Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Question 1 of 50.
Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
Superuser
Device Administrator
vsysadmin
A custom admin role must be created for this specific combination of rights.
Question 2 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True
False
Question 3 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True
False
Question 4 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
The default gateway of the firewall.
The local loopback address.
The MGT interface address.
Any layer 3 interface address specified by the firewall administrator.
Question 5 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Profile.
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.
Question 6 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved malware detection in WildFire.
Improved PAN-DB malware detection.
Improved DNS-based C&C signatures.
Improved BrightCloud malware detection.
Question 7 of 50.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?
Custom Signatures
App-ID Signatures
Correlation Events
Correlation Objects
Command & Control Signatures
Question 8 of 50.
Which of the following must be enabled in order for User-ID to function?
Captive Portal Policies must be enabled.
Security Policies must have the User-ID option enabled.
Captive Portal must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Question 9 of 50.
In which of the following can User-ID be used to provide a match condition?
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles
Question 10 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Source User
Destination Zone
Source Zone
Destination Application
Question 11 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Question 12 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Vulnerability Profiles
Address Objects
Zones
Service Groups
Question 13 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Question 14 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes
No
Question 15 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure?
Active Directory Security Logs
Exchange CAS Security logs
WMI Query
Captive Portal
Question 16 of 50.
User-ID is enabled in the configuration of
An Interface.
A Zone.
A Security Policy.
A Security Profile.
Question 17 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Question 18 of 50.
An interface in tap mode can transmit packets on the wire.
True
False
Question 19 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
EIGRP
RIPv2
ISIS
IGRP
Question 20 of 50.
WildFire may be used for identifying which of the following types of traffic?
RIPv2
Malware
DHCP
OSPF
Question 21 of 50.
True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution.
True
False
Question 22 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True
False
Question 23 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
The administrator who set it
Any administrator
Device administrators
Superusers
Question 24 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?
A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
The user will be redirected to a different search site that is specified by the firewall administrator.
Question 25 of 50.
True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud.
True
False
Question 26 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.
Some App-IDs are set with a Session Timeout value that is too low.
The File Blocking Block Page was disabled.
Application Block Pages will only be displayed when Captive Portal is configured.
Question 27 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
Question 28 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No
Question 29 of 50.
Which of the following facts about dynamic updates is correct?
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and URL Filtering updates are released weekly.
Question 30 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire Analysis verdict. Choose the three correct classifications as a result of this analysis and classification.
Safeware
Malware detection
Benign
Grayware
Spyware
Adware
Question 31 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Initiating side, System log
Initiating side, Traffic log
Responding side, System Log
Responding side, Traffic log
Question 32 of 50.
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Question 33 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS
SSH
Telnet
HTTP
Question 34 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in PBF
Decryption Profile in Security Profile
Decryption Profile in Decryption Policy
Decryption Profile in Security Policy
Question 35 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Question 36 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot
Question 37 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True
False
Question 38 of 50.
Which statement below is True?
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
Question 39 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000
Question 40 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Path and Link Monitoring
Link and Session Monitors
VR and VSYS Monitors
Question 41 of 50.
Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?
There is no zone assigned to the interface.
The interface is not assigned a virtual router.
The interface is not assigned an IP address.
The interface is not up.
Question 42 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
The default Admin account may be disabled or deleted.
System defaults may be restored by performing a factory reset in Maintenance Mode.
By default the MGT Port's IP Address is 192.168.1.1/24.
Initial configuration may be accomplished thru the MGT interface or the Console port.
Question 43 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
SSL Certificates
RIPv2
Domain Controller
Network Access Control (NAC) device
Question 44 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire
Question 45 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?
Service
URL Category
Source User
Application
Source Zone
Question 46 of 50.
Security policy rules specify a source interface and a destination interface.
True
False
Question 47 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True
False
Question 48 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
1000
10
50
500
Question 49 of 50.
Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason and purpose for the WildFire Hybrid solution?
The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well as providing the option to send other, general files to the WildFire Public Cloud for analysis.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while retaining data privacy.
The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription.
The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.
Question 50 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as
Once every 15 minutes
Once an hour
Once a day
Once a week
Summary
8/8/2016 3:35 PM
https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...
Test results are summarized below.
(50 Results)
ID
Question
Correct
6781
Correct
6786
A Config Lock may be removed by which of the following users? (Select all correct answers.)
Correct
7947
After the installation of a new version of PAN-OS, the firewall must be rebooted.
Correct
7942
Correct
7954
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation?
Correct
7979
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure?
7984
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
Incorrect
7953
Correct
7994
Correct
8062
Color-coded tags can be used on all of the items listed below EXCEPT:
Correct
7952
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
Correct
8756
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Correct
8751
Incorrect
8741
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Incorrect
8731
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as
Correct
Incorrect
8721
Correct
7944
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
Correct
7945
Correct
8072
Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?
Incorrect
8711
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Correct
8651
Correct
8696
Correct
8681
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Incorrect
8676
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
Correct
8646
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?
Correct
8636
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
8596
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Incorrect
8586
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Correct
8576
Which feature can be configured to block sessions that the firewall cannot decrypt?
Correct
8551
Which of the following are methods that HA clusters use to identify network outages?
Correct
8541
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
Incorrect
8490
Correct
8531
Which of the following interface types can have an IP address assigned to it?
Correct
8556
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
Correct
8516
Correct
8500
Which of the following platforms supports the Decryption Port Mirror function?
Correct
Incorrect
8495
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
Correct
8485
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Correct
8466
Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
Correct
8420
Correct