Ace7 0
Version
ACE Exam
Question 1 of 50.
Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or compress the
file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four levels. But if an attacker
has encoded the file beyond four levels, what can you as an administrator do to protect your users?
Create a Decryption Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a File Blocking Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a File Blocking Profile for multi-level encoded files with the action set to block.
Create a Decryption Policy for multi-level encoded files and set the action to block.
Question 2 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True
False
Question 3 of 50.
Which of the following search engines are supported by the "Safe Search Enforcement" option? (Select all
correct answers.)
Google
Yahoo
Baidu
Bing
Question 4 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
1000
50
500
10
Question 5 of 50.
Question 6 of 50.
In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
Security Policies
NAT Policies
Threat Profiles
Question 7 of 50.
Question 8 of 50.
In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as
often as…
Once every 15 minutes
Once a day
Once a week
Once an hour
Question 9 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security
Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Question 10 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding
Rule? (Choose 3.)
Source Zone
Source User
Destination Application
Destination Zone
Question 11 of 50.
Which of the following are methods that HA clusters use to identify network outages?
VR and VSYS Monitors
Question 12 of 50.
Taking into account only the information in the screenshot above, answer the following question. An
administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of
response?
There is no Management Profile.
Question 13 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not
knowing they are attempting to access a blocked web-based application, users call the Help Desk to
complain about network connectivity issues. What is the cause of the increased number of help desk calls?
Application Block Pages will only be displayed when Captive Portal is configured.
Question 14 of 50.
A Security Policy.
A Zone.
A Security Profile.
Question 15 of 50.
Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent
Skype
SSH
Gnutella
Question 16 of 50.
An Authentication Profile.
An Authentication Sequence.
Question 17 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire
Question 18 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
The rule with the highest rule number is applied.
Question 19 of 50.
The Uplink
Question 20 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Configurable up to 2 megabytes.
Configurable up to 10 megabytes.
Always 10 megabytes.
Always 2 megabytes.
Question 21 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of
evaluation within a profile is:
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Question 22 of 50.
An application filter is used by malware to evade detection by firewalls and anti-virus software.
Question 23 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the
firewall? (Select all correct answers.)
Improved BrightCloud malware detection.
Question 24 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the
public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a
text value.
True
False
Question 25 of 50.
WildFire may be used for identifying which of the following types of traffic?
RIPv2
DHCP
OSPF
Malware
Question 26 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
The next available address in the configured pool is used, and the source port number is changed.
Question 27 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Password-protected access to specific file downloads for authorized users.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Question 28 of 50.
What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for
the action setting?
A Data Filtering profile with possible actions of “Forward” or “Continue and Forward”.
A URL Filtering profile with the possible action of “Forward”.
A File Blocking profile with possible actions of “Forward” or “Continue and Forward”.
Question 29 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000
Question 30 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal
server’s private IP address. Which IP address should the Security Policy use as the "Destination IP" in order
to allow traffic to the server?
The firewall’s MGT IP
Question 31 of 50.
Question 32 of 50.
Decrypt
None
Any
Question 33 of 50.
Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To
enable this feature within the GUI go to…
Network > Network Profiles > Zone Protection
Question 34 of 50.
When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the
rule? (Choose 3 answers.)
Source Zone
Source User
Service
Application
URL Category
Question 35 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to
allow a user to authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. A single user can only use one authentication type.
Question 36 of 50.
Question 37 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
True
False
Question 38 of 50.
Taking into account only the information in the screenshot above, answer the following question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The BitTorrent traffic will be allowed.
Question 39 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted
WildFire virtualized sandbox?
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PE files only
Question 40 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True
False
Question 41 of 50.
Which of the following must be enabled in order for User-ID to function?
Captive Portal Policies must be enabled.
Question 42 of 50.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Question 43 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
deviceadmin
devicereader
superuser
read/write
Question 44 of 50.
Question 45 of 50.
Question 46 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Question 47 of 50.
When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between the two config files
Question 48 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in PBF
Question 49 of 50.
Virtual Switch
Virtual Router
Question 50 of 50.
Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering
Profile?
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.