(PDF)Paloalto Network Security Administrator PCNSA試験と認定テストエンジン
無料提供中のPCNSA試験問題集で(2025年最新のPDF問題集)信頼度の高いPCNSAテストエンジン
質問 # 155
Which feature would be useful for preventing traffic from hosting providers that place few restrictions on content, whose services are frequently used by attackers to distribute illegal or unethical material?
- A. Palo Alto Networks C&C IP Addresses
- B. Palo Alto Networks Known Malicious IP Addresses
- C. Palo Alto Networks High-Risk IP Addresses
- D. Palo Alto Networks Bulletproof IP Addresses
正解:D
解説:
To block hosts that use bulletproof hosts to provide malicious, illegal, and/or unethical content, use the bulletproof IP address list in policy.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-features/edl-for-bulletproof-isps#:~:text=A%20new%20built%2Din%20external,%2C%20illegal%2C%20and%20unethical%20content.
質問 # 156
Which administrator type utilizes predefined roles for a local administrator account?
- A. Dynamic
- B. Superuser
- C. Device administrator
- D. Role-based
正解:A
解説:
Dynamic roles: These are built-in or predefined roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of Dynamic roles; you never need to manually update them.
質問 # 157
Given the topology, which zone type should interface E1/1 be configured with?
- A. Tap
- B. Virtual Wire
- C. Tunnel
- D. Layer3
正解:A
質問 # 158
An administrator is troubleshooting an issue with traffic that matches the interzone-default rule, which is set to default configuration.
What should the administrator do?
- A. Tune your Traffic Log filter to include the dates
- B. Refresh the Traffic Log
- C. Review the System Log
- D. Change the logging action on the rule
正解:D
解説:
Traffic that does not match any of the rules you defined will match the predefined interzone- default rule at the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule.
質問 # 159
Employees are shown an application block page when they try to access YouTube. Which security policy is blocking the YouTube application?
- A. interzone-default
- B. allowed-security services
- C. intrazone-default
- D. Deny Google
正解:A
質問 # 160
During the App-ID update process, what should you click on to confirm whether an existing policy rule is affected by an App-ID update?
- A. check now
- B. test policy match
- C. review policies
- D. download
正解:C
質問 # 161
If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?
- A.

- B.

- C.

- D.

