Valid PCNSE Certification Exam Questions and Answers Study Guide! (Latest 91 Questions) [Q53-Q69]



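The Palo Alto Networks PCNSE certification is a valuable credential for security engineers who want to demonstrate their expertise in network security technologies and best practices. The certification exam covers a wide range of topics, and candidates are advised to have hands-on experience with Palo Alto Networks products and technologies before attempting it. By earning the PCNSE certification, security engineers can advance their careers and demonstrate their ability to protect organizations from cyber threats using Palo Alto Networks solutions.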


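The Palo Alto Networks PCNSE (Palo Alto Networks Certified Security Engineer) certification exam is a highly sought-after certification for IT security professionals. It is designed to validate the skills and knowledge required to deploy, manage, and troubleshoot Palo Alto Networks next-generation firewalls in real-world environments. It is intended for individuals responsible for deploying and managing Palo Alto Networks firewalls, including security administrators, network engineers, and support staff.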

 

Question # 53
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram?

  • A. IP Address
  • B. IP Netmask
  • C. IP Wildcard Mask
  • D. IP Range

Correct answer: C

Explanation:
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects
An IP Wildcard Mask address object is useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram. An IP Wildcard Mask address object specifies which source or destination addresses are subject to a Security policy rule. A zero (0) bit in the mask indicates that the bit being compared must match the bit in the IP address that is covered by the zero. A one (1) bit in the mask (a wildcard bit) indicates that the bit being compared need not match the bit in the IP address [1]. For example, if you want to match all cash registers in the northeastern U.S., you can use an IP Wildcard Mask address object of 10.132.1.0/0.0.2.255, which will match any IP address from 10.132.1.0 to 10.132.3.255.
Reference: [1] https://docs.paloaltonetworks.com/network-security/security-policy/objects/addresses


Question # 54
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing?
(Choose two.)

  • A. server certificate
  • B. enterprise CA certificate
  • C. self-signed CA certificate
  • D. wildcard server certificate
  • E. client certificate

Correct answer: B, C

Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html


Question # 55
Before you upgrade a Palo Alto Networks NGFW, what must you do?

  • A. Make sure that the PAN-OS support contract is valid for at least another year
  • B. Export a device state of the firewall
  • C. Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions.
  • D. Make sure that the firewall is running a supported version of the app + threat update

Correct answer: B


Question # 56
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality?

  • A. App-ID
  • B. Content-ID
  • C. Certificate revocation
  • D. Port Inspection

Correct answer: A

Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/quality-of-service/qos-for-applications-and-


Question # 57
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?

  • A. Templates > Device > Log Settings
  • B. Device Groups > Objects > Log Forwarding
  • C. Panorama > Managed Devices
  • D. Monitor > Logs > Traffic

Correct answer: B

Explanation:
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama


Question # 58
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two)

  • A. Network Interface Type
  • B. HA1 IP Address
  • C. Master Key
  • D. Zone Protection Profile

Correct answer: A, B


Question # 59
Which protocol is supported by GlobalProtect Clientless VPN?

  • A. SSH
  • B. HTTPS
  • C. RDP
  • D. FTP

Correct answer: B

Explanation:
Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMware Horizon and vCenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN.
Reference:
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported
https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html


Question # 60
View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

  • A. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
  • B. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.
  • C. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
  • D. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.

Correct answer: D

Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-por the-globalprotect-client-authentication-configurations/define-the-globalprotect-agent-configurations
"Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways. When the user attempts to log in, the agent does a reverse DNS lookup of an internal host using the specified Hostname to the specified IP Address. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways."


Question # 61
Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

  • A. Check the license
  • B. Verify AutoFocus is enabled below Device Management tab.
  • C. Verify AutoFocus status using CLI.
  • D. Check the WebUI Dashboard AutoFocus widget.
  • E. Check for WildFire forwarding logs.

Correct answer: A, D

Explanation:
Reference: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/enable-autofocus-threat-intelligence


Question # 62
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two)

  • A. XML API
  • B. GlobalProtect agent
  • C. User-ID Windows-based agent
  • D. log forwarding auto-tagging

Correct answer: C, D

Explanation:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/register-ip-addresses-and-tags-dynamically.
You can enable the dynamic registration process using any of the following options:
User-ID agent for Windows*
VM Information Sources
Panorama Plugin
VMware Service Manager
XML API*
Auto-Tag*
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.p Usernames can also be tagged and untagged using the auto-tagging feature in a Log Forwarding Profile. You also can program another utility to invoke PAN-OS XML API commands to tag or untag usernames.


Question # 63
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes.
How quickly will the firewall receive back a verdict?

  • A. More than 15 minutes
  • B. 10 to 15 minutes
  • C. 5 minutes
  • D. 5 to 10 minutes

Correct answer: D

Explanation:
"As new WildFire signatures are available every five minutes, this setting ensures the firewall retrieves these signatures within a minute of availability."
Meaning if the WildFire checks for verdict at 06:00 PM it would next check at 06:05, however if you submit a file at 06:06 - WildFire would check at 06:10 but your verdict will come at 06:11, which would be fetched by WildFire at 06:15 - hence 9 minutes since you submitted. So 5 to 10 mins depending on your time of submission.


Question # 64
Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two)

  • A. Enter the command logger-mode enable, then enter Y to confirm the change to Log Collector mode.
  • B. From the Device tab of the Panorama GUI, select Log Collector mode and then commit changes.
  • C. From the Panorama tab of the Panorama GUI, select Log Collector mode and then commit changes.
  • D. Log in to the Panorama CLI of the dedicated Log Collector.
  • E. Enter the command request system system-mode logger, then enter Y to confirm the change to Log Collector mode.

Correct answer: D, E

Explanation:
(https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/set-up-panorama/set-up


Question # 65
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA.
The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled:
1. End-users must not get the warning for the https://www.very-important-website.com website.
2. End-users should get the warning for any other untrusted website.
Which approach meets the two customer requirements?

  • A. Navigate to Device > Certificate Management > Certificates > Device Certificates, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
  • B. Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration.
  • C. Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities, import Well-Known-Intermediate-CA and Well-Known-Root-CA, select the Trusted Root CA check box, and commit the configuration.
  • D. Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores.

Correct answer: C


Question # 66
If the firewall has the link monitoring configuration, what will cause a failover?

  • A. ethernet1/3 or Ethernet1/6 going down
  • B. ethernet1/3 going down
  • C. ethernet1/6 going down
  • D. ethernet1/3 and ethernet1/6 going down

Correct answer: D


Question # 67
Drag and Drop Question
Place the steps to onboard a ZTP firewall into Panorama/CSP/ZTP-Service in the correct order.

Correct answer:

Explanation:
Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/set-up-zero-touch-provisioning/ztp-overview/ztp-configuration-elements.html


Question # 68
An administrator wants to upgrade an NGFW from PAN-OS 9.0 to PAN-OS 10.0. The firewall is not a part of an HA pair. What needs to be updated first?

  • A. Applications and Threats
  • B. WildFire
  • C. XML Agent
  • D. PAN-OS Upgrade Agent

Correct answer: A

Explanation:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/upgrade-to-pan-os-80/upgrade-the-firewall-to-pan-os-80/upgrade-a-firewall-to-pan-os-80


Question # 69
......

Palo Alto Networks PCNSE exam practice test questions: https://www.jpntest.com/shiken/PCNSE-mondaishu
