Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.

0 Version
ACE Exam
Question 1 of 50.
User-ID is enabled in the configuration of
A Security Policy.
A Zone.

An Interface.

A Security Profile.
Mark for follow up

Question 2 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved malware detection in WildFire.
Improved PAN-DB malware detection.

Improved DNS-based C&C signatures.

Improved BrightCloud malware detection.

Mark for follow up

Question 3 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire
Analysis verdict. Choose the three correct classifications as a result of this analysis and classification?
Grayware

Adware

Benign

Spyware

Malware detection

Safeware

Mark for follow up

Question 4 of 50.
In which of the following can User-ID be used to provide a match condition?
Security Policies
NAT Policies

Zone Protection Policies

Threat Profiles

Mark for follow up

Question 5 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?
Any

No-Decrypt
Decrypt
None

Mark for follow up

Question 6 of 50.
Which of the following CANNOT use the source user as a match criterion?
QoS

Secuirty Policies

Policy Based Forwarding

DoS Protection

Anti-virus Profile

Mark for follow up

Question 7 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
Applications and Threats
Applications

BrightCloud URL Filtering

Anti-virus

Mark for follow up

Question 8 of 50.
WildFire may be used for identifying which of the following types of traffic?
OSPF

RIPv2

DHCP

Malware
Mark for follow up

Question 9 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000

VM-Series 100
PA-2000
PA-4000
Mark for follow up

Question 10 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Service Groups
Zones

Address Objects

Vulnerability Profiles
Mark for follow up

Question 11 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be denied.

The BitTorrent traffic will be denied.

The SSH traffic will be allowed.

The BitTorrent traffic will be allowed.

Mark for follow up

Question 12 of 50.
Which of the following facts about dynamic updates is correct?
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.

Application and Anti-virus updates are released weekly. Threat and Threat and URL Filtering updates are released weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Mark for follow up

Question 13 of 50.
An interface in tap mode can transmit packets on the wire.
True
False
Mark for follow up

Question 14 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
The MGT interface address.

The default gateway of the firewall.

Any layer 3 interface address specified by the firewall administrator.

The local loopback address.
Mark for follow up

Question 15 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
This cannot be done. A single user can only use one authentication type.

This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.
Create multiple authentication profiles for the same user.

Create an Authentication Sequence, dictating the order of authentication profiles.

Mark for follow up

Question 16 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
10

500

1000
50

Mark for follow up

Question 17 of 50.
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.

Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Mark for follow up

Question 18 of 50.
True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud only.
True
False
Mark for follow up

Question 19 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal servers private IP address. Which IP address should the Security Policy use as
the "Destination IP" in order to allow traffic to the server?
The firewalls gateway IP
The servers private IP
The servers public IP
The firewalls MGT IP

Mark for follow up

Question 20 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Increased speed on downloads of file types that are explicitly enabled.

The ability to use Authentication Profiles, in order to protect against unwanted downloads.

Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Password-protected access to specific file downloads for authorized users.
Mark for follow up

Question 21 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True
False
Mark for follow up

Question 22 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
To permit syslogging of User Identification events.

To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
To pull information from other network resources for User-ID.
Mark for follow up

Question 23 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes
No
Mark for follow up

Question 24 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?
A task bar pop-up message will be presented to enable Safe Search.

The user will be redirected to a different search site that is specified by the firewall administrator.

A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
Mark for follow up

Question 25 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No
Mark for follow up

Question 26 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as
Once a day

Once an hour

Once every 15 minutes

Once a week

Mark for follow up

Question 27 of 50.
Enabling "Highlight Unused Rules" in the Security Policy window will:
Display rules that caused a validation error to occur at the time a Commit was performed.

Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Highlight all rules that did not match traffic within an administrator-specified time period.

Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Mark for follow up

Question 28 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?
Under Packet Forwarding, selecting the VR Sync checkbox.

Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.

Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Mark for follow up

Question 29 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True
False
Mark for follow up

Question 30 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN

Virtual Wire

Security Profile
Mark for follow up

Question 31 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?
Source Zone

URL Category
Source User
Service

Application
Mark for follow up

Question 32 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Create an additional rule that blocks all other traffic.

When creating the policy, ensure that web-browsing is included in the same rule.

Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Mark for follow up

Question 33 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most
likely reason for the lack of response?
There is no Management Profile.
The interface is down.

There is a Security Policy that prevents ping.

There is no route back to the machine originating the ping.

Mark for follow up

Question 34 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A Client Decryption license

A free PAN-PA-Decrypt license

A subscription-based SSL Port license

A subscription-based PAN-PA-Decrypt license

Mark for follow up

Question 35 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Initiating side, System log

Responding side, System Log

Responding side, Traffic log
Initiating side, Traffic log
Mark for follow up

Question 36 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
A custom Administrator Profile.
An Authentication Sequence.
An Authentication Profile.

Multiple RADIUS servers sharing a VSA configuration.

Mark for follow up

Question 37 of 50.
After the installation of the Threat Prevention license, the firewall must be rebooted.
True
False
Mark for follow up

Question 38 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations >
Configuration Management>....and then what operation?
Revert to Running Configuration

Revert to last Saved Configuration

Load Configuration Version

Import Named Configuration Snapshot

Mark for follow up

Question 39 of 50.
Which of the following must be enabled in order for User-ID to function?
Security Policies must have the User-ID option enabled.

User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.

Captive Portal Policies must be enabled.

Mark for follow up

Question 40 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy

SSL Forward Proxy

SSL Inbound Inspection

SSL Reverse Proxy
Mark for follow up

Question 41 of 50.

The screenshot above shows part of a firewalls configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this
firewalls configuration? (Select all correct answers.)
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)
There must be a security policy rule from trust zone to Internet zone that allows ping.

There must be appropriate routes in the default virtual router.

There must be a security policy rule from Internet zone to trust zone that allows ping.
Mark for follow up

Question 42 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
Any administrator

The administrator who set it

Superusers

Device administrators

Mark for follow up

Question 43 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?
PE and Java Applet (jar and class) only
PE files only

PDF files only

MS Office doc/docx, xls/xlsx, and ppt/pptx files only

Mark for follow up

Question 44 of 50.
Which statement about config locks is True?
A config lock will expire after 24 hours, unless it was set by a superuser.
A config lock can be removed only by the administrator who set it.
A config lock can be removed only by a superuser.

A config lock can only be removed by the administrator who set it or by a superuser.
Mark for follow up

Question 45 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
Domain Controller
SSL Certificates

RIPv2

Network Access Control (NAC) device

Mark for follow up

Question 46 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only

URL Filtering, File Blocking, and Data Filtering

URL Filtering and Anti-virus
Mark for follow up

Question 47 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True
False
Mark for follow up

Question 48 of 50.
An interface in Virtual Wire mode must be assigned an IP address.
True
False
Mark for follow up

Question 49 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Always 10 megabytes.
Always 2 megabytes.

Configurable up to 2 megabytes.

Configurable up to 10 megabytes.
Mark for follow up

Question 50 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of
the following conditions most likely explains this behavior?
The interface is not assigned an IP address.
The interface is not up.

The interface is not assigned a virtual router.

There is no zone assigned to the interface.
Mark for follow up
Save / Return Later

Summary