正解:C
質問 # 162
What is the main function of Policy Optimizer?
- A. eliminate "Log at Session Start" security rules
- B. migrate other firewall vendors' security rules to Palo Alto Networks configuration
- C. reduce load on the management plane by highlighting combinable security rules
- D. convert port-based security rules to application-based security rules
正解:D
解説:
Reference: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy- optimizer.html
質問 # 163
Which DNS Query action is recommended for traffic that is allowed by Security policy and matches Palo Alto Networks Content DNS Signatures?
- A. sinkhole
- B. alert
- C. block
- D. allow
正解:A
解説:
To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, configure the log severity and policy settings for each DNS signature category, and then attach the profile to a security policy rule.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security
質問 # 164
In which threat profile object would you configure the DNS Security service?
- A. URL Filtering
- B. Antivirus
- C. Anti-Spyware
- D. WildFire
正解:C
質問 # 165
Which two App-ID applications will need to be allowed to use Facebook-chat? (Choose two.)
- A. facebook-email
- B. facebook-chat
- C. facebook
- D. facebook-base
正解:B、D
解説:
If you wanted to chat, then facebook-base and facebook-chat would need to be allowed in the same rule.
質問 # 166
Which two statements are true for the DNS security service introduced in PAN-OS version 9.0?
- A. It functions like PAN-DB and requires activation through the app portal.
- B. IT is automatically enabled and configured.
- C. IT eliminates the need for dynamic DNS updates.
- D. It removes the 100K limit for DNS entries for the downloaded DNS updates.
正解:A、D
質問 # 167
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choices to block the sameURL then which choice would be the last to block access to the URL?
- A. PAN-DB URL category in URL Filtering Profile.
- B. EDL in URL Filtering Profile.
- C. Custom URL category in Security Policy rule.
- D. Custom URL category in URL Filtering Profile.
正解:A
解説:
The precedence is from the top down; First Match Wins: 1) Block list: Manually entered blocked URLs Objects - 2) Allow list: Manually entered allowed URLs Objects - 3) Custom URL Categories - 4) Cached Cached: URLs learned from External Dynamic Lists (EDLs) - 5) Pre-Defined Categories: PAN-DB or Brightcloud categories.
質問 # 168
Which statement is true regarding a Best Practice Assessment?
- A. The assessment, guided by an experienced sales engineer, helps determine the areas of greatest risk where you should focus prevention activities
- B. The BPA tool can be run only on firewalls
- C. It provides a percentage of adoption for each assessment data
- D. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture
正解:C
解説:
Best Practice Assessment (BPA) Tool -The BPA for next-generation firewalls and Panorama evaluates a device's configuration by measuring the adoption of capabilities, validating whether the policies adhere to best practices, and providing recommendations and instructions for how to remediate failed best practice checks.
The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories. The results include trending data, which shows the rate of security improvement as you adopt new capabilities, fix gaps, and progress toward a Zero-Trust network.
The BPA component performs more than 200 security checks on a firewall or Panorama configuration and provides a pass/fail score for each check. Each check is a best practice identified by Palo Alto Networks security experts. If a check returns a failing score, the tool provides the justification for the failing score and how to fix the issue.
https://docs.paloaltonetworks.com/best-practices/8-1/data-center-best-practices/data-center-best- practice-security-policy/use-palo-alto-networks-assessment-and-review-tools
質問 # 169
In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)
- A. Objects tab > Applications
- B. ACC tab > Global Filters
- C. Objects tab > Application Filters
- D. Objects tab > Application Groups
- E. Policies tab > Security
正解:A、C、D
解説:
The application characteristics can be found in three places on the PAN-OS interface: Objects tab > Application Filters, Objects tab > Application Groups, and Objects tab > Applications. These places allow you to view and manage the applications and application groups that are used in your Security policy rules. You can also create custom applications and application filters based on various attributes, such as category, subcategory, technology, risk, and behavior1. Some of the characteristics of these places are:
Objects tab > Application Filters: An application filter is a dynamic object that groups applications based on specific criteria. You can use an application filter to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application filter that includes all applications that have a high risk level or use peer-to-peer technology.
Objects tab > Application Groups: An application group is a static object that groups applications based on your custom requirements. You can use an application group to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application group that includes all applications that are related to a specific business function or project.
Objects tab > Applications: An application is an object that identifies and classifies network traffic based on App-ID, which is a technology that uses multiple attributes to identify applications. You can use an application to match a specific application in a Security policy rule and control its access and behavior. For example, you can use an application to allow web browsing but block file sharing or social networking.
質問 # 170
In a security policy what I the quickest way to rest all policy rule hit counters to zero?
- A. Reboot the firewall.
- B. use the Reset Rule Hit Counter > All Rules option.
- C. Use the CLI enter the command reset rules all
- D. Highlight each rule and use the Reset Rule Hit Counter > Selected Rules.
正解:C
質問 # 171
An address object of type IP Wildcard Mask can be referenced in which part of the configuration?
- A. NAT address pool
- B. ACC global filter
- C. Security policy rule
- D. external dynamic list
正解:C
解説:
You can use an address object of type IP Wildcard Mask only in a Security policy rule.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-addresses IP Wildcard Mask
--Enter an IP wildcard address in the format of an IPv4 address followed by a slash and a mask (which must begin with a zero); for example,
10.182.1.1/0.127.248.0. In the wildcard mask, a zero (0) bit indicates that the bit being compared must match the bit in the IP address that is covered by the 0. A one (1) bit in the mask is a wildcard bit, meaning the bit being compared need not match the bit in the IP address that is covered by the 1. Convert the IP address and the wildcard mask to binary. To illustrate the matching: on binary snippet 0011, a wildcard mask of 1010 results in four matches (0001, 0011, 1001, and 1011).
質問 # 172
Users from the internal zone need to be allowed to Telnet into a server in the DMZ zone.
Complete the security policy to ensure only Telnet is allowed.
Security Policy: Source Zone: Internal to DMZ Zone __________services "Application defaults", and action = Allow
- A. Application = `Telnet'
- B. Destination IP: 192.168.1.123/24
- C. Log Forwarding
- D. USER-ID = `Allow users in Trusted'
正解:A
質問 # 173
You receive notification about new malware that is being used to attack hosts.
The malware exploits a software bug in a common application.
Which Security Profile detects and blocks access to this threat after you update the firewall's threat signature database?
- A. Vulnerability Profile applied to inbound Security policy rules
- B. Data Filtering Profile applied to outbound Security policy rules
- C. Data Filtering Profile applied to inbound Security policy rules
- D. Antivirus Profile applied to outbound Security policy rules
正解:A
質問 # 174
Which policy set should be used to ensure that a policy is applied just before the default security rules?
- A. Shared post-rulebase
- B. Local Firewall policy
- C. Child device-group post-rulebase
- D. Parent device-group post-rulebase
正解:A
解説:
The policy set that should be used to ensure that a policy is applied just before the default security rules is the shared post-rulebase. The shared post-rulebase is a set of Security policy rules that are defined on Panorama and apply to all firewalls or device groups. The shared post-rulebase is evaluated after the local firewall policy and the child device-group post-rulebase, but before the default security rules. The shared post-rulebase can be used to enforce common security policies across multiple firewalls or device groups, such as blocking high-risk applications or traffic1. Reference: Security Policy Rule Hierarchy, Security Policy Rulebase, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].
質問 # 175
Based on the screenshot what is the purpose of the group in User labelled ''it"?
- A. Allows users in group "it" to access IT applications
- B. Allows "any" users to access servers in the DMZ zone
- C. Allows users in group "DMZ" lo access IT applications
- D. Allows users to access IT applications on all ports
正解:A
質問 # 176
You have been tasked to configure access to a new web server located in the DMZ Based on the diagram what configuration changes are required in the NGFW virtual router to route traffic from the 10 1 1 0/24 network to 192 168 1 0/24?
- A. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/3 with a next-hop of 192.168
1.10 - B. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/3 with a next-hop of 172.16.1.2
- C. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/3 with a next-hop of
192.168.1.254 - D. Add a route with the destination of 192 168 1 0/24 using interface Eth 1/2 with a next-hop of 172.16.1.2
正解:B
質問 # 177
......
PCNSA完全版問題集には無料PDF問題で合格させる:https://jp.fast2test.com/PCNSA-premium-file.html
PCNSAPDFで最近更新された問題です集試験点数を伸ばそう:https://drive.google.com/open?id=1rbNEvzsoh9JrEX4AKvAvcIDDPqHiwI1C