Broadcom 250-583 시험

Question No : 1

Analyst logs in for the first time.
Based on best practices for local ZTNA administrative accounts, what system behavior occurs during step 4?

• A.During the initial login attempt, the system intercepts the authentication flow and triggers a mandatory multi-factor authentication (MFA) setup wizard, requiring registration of a time-based one-time password (TOTP) authenticator application such as Google Authenticator before dashboard access is granted.
• B.Manual synchronization of the account via SCIM API is required before the analyst can access the dashboard.
• C.It provisions a hidden agentless access policy for the analyst's endpoint to ensure their connection is cloaked from the internet.
• D.It automatically elevates the analyst to the Super Admin role temporarily to bypass complex login flows during the initial setup.

답을 확인하기

정답:

Question No : 2

An IT Security Manager is relying on the ZTNA Dashboard's "Site Connector Health" widget to monitor the global infrastructure during a critical holiday shopping period. The widget relies on the continuous outbound TCP 443 heartbeat from the connectors. (Choose 2.)
Dashboard Widget State:
Site_Tokyo_01: Online (Green)
Site_London_01: Degraded (Yellow)
Site_NY_01: Offline (Red)
Which TWO statements accurately interpret the operational realities and limitations represented by these specific dashboard health states?

• A.The 'Online' status for Tokyo guarantees that the internal application servers behind that connector are functioning perfectly and serving HTTP 200 OK responses to end-users.
• B.The 'Offline' status for NY definitively proves that the corporate datacenter has lost commercial power, as the cloud edge can no longer ping the connector's physical hardware.
• C.The 'Offline' status for NY means the Symantec cloud edge has missed multiple consecutive TCP heartbeats, indicating a loss of outbound internet routing from that specific virtual machine.
• D.The 'Degraded' status for London is a proactive warning, indicating the connector is still successfully brokering traffic but is experiencing high CPU, high memory, or significant latency.

답을 확인하기

정답:

Question No : 3

A Zero Trust Implementation Specialist is deploying the Symantec ZTNA endpoint agent to a fleet of newly provisioned corporate laptops. The organization's security policy dictates that devices must be securely routed and their compliance posture continuously verified from the moment the operating system boots, without requiring any manual intervention from the end-user.
Which agent configuration mode must the specialist select to fulfill this strict security mandate?

• A.The specialist must configure the agent in On-Demand mode, allowing the user to initiate the connection after the local firewall initializes.
• B.The specialist must configure the agent in Agentless mode, using the Chrome browser to perform initial boot-level posture checks.
• C.The specialist must configure the agent in a hybrid mode using Windows Task Scheduler to trigger the connection script after login.
• D.The specialist must configure the agent in Always-On mode, ensuring the secure tunnel to the Symantec cloud edge and continuous compliance posture evaluations initiate automatically as soon as the operating system boots and network connectivity is detected.

답을 확인하기

정답:

Question No : 4

An Enterprise Security Administrator is configuring a tiered access policy in the ZTNA Admin Portal. The goal is to balance user friction with security by applying different contextual authorization requirements based on the sensitivity of the requested resource.
ZTNA Policy Tier Configuration:
Tier 1 (Low Sensitivity): Employee Cafeteria Menu (Web)
- Identity: SAML SSO (No MFA required)
- Posture: Basic (OS version check only)
Tier 2 (Medium Sensitivity): Internal Ticketing System (Web)
- Identity: SAML SSO + MFA
- Posture: Standard (OS version + AV running)
Tier 3 (High Sensitivity): Source Code Repository (SSH)
- Identity: SAML SSO + MFA
- Posture: Strict (OS version + AV + Client Certificate + No split-tunneling)
Which THREE statements accurately reflect how continuous contextual authorization processes these tiered requirements? (Select all that apply.)

