Professional Documents
Culture Documents
Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.1 Version
Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.1 Version
Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.1 Version
1Version
ACEExam
Question1of50.
WhichofthefollowingmustbeenabledinorderforUserIDtofunction?
CaptivePortalPoliciesmustbeenabled.
UserIDmustbeenabledforthesourcezoneofthetrafficthatistobeidentified.
SecurityPoliciesmusthavetheUserIDoptionenabled.
CaptivePortalmustbeenabled.
Markforfollowup
Question2of50.
YoucanassignanIPaddresstoaninterfaceinVirtualWiremode.
True
False
Markforfollowup
Question3of50.
BesidesselectingtheHeartbeatBackupoptionwhencreatinganActivePassiveHAPair,whichofthefollowingalsoprevents"SplitBrain"?
UnderPacketForwarding,selectingtheVRSynccheckbox.
ConfiguringabackupHA2linkthatpointstotheMGTinterfaceoftheotherdeviceinthepair.
ConfiguringanindependentbackupHA1link.
CreatingacustominterfaceunderServiceRouteConfiguration,andassigningthisinterfaceasthebackupHA2link.
Markforfollowup
Question4of50.
WhatSecurityProfiletypemustbeconfiguredtosendfilestotheWildFirecloud,andwithwhatchoicesfortheactionsetting?
AVulnerabilityProtectionprofilewiththepossibleactionofForward.
AURLFilteringprofilewiththepossibleactionofForward.
AFileBlockingprofilewithpossibleactionsofForwardorContinueandForward.
ADataFilteringprofilewithpossibleactionsofForwardorContinueandForward.
Markforfollowup
Question5of50.
Choosethebestanswer:InPANOS,theWildFireSubscriptionServiceallowsupdatesformalwaresignaturestobedistributedasoftenas
Onceaweek
Onceanhour
Onceevery15minutes
Onceaday
Markforfollowup
Question6of50.
WhichoftheDynamicUpdateslistedbelowareissuedonadailybasis?(Selectallcorrectanswers.)
ApplicationsandThreats
BrightCloudURLFiltering
Antivirus
Applications
Markforfollowup
Question7of50.
AftertheinstallationofanewApplicationandThreatdatabase,thefirewallmustberebooted.
True
False
Markforfollowup
Question8of50.
WhichofthefollowingwouldbeareasontousethePANOSXMLAPItocommunicatewithaPaloAltoNetworksfirewall?
ToallowthefirewalltopushUserIDinformationtoaNetworkAccessControl(NAC)device.
TopullinformationfromothernetworkresourcesforUserID.
TopermitsysloggingofUserIdentificationevents.
Markforfollowup
Question9of50.
AsthePaloAltoNetworksAdministratorresponsibleforUserID,youneedtoenablemappingofnetworkusersthatdonotsigninusingLDAP.Whichinformationsourcewouldallow
forreliableUserIDmappingwhilerequiringtheleastefforttoconfigure?
ActiveDirectorySecurityLogs
CaptivePortal
ExchangeCASSecuritylogs
WMIQuery
Markforfollowup
Question10of50.
Thescreenshotaboveshowspartofafirewallsconfiguration.Ifpingtrafficcantraversethisdevicefrome1/2toe1/1,whichofthefollowingstatementsmustbeTrueaboutthis
firewallsconfiguration?(Selectallcorrectanswers.)
Theremustbeappropriateroutesinthedefaultvirtualrouter.
TheremustbeaManagementProfilethatallowsping.(ThenassignthatManagementProfiletoe1/1ande1/2.)
TheremustbeasecuritypolicyrulefromtrustzonetoInternetzonethatallowsping.
TheremustbeasecuritypolicyrulefromInternetzonetotrustzonethatallowsping.
Markforfollowup
Question11of50.
WhenconfiguringAdminRolesforWebUIaccess,whataretheavailableaccesslevels?
EnableandDisableonly
AllowandDenyonly
Enable,ReadOnly,andDisable
None,Superuser,DeviceAdministrator
Markforfollowup
Question12of50.
