
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version

ACE Exam 

Question 1 of 50. 

Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or compress the
file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four levels. But if an attacker
has encoded the file beyond four levels, what can you as an administrator do to protect your users?
 
Create a Decryption Profile for multi-level encoded files and apply it to a Decryption Policy.  
Create a File Blocking Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a File Blocking Profile for multi-level encoded files with the action set to block.  

Create a Decryption Policy for multi-level encoded files and set the action to block.  

 

Question 2 of 50. 

After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False

     


Question 3 of 50. 

Which of the following search engines are supported by the "Safe Search Enforcement" option? (Select all
correct answers.)
Google  

Yahoo  

Baidu  

Bing  

  
Question 4 of 50. 

Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
 
1000  

50  

500  

10  

 

Question 5 of 50. 

A "Continue" action can be configured on which of the following Security Profiles?


 
URL Filtering and File Blocking  

URL Filtering only  

URL Filtering, File Blocking, and Data Filtering  

URL Filtering and Anti-virus  

 

Question 6 of 50. 

In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
 
Security Policies  

NAT Policies  

Zone Protection Policies  

Threat Profiles  

 

Question 7 of 50. 

Security policies specify a source interface and a destination interface.


True False

     


Question 8 of 50. 

In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as
often as…
 
Once every 15 minutes  

Once a day  

Once a week  

Once an hour  

 

Question 9 of 50. 

Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security
Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed  

Inter-zone traffic is denied  

Intra-zone traffic is denied  

Inter-zone traffic is allowed  

  

Question 10 of 50. 

In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding
Rule? (Choose 3.)
Source Zone  

Source User  

Destination Application  

Destination Zone  

  

Question 11 of 50. 

Which of the following are methods that HA clusters use to identify network outages?
 
VR and VSYS Monitors  

Heartbeat and Session Monitors  

Path and Link Monitoring  

Link and Session Monitors  

 

Question 12 of 50. 

Taking into account only the information in the screenshot above, answer the following question. An
administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of
response?
 
There is no Management Profile.  

There is a Security Policy that prevents ping.  

The interface is down.  


There is no route back to the machine originating the ping.
 

Question 13 of 50. 

As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not
knowing they are attempting to access a blocked web-based application, users call the Help Desk to
complain about network connectivity issues. What is the cause of the increased number of help desk calls?
 
Application Block Pages will only be displayed when Captive Portal is configured.  

The File Blocking Block Page was disabled.  


The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to policy.
Some App-ID's are set with a Session Timeout value that is too low.  
 

Question 14 of 50. 

User-ID is enabled in the configuration of …


 
An Interface.  

A Security Policy.  

A Zone.  

A Security Profile.  

 

Question 15 of 50. 

Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent  

Skype  

SSH  

Gnutella  

  

Question 16 of 50. 

Users may be authenticated sequentially to multiple authentication servers by configuring:


 
A custom Administrator Profile.  

An Authentication Profile.  

An Authentication Sequence.  

Multiple RADIUS servers sharing a VSA configuration.  

 
Question 17 of 50. 

Which of the following interface types can have an IP address assigned to it?
 
Layer 3  

Layer 2  

Tap  

Virtual Wire  

 

Question 18 of 50. 

What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
 
The rule with the highest rule number is applied.  

First match applied.  

Most specific match applied.  

Last match applied.  

 

Question 19 of 50. 

Which link is used by an Active/Passive cluster to synchronize session information?


 
The Management Link  

The Data Link  

The Control Link  

The Uplink  

 

Question 20 of 50. 

What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
 
Configurable up to 2 megabytes.  

Configurable up to 10 megabytes.  

Always 10 megabytes.  

Always 2 megabytes.  

 

Question 21 of 50. 

When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of
evaluation within a profile is:
 
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.  

Block list, Allow list, Custom Categories, Cache files, Local URL DB file.  

Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.  

Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.  

 

Question 22 of 50. 

Which of the following is True of an application filter?


 
An application filter automatically adapts when an application moves from one IP address to another.  
An application filter automatically includes a new application when one of the new application’s characteristics are included in the filter.
An application filter specifies the users allowed to access an application.  

An application filter is used by malware to evade detection by firewalls and anti-virus software.  

 

Question 23 of 50. 

What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the
firewall? (Select all correct answers.)
Improved BrightCloud malware detection.  

Improved PAN-DB malware detection.  


Improved DNS-based C&C signatures.  

Improved malware detection in WildFire.  

  

Question 24 of 50. 

With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the
public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a
text value.
True False

     


Question 25 of 50. 

WildFire may be used for identifying which of the following types of traffic?
 
RIPv2  

DHCP  

OSPF  

Malware  

 

Question 26 of 50. 

Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
 
The next available address in the configured pool is used, and the source port number is changed.  

A single IP address is used, and the source port number is unchanged.  