• A.The platform evaluates the sensitivity of the specific resource being requested and dynamically enforces the corresponding posture checks for that particular session.
• B.The tiered approach allows the organization to reduce user friction for low-risk applications while maintaining rigorous, continuous checks for critical infrastructure.
• C.If a user successfully authenticates to Tier 2 but fails the MFA prompt for Tier 3, they will retain access to the Ticketing System but be denied access to the Source Code Repository.
• D.If a user loses their client certificate while browsing the Cafeteria Menu, their session will be dropped because the platform universally enforces the highest configured posture check across all tiers.
• E.If a developer's antivirus service crashes while connected to the Source Code Repository, the platform will terminate the SSH session immediately because it violates the Tier 3 Strict posture requirement.

답을 확인하기

정답:

Question No : 5

A Security Compliance Analyst is conducting an audit of the Tenant Admin accounts within the Symantec ZTNA environment. The analyst is looking for configurations that violate the organization's identity security policies. (Choose 2.)
Which TWO administrative configurations represent dangerous anti-patterns regarding the management and authentication of ZTNA admin accounts?

• A.Enforcing a policy where local "break-glass" administrator passwords must be rotated manually every 90 days.
• B.Utilizing an external Identity Provider (IdP) via SAML 2.0 to manage the lifecycle of the majority of administrative users.
• C.Creating a single, shared local administrator account (e.g., " [email protected] ") used simultaneously by multiple shift workers.
• D.Disabling the native MFA enrollment requirement for local administrators who connect exclusively from the trusted corporate IP range.

답을 확인하기

정답:

Question No : 6

A Cloud Security Engineer is auditing the configuration of an internal developer portal. The engineer discovers that an attempt to apply a path-based policy exception has completely failed, allowing unauthorized users to access a restricted directory. (Choose 2.)
Application Configuration Review:
App Name: Dev_Portal_TCP
App Type: TCP Tunnel (Agent-Based)
Target Host: 10.0.5.50
Port: 443
Failed Policy Exception:
Rule: Block_Dev_Secrets
App: Dev_Portal_TCP
Path Constraint: /secrets/api_keys/*
Action: Block
Group: Junior_Devs
Which TWO statements describe the architectural anti-pattern that caused this path-based exception to fail?

• A.The ZTNA platform requires all path-based exceptions to be formatted using regular expressions (Regex) rather than standard wildcard (*) characters.
• B.The Site Connector is experiencing a routing loop because it cannot resolve the internal IP address associated with the /secrets/api_keys/ path.
• C.To enforce path-based exceptions, the application must be configured as a Web application with SSL termination occurring at the ZTNA cloud edge.
• D.The application is configured as a "TCP Tunnel", meaning the ZTNA edge is operating at Layer 4 and cannot inspect or parse Layer 7 HTTP URIs.

답을 확인하기

정답:

Question No : 7

Maintain continuous visibility in the ZTNA Admin Portal.
Which THREE architectural principles apply when meeting these deployment requirements using the VMware OVA? (Select all that apply.)

• A.High availability requires the organization to deploy a dedicated third-party hardware load balancer directly in front of the Site Connectors on the internal network.
• B.The administrator must configure identical static IP addresses on all OVA instances within the cluster to ensure seamless session state replication.
• C.The Symantec ZTNA cloud automatically handles the load balancing and failover across all healthy connectors registered to the same logical Site.
• D.The administrator must deploy multiple, distinct Site Connector OVA virtual machines within the same logical ZTNA "Site" in the Admin Portal.
• E.A unique, newly generated registration key is strictly required for every individual OVA instance deployed, even if they belong to the same high-availability cluster.

답을 확인하기

정답:

Question No : 8

A Zero Trust Security Architect is reviewing the interaction between Identity Provider (IdP) timeouts and Continuous Contextual Authorization.
Configuration State:
IdP (Okta) Session Timeout: 8 Hours
ZTNA Global Absolute Timeout: 12 Hours
App 'Payroll' Posture: Strict_Corporate (Continuous AV Check)
A user authenticates at 08:00. At 14:00 (6 hours later), a malicious script disables the user's Antivirus. (Choose 2.)
Which TWO statements accurately describe how the ZTNA architecture handles this event, despite the user's Okta session still being technically valid for another 2 hours?

