Empowering People: paloaltonetworks

7/2/2014

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

ACE Exam
Question 1 of 50.
Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your servers private IP address.
Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?

The firewalls MGT IP

The firewalls gateway IP
The servers public IP
The servers private IP
Mark for follow up
Question 2 of 50.

king into account only the information in the screenshot above,

An administrator
answer the following
is pingingquestion.
4.4.4.4 and fails to rec
response.
What is the most likely reason for the lack of response?

There is a Security Policy that prevents ping

There is no Management Profile
The interface is down
There is no route back to the machine originating the ping
Mark for follow up
Question 3 of 50.

Which of the Dynamic Updates listed below are issued on a daily basis?
Global Protect
URL Filtering
Antivirus
Applications and Threats
Mark for follow up
Question 4 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address
object
True
False

Mark for follow up

Question 5 of 50.

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
1/9

Empowering People: paloaltonetworks

7/2/2014

king into account only the information in the screenshot above,

An administrator
answer the following
is attempting
question.
to ping 2.2.2.1. an
receive aWhat
response.
is the most likely reason for the lack of response?

The interface is down

There is a security policy that prevents ping
There is no management profile
There is no route back to the machine originating the ping
Mark for follow up
Question 6 of 50.
Select the implicit rules enforced on traffic failing to match any user defined Security Policies:

Intra-zone traffic is denied

Inter-zone traffic is denied
Intra-zone traffic is allowed
Inter-zone traffic is allowed
Mark for follow up
Question 7 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles)
True
False

Mark for follow up

Question 8 of 50.
Which of the following interface types can have an IP address assigned to it?

Layer 3
Layer 2
Vwire
TAP
Mark for follow up
Question 9 of 50.
Subsequent to the installation of a new Application and Threat database, the firewall must be rebooted
True
False

Mark for follow up

Question 10 of 50.
Subsequent to the installation of a new PAN-OS version, the firewall must be rebooted
True
False

Mark for follow up

Question 11 of 50.
Which mode will allow a user to choose when they wish to connect to the Global Protect Network?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
2/9

Empowering People: paloaltonetworks

7/2/2014

On Demand mode
Optional mode

Single Sign-On mode

Always On mode
Mark for follow up
Question 12 of 50.
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:

mbers that refer to a security policys order and are especially useful when filtering security pol
ferring to when the security policy was created and do not have a bearing on the order of policy
numbers that must be manually re-numbered whenever a new security policy is added.
Mark for follow up
Question 13 of 50.
When configuring Security Policies based on FQDN objects, which of the following statements are true?

wall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.
r to create FQDN-based objects, you need to manually
Updefine
to 10 a
IPlist
addresses
of associated
can beIPconfigured
addresses.
for
entry
resolves the FQDN first when the policy is committed, and is refreshed each time Security profil
Mark for follow up
Question 14 of 50.
Which of the following is NOT a valid option for built-in CLI access roles?

read/write
superusers
vsysadmin
deviceadmin
Mark for follow up
Question 15 of 50.
When Network Address Translation has been performed on traffic, Destination Zones in Security Policies should be based on:

Post-NAT addresses
None of the above
Pre-NAT addresses
The same zones used in NAT rules
Mark for follow up
Question 16 of 50.
When troubleshooting Phase 1 of an IPSec VPN tunnel, which location will have the most informative logs?

Responding side, System Log

Initiating side, System log
Responding side, Traffic log
Initiating side, Traffic log
Mark for follow up
Question 17 of 50.
Which of the following options may be enabled to reduce system overhead when using Content-ID?
DSRI
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
3/9

Empowering People: paloaltonetworks

7/2/2014

RSTP
VRRP
STP
Mark for follow up

Question 18 of 50.
What is the benefit realized when the "Enable Passive DNS Monitoring" checkbox is enabled on the firewall? Select all that
apply

Improve PAN-DB malware detection

Improve DNS-based C&C signature
Improve malware detection in WildFire
Improve BrightCloud malware detection
Mark for follow up
Question 19 of 50.
Which of the following objects cannot use User-ID as a match criteria?

Security Policies
QoS
Policy Based Forwarding
DoS Protection
None of the above
Mark for follow up
Question 20 of 50.
Wildfire may be used for identifying which of the following types of traffic?

Malware
DNS
DHCP
URL Content
Mark for follow up
Question 21 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign
in via LDAP. Which information source would allow for reliable User-ID mapping while requiring the least amount of
configuration?

Exchange CAS Security logs

Active Directory Security Logs
WMI Query
Captive Portal
Mark for follow up
Question 22 of 50.
What are two sources of information for determining if the firewall has been successful in communicating with an external
User-ID Agent?

em Logs and the indicator light under the User-ID Agent settings in the firewall
There's only one location - System Logs
There's only one location - Traffic Logs
System Logs and indicator light on the chassis
Mark for follow up
Question 23 of 50.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
4/9

Empowering People: paloaltonetworks

7/2/2014

Which of the following statements about dynamic updates are correct?

and Antivirus updates are released weekly and Threat and Threat and URL filtering updates are
Application and Threat updates
Antivirus
are
and
released
URL filtering
daily. updates are released weekly.
s and URL Filtering updates are released daily. Application and Threat updates are released week
nd URL filtering updates are released daily and Application and Antivirus updates are released w
Mark for follow up
Question 24 of 50.
Subsequent to the installation of new licenses, the firewall must be rebooted
True
False

Mark for follow up

Question 25 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

xt available address in the address range is used, and the source port number is changed
The same address is always used, and the port is unchanged
ext available address in the configured pool is used, but the port number is unchanged
None of the above
Mark for follow up
Question 26 of 50.
When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset.
True
False

Mark for follow up

Question 27 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:

ssword-protected access to specific file downloads, for authorized users

ncreased speed on the downloads of the allowed file types
gainst unwanted downloads, by alerting the user with a response page indicating that s file is go
istrator the ability to leverage Authentication Profiles in order to protect against unwanted dow
Mark for follow up
Question 28 of 50.
Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?

that information can be pulled from other network resources for User-ID
To allow the firewall to push User-ID information to a NAC
To permit syslogging of User Identification events
Mark for follow up
Question 29 of 50.
Which link is used by an Active-Passive cluster to synchronize session information?

