Broadcom 250-583練習テストPDF試験材料 [Q38-Q61]

Share

Broadcom 250-583練習テストPDF試験材料

250-583解答250-583無料サンプルには全てリアル試験合格させます

質問 # 38
Which two outcomes occur when you define multiple Network Security Boundaries that overlap IP ranges?

  • A. Connectors in both boundaries form an any-to-any tunnel mesh
  • B. Health-check alerts show "Overlapping Subnet" warnings
  • C. Policy evaluation fails open if overlap is detected
  • D. ZTNA prioritizes the most specific (longest-prefix) range first

正解:B、D

解説:
Longest-prefix wins; the portal warns but does not fail open.


質問 # 39
Which design principle ensures ZTNA remains effective during cloud provider outages?

  • A. Forcing agentless mode for all applications
  • B. Multi-cloud Connector deployment with DNS-based failover
  • C. Hard-coding provider IP ranges in Connectors
  • D. Disabling SIEM alerts for external downtime

正解:B

解説:
Multi-cloud redundancy mitigates single-provider failures.


質問 # 40
Why might you keep Legacy VPN active in parallel during initial ZTNA go-live?

  • A. Reduces SIEM license costs
  • B. Enables Connector GRE encapsulation
  • C. Provides temporary fallback while confidence builds
  • D. Allows TLS 1.0 traffic

正解:C

解説:
Gradual transition needs rollback path.


質問 # 41
Which best practice helps maintain Connector certificate hygiene?

  • A. Share one certificate across all Connectors in a Site
  • B. Disable OCSP stapling on Connector certificates
  • C. Rotate Connector certificates every 90 days and automate renewal alerts
  • D. Issue self-signed certificates to reduce third-party dependency

正解:C

解説:
Regular rotation with alerting prevents expiry issues.


質問 # 42
Why should Connector host clocks be NTP-synchronized?

  • A. Reduces SAML assertion size
  • B. Ensures correct TLS certificate validation and log ordering
  • C. Improves TCP slow-start algorithms
  • D. Allows SIEM to auto-discard duplicates

正解:B

解説:
Accurate time is vital for security events.


質問 # 43
A ZTNA Policy Simulator indicates "Unmatched" for a test request.
Which next step best pinpoints the gap?

  • A. Increase simulator verbosity
  • B. Restart the Connector in safe mode
  • C. Verify application is mapped to correct Site and Collection
  • D. Change token lifetime in IDP

正解:C

解説:
Unmapped app/collection commonly causes unmatched.


質問 # 44
Which step ensures that fallback routing does not bypass ZTNA controls?

  • A. Advertise a default route from the Connector to core routers
  • B. Disable local proxy PAC files
  • C. Enable DNSSEC validation on end-user devices
  • D. Lock client DNS to the Connector or SWG addresses

正解:D

解説:
Controlling DNS keeps traffic in the ZTNA path.


質問 # 45
A delegated admin must be able to create Policies but not modify Authentication settings.
Which RBAC design satisfies the requirement?

  • A. Assign "Policy Admin" role to a specific Collection
  • B. Assign "Policy Admin" role at Tenant level
  • C. Clone the "Tenant Admin" role and disable Authentication edit rights
  • D. Grant "Site Manager" privileges plus SIEM read access

正解:A

解説:
Collection-scoped Policy Admin confines privileges to policy tasks without exposing global authentication.


質問 # 46
Why is TLS 1.3 preferred for Connector-Cloud communications?

  • A. Enables clear-text JA3 fingerprinting
  • B. Allows static RSA key reuse
  • C. Provides forward secrecy and faster handshakes
  • D. Supports GRE encapsulation natively

正解:C

解説:
TLS 1.3 improves security and performance.


質問 # 47
Which two actions are mandatory when onboarding a new Site to support agent-based access and Cloud SWG policy enforcement?

  • A. Map the Site to a dedicated Collection with RBAC-scoped admins
  • B. Disable SIEM streaming until onboarding is complete
  • C. Associate the Site's DNS suffix with the enterprise IDP
  • D. Register at least one Connector behind the Site's firewall

正解:C、D

解説:
A Connector enables traffic brokering, and DNS association ensures agent-based policy routing; pausing SIEM or RBAC scoping is optional.


質問 # 48
During agentless onboarding, what DNS approach avoids certificate mismatch errors for internal FQDNs?

  • A. Wild-card SANs on the Connector's certificate
  • B. Delegated DNSSEC trust anchor to SWG
  • C. Split-horizon DNS resolving to Connector front-end
  • D. Hosts file injection on the client browser

正解:C

解説:
Split-horizon maps internal hostnames to the Connector, keeping TLS consistent.


質問 # 49
Why should Health Check notifications be integrated with external ITSM tooling?

