Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version

ACE Exam

Question 1 of 50.

Which routing protocol is supported on the Palo Alto Networks platform?

BGP
RIPv1
ISIS
RSTP

Mark for follow up

Question 2 of 50.

Which type of license is required to perform Decryption Port Mirroring?

A free PAN-PA-Decrypt license

A Client Decryption license
A subscription-based PAN-PA-Decrypt license
A subscription-based SSL Port license

Mark for follow up

Question 3 of 50.

Which of the following is a routing protocol supported in a Palo Alto Networks firewall?

RIPv2
ISIS
IGRP
EIGRP

Mark for follow up

Question 4 of 50.

What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

Configurable up to 10 megabytes.
Always 10 megabytes.
Configurable up to 2 megabytes.
Always 2 megabytes.

Mark for follow up

Question 5 of 50.

WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire Analysis
verdict. Choose the three correct classifications as a result of this analysis and classification?
Benign

Adware
Spyware

Malware detection

Safeware
Grayware

Mark for follow up

Question 6 of 50.

What is the default setting for 'Action' in a Decryption Policy's rule?

No-Decrypt
Decrypt
Any
None

Mark for follow up

Question 7 of 50.

When using Config Audit, the color yellow indicates which of the following?

A setting has been changed between the two config files

第 1 頁，共 7 頁 21/12/2015 11:39

Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

A setting has been deleted from a config file.

A setting has been added to a config file
An invalid value has been used in a config file.

Mark for follow up

Question 8 of 50.

Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed

Inter-zone traffic is denied

Intra-zone traffic is denied

Inter-zone traffic is allowed

Mark for follow up

Question 9 of 50.

Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?

PE files only
PDF files only
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PE and Java Applet (jar and class) only

Mark for follow up

Question 10 of 50.

All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True False

Mark for follow up

Question 11 of 50.

In PAN-OS 6.0 and later, rule numbers are:

Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall’s policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.

Mark for follow up

Question 12 of 50.

Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?

500
50
1000
10

Mark for follow up

Question 13 of 50.

Security policy rules specify a source interface and a destination interface.

True False

Mark for follow up

Question 14 of 50.

Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in Security Profile

Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Decryption Profile in PBF

Mark for follow up

Question 15 of 50.

Can multiple administrator accounts be configured on a single firewall?

Yes No

第 2 頁，共 7 頁 21/12/2015 11:39

Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 16 of 50.

Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS
SSH

Telnet

HTTP

Mark for follow up

Question 17 of 50.

In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True False

Mark for follow up

Question 18 of 50.

When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?

Create an additional rule that blocks all other traffic.

Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
When creating the policy, ensure that web-browsing is included in the same rule.

Mark for follow up

Question 19 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent
SSH

Gnutella
Skype

Mark for follow up

Question 20 of 50.

An interface in Virtual Wire mode must be assigned an IP address.

True False

Mark for follow up

Question 21 of 50.

Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server’s private IP address. Which IP address should the Security Policy use as the
"Destination IP" in order to allow traffic to the server?

The firewall’s gateway IP

The server’s public IP
The server’s private IP
The firewall’s MGT IP

Mark for follow up

Question 22 of 50.

What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?

System Logs and Authentication Logs.

System Logs and the indicator light under the User-ID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.

第 3 頁，共 7 頁 21/12/2015 11:39

Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 23 of 50.

An interface in tap mode can transmit packets on the wire.

True False

Mark for follow up

Question 24 of 50.

User-ID is enabled in the configuration of …

A Security Policy.
A Zone.
An Interface.
A Security Profile.

Mark for follow up

Question 25 of 50.

Users may be authenticated sequentially to multiple authentication servers by configuring:

An Authentication Profile.
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.

Mark for follow up

Question 26 of 50.

Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

The next available address in the configured pool is used, and the source port number is changed.
The next available IP address in the configured pool is used, but the source port number is unchanged.
A single IP address is used, and the source port number is unchanged.
A single IP address is used, and the source port number is changed.