The Data Link

The Control Link
The Uplink
The Management Link
Mark for follow up
Question 30 of 50.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
5/9

Empowering People: paloaltonetworks

7/2/2014

An interface in tap mode can transmit packets on the wire.

True
False

Mark for follow up

Question 31 of 50.
Which of the following describes the sequence of the Global Protect agent connecting to a Gateway?
The Agent connects to the Portal obtains a list of Gateways, and connects to the Gateway with the
fastest SSL response time

agent connects to the closest Gateway and sends the HIP report to the portal
onnects to the portal, obtains a list of gateways, and connects to the gateway with the fastest PI
nt connects to the portal and randomly establishes a connection to the first available gateway
Mark for follow up
Question 32 of 50.

o account only the information in the screenshot above, answer the following question. In order for ping traffi
what else needs to be Select
configured?
all that apply.
curity policy from trust zone to Internet zone that allows ping
reate the appropriate routes in the default virtual router
curity policy from Internet zone to trust zone that allows ping
a Management profile that allows ping. Assign that management profile to e1/1 and e1/2
Mark for follow up
Question 33 of 50.
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off communication?

MGT interface address

Loopback interface address
Any one Layer 3 interface address
Localhost address
Mark for follow up
Question 34 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?

Enable and Disable only

None, Superuser, Device Administrator
Allow and Deny only
Enable, Read-Only and Disable
Mark for follow up
Question 35 of 50.
Which fields can be altered in the default Vulnerability Protection Profile?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
6/9

Empowering People: paloaltonetworks

7/2/2014

Category
Severity
None
Mark for follow up
Question 36 of 50.
Which of the following interfaces types will have a MAC address?
Layer 3
Tap
Vwire
Layer 2

Mark for follow up

Question 37 of 50.
When creating an Application filter, which of the following is true?

Excessive bandwidth may be used as a filter match criteria

y are called dynamic because they automatically adapt to new IP addresses
amic because they will automatically include new applications from an application signature upd
in the filter
they are used by malware
Mark for follow up
Question 38 of 50.
WildFire Analysis Reports are available for the following Operating Systems (select all that apply)

Windows XP
Windows 7
Windows 8
Mac OS-X
Mark for follow up
Question 39 of 50.
What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator?

The URL filtering policy to Block is enforced

It will be translated successfully
It will be redirected to www.2600.com
User will get "HTTP Error 503 - Service unavailable" message
Mark for follow up
Question 40 of 50.
What option should be configured when using User-ID

Enable User-ID per zone

Enable User-ID per interface
Enable User-ID per Security Policy
None of the above
Mark for follow up
Question 41 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
7/9

Empowering People: paloaltonetworks

7/2/2014

no-decrypt
decrypt
any
none
Mark for follow up
Question 42 of 50.
When using remote authentication for users (LDAP, Radius, AD, etc),what must be done to allow a user to authenticate through
multiple methods?

s can not be done. A single user can only use one authentication type
Create multiple authentication profiles for the same user.
te an Authentication Sequence, dictating the order of authentication profiles
hough
This
multiple
can not
authentication
be done.
methods exist, a firewall must choose a single, global authentica
method
Mark for follow up
Question 43 of 50.
Which of the following platforms supports the Decryption Port Mirror function?

PA-VM300
PA-4000
PA-3000
PA-2000
Mark for follow up
Question 44 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterward, some users do not receive webbased feedback for all denied applications. What is the cause?

on Block Pages will only be displayed when users attempt to access a denied web-based applica
lication Block Pages will only be displayed when Captive Portal is configured
re accessing the Palo Alto Networks firewall through a virtual system that does not have Applica
me Application ID's are set with a Session Timeout value that is too low
Mark for follow up
Question 45 of 50.
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of the device. In
situations where the public ID is not static, this value can be replaced with a domain name or other text value
True

False

Mark for follow up

Question 46 of 50.
In PAN-OS, how is Wildfire enabled?

a the "Forward" and "Continue and Forward" File-Blocking actions

Via the URL-Filtering "Continue" action
ildfire is automatically enabled with a valid URL-Filtering license
ustom file blocking action must be enabled for all PDF and PE type files
Mark for follow up
Question 47 of 50.
How do you limit the amount of information recorded in the URL Content Filtering Logs?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
8/9

Empowering People: paloaltonetworks

7/2/2014

Enable "Log container page only"

Disable URL packet captures
Enable URL log caching
Enable DSRI
Mark for follow up
Question 48 of 50.
In which of the following objects can User-ID be used to provide a match condition?

Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles
Mark for follow up
Question 49 of 50.
When configuring a Decryption Policy, which of the following are available as matching criteria in a
policy? (Choose 3)

Source Zone

Source User
Service
URL-Category
Application
Mark for follow up
Question 50 of 50.
Which of the following are methods HA clusters use to identify network outages?

Path and Link Monitoring

VR and VSys Monitors
Heartbeat and Session Monitors
Link and Session Monitors
Mark for follow up
Save / Return Later
Summary

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e971abab-e169-4145-841e-7a72a409f724&evalLvl=5&redirect_url=
%2fLMS%2fUserTranscript%2fMainView.aspx
9/9