 # 69
The following objects and policies are defined in a device group hierarchy


A)

B)

C)
Address Objects
-Shared Address 1
-Branch Address2
Policies -Shared Polic1
l -Branch Policyl
D)
Address Objects -Shared Addressl -Shared Address2 -Branch Addressl Policies -Shared Policyl -Shared Policy2 -Branch Policyl

  • A. Option D
  • B. Option A
  • C. Option B
  • D. Option C

正解:B


質問 # 70
......

更新された公式認定はPCNSE認証済みのPCNSE問題集でPDF:https://jp.fast2test.com/PCNSE-premium-file.html

2024年最新の実際に出るPCNSE問題集テストエンジン試験問題はここにある:https://drive.google.com/open?id=1X7KOddJ7nlcHU63djI6q_7ogXbwCTbRg


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어