Mark for follow up

Question 27 of 50.

WildFire may be used for identifying which of the following types of traffic?

RIPv2
Malware
DHCP
OSPF

Mark for follow up

Question 28 of 50.

Enabling "Highlight Unused Rules" in the Security Policy window will:

Highlight all rules that did not match traffic within an administrator-specified time period.
Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Display rules that caused a validation error to occur at the time a Commit was performed.

Mark for follow up

Question 29 of 50.

When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?

The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.

Mark for follow up

Question 30 of 50.

When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy

第 4 頁，共 7 頁 21/12/2015 11:39

Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

SSL Forward Proxy

SSL Inbound Inspection
SSL Reverse Proxy

Mark for follow up

Question 31 of 50.

When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

Create an Authentication Sequence, dictating the order of authentication profiles.

This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.

Mark for follow up

Question 32 of 50.

Which of the following is NOT a valid option for built-in CLI Admin roles?

read/write
deviceadmin
devicereader
superuser

Mark for follow up

Question 33 of 50.

When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:

The Post-NAT destination zone and Pre-NAT IP addresses.

The Pre-NAT destination zone and Post-NAT IP addresses.
The Pre-NAT destination zone and Pre-NAT IP addresses.
The Post-NAT destination zone and Post-NAT IP addresses.

Mark for follow up

Question 34 of 50.

A "Continue" action can be configured on which of the following Security Profiles?

URL Filtering and File Blocking

URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Anti-virus

Mark for follow up

Question 35 of 50.

When configuring Admin Roles for Web UI access, what are the available access levels?

Enable, Read-Only, and Disable

None, Superuser, Device Administrator
Allow and Deny only
Enable and Disable only

Mark for follow up

Question 36 of 50.

Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
To permit syslogging of User Identification events.
To pull information from other network resources for User-ID.

Mark for follow up

Question 37 of 50.

Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels?

Three
Six
Five
Four

第 5 頁，共 7 頁 21/12/2015 11:39

Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 38 of 50.

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:

Increased speed on downloads of file types that are explicitly enabled.

The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Password-protected access to specific file downloads for authorized users.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.

Mark for follow up

Question 39 of 50.

In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Source Zone

Destination Zone

Source User

Destination Application

Mark for follow up

Question 40 of 50.

Both SSL decryption and SSH decryption are disabled by default.

True False

Mark for follow up

Question 41 of 50.

You can assign an IP address to an interface in Virtual Wire mode.

True False

Mark for follow up

Question 42 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely
reason for the lack of response?

There is no route back to the machine originating the ping.

The interface is down.
There is no Management Profile.
There is a Security Policy that prevents ping.

Mark for follow up

Question 43 of 50.

Which of the following is True of an application filter?

An application filter automatically adapts when an application moves from one IP address to another.
An application filter automatically includes a new application when one of the new application’s characteristics are included in the filter.
An application filter specifies the users allowed to access an application.
An application filter is used by malware to evade detection by firewalls and anti-virus software.

Mark for follow up

Question 44 of 50.

In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True False

第 6 頁，共 7 頁 21/12/2015 11:39

Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 45 of 50.

In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?

App-ID Signatures
Correlation Objects
Command & Control Signatures
Correlation Events
Custom Signatures

Mark for follow up

Question 46 of 50.

Which statement below is True?

PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.

Mark for follow up

Question 47 of 50.

Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
Network Access Control (NAC) device

Domain Controller

RIPv2

SSL Certificates

Mark for follow up

Question 48 of 50.

When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:

Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.

Mark for follow up

Question 49 of 50.

As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?

Application
Source User
URL Category
Source Zone
Service

Mark for follow up

Question 50 of 50.

What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?

A “Blocked” page response when the URL filtering policy to block is enforced.
A “Success” page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 - Service unavailable" message.

Mark for follow up

Save / Return Later Summary

第 7 頁，共 7 頁 21/12/2015 11:39