Empowering People: paloaltonetworks
7/2/2014
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version
ACE Exam

Question 1 of 50.
Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your server's private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?
The firewall's MGT IP
The firewall's gateway IP
The server's public IP
The server's private IP


Question 2 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of response?
There is a Security Policy that prevents ping
There is no Management Profile
The interface is down
There is no route back to the machine originating the ping


Question 3 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis?
Global Protect
URL Filtering
Antivirus
Applications and Threats


Question 4 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address object
True
False


Question 5 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is attempting to ping 2.2.2.1 and fails to receive a response. What is the most likely reason for the lack of response?
The interface is down
There is a security policy that prevents ping
There is no management profile
There is no route back to the machine originating the ping


Question 6 of 50.
Select the implicit rules enforced on traffic failing to match any user defined Security Policies:
Intra-zone traffic is denied
Inter-zone traffic is denied
Intra-zone traffic is allowed
Inter-zone traffic is allowed

Question 7 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles)
True
False


Question 8 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Vwire
TAP


Question 9 of 50.
Subsequent to the installation of a new Application and Threat database, the firewall must be rebooted
True
False


Question 10 of 50.
Subsequent to the installation of a new PAN-OS version, the firewall must be rebooted
True
False


Question 11 of 50.
Which mode will allow a user to choose when they wish to connect to the Global Protect Network?
On Demand mode
Optional mode
Single Sign-On mode
Always On mode


Question 12 of 50.
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
Dynamic numbers that refer to a security policy's order and are especially useful when filtering security policies by tags
Numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement
Static numbers that must be manually re-numbered whenever a new security policy is added.


Question 13 of 50.
When configuring Security Policies based on FQDN objects, which of the following statements are true?
The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses. Up to 10 IP addresses can be configured for each FQDN entry
The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security profiles are evaluated


Question 14 of 50.
Which of the following is NOT a valid option for built-in CLI access roles?
read/write
superusers
vsysadmin
deviceadmin


Question 15 of 50.
When Network Address Translation has been performed on traffic, Destination Zones in Security Policies should be based on:
Post-NAT addresses
None of the above
Pre-NAT addresses
The same zones used in NAT rules


Question 16 of 50.
When troubleshooting Phase 1 of an IPSec VPN tunnel, which location will have the most informative logs?
Responding side, System Log
Initiating side, System log
Responding side, Traffic log
Initiating side, Traffic log


Question 17 of 50.
Which of the following options may be enabled to reduce system overhead when using Content-ID?
DSRI
RSTP
VRRP
STP


Question 18 of 50.
What is the benefit realized when the "Enable Passive DNS Monitoring" checkbox is enabled on the firewall? Select all that apply.
Improve PAN-DB malware detection
Improve DNS-based C&C signature
Improve malware detection in WildFire
Improve BrightCloud malware detection


Question 19 of 50.
Which of the following objects cannot use User-ID as a match criterion?
Security Policies
QoS
Policy Based Forwarding
DoS Protection
None of the above


Question 20 of 50.
Wildfire may be used for identifying which of the following types of traffic?
Malware
DNS
DHCP
URL Content


Question 21 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign in via LDAP. Which information source would allow for reliable User-ID mapping while requiring the least amount of configuration?
Exchange CAS Security logs
Active Directory Security Logs
WMI Query
Captive Portal


Question 22 of 50.
What are two sources of information for determining if the firewall has been successful in communicating with an external User-ID Agent?
System Logs and the indicator light under the User-ID Agent settings in the firewall
There's only one location - System Logs
There's only one location - Traffic Logs
System Logs and indicator light on the chassis


Question 23 of 50.
Which of the following statements about dynamic updates are correct?
Application and Antivirus updates are released weekly and Threat and URL filtering updates are released weekly
Application and Threat updates are released daily. Antivirus and URL filtering updates are released weekly.
Antivirus and URL Filtering updates are released daily. Application and Threat updates are released weekly
Threat and URL filtering updates are released daily and Application and Antivirus updates are released weekly


Question 24 of 50.
Subsequent to the installation of new licenses, the firewall must be rebooted
True
False


Question 25 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
The next available address in the address range is used, and the source port number is changed
The same address is always used, and the port is unchanged
The next available address in the configured pool is used, but the port number is unchanged
None of the above


Question 26 of 50.
When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset.
True
False