  • A. Extends DLP policy scope to managed services
  • B. Suppresses redundant alerts in Admin Console
  • C. Enables auto-creation of incident tickets for Connector failures
  • D. Reduces the size of SIEM log indices

正解:C

解説:
ITSM integration automates incident handling for operational alerts.


質問 # 50
A Security-Operations KPI for ZTNA success is:

  • A. Mean time to remediate policy violations
  • B. SIEM daily index growth
  • C. Number of Sites per tenant
  • D. Count of TLS ciphers enabled

正解:A

解説:
Remediation time indicates operational efficiency.


質問 # 51
Which portal report helps forecast when additional Connectors will be needed?

  • A. Peak Concurrent Session Trend
  • B. Policy Violation Summary
  • C. DLP Incident Heatmap
  • D. Audit Trail Volume

正解:A

解説:
Growth in peak sessions signals scaling requirements.


質問 # 52
A customer migrates from VPN to ZTNA.
Which step reduces risk of mis-routing legacy DNS entries?

  • A. Disable agent-based DNS interception
  • B. Implement split-DNS with ZTNA-specific zones
  • C. Force clients to use public DNS resolvers
  • D. Remove on-prem DNS records for all internal apps

正解:B

解説:
Split-DNS ensures ZTNA traffic resolves correctly without impacting non-migrated services.


質問 # 53
If you exceed the recommended 60-application limit per Site, what operational risk increases?

  • A. IDP token bloat that breaks SAML assertions
  • B. Connector resource exhaustion leading to session drops
  • C. Automatic migration to agent-only mode
  • D. Immediate revocation of Symantec support

正解:B

解説:
Too many apps strain the Connector and may drop sessions.


質問 # 54
In a hybrid IDP model, why might you implement OIDC alongside SAML?

  • A. SAML does not allow MFA
  • B. Mobile apps often prefer OIDC tokens over SAML assertions
  • C. Connector firmware only parses OIDC
  • D. OIDC supports XML signatures

正解:B

解説:
Modern native clients leverage OIDC.


質問 # 55
What happens if a Connector health check fails while streaming logs to an external SIEM?

  • A. Log traffic is queued locally until the Connector recovers
  • B. Health-check events are forwarded through alternate Connectors in the Site
  • C. The Admin Console suspends DLP inspection to reduce load
  • D. The Site automatically switches to passive mode, denying all access

正解:B

解説:
Redundant Connectors within a Site continue log forwarding, maintaining access continuity.


質問 # 56
Which feature enforces data-loss prevention for files uploaded via WebDAV?

  • A. Threat Intelligence URL categorization
  • B. Agent posture check with file hash comparison
  • C. SIEM regex alert post-processing
  • D. Cloud SWG inline scanning tied to ZTNA tunnel

正解:D

解説:
SWG inspects file content over ZTNA tunnels.


質問 # 57
A DevOps team requests temporary shell access to an internal build server.
Which ZTNA capability can grant least-privilege, time-bound access?

  • A. Permanent addition to privileged IDP group
  • B. Just-in-time (JIT) Policy with expiry timer
  • C. SIEM-triggered token refresh
  • D. Connector NAT exception list

正解:B

解説:
JIT policies allow precise, time-limited access without long-term group changes.


質問 # 58
A Cloud DLP fingerprint is updated.
What immediate ZTNA action is required?

  • A. Restart all Connectors to reload fingerprints
  • B. No action-DLP updates propagate automatically to connected Sites
  • C. Re-publish all access policies
  • D. Clear policy staging cache

正解:B

解説:
Cloud service automatically syncs fingerprints.


質問 # 59
A Zero-Trust rollout mandates step-wise onboarding to avoid productivity loss.
Which Portal feature supports this?

  • A. Global kill-switch that blocks traffic instantly
  • B. Log replay simulator for historical policies
  • C. Bulk CSV importer for all Policy objects
  • D. Plan -> Onboard wizard that stages Sites, Apps, Policies sequentially

正解:D

解説:
The wizard guides phased deployment.


質問 # 60
What is a practical reason to use Collections even in a single-Site deployment?

  • A. Enables per-Collection TLS cipher negotiation
  • B. Reduces SIEM costs by log throttling
  • C. Allows Connectors to auto-scale independently
  • D. Isolates policies for different business units without duplicating Sites

正解:D

解説:
Collections provide RBAC and policy segregation independent of physical topology.


質問 # 61
......

250-583[2025年12月] 最新リリース] 試験問題あなたを必ず合格させます:https://www.passtest.jp/Broadcom/250-583-shiken.html

Broadcom 250-583試験の基礎問題と解答:https://drive.google.com/open?id=1gAa8ly6mIes2poi3afDTsmLDk4DC3cYV