Empowering People: paloaltonetworks
Test Accredited Configuration Engineer (ACE) Exam PAN-OS 6.0 Version
ACE Exam
Question 1 of 50.
Which of the following statements is NOT True regarding a Decryption Mirror interface?
Supports SSL outbound
Supports SSL inbound
Can be a member of any VSYS
Requires superuser privilege
Question 2 of 50.
How do you reduce the amount of information recorded in the URL Content Filtering Logs?
Enable "Log container page only".
Disable URL packet captures.
Enable URL log caching.
Enable DSRI.
Question 3 of 50.
Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv1
ISIS
RSTP
Question 4 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as
1/20/2015
Question 5 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True
False
Question 6 of 50.
Which of the following CANNOT use the source user as a match criterion?
DoS Protection
Security Policies
QoS
Antivirus Profile
Policy Based Forwarding
Question 7 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
Device administrators
Any administrator
The administrator who set it
Superusers
Question 8 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The BitTorrent traffic will be denied.
The SSH traffic will be allowed.
The BitTorrent traffic will be allowed.
The SSH traffic will be denied.
Question 9 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True
False
Question 10 of 50.
What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for the action setting?
A Data Filtering profile with possible actions of Forward or Continue and Forward.
A Vulnerability Protection profile with the possible action of Forward.
A File Blocking profile with possible actions of Forward or Continue and Forward.
A URL Filtering profile with the possible action of Forward.
Question 11 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True
False
Question 12 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
To permit syslogging of User Identification events.
To pull information from other network resources for User-ID.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
Question 13 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PE and Java Applet (jar and class) only
PE files only
PDF files only
Question 14 of 50.
What is the function of the GlobalProtect Portal?
To maintain the list of GlobalProtect Gateways and specify HIP data that the agent should report.
To load balance GlobalProtect client connections to GlobalProtect Gateways.
To maintain the list of remote GlobalProtect Portals and the list of categories for checking the client machine.
To provide redundancy for tunneled connections through the GlobalProtect Gateways.
Question 15 of 50.
Which of the following interface types can have an IP address assigned to it? (Select all correct answers.)
Layer 3
Layer 2
Tap
Virtual Wire
Question 16 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
The next available address in the configured pool is used, and the source port number is changed.
A single IP address is used, and the source port number is unchanged.
A single IP address is used, and the source port number is changed.
The next available IP address in the configured pool is used, but the source port number is unchanged.
Question 17 of 50.
WildFire may be used for identifying which of the following types of traffic?
RIPv2
DHCP
OSPF
Malware
Question 18 of 50.
Which link is used by an Active/Passive cluster to synchronize session information?
The Uplink
The Control Link
The Management Link
The Data Link
Question 19 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
Multiple RADIUS servers sharing a VSA configuration.
A custom Administrator Profile.
An Authentication Sequence.
An Authentication Profile.
Question 20 of 50.
Which statement about config locks is True?
A config lock can be removed only by a superuser.
A config lock will expire after 24 hours, unless it was set by a superuser.
A config lock can only be removed by the administrator who set it or by a superuser.
A config lock can be removed only by the administrator who set it.
Question 21 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Profile
Decryption Profile in PBF
Decryption Profile in Decryption Policy
Decryption Profile in Security Policy
Question 22 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True
False
Question 23 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
Some App-ID's are set with a Session Timeout value that is too low.
Application Block Pages will only be displayed when Captive Portal is configured.
The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to policy.
The File Blocking Block Page was disabled.
Question 24 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Question 25 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
Any layer 3 interface address specified by the firewall administrator.
The MGT interface address.
The local loopback address.
The default gateway of the firewall.
Question 26 of 50.
Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.
Question 27 of 50.
Security policies specify a source interface and a destination interface.
True
False
Question 28 of 50.
Enabling "Highlight Unused Rules" in the Security Policy window will:
Highlight all rules that did not match traffic within an administrator-specified time period.
Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Display rules that caused a validation error to occur at the time a Commit was performed.
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Question 29 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Responding side, Traffic log
Responding side, System Log
Initiating side, Traffic log
Initiating side, System log
Question 30 of 50.
In PAN-OS 6.0, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall's policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.
Question 31 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
When creating the policy, ensure that web-browsing is included in the same rule.
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Create an additional rule that blocks all other traffic.
Question 32 of 50.
When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.
Question 33 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No
Question 34 of 50.
An interface in tap mode can transmit packets on the wire.
True
False
Question 35 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
EIGRP
RIPv2
IGRP
ISIS
Question 36 of 50.
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Question 37 of 50.
Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To enable this feature within the GUI go to
Network > Network Profiles > Zone Protection
Objects > Zone Protection
Interfaces > Interface Number > Zone Protection
Policies > Profile > Zone Protection
Question 38 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
deviceadmin
superuser
read/write
devicereader
Question 39 of 50.
In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles
Question 40 of 50.
A user complains that she is no longer able to access a needed work application after the administrator implemented vulnerability and anti-spyware profiles. How best can the administrator resolve this issue so the user will once again have access to the needed application?
In the vulnerability and anti-spyware Profiles, create an application exemption for the group's application.
Check the Threat Log and locate an event showing the user's application being blocked. Using the source IP address displayed in that event, create an IP address-based exemption for the group that the user is a member of.
Create a custom Security Policy for this user so that she will be able to access the required application. Be sure not to apply the vulnerability and anti-spyware profiles to this policy.
Create and enable an Application Override Policy, specifying the port used by this application.
Question 41 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True
False
Question 42 of 50.
User-ID is enabled in the configuration of
A Security Policy.
An Interface.
A Zone.
A Security Profile.
Question 43 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved malware detection in WildFire.
Improved DNS-based C&C signatures.
Improved PAN-DB malware detection.
Improved BrightCloud malware detection.
Question 44 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000
Question 45 of 50.
What is the result of an Administrator submitting a WildFire report's verdict back to Palo Alto Networks as Incorrect?
You will receive an update within 15 minutes.
The signature will be updated for False positive and False negative files in the next AV signature update.
The signature will be updated for False positive and False negative files in the next Application signature update.
You will receive an email to disable the signature manually.
Question 46 of 50.
Which of the following facts about dynamic updates is correct?
Threat and URL Filtering updates are released daily. Application and Antivirus updates are released weekly.
Antivirus updates are released daily. Application and Threat updates are released weekly.
Application and Antivirus updates are released weekly. Threat and Threat and URL Filtering updates are released weekly.
Application and Threat updates are released daily. Antivirus and URL Filtering updates are released weekly.
Question 47 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
Question 48 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
The rule with the highest rule number is applied.
First match applied.
Last match applied.
Most specific match applied.
Question 49 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
System defaults may be restored by performing a factory reset in Maintenance Mode.
The Admin account may be disabled.
Initial configuration may be accomplished thru the MGT interface or the Console port.
The Admin account may not be disabled.
Question 50 of 50.
When configuring User-ID on a Palo Alto Networks firewall, what is the proper procedure to limit User mappings to a particular DHCP scope?
In the zone in which User Identification is enabled, select the "Restrict Allocated IP" checkbox.
In the zone in which User Identification is enabled, create a User Identification ACL Include List using the same IP ranges as those allocated in the DHCP scope.
Under the User Identification settings, under the User Mapping tab, select the "Restrict Users to Allocated IP" checkbox.
In the DHCP settings on the Palo Alto Networks firewall, point the DHCP Relay to the IP address of the User-ID agent.