Palo Alto Networks PCNSE日常練習試験は2026年最新のに更新された375問あります
有効問題を試そう!PCNSE試験で実際の試験問題と解答
質問 # 198
What must be configured to apply tags automatically based on User-ID logs?
- A. Log settings
- B. Device ID
- C. Group mapping
- D. Log Forwarding profile
正解:A
解説:
Depending on the type of log you want to use for tagging, create a log forwarding profile or configure the log settings to define how you want the firewall or Panorama to handle logs. For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile. For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions
質問 # 199
Refer to Exhibit:

A firewall has three PDF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named XX-bes a PC with a 192.168.101.10 IP address.
He makes an HTTPS connection to 172.16.10.29.
What is the next hop IP address for the HTTPS traffic from Wills PC.
- A. 172.20.30.1
- B. 172.20.10.1
- C. 172.20.40.1
- D. 172.20.20.1
正解:D
質問 # 200
Based on the graphic which statement accurately describes the output shown in the Server Monitoring panel?
- A. The User-ID aaent is connected to the firewall labeled lab-client
- B. The host lab-client has been found by the User-ID agent.
- C. The User-ID agent is connected to a domain controller labeled lab-client
- D. The host lab-client has been found by a domain controller
正解:C
質問 # 201
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panoram a. In which section is this configured?
- A. Device Groups > Objects > Log Forwarding
- B. Templates > Device > Log Settings
- C. Panorama > Managed Devices
- D. Monitor > Logs > Traffic
正解:A
質問 # 202
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant Which two statements are correct regarding the bootstrap package contents? (Choose two )
- A. The /config /content and /software folders are mandatory while the /license and /plugin folders are optional
- B. The init-cfg txt and bootstrap.xml files are both optional configuration items for the /config folder
- C. The directory structure must include a /config /content, /software and /license folders
- D. The bootstrap package is stored on an AFS share or a discrete container file bucket
- E. The bootstrap xml file allows for automated deployment of VM-Senes firewalls with full network and policy configurations.
正解:B、E
質問 # 203
A prospect is eager to conduct a Security Lifecycle Review (SLR) with the aid of the Palo Alto Networks NGFW.
Which interface type is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive?
- A. Tap
- B. Layer 3
- C. Virtual Wire
- D. Layer 2
正解:A
解説:
Explanation
A tap interface is best suited to provide the raw data for an SLR from the network in a way that is minimally invasive. A tap interface allows the firewall to passively monitor network traffic without affecting the flow of traffic. The firewall can analyze the traffic and generate reports based on the application, user, content, and threat information.
References:https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/config
質問 # 204
What are the three key components of a successful Three Tab Demo? (Select the three correct answers.)
- A. Showing which users are running which applications and provide a method for controlling application access on a by user
- B. After setting match criteria in the Object tab showing how that data is presented in the logs
- C. Providing visibility into recently occurring threats and showing how to block those threats
- D. Presenting the information in the Network and Device tabs
- E. Showing how Palo Alto Networks' firewalls provide visibility into applications and control of those applications
正解:A、C、E
質問 # 205
Which Palo Alto Networks tool provides configuration heat map displays for security controls?
- A. Security Life Cycle Review
- B. Expedition
- C. Best Practice Assessment
- D. Prevention Posture Assessment
正解:C
解説:
https://live.paloaltonetworks.com/t5/best-practice-assessment-blogs/the-best-practice- assessment-bpa-tool-for-ngfw-and-panorama/ba-p/248343
質問 # 206
What is the dependency for users to access services that require authentication?
- A. An Authentication profile that includes those services
- B. A Security policy allowing users to access those services
- C. An authentication sequence that includes those services
- D. Disabling the authentication timeout
正解:B
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-policy/configure-authe
質問 # 207
Review the screenshot of the Certificates page.
An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems.
When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings.
What is the cause of the unsecured website warnings?
- A. The forward trust certificate has not been installed in client systems.
- B. The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
- C. The forward untrust certificate has not been signed by the self-singed root CA certificate.
- D. The forward trust certificate has not been signed by the self-singed root CA certificate.
