PCNSE試験問題集合格できるには更新された2023年01月テスト問題集
PCNSEテスト問題練習は2023年最新のに更新された190問あります
質問 32
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)
- A. Check the WebUI Dashboard AutoFocus widget.
- B. Verify AutoFocus is enabled below Device Management tab.
- C. Check for WildFire forwarding logs.
- D. Check the license.
- E. Verify AutoFocus status using the CLI "test" command.
正解: B,D
解説:
Explanation/Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/enable- autofocus-threat-intelligence
質問 33
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing
session using which kind of match?
- A. 7-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL
Category, and Source Security Zone - B. 6-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source
Security Zone - C. 5-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Protocol - D. 9-tuple match:
Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source
Security Zone, Destination Security Zone, Application, and URL Category
正解: B
質問 34
Place the steps in the WildFire process workflow in their correct order.
正解:
解説:
質問 35
Refer to the exhibit.
An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
A)
B)
C)
D)
- A. Option C
- B. Option B
- C. Option D
- D. Option A
正解: C
質問 36
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action.
Answer options may be used more than once or not at all.
正解:
解説:
Explanation
IMAP , POP3 , SMTP - > Alert
HTTP,FTP,SMB -> Reset-both
質問 37
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant Which two statements are correct regarding the bootstrap package contents? (Choose two )
- A. The bootstrap.xml file allows for automated deployment of VM-Senes firewalls with full network and policy configurations.
- B. The directory structure must include a /config /content, /software and /license folders
- C. The init-cfg txt and bootstrap.xml files are both optional configuration items for the /config folder
- D. The /config /content and /software folders are mandatory while the /license and /plugin folders are optional
- E. The bootstrap package is stored on an AFS share or a discrete container file bucket
正解: A,B
解説:
Explanation
https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstra
質問 38
Which protection feature is available only in a Zone Protection Profile?
- A. UDP Flood Protections
- B. ICMP Flood Protection
- C. Port Scan Protection
- D. SYN Flood Protection using SYN Flood Cookies
正解: C
質問 39
Based on the image, what caused the commit warning?
- A. The FWDtrust certificate does not have a certificate chain.
- B. SSL Forward Proxy requires a public certificate to be imported into the firewall.
- C. The CA certificate for FWDtrust has not been imported into the firewall.
- D. The FWDtrust certificate has not been flagged as Trusted Root CA.
正解: A
質問 40
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
- A. You must set the interface to Layer 2 Layer 3. or virtual wire
- B. You must use a static IP address
- C. You must enable DoS and zone protection
- D. The interface must be used for traffic to the required services
正解: D
質問 41
The certificate information displayed in the following image is for which type of certificate?
Exhibit:
- A. Self-Signed Root CA certificate
- B. Web Server certificate
- C. Forward Trust certificate
- D. Public CA signed certificate
正解: A
質問 42
The firewall is not downloading IP addresses from MineMeld. Based, on the image, what most likely is wrong?
- A. A Certificate Profile that contains the CA certificate needs to be selected.
- B. The source address supports only files hosted with an ftp://<address/file>.
- C. A Certificate Profile that contains the client certificate needs to be selected.
- D. External Dynamic Lists do not support SSL connections.
正解: A
解説:
https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using- External-Dynamic-Lists/ta-p/190414
質問 43
When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinhole enabled, generating a traffic log.
What will be the destination IP Address in that log entry?
- A. The IP Address of sinkhole.paloaltonetworks.com
- B. The IP Address of one of the external DNS servers identified in the anti-spyware database
- C. The IP Address of the command-and-control server
- D. The IP Address specified in the sinkhole configuration
正解: D
解説:
Explanation: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Verify- DNS-Sinkhole-Function-is-Working/ta-p/65864
質問 44
Exhibit:
What will be the source address in the ICMP packet?
- A. 192.168.93.1
- B. 10.46.64.94
- C. 10.30.0.93
- D. 10.46.72.93
正解: B
質問 45
The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall.
Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate?
- A. Forward-Trust-Certificate
- B. Firewall-Trusted-Root-CA
- C. Forward-Untrust-Certificate
- D. Firewall-CA
正解: A
質問 46
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.)
- A. Highlight Unused Rules will highlight zero rules.
- B. Highlight Unused Rules will highlight all rules.
- C. Rule Usage Hit counter will not be reset
- D. Rule Usage Hit counter will reset.
正解: B,C
解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVICA0
"Notice how the rules looks after selecting "Highlight Unused Rules." You can now see exactly what rules have and have not been used since the last reboot."
質問 47
Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)
- A. SAML
- B. Kerberos
- C. RADIUS
- D. PAP
- E. TACACS+
- F. LDAP
正解: A,C,E
質問 48
Which three split tunnel methods are supported by a GlobalProtect Gateway?
- A. Client Application Process
- B. URL Category
- C. Destination Domain
- D. video streaming application
- E. Destination user/group
- F. Source Domain
正解: A,C,D
解説:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/globalprotect- features/split-tunnel-for-public-applications
質問 49
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft?
- A. Mapping to the IP address of the logged-in user.
- B. Using the same user's corporate username and password.
- C. First four letters of the username matching any valid corporate username.
- D. Marching any valid corporate username.
正解: A
解説:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-
os/newfeaturesguide/content-inspection-features/credential- phishing-prevention
質問 50
On March 10, 2016, between 11:00 am and 11:30 am, users reported that web-browsing traffic to the IP address 1.1.1.1 failed.
Which filter can be applied to the traffic logs to show how many users were affected during this time frame?
- A. ( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and ( addr.dst in 1.1.1.1)
- B. ( time_generated leq `2016/03/10 11:30:00') and ( app is web-browsing )
- C. ( time_generated leq `2016/03/10 11:00:00') and ( time_generated geq `2016/03/10 11:30:00') and ( app eq web-browsing )
- D. ( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and ( app neq web-browsing )
正解: A
質問 51
SD-WAN is designed to support which two network topology types? (Choose two.)
- A. full-mesh
- B. point-to-point
- C. ring
- D. hub-and-spoke
正解: A,D
解説:
Explanation
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plugin-for-s
https://www.paloaltonetworks.nl/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/g
質問 52
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?
- A. Add a Vulnerability Protection Profile to block the attack.
- B. Add QoS Profiles to throttle incoming requests.
- C. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
- D. Add a DoS Protection Profile with defined session count.
正解: D
質問 53
......
Palo Alto Networks PCNSE 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
| トピック 6 |
|
| トピック 7 |
|
| トピック 8 |
|
| トピック 9 |
|
| トピック 10 |
|
正真正銘のPCNSE問題集には100%合格率練習テスト問題集:https://jp.fast2test.com/PCNSE-premium-file.html
更新されたプレミアムPCNSE試験エンジンPDF:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng