ACE Exam - PAN-OS 6.1
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.1 Version
ACE Exam
Question 1 of 50.
The following can be configured as a next hop in a static route:
A Policy-Based Forwarding Rule
Virtual Systems
Virtual Router
Virtual Switch
Question 2 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > .... and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot
Question 3 of 50.
Which statement below is True?
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Question 5 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True
False
Question 6 of 50.
The screenshot above shows part of a firewall's configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall's configuration? (Select all correct answers.)
There must be a security policy from Internet zone to trust zone that allows ping.
There must be a security policy from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.
4/7/2015
Question 7 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Decryption Profile in PBF
Decryption Profile in Security Profile
Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True
False
Question 9 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
To permit syslogging of User Identification events.
To pull information from other network resources for User-ID.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
Question 10 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Initial configuration may be accomplished thru the MGT interface or the Console port.
The default Admin account may be disabled or deleted.
By default the MGT Port's IP Address is 192.168.1.1/24.
System defaults may be restored by performing a factory reset in Maintenance Mode.
Question 11 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True
False
Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
BrightCloud URL Filtering
Applications and Threats
Applications
Antivirus
Question 13 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Address Objects
Service Groups
Zones
Vulnerability Profiles
Question 14 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True
False
Question 15 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True
False
Question 16 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Question 17 of 50.
An interface in tap mode can transmit packets on the wire.
True
False
Question 18 of 50.
When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:
The Post-NAT destination zone and Post-NAT IP address.
The Pre-NAT destination zone and Pre-NAT IP address.
The Pre-NAT destination zone and Post-NAT IP address.
The Post-NAT destination zone and Pre-NAT IP address.
Question 19 of 50.
Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent
Gnutella
Skype
SSH
Question 20 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
Question 21 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
Multiple RADIUS servers sharing a VSA configuration.
A custom Administrator Profile.
An Authentication Profile.
Question 22 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No
Question 23 of 50.
When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.
Question 24 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.
Question 25 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Responding side, System Log
Initiating side, Traffic log
Initiating side, System log
Responding side, Traffic log
Question 26 of 50.
User-ID is enabled in the configuration of
A Zone.
A Security Profile.
An Interface.
A Security Policy.
Question 27 of 50.
What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?
A Blocked page response when the URL filtering policy to block is enforced.
A Success page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 Service unavailable" message.
Question 28 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.
Question 29 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True
False
Question 30 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Antivirus
Question 31 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire
Question 32 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved DNS-based C&C signatures.
Improved PAN-DB malware detection.
Improved BrightCloud malware detection.
Improved malware detection in WildFire.
Question 33 of 50.
Security policies specify a source interface and a destination interface.
True
False
Question 34 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The SSH traffic will be denied.
The BitTorrent traffic will be allowed.
The SSH traffic will be allowed.
The BitTorrent traffic will be denied.
Question 35 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
A single IP address is used, and the source port number is unchanged.
The next available IP address in the configured pool is used, but the source port number is unchanged.
A single IP address is used, and the source port number is changed.
The next available address in the configured pool is used, and the source port number is changed.
Question 36 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?
System Logs and Authentication Logs.
System Logs and the indicator light under the User-ID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.
Question 37 of 50.
Which predefined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
Superuser
Device Administrator
A custom admin role must be created for this specific combination of rights.
vsysadmin
Question 38 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True
False
Question 39 of 50.
Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?
The interface is not up.
There is no zone assigned to the interface.
The interface is not assigned an IP address.
The interface is not assigned a virtual router.
Question 40 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A subscription-based SSL Port license
A free PAN-PA-Decrypt license
A Client Decryption license
A subscription-based PAN-PA-Decrypt license
Question 41 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes
No
Question 42 of 50.
Which of the following CANNOT use the source user as a match criterion?
DoS Protection
Security Policies
Antivirus Profile
Policy-Based Forwarding
QoS
Question 43 of 50.
Which of the following must be enabled in order for User-ID to function?
Captive Portal Policies must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.
Security Policies must have the User-ID option enabled.
Question 44 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True
False
Question 45 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?
50
100
10
150
Question 46 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Under Packet Forwarding, selecting the VR Sync checkbox.
Question 47 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True
False
Question 48 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Question 49 of 50.
In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles
Question 50 of 50.
In PAN-OS 6.0, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall's policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.