WhenconfiguringaSecurityPolicyRulebasedonFQDNAddressObjects,whichofthefollowingstatementsisTrue?
InordertocreateFQDNbasedobjects,youneedtomanuallydefinealistofassociatedIPaddresses.
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagainatDNSTTLexpiration.
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagaineachtimeSecurityProfilesareevaluated.
Markforfollowup
Question13of50.
Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion:Aspanportoraswitchisconnectedtoe1/4,buttherearenotrafficlogs.Whichofthe
followingconditionsmostlikelyexplainsthisbehavior?
Theinterfaceisnotup.
TheinterfaceisnotassignedanIPaddress.
Theinterfaceisnotassignedavirtualrouter.
Thereisnozoneassignedtotheinterface.
Markforfollowup
Question14of50.
WhichstatementbelowisTrue?
PANOSusesPANDBforURLFiltering,replacingBrightCloud.
PANOSusesBrightCloudasitsdefaultURLFilteringdatabase,butalsosupportsPANDB.
PANOSusesBrightCloudforURLFiltering,replacingPANDB.
PANOSusesPANDBasthedefaultURLFilteringdatabase,butalsosupportsBrightCloud.
Markforfollowup
Question15of50.
WhichroutingprotocolissupportedonthePaloAltoNetworksplatform?
BGP
RIPv1
ISIS
RSTP
Markforfollowup
Question16of50.
WhenconfiguringaDecryptionPolicyrule,whichoptionallowsafirewalladministratortocontrolSSHv2tunnelinginpoliciesbyspecifyingtheSSHtunnelAppID?
SSHProxy
SSLForwardProxy
SSLInboundInspection
SSLReverseProxy
Markforfollowup
Question17of50.
InaDestinationNATconfiguration,theTranslatedAddressfieldmaybepopulatedwitheitheranIPaddressoranAddressObject.
True
False
Markforfollowup
Question18of50.
InordertoroutetrafficbetweenLayer3interfacesonthePaloAltoNetworksfirewall,youneeda:
VirtualRouter
VLAN
VirtualWire
SecurityProfile
Markforfollowup
Question19of50.
PaloAltoNetworksfirewallssupporttheuseofbothDynamic(builtinuserroles)andRoleBased(customizeduserroles)forAdministratorAccounts.
True
False
Markforfollowup
Question20of50.
WhichofthefollowingplatformssupportstheDecryptionPortMirrorfunction?
PA3000
VMSeries100
PA2000
PA4000
Markforfollowup
Question21of50.
ColorcodedtagscanbeusedonalloftheitemslistedbelowEXCEPT:
ServiceGroups
VulnerabilityProfiles
AddressObjects
Zones
Markforfollowup
Question22of50.
WhenyouhavecreatedaSecurityPolicyRulethatallowsFacebook,whatmustyoudotoblockallotherwebbrowsingtraffic?
EnsurethattheServicecolumnisdefinedas"applicationdefault"forthisSecuritypolicy.Doingthiswillautomaticallyincludetheimplicitwebbrowsingapplicationdependency.
Nothing.YoucandependonPANOStoblockthewebbrowsingtrafficthatisnotneededforFacebookuse.
Createanadditionalrulethatblocksallothertraffic.
Whencreatingthepolicy,ensurethatwebbrowsingisincludedinthesamerule.
Markforfollowup
Question23of50.
Whatisthemaximumfilesizeof.EXEfilesuploadedfromthefirewalltoWildFire?
Configurableupto2megabytes.
Configurableupto10megabytes.
Always10megabytes.
Always2megabytes.
Markforfollowup
Question24of50.
WhatwillbetheuserexperiencewhenthesafesearchoptionisNOTenabledforGooglesearchbutthefirewallhas"SafeSearchEnforcement"Enabled?
AblockpagewillbepresentedwithinstructionsonhowtosetthestrictSafeSearchoptionfortheGooglesearch.
TheFirewallwillenforceSafeSearchiftheURLfilteringlicenseisstillvalid.