A single IP address is used, and the source port number is changed.  


The next available IP address in the configured pool is used, but the source port number is unchanged.
 
Question 27 of 50. 

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
 
Password-protected access to specific file downloads for authorized users.  

Increased speed on downloads of file types that are explicitly enabled.  

The ability to use Authentication Profiles, in order to protect against unwanted downloads.  
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
 

Question 28 of 50. 

What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for
the action setting?
 
A Data Filtering profile with possible actions of “Forward” or “Continue and Forward”.
A URL Filtering profile with the possible action of “Forward”.  

A Vulnerability Protection profile with the possible action of “Forward”.  

A File Blocking profile with possible actions of “Forward” or “Continue and Forward”.  

 

Question 29 of 50. 

Which of the following platforms supports the Decryption Port Mirror function?
 
PA-3000  

VM-Series 100  

PA-2000  

PA-4000  

 

Question 30 of 50. 

Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal
server’s private IP address. Which IP address should the Security Policy use as the "Destination IP" in order
to allow traffic to the server?
 
The firewall’s MGT IP  

The firewall’s gateway IP  

The server’s private IP  

The server’s public IP  

 

Question 31 of 50. 

Both SSL decryption and SSH decryption are disabled by default.


True False

     


Question 32 of 50. 

What is the default setting for 'Action' in a Decryption Policy's rule?


 
No-Decrypt  

Decrypt  

None  

Any  

 

Question 33 of 50. 

Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To
enable this feature within the GUI go to…
 
Network > Network Profiles > Zone Protection  

Objects > Zone Protection  

Interfaces > Interface Number > Zone Protection  

Policies > Profile > Zone Protection  


 

Question 34 of 50. 

When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the
rule? (Choose 3 answers.)
Source Zone  

Source User  

Service  

Application  

URL Category  

  

Question 35 of 50. 

When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to
allow a user to authenticate through multiple methods?
 
Create an Authentication Sequence, dictating the order of authentication profiles.  

This cannot be done. A single user can only use one authentication type.  

Create multiple authentication profiles for the same user.  


This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.
 

Question 36 of 50. 

An interface in Virtual Wire mode must be assigned an IP address.


True False

     


Question 37 of 50. 

After the installation of a new Application and Threat database, the firewall must be rebooted.
True False

     


Question 38 of 50. 

Taking into account only the information in the screenshot above, answer the following question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The BitTorrent traffic will be allowed.  

The SSH traffic will be denied.  

The SSH traffic will be allowed.  

The BitTorrent traffic will be denied.  

  

Question 39 of 50. 

Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted
WildFire virtualized sandbox?
 
MS Office doc/docx, xls/xlsx, and ppt/pptx files only  

PE and Java Applet (jar and class) only  

PDF files only  

PE files only  

 

Question 40 of 50. 

An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True False

     


Question 41 of 50. 
Which of the following must be enabled in order for User-ID to function?
 
Captive Portal Policies must be enabled.  

Security Policies must have the User-ID option enabled.  

Captive Portal must be enabled.  


User-ID must be enabled for the source zone of the traffic that is to be identified.
 

Question 42 of 50. 

In Palo Alto Networks terms, an application is:


 
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.  

A file installed on a local machine that can be detected, monitored, and/or blocked.  

Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.  

 

Question 43 of 50. 

Which of the following is NOT a valid option for built-in CLI Admin roles?
 
deviceadmin  

devicereader  

superuser  

read/write  

 

Question 44 of 50. 

Enabling "Highlight Unused Rules" in the Security Policy window will:


 
Highlight all rules that did not match traffic within an administrator-specified time period.  
Display rules that caused a validation error to occur at the time a Commit was performed.  
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
 

Question 45 of 50. 

Which type of license is required to perform Decryption Port Mirroring?


 
A subscription-based SSL Port license  

A subscription-based PAN-PA-Decrypt license  

A Client Decryption license  

A free PAN-PA-Decrypt license  

 

Question 46 of 50. 

In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
 
Virtual Router  

VLAN  

Virtual Wire  

Security Profile  

 

Question 47 of 50. 

When using Config Audit, the color yellow indicates which of the following?
 
A setting has been changed between the two config files  

A setting has been deleted from a config file.  

A setting has been added to a config file  


An invalid value has been used in a config file.  

 

Question 48 of 50. 

Which feature can be configured to block sessions that the firewall cannot decrypt?
 
Decryption Profile in PBF  

Decryption Profile in Security Policy  

Decryption Profile in Decryption Policy  

Decryption Profile in Security Profile  

 

Question 49 of 50. 

The following can be configured as a next hop in a static route:


 
Virtual Systems  

Virtual Switch  

Virtual Router  

A Policy-Based Forwarding Rule  

 

Question 50 of 50. 

Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering
Profile?
 
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).  

URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.  

Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).  

Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.  
 