Updated March 2022 Test Engine: PCNSE Practice Test Questions [Q109-Q124]


The PCNSE real exam question test engine training set contains 394 questions.


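Palo Alto Networks PCNSE certification exam topics:

Topic: Exam coverage
Topic 1
  • Operate efficiently to stop attacks that cause business disruption
Topic 2
  • Identify application meanings in the Traffic log
Topic 3
  • Identify how to use device group hierarchy to manage Palo Alto Networks firewalls
Topic 4
  • Identify the impact of application override on overall functionality
Topic 5
  • Identify options for deploying Palo Alto Networks firewalls
Topic 6
  • Identify the appropriate interface type and configuration for a specified network deployment
Topic 7
  • Improve security effectiveness and efficiency with tightly integrated innovations
Topic 8
  • Identify decryption deployment strategies
Topic 9
  • Identify how to use template stacks to manage Palo Alto Networks firewalls
Topic 10
  • Scenarios that identify the firewall design implementation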

 

Question 109
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  • A. Application and Threats update package
  • B. WildFire update package
  • C. Antivirus update package
  • D. User-ID agent

Correct answer: A

Explanation:
Dependencies: Before the upgrade, make sure the firewall is running an App + Threat version (content version) that meets the minimum requirement of the new PAN-OS version.
https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

Question 110
Refer to the exhibit.

An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? (Choose two.)

  • A. Untrust (Any) to Untrust (10.1.1.101), ssh - Allow
  • B. Untrust (Any) to DMZ (10.1.1.100), ssh - Allow
  • C. Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing - Allow
  • D. Untrust (Any) to Untrust (10.1.1.100), web-browsing - Allow
  • E. Untrust (Any) to DMZ (10.1.1.100), web-browsing - Allow

Correct answer: B, E

 

Question 111
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet.
Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22.

Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly?
A)

B)

C)

D)

  • A. Option C
  • B. Option B
  • C. Option A
  • D. Option D

Correct answer: D

 

Question 112
What is the default behavior when a Certificate Profile is configured to use both CRL and OCSP?

  • A. The option with the lower timeout value will be preferred.
  • B. The firewall will use the first profile to respond.
  • C. CRL will be preferred
  • D. OCSP will be preferred.

Correct answer: D

Explanation:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/certificate-management/configure-a-certificate-profile

 

Question 113
Refer to exhibit.

An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN.
How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/security platforms?

  • A. Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services.
  • B. Any configuration on an M-500 would address the insufficient bandwidth concerns.
  • C. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW.
  • D. Configure log compression and optimization features on all remote firewalls.

Correct answer: A

Explanation:
https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/panorama-overview/centralized-logging-and-reporting

 

Question 114
There is a speed/duplex negotiation mismatch between the Palo Alto Networks management port and the switch port to which it connects.
How would an administrator configure the interface to 1Gbps?

  • A. set deviceconfig system speed-duplex 1Gbps-full-duplex
  • B. set deviceconfig interface speed-duplex 1Gbps-full-duplex
  • C. set deviceconfig Interface speed-duplex 1Gbps-half-duplex
  • D. set deviceconfig system speed-duplex 1Gbps-duplex

Correct answer: A

Explanation:
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Speed-and-Duplex-of-the-Management-Port/ta-p/59034

 

Question 115
The firewall is not downloading IP addresses from MineMeld. Based on the image, what is most likely wrong?

  • A. External Dynamic Lists do not support SSL connections.
  • B. A Certificate Profile that contains the client certificate needs to be selected.
  • C. A Certificate Profile that contains the CA certificate needs to be selected.
  • D. The source address supports only files hosted with an ftp://<address/file>.

Correct answer: C

Explanation:
https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-Dynamic-Lists/ta-p/190414

 

Question 116
Which two statements accurately describe how DoS Protection Profiles and Policies mitigate attacks? (Choose two.)

  • A. They mitigate against attacks by utilizing "random early drop".
  • B. They mitigate against volumetric attacks by leveraging known vulnerabilities, brute force methods, amplification, spoofing, and other vulnerabilities.
  • C. They mitigate against attacks by providing resource protection by limiting the number of sessions that can be used.
  • D. They mitigate against attacks on a zone basis by providing reconnaissance protection against TCP/UDP port scans and host sweeps.

Correct answer: A, C

Explanation:
DoS
In addition to flood protection, we also offer resource protection. This type of protection enforces a quota for your hosts. It restricts the maximum number of sessions allowed for a particular source IP address, destination IP address or IP source-destination pair.
Zone Protection
Zone protection policies allow the use of flood protection and can protect against port scans/sweeps and packet-based attacks. A few examples are IP spoofing, fragments, overlapping segments, reject tcp-non-syn.

 

Question 117
The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router.
Which two options would help the administrator troubleshoot this issue? (Choose two.)

  • A. View the Runtime Stats and look for problems with BGP configuration.
  • B. View the System logs and look for the error messages about BGP.
  • C. View the ACC tab to isolate routing issues.
  • D. Perform a traffic pcap on the NGFW to see any BGP problems.

Correct answer: A, B

 

Question 118
The firewall identifies a popular application as an unknown-tcp.
Which two options are available to identify the application? (Choose two.)

  • A. Create a custom object for the custom application server to identify the custom application.
  • B. Submit an Apple-ID request to Palo Alto Networks.
  • C. Create a Security policy to identify the custom application.
  • D. Create a custom application.

Correct answer: C, D

Explanation:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-custom-or-unknown-applications

 

Question 119
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port.
Which two mandatory options are used to configure a VLAN interface? (Choose two.)

  • A. Virtual router
  • B. ARP entries
  • C. Netflow Profile
  • D. Security zone

Correct answer: A, D

Explanation:
Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-interfaces/pa-layer-2-interface#idd2bcaacc-54b9-4ec9-a1dd-8064499f5b9d

 

Question 120
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software?

  • A. XML API
  • B. Client Probing
  • C. Port Mapping
  • D. Server Monitoring

Correct answer: A

Explanation:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/user-mapping/xml-api.html

 

Question 121
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet-facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods?

  • A. URL Filtering profile
  • B. Data Filtering profile
  • C. DoS Protection profile
  • D. Vulnerability Protection profile

Correct answer: C

 

Question 122
There is a speed/duplex negotiation mismatch between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1Gbps?

  • A. set deviceconfig system speed-duplex 1Gbps-full-duplex
  • B. set deviceconfig interface speed-duplex 1Gbps-full-duplex
  • C. set deviceconfig Interface speed-duplex 1Gbps-half-duplex
  • D. set deviceconfig system speed-duplex 1Gbps-duplex

Correct answer: A

Explanation:
Reference:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Speed-and-Duplex-of-the-Management-Port/ta-p/59034

user@PA# set deviceconfig system speed-duplex
  100Mbps-full-duplex    100Mbps-full-duplex
  100Mbps-half-duplex    100Mbps-half-duplex
  10Mbps-full-duplex     10Mbps-full-duplex
  10Mbps-half-duplex     10Mbps-half-duplex
  1Gbps-full-duplex      1Gbps-full-duplex
  1Gbps-half-duplex      1Gbps-half-duplex
  auto-negotiate         auto-negotiate

 

Question 123
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled.
What must be verified to upgrade the firewalls to the most recent version of PAN-OS software?

  • A. Application and Threats update package
  • B. WildFire update package
  • C. Antivirus update package
  • D. User-ID agent

Correct answer: A

Explanation:
Dependencies: Before the upgrade, make sure the firewall is running an App + Threat version (content version) that meets the minimum requirement of the new PAN-OS version.
https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

Question 124
......
