[December 2023] Pass with the Palo Alto Networks PCNSE Test Engine PDF - Complete Free Question Set [Q29-Q46]

[December 2023] Complete free question set with the Palo Alto Networks PCNSE test engine PDF to help you pass

Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0 practice test: pass stress-free with the latest 2023 PCNSE material!

Question # 29
With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?

  • A. incomplete
  • B. insufficient-data
  • C. unknown-tcp
  • D. unknown-udp

Correct answer: A


Question # 30
Which CLI command can be used to export the tcpdump capture?

  • A. download mgmt.-pcap
  • B. scp extract mgmt-pcap from mgmt.pcap to <username@host:path>
  • C. scp export mgmt-pcap from mgmt.pcap to <username@host:path>
  • D. scp export tcpdump from mgmt.pcap to <username@host:path>

Correct answer: C


Question # 31
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?

  • A. Application Groups
  • B. Config Audit
  • C. Policy Optimizer
  • D. Test Policy Match

Correct answer: C

Explanation:
This new feature identifies port-based rules so you can convert them to application-based rules that allow the traffic or add applications to existing rules without compromising application availability.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-optimizer.html


Question # 32
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

  • A. Option
  • B. Option
  • C. Option
  • D. Option

Correct answer: C


Question # 33
The NAT rule destination zone should be set to Outside because that is the zone where the post-NAT IP address of the server (192.168.10.10) belongs. The destination zone of a NAT rule is the zone where the translated IP address resides. Option A is incorrect because None is not a valid zone for a NAT rule. Option C is incorrect because DMZ is the zone where the pre-NAT IP address of the server (153.6 12.10) belongs, not the post-NAT IP address. Option D is incorrect because Inside is not a zone that is configured on the firewall.

An administrator is troubleshooting why video traffic is not being properly classified.
If this traffic does not match any QoS classes, what default class is assigned?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Correct answer: C

Explanation:
The default class that is assigned to traffic that does not match any QoS classes is class 4. Class 4 is the default class for any session not matched to a QoS policy. QoS policy, like security policy, is processed top to bottom and the first policy match will be applied. If no policy match is found, the traffic is assigned to class 4.
Option A is incorrect because class 1 is not the default class for unmatched traffic. Class 1 is a user-defined class that can be used to assign traffic based on QoS policy criteria. Option B is incorrect because class 2 is not the default class for unmatched traffic. Class 2 is a user-defined class that can be used to assign traffic based on QoS policy criteria. Option C is incorrect because class 3 is not the default class for unmatched traffic. Class 3 is a user-defined class that can be used to assign traffic based on QoS policy criteria.


Question # 34
An administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is the output from the command:

What could be the cause of this problem?

  • A. The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA.
  • B. The shared secrets do not match between the Palo Alto Networks Firewall and the ASA.
  • C. The Proxy IDs on the Palo Alto Networks Firewall do not match the setting on the ASA.
  • D. The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.

Correct answer: A


Question # 35
A network security administrator has been tasked with deploying User-ID in their organization.
What are three valid methods of collecting User-ID information in a network? (Choose three.)

  • A. External dynamic list
  • B. XML API
  • C. Dynamic user groups
  • D. GlobalProtect
  • E. Windows User-ID agent

Correct answer: B, D, E

Explanation:
User-ID is a feature that allows the firewall to identify and classify users and groups on the network based on their usernames, IP addresses, and other attributes. User-ID information can be collected from various sources, such as:
* A: Windows User-ID agent: A software agent that runs on a Windows server and collects user information from Active Directory domain controllers, Exchange servers, or eDirectory servers. The agent then sends the user information to the firewall or Panorama for user mapping.
* B: GlobalProtect: A software agent that runs on the endpoints and provides secure VPN access to the network. GlobalProtect also collects user information from the endpoints and sends it to the firewall or Panorama for user mapping.
* C: XML API: An application programming interface that allows external systems or scripts to send user information to the firewall or Panorama in XML format. The XML API can be used to integrate with third-party systems, such as identity providers, captive portals, or custom applications.


Question # 36
An administrator would like to determine which action the firewall will take for a specific CVE. Given the screenshot below, where should the administrator navigate to view this information?

  • A. Exceptions tab
  • B. CVE column
  • C. The profile rule threat name
  • D. The profile rule action

Correct answer: A

Explanation:
The Exceptions settings allow you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering functions.
To verify this, log in to the firewall, go to Vulnerability > Exceptions, and select "Show all signatures".
From there you will see all threat information, including specific actions.
More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC


Question # 37
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to Untrust (10.1.1.1), ssh -Allow
  • B. Untrust (Any) to DMZ (10.1.1.1), web-browsing -Allow
  • C. Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow
  • D. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing -Allow
  • E. Untrust (Any) to DMZ (10.1.1.1), ssh -Allow

Correct answer: B, E

Explanation:
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destinat


Question # 38
An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs?

  • A. Traffic Logs
  • B. Session Browser
  • C. System Logs
  • D. You cannot find failover details on closed sessions

Correct answer: D


Question # 39
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic?

  • A. Select disable application updates and select "Install only Threat updates"
  • B. Select download-only.
  • C. Select download-and-install.
  • D. Select download-and-install, with "Disable new apps in content update" selected.

Correct answer: D


Question # 40
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured.
Which configuration step needs to be configured to enable QoS?

  • A. Enable QoS Data Filtering Profile
  • B. Enable QoS monitor
  • C. Enable QoS in the interface Management Profile.
  • D. Enable QoS interface

Correct answer: D

Explanation:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-qos/qos-interface-settings#


Question # 41
If the firewall has the link monitoring configuration, what will cause a failover?

  • A. ethernet1/3 or ethernet1/6 going down
  • B. ethernet1/3 going down
  • C. ethernet1/3 and ethernet1/6 going down
  • D. ethernet1/6 going down

Correct answer: C


Question # 42
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

  • A. port inspection
  • B. certificate revocation
  • C. App-ID
  • D. Content-ID

Correct answer: C

Explanation:
QoS natively integrates with App-ID, which is a feature that identifies applications based on their unique characteristics and behaviors, regardless of port, protocol, encryption, or evasive tactics. By using App-ID, QoS can prioritize or limit traffic based on the application name, category, subcategory, technology, or risk level. Certificate revocation is a process of invalidating digital certificates that are no longer trusted or secure. Content-ID is a feature that scans content and data within allowed applications for threats and sensitive data. Port inspection is a method of identifying applications based on the TCP or UDP port numbers they use, which is not reliable or granular enough for QoS purposes.
References:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/quality-of-service/configure-qos
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id


Question # 43
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22. Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?

A:

B:

C:

D:

  • A. Option D
  • B. Option B
  • C. Option A
  • D. Option C

Correct answer: D


Question # 44
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing, and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  • A. Antivirus update package.
  • B. Applications and Threats update package.
  • C. User-ID agent.
  • D. WildFire update package.

Correct answer: B

Explanation:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-pan-os-80/upgrade-the-firewall-to-pan-os-80/upgrade-an-ha-firewall-pair-to-pan-os-80


Question # 45
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

  • A. VeriSign > Palo Alto Networks > Symantec
  • B. VeriSign > Symantec > Palo Alto Networks
  • C. Palo Alto Networks > Symantec > VeriSign
  • D. Symantec > VeriSign > Palo Alto Networks

Correct answer: D


Question # 46
......
