Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version

ACE Exam

Question 1 of 50.

Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?

Superuser
Device Administrator
vsysadmin
A custom admin role must be created for this specific combination of rights.

Mark for follow up

Question 2 of 50.

After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False

Mark for follow up

Question 3 of 50.

Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True False

Mark for follow up

Question 4 of 50.

What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?

The default gateway of the firewall.

The local loopback address.
The MGT interface address.
Any layer 3 interface address specified by the firewall administrator.

Mark for follow up

Question 5 of 50.

Users may be authenticated sequentially to multiple authentication servers by configuring:

An Authentication Profile.
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.

Mark for follow up

Question 6 of 50.

What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved malware detection in WildFire.

Improved PAN-DB malware detection.

Improved DNS-based C&C signatures.

Improved BrightCloud malware detection.

Mark for follow up

Question 7 of 50.

In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been
compromised?

1 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Custom Signatures
App-ID Signatures
Correlation Events
Correlation Objects
Command & Control Signatures

Mark for follow up

Question 8 of 50.

Which of the following must be enabled in order for User-ID to function?

Captive Portal Policies must be enabled.

Security Policies must have the User-ID option enabled.
Captive Portal must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.

Mark for follow up

Question 9 of 50.

In which of the following can User-ID be used to provide a match condition?

Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Mark for follow up

Question 10 of 50.

In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Source User
Destination Zone

Source Zone
Destination Application

Mark for follow up

Question 11 of 50.

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:

Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.

Mark for follow up

Question 12 of 50.

Color-coded tags can be used on all of the items listed below EXCEPT:

Vulnerability Profiles
Address Objects
Zones
Service Groups

Mark for follow up

Question 13 of 50.

When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:

Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.

2 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.

Mark for follow up

Question 14 of 50.

Can multiple administrator accounts be configured on a single firewall?

Yes No

Mark for follow up

Question 15 of 50.

As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would
allow for reliable User-ID mapping while requiring the least effort to configure?

Active Directory Security Logs

Exchange CAS Security logs
WMI Query
Captive Portal

Mark for follow up

Question 16 of 50.

User-ID is enabled in the configuration of …

An Interface.
A Zone.
A Security Policy.
A Security Profile.

Mark for follow up

Question 17 of 50.

In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:

Virtual Router
VLAN
Virtual Wire
Security Profile

Mark for follow up

Question 18 of 50.

An interface in tap mode can transmit packets on the wire.

True False

Mark for follow up

Question 19 of 50.

Which of the following is a routing protocol supported in a Palo Alto Networks firewall?

EIGRP
RIPv2
ISIS
IGRP

Mark for follow up

Question 20 of 50.

WildFire may be used for identifying which of the following types of traffic?

RIPv2

3 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Malware
DHCP
OSPF

Mark for follow up

Question 21 of 50.

True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution.
True False

Mark for follow up

Question 22 of 50.

With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is
not static, the Peer ID can be a text value.
True False

Mark for follow up

Question 23 of 50.

A Config Lock may be removed by which of the following users? (Select all correct answers.)
The administrator who set it
Any administrator

Device administrators
Superusers

Mark for follow up

Question 24 of 50.

What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?

A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
The user will be redirected to a different search site that is specified by the firewall administrator.

Mark for follow up

Question 25 of 50.

True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud only.
True False

Mark for follow up

Question 26 of 50.

As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users
call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?

The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.
Some App-ID's are set with a Session Timeout value that is too low.
The File Blocking Block Page was disabled.
Application Block Pages will only be displayed when Captive Portal is configured.

Mark for follow up

Question 27 of 50.

A "Continue" action can be configured on which of the following Security Profiles?

URL Filtering and File Blocking

URL Filtering only
URL Filtering, File Blocking, and Data Filtering

4 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

URL Filtering and Anti-virus

Mark for follow up

Question 28 of 50.

Will an exported configuration contain Management Interface settings?

Yes No

Mark for follow up

Question 29 of 50.

Which of the following facts about dynamic updates is correct?

Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.

Mark for follow up

Question 30 of 50.

WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire
Analysis verdict. Choose the three correct classifications as a result of this analysis and classification?
Safeware
Malware detection

Benign
Grayware

Spyware

Adware

Mark for follow up

Question 31 of 50.

When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?

Initiating side, System log

Initiating side, Traffic log
Responding side, System Log
Responding side, Traffic log

Mark for follow up

Question 32 of 50.

In Palo Alto Networks terms, an application is:

A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Mark for follow up

Question 33 of 50.

Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS

SSH
Telnet

HTTP

Mark for follow up

5 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Question 34 of 50.

Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in PBF

Decryption Profile in Security Profile
Decryption Profile in Decryption Policy
Decryption Profile in Security Policy

Mark for follow up

Question 35 of 50.

When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy

Mark for follow up

Question 36 of 50.

As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations >
Configuration Management>....and then what operation?

Revert to Running Configuration

Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Mark for follow up

Question 37 of 50.

In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True False

Mark for follow up

Question 38 of 50.

Which statement below is True?

PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.

PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.

Mark for follow up

Question 39 of 50.

Which of the following platforms supports the Decryption Port Mirror function?

PA-3000
VM-Series 100
PA-2000
PA-4000

Mark for follow up

Question 40 of 50.

Which of the following are methods that HA clusters use to identify network outages?

Path and Link Monitoring

Link and Session Monitors
VR and VSYS Monitors

6 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Heartbeat and Session Monitors

Mark for follow up

Question 41 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of
the following conditions most likely explains this behavior?

There is no zone assigned to the interface.

The interface is not assigned a virtual router.
The interface is not assigned an IP address.
The interface is not up.

