Realize Your Potential: paloaltonetworks Página 1 de 13
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
ACE Exam
Question 1 of 50.
What will the user experience when attempting to access a blocked hacking website through a translation service such
as Google Translate or Bing Translator?
A “Blocked” page response when the URL filtering policy to block is enforced.
A “Success” page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 - Service unavailable" message.
Mark for follow up
Question 2 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user
roles) for Administrator Accounts.
True False
Mark for follow up
Question 3 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Password-protected access to specific file downloads for authorized users.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be
downloaded.
Increased speed on downloads of file types that are explicitly enabled.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Mark for follow up
Question 4 of 50.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 2 de 13
Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.
Mark for follow up
Question 5 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Profile.
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.
Mark for follow up
Question 6 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule?
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 3 de 13
(Choose 3.)
Destination Zone
Source User
Source Zone
Destination Application
Mark for follow up
Question 7 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These
changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot
Mark for follow up
Question 8 of 50.
Taking into account only the information in the screenshot above, answer the following question. Which applications
will be allowed on their standard ports? (Select all correct answers.)
Gnutella
Skype
BitTorrent
SSH
Mark for follow up
Question 9 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 4 de 13
firewall?
To permit syslogging of User Identification events.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
To pull information from other network resources for User-ID.
Mark for follow up
Question 10 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Configurable up to 2 megabytes.
Always 2 megabytes.
Always 10 megabytes.
Configurable up to 10 megabytes.
Mark for follow up
Question 11 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Initiating side, System log
Responding side, Traffic log
Initiating side, Traffic log
Responding side, System Log
Mark for follow up
Question 12 of 50.
Which link is used by an Active/Passive cluster to synchronize session information?
The Control Link
The Uplink
The Management Link
The Data Link
Mark for follow up
Question 13 of 50.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 5 de 13
After the installation of the Threat Prevention license, the firewall must be rebooted.
True False
Mark for follow up
Question 14 of 50.
An interface in Virtual Wire mode must be assigned an IP address.
True False
Mark for follow up
Question 15 of 50.
True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud
only.
True False
Mark for follow up
Question 16 of 50.
In PAN-OS 6.0 and later, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall’s policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.
Mark for follow up
Question 17 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes No
Mark for follow up
Question 18 of 50.
Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To enable this
feature within the GUI go to…
Network > Network Profiles > Zone Protection
Objects > Zone Protection
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 6 de 13
Interfaces > Interface Number > Zone Protection
Policies > Profile > Zone Protection
Mark for follow up
Question 19 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False
Mark for follow up
Question 20 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True False
Mark for follow up
Question 21 of 50.
Which of the following CANNOT use the source user as a match criterion?
Anti-virus Profile
Secuirty Policies
Policy Based Forwarding
QoS
DoS Protection
Mark for follow up
Question 22 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user
to authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication
type--and all users must use this method.
This cannot be done. A single user can only use one authentication type.
Create multiple authentication profiles for the same user.
Mark for follow up
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 7 de 13
Question 23 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles
are evaluated.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
Mark for follow up
Question 24 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in
policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Mark for follow up
Question 25 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True False
Mark for follow up
Question 26 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies.
(Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed
Mark for follow up
Question 27 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
500
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 8 de 13
10
50
1000
Mark for follow up
Question 28 of 50.
WildFire may be used for identifying which of the following types of traffic?
OSPF
DHCP
RIPv2
Malware
Mark for follow up
Question 29 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server’s private IP
address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?
The server’s public IP
The firewall’s gateway IP
The firewall’s MGT IP
The server’s private IP
Mark for follow up
Question 30 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
Anti-virus
BrightCloud URL Filtering
Applications
Applications and Threats
Mark for follow up
Question 31 of 50.
Which of the following must be enabled in order for User-ID to function?
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 9 de 13
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.
Captive Portal Policies must be enabled.
Security Policies must have the User-ID option enabled.
Mark for follow up
Question 32 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be
distributed as often as…
Once every 15 minutes
Once an hour
Once a day
Once a week
Mark for follow up
Question 33 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?
No-Decrypt
Decrypt
Any
None
Mark for follow up
Question 34 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP
address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True False
Mark for follow up
Question 35 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 10 de 13
VM-Series 100
PA-2000
PA-4000
Mark for follow up
Question 36 of 50.
When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will send a TCP reset.
True False
Mark for follow up
Question 37 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS
SSH
Telnet
HTTP
Mark for follow up
Question 38 of 50.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and
network anomalies that may indicate a host has been compromised?
Custom Signatures
Correlation Events
App-ID Signatures
Command & Control Signatures
Correlation Objects
Mark for follow up
Question 39 of 50.
Will an exported configuration contain Management Interface settings?
Yes No
Mark for follow up
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 11 de 13
Question 40 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?
10
150
50
100
Mark for follow up
Question 41 of 50.
The following can be configured as a next hop in a static route:
Virtual Systems
A Policy-Based Forwarding Rule
Virtual Switch
Virtual Router
Mark for follow up
Question 42 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an
external User-ID Agent?
System Logs and Authentication Logs.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.
System Logs and the indicator light under the User-ID Agent settings in the firewall.
Mark for follow up
Question 43 of 50.
True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud
solution.
True False
Mark for follow up
Question 44 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 12 de 13
The MGT interface address.
Any layer 3 interface address specified by the firewall administrator.
The default gateway of the firewall.
The local loopback address.
Mark for follow up
Question 45 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also
prevents "Split-Brain"?
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Under “Packet Forwarding”, selecting the VR Sync checkbox.
Mark for follow up
Question 46 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Mark for follow up
Question 47 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
Enable and Disable only
None, Superuser, Device Administrator
Enable, Read-Only, and Disable
Allow and Deny only
Mark for follow up
Question 48 of 50.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
�Realize Your Potential: paloaltonetworks Página 13 de 13
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Mark for follow up
Question 49 of 50.
When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.
Mark for follow up
Question 50 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has
"Safe Search Enforcement" Enabled?
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
The user will be redirected to a different search site that is specified by the firewall administrator.
A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
Mark for follow up
Save / Return Later Summary
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44... 30/07/2016