• A.The ZTNA cloud edge pauses the 'Payroll' connection and redirects the user back to Okta, forcing them to complete a step-up MFA prompt before allowing the session to continue.
• B.Continuous authorization creates a logical "AND" condition; because the posture fell out of compliance, the overall authorization equation failed, triggering the dynamic network block.
• C.The ZTNA platform sends an API command to Okta, forcing an immediate, out-of-band expiration of the user's 8-hour session token.
• D.The ZTNA cloud edge ignores the active Okta session and immediately revokes the TCP connection to the 'Payroll' application because the device failed the mandatory continuous posture check.

답을 확인하기

정답:

Question No : 9

A ZTNA Administrator is tasked with enabling Cloud SWG integration for a specific group of roaming users. The administrator has the PAC file URL hosted on a highly available internal server: https://pac.corp.local/roaming.pac .
Configuration Task:
Goal: Steer public web traffic to Cloud SWG for roaming users.
Tool: ZTNA Admin Portal.
Requirement: Agent must pull the PAC file dynamically.
Where in the ZTNA Admin Portal architecture must the administrator apply this PAC file URL to fulfill the requirement?

• A.Within the 'Applications' tab by creating a new ZTNA Web Application explicitly named 'Cloud_SWG_Proxy'.
• B.Within the Identity Provider (IdP) SAML metadata XML as a custom authentication claim attribute.
• C.In the Site Connector deployment wizard's advanced network settings for the primary datacenter.
• D.Within the endpoint agent configuration profile (Cloud SWG settings section) assigned to the roaming users' policy group.

답을 확인하기

정답:

Question No : 10

A Zero Trust Security Architect is evaluating whether to use agentless browser-based access or agent-based (TCP Tunnel) access for a new vendor portal. The vendors use unmanaged, personal computers.
Vendor Access Scenario:
Environment: Unmanaged BYOD Hardware
Application Type: Internal Web Portal (HTTPS)
Requirement 1: Prevent vendors from downloading sensitive architectural diagrams to their local machines.
Requirement 2: Eliminate the need for vendors to install administrative-level software.
Which THREE statements represent the architectural trade-offs that make the agentless (Chrome extension) model the superior choice for this specific scenario? (Select all that apply.)

• A.The agentless model seamlessly integrates with Remote Browser Isolation (RBI), providing a mechanism to enforce read-only access and completely prevent document downloads.
• B.The Chrome extension performs continuous, deep-system malware scanning on the vendor's hard drive, compensating for the lack of a full corporate endpoint protection agent.
• C.By restricting access entirely to the browser environment, the agentless model inherently prevents the vendor's local machine from routing non-web traffic or malware into the corporate network.
• D.Agentless configurations bypass the Identity Provider (IdP) authentication phase, allowing temporary vendors to access the portal instantly without needing a corporate identity account.
• E.Agentless access eliminates the administrative friction and support overhead of installing and maintaining a full OS-level network agent on unmanaged, third-party computers.

답을 확인하기

정답:

Question No : 11

A ZTNA Administrator is integrating the TIS Intelligence Feed to protect several custom domains configured for agentless access.
How is the TIS blocking mechanism typically applied within the Symantec ZTNA architecture to achieve this protection?

• A.By configuring the Identity Provider (IdP), such as Okta or Azure Active Directory, to query the TIS threat intelligence database in real-time during the SAML assertion generation phase for authentication requests.
• B.By manually copying the TIS malicious IP list into the Windows Defender Firewall of every endpoint device using a centralized Group Policy Object (GPO) deployment.
• C.By deploying a dedicated TIS virtual appliance alongside the internal Site Connector within the corporate datacenter environment.
• D.By enabling TIS integration to enforce blocking at the cloud edge for all configured ZTNA applications.

답을 확인하기

정답:

Question No : 12

A Cloud Security Engineer receives an escalation: a group of contractors cannot access a newly provisioned internal inventory web application. The engineer needs to verify if the application is correctly mapped to an active Site Connector and if an access rule is inadvertently blocking the contractor group.
Which TWO sections of the Admin Console must the engineer navigate to in order to verify these specific configurations? (Choose 2.)