Mark for follow up

Question 42 of 50.

Which of the following statements is NOT True about Palo Alto Networks firewalls?

The default Admin account may be disabled or deleted.

System defaults may be restored by performing a factory reset in Maintenance Mode.
By default the MGT Port's IP Address is 192.168.1.1/24.
Initial configuration may be accomplished thru the MGT interface or the Console port.

Mark for follow up

Question 43 of 50.

Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
SSL Certificates
RIPv2

Domain Controller
Network Access Control (NAC) device

Mark for follow up

Question 44 of 50.

Which of the following interface types can have an IP address assigned to it?

Layer 3
Layer 2
Tap
Virtual Wire

Mark for follow up

Question 45 of 50.

As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?

Service
URL Category
Source User

7 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Application
Source Zone

Mark for follow up

Question 46 of 50.

Security policy rules specify a source interface and a destination interface.

True False

Mark for follow up

Question 47 of 50.

Both SSL decryption and SSH decryption are disabled by default.

True False

Mark for follow up

Question 48 of 50.

Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?

1000
10
50
500

Mark for follow up

Question 49 of 50.

Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution.
What is the main reason and purpose for the WildFire Hybrid solution?

The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well providing the option to send other, general files to the
WildFire Public Cloud for analysis.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal
latency while retaining data privacy.
The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription.
The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.

Mark for follow up

Question 50 of 50.

Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as…

Once every 15 minutes

Once an hour
Once a day
Once a week

Mark for follow up

Save / Return Later Summary

8 of 8 8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...

Test results are summarized below. Change the view to see only Correct or Incorrect questions.

Review Test Questions

View: All Questions Correct Questions Incorrect Questions (50 Results) 1 2 3

ID Question Correct

6781 A "Continue" action can be configured on which of the following Security Profiles? Correct

A Config Lock may be removed by which of the following users? (Select all correct
6786 Correct
answers.)

7947 After the installation of a new version of PAN-OS, the firewall must be rebooted. Correct

7942 An interface in tap mode can transmit packets on the wire. Correct

As a Palo Alto Networks firewall administrator, you have made unwanted changes to the
7954 Candidate configuration. These changes may be undone by Device > Setup > Operations Correct
> Configuration Management>....and then what operation?

As the Palo Alto Networks Administrator responsible for User-ID, you need to enable
7979 mapping of network users that do not sign-in using LDAP. Which information source Incorrect
would allow for reliable User-ID mapping while requiring the least effort to configure?

As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web-based application,
7984 Incorrect
users call the Help Desk to complain about network connectivity issues. What is the
cause of the increased number of help desk calls?

7953 Both SSL decryption and SSH decryption are disabled by default. Correct

7994 Can multiple administrator accounts be configured on a single firewall? Correct

8062 Color-coded tags can be used on all of the items listed below EXCEPT: Correct

In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in
7952 Correct
order to process traffic.

In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall,
8756 Correct
you need a:

8751 In Palo Alto Networks terms, an application is: Incorrect

In PAN-OS 6.0 and later, which of these items may be used as match criterion in a
8741 Incorrect
Policy-Based Forwarding Rule? (Choose 3.)

Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates
8731 Correct
for malware signatures to be distributed as often as…

1 of 2 8/8/2016 3:38 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...

ID Question Correct

8721 In which of the following can User-ID be used to provide a match condition? Correct

Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and
7944 Correct
Role-Based (customized user roles) for Administrator Accounts.

7945 Security policy rules specify a source interface and a destination interface. Correct

Taking into account only the information in the screenshot above, answer the following
8072 question: A span port or a switch is connected to e1/4, but there are no traffic logs. Incorrect
Which of the following conditions most likely explains this behavior?

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
8711 Correct
provides:

Close

2 of 2 8/8/2016 3:38 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...

Test results are summarized below. Change the view to see only Correct or Incorrect questions.

Review Test Questions

View: All Questions Correct Questions Incorrect Questions (50 Results) 1 2 3

ID Question Correct

8651 User-ID is enabled in the configuration of … Correct

Users may be authenticated sequentially to multiple authentication servers by

8696 Correct
configuring:

What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is
8681 Incorrect
chosen on the firewall? (Select all correct answers.)

What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut
8676 Correct
off communication?

What will be the user experience when the safe search option is NOT enabled for Google
8646 Correct
search but the firewall has "Safe Search Enforcement" Enabled?

When configuring a Decryption Policy rule, which option allows a firewall administrator
8636 Incorrect
to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall,
8596 Incorrect
the order of evaluation within a profile is:

When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be
8586 Correct
most informative?

8576 Which feature can be configured to block sessions that the firewall cannot decrypt? Correct

8551 Which of the following are methods that HA clusters use to identify network outages? Correct

Which of the following can provide information to a Palo Alto Networks firewall for the
8541 Incorrect
purposes of User-ID? (Select all correct answers.)

8490 Which of the following facts about dynamic updates is correct? Correct

8531 Which of the following interface types can have an IP address assigned to it? Correct

8556 Which of the following is a routing protocol supported in a Palo Alto Networks firewall? Correct

8516 Which of the following must be enabled in order for User-ID to function? Correct

8500 Which of the following platforms supports the Decryption Port Mirror function? Correct

1 of 2 8/8/2016 3:39 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...

ID Question Correct

Which of the following services are enabled on the MGT interface by default? (Select all
8495 Correct
correct answers.)

8485 Which of the following statements is NOT True about Palo Alto Networks firewalls? Correct

Which pre-defined Admin Role has all rights except the rights to create administrative
8466 Correct
accounts and virtual systems?

8420 Which statement below is True? Correct

Close

2 of 2 8/8/2016 3:39 PM