AtaskbarpopupmessagewillbepresentedtoenableSafeSearch.
Theuserwillberedirectedtoadifferentsearchsitethatisspecifiedbythefirewalladministrator.
Markforfollowup
Question25of50.
SelecttheimplicitrulesthatareappliedtotrafficthatfailstomatchanyadministratordefinedSecurityPolicies.(Chooseallrulesthatarecorrect.)
Intrazonetrafficisallowed
Interzonetrafficisdenied
Intrazonetrafficisdenied
Interzonetrafficisallowed
Markforfollowup
Question26of50.
WhataretwosourcesofinformationfordeterminingwhetherthefirewallhasbeensuccessfulincommunicatingwithanexternalUserIDAgent?
SystemLogsandtheindicatorlightundertheUserIDAgentsettingsinthefirewall.
SystemLogsandanindicatorlightonthechassis.
TrafficLogsandAuthenticationLogs.
SystemLogsandAuthenticationLogs.
Markforfollowup
Question27of50.
A"Continue"actioncanbeconfiguredonwhichofthefollowingSecurityProfiles?
URLFilteringandFileBlocking
URLFilteringonly
URLFiltering,FileBlocking,andDataFiltering
URLFilteringandAntivirus
Markforfollowup
Question28of50.
WhichofthefollowingstatementsisNOTTrueaboutPaloAltoNetworksfirewalls?
InitialconfigurationmaybeaccomplishedthrutheMGTinterfaceortheConsoleport.
ThedefaultAdminaccountmaybedisabledordeleted.
BydefaulttheMGTPort'sIPAddressis192.168.1.1/24.
SystemdefaultsmayberestoredbyperformingafactoryresetinMaintenanceMode.
Markforfollowup
Question29of50.
Whichofthefollowingsearchenginesaresupportedbythe"SafeSearchEnforcement"option?(Selectallcorrectanswers.)
Yahoo
Google
Bing
Baidu
Markforfollowup
Question30of50.
UsingtheAPIinPANOS6.1,WildFiresubscriberscanuploaduptohowmanysamplesperday?
50
1000
10
500
Markforfollowup
Question31of50.
WithIKEPhase1,eachdeviceisidentifiedtotheotherbyaPeerID.Inmostcases,thePeerIDisjustthepublicIPaddressofthedevice.InsituationswherethepublicIPaddressis
notstatic,thePeerIDcanbeatextvalue.
True
False
Markforfollowup
Question32of50.
Whatisthedefaultsettingfor'Action'inaDecryptionPolicy'srule?
Any
NoDecrypt
Decrypt
None
Markforfollowup
Question33of50.
WhenaninterfaceisinTapmodeandaPolicysactionissettoblock,theinterfacewillsendaTCPreset.
True
False
Markforfollowup
Question34of50.
WhenemployingtheBrightCloudURLfilteringdatabaseinaPaloAltoNetworksfirewall,theorderofevaluationwithinaprofileis:
DynamicURLfiltering,Blocklist,Allowlist,Cachefiles,Customcategories,Predefinedcategories.
Blocklist,CustomCategories,Predefinedcategories,DynamicURLfiltering,Allowlist,Cachefiles.
Blocklist,Allowlist,CustomCategories,Cachefiles,LocalURLDBfile.
Blocklist,CustomCategories,Cachefiles,Predefinedcategories,DynamicURLfiltering,Allowlist.
Markforfollowup
Question35of50.
Securitypolicyrulesspecifyasourceinterfaceandadestinationinterface.
True
False
Markforfollowup
Question36of50.
WhichofthefollowinginterfacetypescanhaveanIPaddressassignedtoit?
Layer3
Layer2
Tap
VirtualWire
Markforfollowup
Question37of50.
UserIDisenabledintheconfigurationof
ASecurityProfile.
ASecurityPolicy.
AZone.
AnInterface.
Markforfollowup
Question38of50.
Whenusingremoteauthenticationforusers(LDAP,RADIUS,ActiveDirectory,etc.),whatmustbedonetoallowausertoauthenticatethroughmultiplemethods?
