ACE Exam
Question 1 of 50.
2. Virtual Systems
3. Virtual Router
Question 2 of 50.
Question 3 of 50.
2. PAN-OS uses BrightCloud as its default URL Filtering database, but also
supports PAN-DB.
4. PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks
firewall, the order of evaluation within a profile is:
4. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories,
Predefined categories.
Question 5 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most
cases, the Peer ID is just the public IP address of the device. In situations where
the public IP address is not static, the Peer ID can be a text value.
True
False
Question 6 of 50.
1. There must be a security policy from Internet zone to trust zone that
allows ping.
Question 7 of 50.
Which feature can be configured to block sessions that the firewall cannot
decrypt?
Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same
interface type.
True
False
Question 9 of 50.
Which of the following would be a reason to use the PAN-OS XML API to
communicate with a Palo Alto Networks firewall?
Question 10 of 50.
Which of the following statements is NOT True about Palo Alto Networks
firewalls?
Question 11 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True
False
Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select
all correct answers.)
3. Applications
4. Anti-virus
Question 13 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
1. Address Objects
2. Service Groups
3. Zones
4. Vulnerability Profiles
Question 14 of 50.
True
False
Question 15 of 50.
True
False
Question 16 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks
firewall, you need a:
1. Virtual Router
2. VLAN
3. Virtual Wire
Question 17 of 50.
True
False
Question 18 of 50.
Question 19 of 50.
Taking into account only the information in the screenshot above, answer the
following question. Which applications will be allowed on their standard ports?
(Select all correct answers.)
1. BitTorrent
2. Gnutella
3. Skype
4. SSH
Question 20 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which
of the following statements is True?
2. The firewall resolves the FQDN first when the policy is committed, and
resolves the FQDN again each time Security Profiles are evaluated.
3. The firewall resolves the FQDN first when the policy is committed,
and resolves the FQDN again at DNS TTL expiration.
Question 21 of 50.
1. An Authentication Sequence.
4. An Authentication Profile.
Question 22 of 50.
Yes
No
Question 23 of 50.
When using Config Audit, the color yellow indicates which of the following?
4. An invalid value has been used in a config file.
Question 24 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory,
etc.), what must be done to allow a user to authenticate through multiple
methods?
1. Create an Authentication Sequence, dictating the order of
authentication profiles.
3. This cannot be done. A single user can only use one authentication type.
Question 25 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will
be most informative?
Question 26 of 50.
1. A Zone.
2. A Security Profile.
3. An Interface.
4. A Security Policy.
Question 27 of 50.
What will the user experience when attempting to access a blocked hacking
website through a translation service such as Google Translate or Bing
Translator?
Question 28 of 50.
When you have created a Security Policy Rule that allows Facebook, what must
you do to block all other web-browsing traffic?
Question 29 of 50.
True
False
Question 30 of 50.
Question 31 of 50.
Which of the following interface types can have an IP address assigned to it?
1. Layer 3
2. Layer 2
3. Tap
4. Virtual Wire
Question 32 of 50.
What are the benefits gained when the "Enable Passive DNS
Monitoring" checkbox is chosen on the firewall? (Select all correct
answers.)
Question 33 of 50.
True
False
Question 34 of 50.
Question 35 of 50.
4. The next available address in the configured pool is used, and the source
port number is changed.
Question 36 of 50.
2. System Logs and the indicator light under the User-ID Agent
settings in the firewall.
Question 37 of 50.
Which pre-defined Admin Role has all rights except the rights to create
administrative accounts and virtual systems?
1. Superuser
2. Device Administrator
4. Vsysadmin
Question 38 of 50.
True
False
Question 39 of 50.
Question 40 of 50.
Question 41 of 50.
Yes
No
Question 42 of 50.
1. DoS Protection
2. Security Policies
3. Anti-virus Profile
5. QoS
Question 43 of 50.
2. User-ID must be enabled for the source zone of the traffic that is
to be identified.
Question 44 of 50.
True
False
Question 45 of 50.
When configuring the firewall for User-ID, what is the maximum number
of Domain Controllers that can be configured?
1. 50
2. 100
3. 10
4. 150
Question 46 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in
user roles) and Role-Based (customized user roles) for Administrator
Accounts.
True
False
Question 48 of 50.
1. SSH Proxy
Question 49 of 50.
1. Security Policies
2. NAT Policies
4. Threat Profiles
Question 50 of 50.
In PAN-OS 6.0, rule numbers are:
1. Numbers that specify the order in which security policies are
evaluated.
Q 52: If the Forward Proxy Ready shows no when running the command show
system setting ssl-decrypt setting, what is most likely the cause?
1. Create a DNS Proxy Object with a default DNS Server for external
resolution and a DNS server for internal domain. Then, in the
device settings, point to this proxy object for DNS resolution.
2. In the device settings define internal hosts via a static list.
3. In the device settings set the Primary DNS server to an external server and
the secondary to an internal server.
4. Create a DNS Proxy Object with a default DNS Server for external
resolution and a DNS server for internal domain. Then, in the device
settings, select the proxy object as the Primary DNS and create a custom
security rule which references that object for
Q 58: With PAN-OS 5.0, how can a common NTP value be pushed to a cluster
of firewalls?