Question 27 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Password-protected access to specific file downloads, for authorized users
Increased speed on the downloads of the allowed file types
Protection against unwanted downloads, by alerting the user with a response page indicating that a file is going to be downloaded
The Administrator the ability to leverage Authentication Profiles in order to protect against unwanted downloads


Question 28 of 50.
Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?
So that information can be pulled from other network resources for User-ID
To allow the firewall to push User-ID information to a NAC
To permit syslogging of User Identification events


Question 29 of 50.
Which link is used by an Active-Passive cluster to synchronize session information?
The Data Link
The Control Link
The Uplink
The Management Link


Question 30 of 50.
An interface in tap mode can transmit packets on the wire.
True
False


Question 31 of 50.
Which of the following describes the sequence of the Global Protect agent connecting to a Gateway?
The Agent connects to the Portal, obtains a list of Gateways, and connects to the Gateway with the fastest SSL response time
The agent connects to the closest Gateway and sends the HIP report to the portal
The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest PING response time
The agent connects to the portal and randomly establishes a connection to the first available gateway


Question 32 of 50.
Taking into account only the information in the screenshot above, answer the following question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply.
Security policy from trust zone to Internet zone that allows ping
Create the appropriate routes in the default virtual router
Security policy from Internet zone to trust zone that allows ping
Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2


Question 33 of 50.
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off communication?
MGT interface address
Loopback interface address
Any one Layer 3 interface address
Localhost address


Question 34 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
Enable and Disable only
None, Superuser, Device Administrator
Allow and Deny only
Enable, Read-Only and Disable


Question 35 of 50.
Which fields can be altered in the default Vulnerability Protection Profile?
Category
Severity
None


Question 36 of 50.
Which of the following interface types will have a MAC address?
Layer 3
Tap
Vwire
Layer 2

Question 37 of 50.
When creating an Application filter, which of the following is true?
Excessive bandwidth may be used as a filter match criterion
They are called dynamic because they automatically adapt to new IP addresses
They are called dynamic because they will automatically include new applications from an application signature update if the new applications filter type is included in the filter
They are used by malware


Question 38 of 50.
WildFire Analysis Reports are available for the following Operating Systems (select all that apply)
Windows XP
Windows 7
Windows 8
Mac OS-X


Question 39 of 50.
What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator?
The URL filtering policy to Block is enforced
It will be translated successfully
It will be redirected to www.2600.com
User will get "HTTP Error 503 - Service unavailable" message


Question 40 of 50.
What option should be configured when using User-ID?
Enable User-ID per zone
Enable User-ID per interface
Enable User-ID per Security Policy
None of the above


Question 41 of 50.
What is the default setting for Action in a Decryption Policy's rule?
no-decrypt
decrypt
any
none


Question 42 of 50.
When using remote authentication for users (LDAP, Radius, AD, etc.), what must be done to allow a user to authenticate through multiple methods?
This cannot be done. A single user can only use one authentication type
Create multiple authentication profiles for the same user.
Create an Authentication Sequence, dictating the order of authentication profiles
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type, and all users must use this method

Question 43 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-VM300
PA-4000
PA-3000
PA-2000


Question 44 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied applications. What is the cause?
Application Block Pages will only be displayed when users attempt to access a denied web-based application
Application Block Pages will only be displayed when Captive Portal is configured
Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block Pages enabled
Some Application IDs are set with a Session Timeout value that is too low


Question 45 of 50.
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of the device. In situations where the public ID is not static, this value can be replaced with a domain name or other text value
True
False


Question 46 of 50.
In PAN-OS, how is Wildfire enabled?
Via the "Forward" and "Continue and Forward" File-Blocking actions
Via the URL-Filtering "Continue" action
Wildfire is automatically enabled with a valid URL-Filtering license
A custom file blocking action must be enabled for all PDF and PE type files


Question 47 of 50.
How do you limit the amount of information recorded in the URL Content Filtering Logs?
Enable "Log container page only"
Disable URL packet captures
Enable URL log caching
Enable DSRI


Question 48 of 50.
In which of the following objects can User-ID be used to provide a match condition?
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles


Question 49 of 50.
When configuring a Decryption Policy, which of the following are available as matching criteria in a policy? (Choose 3)
Source Zone
Source User
Service
URL-Category
Application


Question 50 of 50.
Which of the following are methods HA clusters use to identify network outages?
Path and Link Monitoring
VR and VSys Monitors
Heartbeat and Session Monitors
Link and Session Monitors

