
Broadcom 250-583練習テストPDF試験材料
250-583解答250-583無料サンプルには全てリアル試験合格させます
質問 # 38
Which two outcomes occur when you define multiple Network Security Boundaries that overlap IP ranges?
- A. Connectors in both boundaries form an any-to-any tunnel mesh
- B. Health-check alerts show "Overlapping Subnet" warnings
- C. Policy evaluation fails open if overlap is detected
- D. ZTNA prioritizes the most specific (longest-prefix) range first
正解:B、D
解説:
Longest-prefix wins; the portal warns but does not fail open.
質問 # 39
Which design principle ensures ZTNA remains effective during cloud provider outages?
- A. Forcing agentless mode for all applications
- B. Multi-cloud Connector deployment with DNS-based failover
- C. Hard-coding provider IP ranges in Connectors
- D. Disabling SIEM alerts for external downtime
正解:B
解説:
Multi-cloud redundancy mitigates single-provider failures.
質問 # 40
Why might you keep Legacy VPN active in parallel during initial ZTNA go-live?
- A. Reduces SIEM license costs
- B. Enables Connector GRE encapsulation
- C. Provides temporary fallback while confidence builds
- D. Allows TLS 1.0 traffic
正解:C
解説:
Gradual transition needs rollback path.
質問 # 41
Which best practice helps maintain Connector certificate hygiene?
- A. Share one certificate across all Connectors in a Site
- B. Disable OCSP stapling on Connector certificates
- C. Rotate Connector certificates every 90 days and automate renewal alerts
- D. Issue self-signed certificates to reduce third-party dependency
正解:C
解説:
Regular rotation with alerting prevents expiry issues.
質問 # 42
Why should Connector host clocks be NTP-synchronized?
- A. Reduces SAML assertion size
- B. Ensures correct TLS certificate validation and log ordering
- C. Improves TCP slow-start algorithms
- D. Allows SIEM to auto-discard duplicates
正解:B
解説:
Accurate time is vital for security events.
質問 # 43
A ZTNA Policy Simulator indicates "Unmatched" for a test request.
Which next step best pinpoints the gap?
- A. Increase simulator verbosity
- B. Restart the Connector in safe mode
- C. Verify application is mapped to correct Site and Collection
- D. Change token lifetime in IDP
正解:C
解説:
Unmapped app/collection commonly causes unmatched.
質問 # 44
Which step ensures that fallback routing does not bypass ZTNA controls?
- A. Advertise a default route from the Connector to core routers
- B. Disable local proxy PAC files
- C. Enable DNSSEC validation on end-user devices
- D. Lock client DNS to the Connector or SWG addresses
正解:D
解説:
Controlling DNS keeps traffic in the ZTNA path.
質問 # 45
A delegated admin must be able to create Policies but not modify Authentication settings.
Which RBAC design satisfies the requirement?
- A. Assign "Policy Admin" role to a specific Collection
- B. Assign "Policy Admin" role at Tenant level
- C. Clone the "Tenant Admin" role and disable Authentication edit rights
- D. Grant "Site Manager" privileges plus SIEM read access
正解:A
解説:
Collection-scoped Policy Admin confines privileges to policy tasks without exposing global authentication.
質問 # 46
Why is TLS 1.3 preferred for Connector-Cloud communications?
- A. Enables clear-text JA3 fingerprinting
- B. Allows static RSA key reuse
- C. Provides forward secrecy and faster handshakes
- D. Supports GRE encapsulation natively
正解:C
解説:
TLS 1.3 improves security and performance.
質問 # 47
Which two actions are mandatory when onboarding a new Site to support agent-based access and Cloud SWG policy enforcement?
- A. Map the Site to a dedicated Collection with RBAC-scoped admins
- B. Disable SIEM streaming until onboarding is complete
- C. Associate the Site's DNS suffix with the enterprise IDP
- D. Register at least one Connector behind the Site's firewall
正解:C、D
解説:
A Connector enables traffic brokering, and DNS association ensures agent-based policy routing; pausing SIEM or RBAC scoping is optional.
質問 # 48
During agentless onboarding, what DNS approach avoids certificate mismatch errors for internal FQDNs?
- A. Wild-card SANs on the Connector's certificate
- B. Delegated DNSSEC trust anchor to SWG
- C. Split-horizon DNS resolving to Connector front-end
- D. Hosts file injection on the client browser
正解:C
解説:
Split-horizon maps internal hostnames to the Connector, keeping TLS consistent.
質問 # 49
Why should Health Check notifications be integrated with external ITSM tooling?