正解:D
解説:
The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the forward trust certificate and presents it to the client. The client then verifies the signature using the public key of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this case, the administrator has installed the self-signed root CA certificate in all client systems, so this CA should be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This causes the client to reject the signature and show a warning message. To fix this issue, the administrator should generate a new forward trust certificate and sign it with the self-signed root CA certificate12. Reference: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption
質問 # 208
A company has recently migrated their branch office's PA-220S to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices All device group and template configuration is managed solely within Panorama They notice that commit times have drastically increased for the PA-220S after the migration What can they do to reduce commit times?
- A. Update the apps and threat version using device-deployment
- B. Perform a device group push using the "merge with device candidate config" option
- C. Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.
- D. Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
正解:D
解説:
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups
/manage-unused-shared-objects
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS
質問 # 209
A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation.
Which two formats are correct for naming aggregate interfaces? (Choose two.)
- A. aggregate.1
- B. ae.1
- C. ae.8
- D. aggregate.8
正解:B、C
質問 # 210
Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.)
- A. Block sessions with untrusted issuers
- B. Block sessions with client authentication
- C. Block sessions with expired certificates
- D. Block credential phishing
- E. Block sessions with unsupported cipher suites
正解:A、C
解説:
Explanation/Reference:
Reference: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/decryption/define-traffic- to-decrypt/create-a-decryption-profile
質問 # 211
Which action does a firewall take when a decryption profile allows unsupported modes and unsupported traffic with TLS 1.2 protocol traverses the firewall?
- A. It automatically adds the server to the SSL decryption exclusion list.
- B. It blocks all communication with the server indefinitely.
- C. It generates a decryption error message but allows the traffic to continue decryption.
- D. It downgrades the protocol to ensure compatibility.
正解:A
質問 # 212
Refer to the diagram.
An administrator needs to create an address object that will be useable by the NYC. MA, CA and WA device groups Where will the object need to be created within the device-group hierarchy?
- A. East
- B. US
- C. Americas
- D. West
正解:C
質問 # 213
An administrator has 750 firewalls The administrator's central-management Panorama instance deploys dynamic updates to the firewalls
The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls.
If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear what is the root cause?
- A. No service route is configured on the firewalls to Palo Alto Networks update servers
- B. Locally-defined dynamic update settings take precedence over the settings that Panorama pushed
- C. Panorama has no connection to Palo Alto Networks update servers
- D. Panorama does not have valid licenses to push the dynamic updates
正解:B
解説:
Locally defined dynamic updates setting on a managed Palo Alto Networks firewall take preference over the Panorama pushed setting. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKQCA0
質問 # 214
A network administrator wants to use a certificate for the SSL/TLS Service Profile.
Which type of certificate should the administrator use?
- A. certificate authority (CA) certificate
- B. machine certificate
- C. server certificate
- D. client certificate
正解:C
解説:
Use only signed certificates, not CA certificates, in SSL/TLS service profiles. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls-service-profile.html
質問 # 215
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)
- A. SSH key
- B. One-Time Password
- C. Short message service
- D. Push
- E. User logon
- F. Voice
正解:B、C、D、F
解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-types/multi-factor-auth Push - An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS) - An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
Voice - An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP) - An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/multi-factor-auth
質問 # 216
An administrator has configured OSPF with Advanced Routing enabled on a Palo Alto Networks firewall running PAN-OS 10.2. After OSPF was configured, the administrator noticed that OSPF routes were not being learned.
Which two actions could an administrator take to troubleshoot this issue? (Choose two.)
- A. Look for configuration problems in Network > virtual router > OSPF
- B. In the WebUl, view the Runtime Stats in the virtual router.
- C. Run the CLI command show advanced-routing ospf neighbor
- D. In the WebUl, view the Runtime Stats in the logical router.
正解:B、C
質問 # 217
......
テストエンジンに練習PCNSEテスト問題:https://www.goshiken.com/Palo-Alto-Networks/PCNSE-mondaishu.html
PCNSEリアル試験問題でテストエンジン問題集トレーニングには375問あります:https://drive.google.com/open?id=1ffxGJFXvIiuyi6r57h4s_U_uC1MiqDDl