Createmultipleauthenticationprofilesforthesameuser.
Thiscannotbedone.Asingleusercanonlyuseoneauthenticationtype.
CreateanAuthenticationSequence,dictatingtheorderofauthenticationprofiles.
Thiscannotbedone.Althoughmultipleauthenticationmethodsexist,afirewallmustchooseasingle,globalauthenticationtypeandallusersmustusethismethod.
Markforfollowup
Question39of50.
InPaloAltoNetworksterms,anapplicationis:
Aspecificprogramdetectedwithinanidentifiedstreamthatcanbedetected,monitored,and/orblocked.
Acombinationofportandprotocolthatcanbedetected,monitored,and/orblocked.
Afileinstalledonalocalmachinethatcanbedetected,monitored,and/orblocked.
WebbasedtrafficfromaspecificIPaddressthatcanbedetected,monitored,and/orblocked.
Markforfollowup
Question40of50.
Whichfeaturecanbeconfiguredtoblocksessionsthatthefirewallcannotdecrypt?
DecryptionProfileinSecurityProfile
DecryptionProfileinPBF
DecryptionProfileinDecryptionPolicy
DecryptionProfileinSecurityPolicy
Markforfollowup
Question41of50.
WhentroubleshootingPhase1ofanIPsecVPNtunnel,whichlocationandlogwillbemostinformative?
Initiatingside,Trafficlog
Initiatingside,Systemlog
Respondingside,SystemLog
Respondingside,Trafficlog
Markforfollowup
Question42of50.
WillanexportedconfigurationcontainManagementInterfacesettings?
Yes
No
Markforfollowup
Question43of50.
TrafficgoingtoapublicIPaddressisbeingtranslatedbyaPaloAltoNetworksfirewalltoaninternalserversprivateIPaddress.WhichIPaddressshouldtheSecurityPolicyuseas
the"DestinationIP"inordertoallowtraffictotheserver?
ThefirewallsgatewayIP
ThefirewallsMGTIP
TheserversprivateIP
TheserverspublicIP
Markforfollowup
Question44of50.
WhenconfiguringaDecryptionPolicyRule,whichofthefollowingareavailableasmatchingcriteriaintherule?(Choose3answers.)
SourceUser
URLCategory
Service
Application
SourceZone
Markforfollowup
Question45of50.
InPANOS6.0andlater,whichoftheseitemsmaybeusedasmatchcriterioninaPolicyBasedForwardingRule?(Choose3.)
SourceZone
SourceUser
DestinationZone
DestinationApplication
Markforfollowup
Question46of50.
AsaPaloAltoNetworksfirewalladministrator,youhavemadeunwantedchangestotheCandidateconfiguration.ThesechangesmaybeundonebyDevice>Setup>Operations>
ConfigurationManagement>....andthenwhatoperation?
ReverttoRunningConfiguration
ReverttolastSavedConfiguration
LoadConfigurationVersion
ImportNamedConfigurationSnapshot
Markforfollowup
Question47of50.
WhenconfiguringthefirewallforUserID,whatisthemaximumnumberofDomainControllersthatcanbeconfigured?
10
50
150
100
Markforfollowup
Question48of50.
InaPaloAltoNetworksfirewall,everyinterfaceinusemustbeassignedtoazoneinordertoprocesstraffic.
True
False
Markforfollowup
Question49of50.
WhichlinkisusedbyanActive/Passiveclustertosynchronizesessioninformation?
TheManagementLink
TheDataLink
TheUplink
TheControlLink
Markforfollowup
Question50of50.
WhichofthefollowingmostaccuratelydescribesDynamicIPinaSourceNATconfiguration?
AsingleIPaddressisused,andthesourceportnumberischanged.
ThenextavailableIPaddressintheconfiguredpoolisused,butthesourceportnumberisunchanged.
Thenextavailableaddressintheconfiguredpoolisused,andthesourceportnumberischanged.
AsingleIPaddressisused,andthesourceportnumberisunchanged.
Markforfollowup
Save/ReturnLater
Summary