- A. Extends DLP policy scope to managed services
- B. Suppresses redundant alerts in Admin Console
- C. Enables auto-creation of incident tickets for Connector failures
- D. Reduces the size of SIEM log indices
正解:C
解説:
ITSM integration automates incident handling for operational alerts.
質問 # 50
A Security-Operations KPI for ZTNA success is:
- A. Mean time to remediate policy violations
- B. SIEM daily index growth
- C. Number of Sites per tenant
- D. Count of TLS ciphers enabled
正解:A
解説:
Remediation time indicates operational efficiency.
質問 # 51
Which portal report helps forecast when additional Connectors will be needed?
- A. Peak Concurrent Session Trend
- B. Policy Violation Summary
- C. DLP Incident Heatmap
- D. Audit Trail Volume
正解:A
解説:
Growth in peak sessions signals scaling requirements.
質問 # 52
A customer migrates from VPN to ZTNA.
Which step reduces risk of mis-routing legacy DNS entries?
- A. Disable agent-based DNS interception
- B. Implement split-DNS with ZTNA-specific zones
- C. Force clients to use public DNS resolvers
- D. Remove on-prem DNS records for all internal apps
正解:B
解説:
Split-DNS ensures ZTNA traffic resolves correctly without impacting non-migrated services.
質問 # 53
If you exceed the recommended 60-application limit per Site, what operational risk increases?
- A. IDP token bloat that breaks SAML assertions
- B. Connector resource exhaustion leading to session drops
- C. Automatic migration to agent-only mode
- D. Immediate revocation of Symantec support
正解:B
解説:
Too many apps strain the Connector and may drop sessions.
質問 # 54
In a hybrid IDP model, why might you implement OIDC alongside SAML?
- A. SAML does not allow MFA
- B. Mobile apps often prefer OIDC tokens over SAML assertions
- C. Connector firmware only parses OIDC
- D. OIDC supports XML signatures
正解:B
解説:
Modern native clients leverage OIDC.
質問 # 55
What happens if a Connector health check fails while streaming logs to an external SIEM?
- A. Log traffic is queued locally until the Connector recovers
- B. Health-check events are forwarded through alternate Connectors in the Site
- C. The Admin Console suspends DLP inspection to reduce load
- D. The Site automatically switches to passive mode, denying all access
正解:B
解説:
Redundant Connectors within a Site continue log forwarding, maintaining access continuity.
質問 # 56
Which feature enforces data-loss prevention for files uploaded via WebDAV?
- A. Threat Intelligence URL categorization
- B. Agent posture check with file hash comparison
- C. SIEM regex alert post-processing
- D. Cloud SWG inline scanning tied to ZTNA tunnel
正解:D
解説:
SWG inspects file content over ZTNA tunnels.
質問 # 57
A DevOps team requests temporary shell access to an internal build server.
Which ZTNA capability can grant least-privilege, time-bound access?
- A. Permanent addition to privileged IDP group
- B. Just-in-time (JIT) Policy with expiry timer
- C. SIEM-triggered token refresh
- D. Connector NAT exception list
正解:B
解説:
JIT policies allow precise, time-limited access without long-term group changes.
質問 # 58
A Cloud DLP fingerprint is updated.
What immediate ZTNA action is required?
- A. Restart all Connectors to reload fingerprints
- B. No action-DLP updates propagate automatically to connected Sites
- C. Re-publish all access policies
- D. Clear policy staging cache
正解:B
解説:
Cloud service automatically syncs fingerprints.
質問 # 59
A Zero-Trust rollout mandates step-wise onboarding to avoid productivity loss.
Which Portal feature supports this?
- A. Global kill-switch that blocks traffic instantly
- B. Log replay simulator for historical policies
- C. Bulk CSV importer for all Policy objects
- D. Plan -> Onboard wizard that stages Sites, Apps, Policies sequentially
正解:D
解説:
The wizard guides phased deployment.
質問 # 60
What is a practical reason to use Collections even in a single-Site deployment?
- A. Enables per-Collection TLS cipher negotiation
- B. Reduces SIEM costs by log throttling
- C. Allows Connectors to auto-scale independently
- D. Isolates policies for different business units without duplicating Sites
正解:D
解説:
Collections provide RBAC and policy segregation independent of physical topology.
質問 # 61
......
250-583[2025年12月] 最新リリース] 試験問題あなたを必ず合格させます:https://www.passtest.jp/Broadcom/250-583-shiken.html
Broadcom 250-583試験の基礎問題と解答:https://drive.google.com/open?id=1gAa8ly6mIes2poi3afDTsmLDk4DC3cYV