• A.Applications
• B.Identity
• C.Sites
• D.Policies

답을 확인하기

정답:

Question No : 13

An Enterprise Security Administrator is automating the lifecycle of ZTNA Tenant Admins and end-users using Azure AD SCIM provisioning. The administrator maps specific Azure AD groups to different ZTNA functions.
SCIM Group Mapping Configuration:
Azure AD Group A: ZTNA_App_Users -> Mapped to ZTNA Access Policy (CRM App)
Azure AD Group B: ZTNA_Site_Admins -> Mapped to ZTNA Site Admin Role (Scope: EU Sites)
Status: SCIM is actively pushing these groups to the ZTNA platform.
Which THREE statements accurately describe how the ZTNA platform utilizes this SCIM-provisioned data across its different architectural components? (Select all that apply.)

• A.When an employee is added to ZTNA_App_Users in Azure AD, SCIM pushes the update, granting the user instant access authorization based on the existing CRM App policy.
• B.SCIM automatically pushes the internal network routing tables for the EU Sites to the endpoint devices of new Site Admins.
• C.SCIM automatically provisions the SAML signing certificates required for the ZTNA_App_Users to securely authenticate to the CRM application.
• D.If an administrator is removed from the ZTNA_Site_Admins group in Azure AD, the SCIM push instantly revokes their portal privileges, degrading them to standard user status.
• E.The SCIM integration allows Azure AD to dynamically push Tenant Admin role assignments, enabling automated onboarding of new Site Admins without manual portal configuration.

답을 확인하기

정답:

Question No : 14

A Zero Trust Implementation Specialist is observing a junior administrator attempt to troubleshoot an offline Site Connector. The junior admin spends 20 minutes clicking through the "Policies" and "Identity" tabs searching for the connector's registration key and health status.
Audit Log Snippet:
14:02:11 - Admin: junior.admin - View: Identity_Providers
14:05:33 - Admin: junior.admin - View: Access_Policies
14:15:40 - Admin: junior.admin - View: Identity_Tenant_Admins
Which TWO statements explain why the junior administrator's navigation strategy is fundamentally flawed? (Choose 2.)

• A.The "Identity" tab is used for configuring authentication sources and admin roles, lacking any visibility into deployed network connectors.
• B.The "Policies" tab is exclusively reserved for defining access rules and DLP configurations, not for managing infrastructure health.
• C.Connector registration keys are only visible during the initial deployment wizard and are permanently hidden from all portal views thereafter.
• D.Connector health and registration data are exclusively managed via the local VMware vSphere console, completely bypassing the ZTNA portal.

답을 확인하기

정답:

Question No : 15

A Security Operations Engineer is auditing the effectiveness of the TIS integration across a globally distributed ZTNA deployment. The engineer pulls a report from the ZTNA Admin Portal's logging interface to verify that TIS is actively enforcing policies across all applications. (Choose 2.)
Access Log Export Snippet:
Event 1: Source IP 45.33.x.x | App: HR_Portal | Action: Block | Reason: Access Policy Deny (Group Mismatch)
Event 2: Source IP 185.15.x.x | App: N/A | Action: Block | Reason: Threat Intel (Category: Botnet)
Event 3: Source IP 8.8.x.x | App: Finance_DB | Action: Allow | Reason: Policy Match
Event 4: Source IP 103.45.x.x | App: N/A | Action: Block | Reason: Threat Intel (Category: Spam Source)
Based on the log snippet, which TWO statements accurately describe the behavior of the active TIS enforcement mechanism?

• A.The log confirms that TIS is actively evaluating traffic against multiple distinct threat categories (e.g., Botnet, Spam Source) and successfully dropping malicious connections.
• B.The log indicates a configuration error; TIS events should only be recorded in the Cloud SWG console, not within the ZTNA Access Logs.
• C.TIS blocks (Events 2 and 4) log the targeted Application as "N/A" because the SASE cloud edge terminates the connection at the network layer before the HTTP application request is processed.
• D.The TIS integration is failing to protect the HR_Portal (Event 1) because the action was blocked by a standard Access Policy rather than a Threat Intel rule.

답을 확인하기

정답: