Palo Alto Networks PANOS 4.

0 ACE Examine
No.
1.

2.

Question

Ans.

For non-Microsoft clients, what Captive Portal method is supported?

A.

Local Database

B.

User Agent

C.

Web Form Captive Portal

D.

NTLM Auth

Which statement accurately reflects the functionality of using regions as objects in Security policies?
A.

The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. Both predefined regions and custom regions can be used in the Source
User field.

B.

Predefined regions are provided for countries, not but not for cities. The administrator can set up custom
regions, including latitude and longitude, to specify the geographic position of that particular region.

C.

Regions cannot be used in the Source User field of the Security Policies, unless the administrator has
set up custom regions.

D.

The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. These custom regions can be used in the Source User field of the
Security Policies.

3.

When using 802.1Q with aggregate links, what TAG-ID must be configured on the virtual wire in order

for LACP on a Cisco switch to operate properly?

4.

A.

B.

C.

D.

What happens on URL license expiration?

A.

URL database no longer update; category actions still effective

B.

URL database no longer used; HTTP traffic is allowed or blocked by configuration per URL Filtering

Profile

5.

C.

URL database no longer used; applicable traffic is blocked

D.

URL database no longer used; applicable traffic is allowed

For correct routing to SSL VPN clients to occur, the following must be configured:

A.

A static route on the next-hop gateway of the SSL VPN client IP pool with a distination of the PAN device

B.

No routing needs to be configured the PAN device automatically responds to ARP requests for the SSL
VPN client IP pool

C.

A dynamic routing protocol between the PAN device and the next-hop gateway to advertise the SSL VPN
client IP pool

D.

Network Address Translation must be enable for the SSL VPN client IP pool

Palo Alto ACE 4.0 Exam

Page.1 / 12

6.

Youd like to schedule a firewall policy to only allow a certain application during a particular time of day.

Where can this policy option be configured?

7.

A.

Policies / Application

B.

Policies / Options column

C.

Policies / Profile

D.

Policies / Service

A customer would like to identify any TCP port scans or UDP ports scans traversing their network links.

Where can this type of security policy be configured?

8.

9.

10.

11.

12.

A.

Policies / Profile / Zone Protection

B.

Interfaces / Interface number / Zone Protection

C.

Objects / Zone Protection

D.

Network / Network Profiles / Zone Protection

With SSH decryption enabled, the SCP application will be identified as:
A.

sftp

B.

scp

C.

ssh

D.

ssh-tunnel

Which best describes the firewall rules to be applied to a session?

A.

all matches applied

B.

last match applied

C.

first match applied

D.

most specific match applied

The following can be configured as a next hop in a Static Route:

A.

A Policy-Based Forwarding Rule

B.

A Dynamic Routing Protocol

C.

Virtual System

D.

Virtual Router

Which of the following can be configured as a next hop in a Policy-Based Forwarding Rule:
A.

Virtual Router

B.

A Dynamic Routing Protocol

C.

A Redistribution Profile

D.

Virtual System

For a security policy to allow inbound NATed traffic to a web server with a private IP address in the trust

zone, the entry in the Destination Address column of the security rule should be based on the private IP
address of the web server.
A.

True

B.

False

Palo Alto ACE 4.0 Exam

Page.2 / 12

13.

The Drive-By Download protection feature, under File Blocking profiles in Contend-ID, provides:
A.

an administrator the ability to leverage Authentication Profiles in order to protect against unwanted
downloads.

B.

Password-protected access to specific file downloads, for authorized users.

C.

Increased speed on the downloads of the allowed file types.

D.

Protection against unwanted downloads, by alerting the user with a response page indicating that a file is
going to be downloaded.

14.

15.

What is the currect policy to most effectively block Skype?

A.

Block Skype-probe, block Skype

B.

Allow Skype, block Skype-probe

C.

Allow Skype-probe, block Skype

D.

Block Skype

If a customer has a group of users that are evenly distributed between both LDAP and RADIUS, how

can you ensure that a Palo Alto networks firewall will always check both user databases when
identifying users?

16.

17.

A.

Use two authentication profiles and two Captive Portal policies

B.

Employ an Authentication Sequence which references two authentication profiles, the preferred order.

C.

Use User-ID agent for LDAP and Captive Portal for RADIUS

D.

Use two Captive Portal Policies, one which utilizes LDAP, one which utilizes RADIUS

HA path monitoring can be configured in Virtual Wire mode.

A.

True

B.

False

Thre best practice to advertise an interface IP via OSPF without it acting as an OSPF neighbor and

without it creating unnecessary Type 5 LSAs is:

18.

A.

Configure the interface as a passive OSPF interface

B.

Configure a static route and configure a routing policy to import the static route into the OSPF area

C.

Configure the interface as a Virtual Link

D.

Configure a routing policy to import the connected subnet into the OSPF area

Botnet Detection, under the Minitor tab, will accomplish the following:
A.

To block the installation of Botnets through an advanced deep-packet inspection algorithm.

B.

Prevent Botnet-infect client computers from responding to Command and Control data.

C.

Provide the administrator with packet captures that can be used later to create custom signatures for

preventing unknown botnets.

D.

Present a report of known bonnets, based upon conditions stipulated by the administrator, found over a
period of time.

19.

What happens at the point of Threat Prevention license expiration?

A.

Threat Prevention is no longer used; applicable traffic is allowed

B.

Threat Prevention no longer used; applicable traffic is blocked

C.

Threat prevention no longer updated; existing database still effective

D.

Threat Prevention no longer used; traffic is allowed or blocked by configuration per Security Rule

Palo Alto ACE 4.0 Exam

Page.3 / 12

20.

21.

Which local interface cannot be assigned to IKE gateway?

A.

Tunnel

B.

Loopback

C.

L3

D.

VLAN

In QoS, which of the following would be the highest priority traffic from the options listed below on a

saturated 100Mbps link?

22.

A.

Class 1 traffic, set to high and guaranteed 1 Mbps.

B.

Class 8 traffic, set to real time.

C.

Class 8 traffic, set to real time and guaranteed 1 Mbps

D.

Class 1 traffic, set to high.

If a customer has 1 forest with 3 domains and wants a resilient PAN Agent deployment, what is the most

appropriate agent architecture?

23.

A.

Two agents deployed on virtual servers on a server within the forest

B.

Agents deployed on two separate servers within the forest

C.

Two agents deployed per domain, on separate servers

D.

An agent deployed on a server within each domain

When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best answer
A.

To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine

B.

To apply Global server Load Balancing to Global Protect clients to other GlobalProtect Portals or

Gateways.

24.

C.

To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine

D.

To load balance GlobalProtect client connections to GlobalProtect Gateways

It is possible to use different SSL forward proxy certificaties for different vsys in a multi-vsys

environment.

25.

26.

A.

True

B.

False

Which of the following types of protection are available in DoS policy?

A.

Session Limit, Port Scanning, Host Swapping, UDP Flood

B.

Session Limit, SYN Flood, Host Swapping, UDP Flood

C.

Session Limit, SYN Flood, Port Scanning, Host Swapping

D.

Session Limit, SYN Flood, UDP Flood

To reduce the amount of URL logs generated you can configure:

A.

The following CLI command: set system url-log-length 256

B.

A URL Filtering Profile with Log container page only enabled

C.

A URL Filtering Profile with Dynamic URL Filtering enable

D.

A URL Filtering Profile with the block list set to Alert

Palo Alto ACE 4.0 Exam

Page.4 / 12

27.

When creating a custom vulnerability profile and selecting Block IP as the action, how long will the IP

address be blocked?

28.

A.

Configurable from one second to one hour

B.

Configurable from one second to two hours

C.

Two Hours

D.

One Hours

To properly configure DOS protection to limit the number of sessions individually from specific source

IPs you would configure a DOS Protection rule with the following characteristics:
A.

Action: Deny, Aggregate Profile with Resources Protection configured

B.

Action: Protect, Clasified Profile with Resources Protection configured, and Classified Address with
source-ip-only configured

C.

Action: Protect, Aggregate Profile with Resources Protection configured

D.

Action: Deny, Classified Profile with Resources Protection configured, and Classified Address with
source-ip-only configured

29.

A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption

capabilities.

30.

A.

True

B.

False

When Network Address Translation has been performed on traffic, Destination Zones in Security rules

should be based on:

31.

32.

33.

A.

Post-NAT address

B.

the same zones used in the NAT rules

C.

Pre-NAT Address

D.

None of the above

Which of the following fields is not available in DoS policy?

A.

Application

B.

Service

C.

Destination Zone

D.

Source Zone

When a user logs in via Captive Portal, their user information is checked against:
A.

Radius

B.

Kerberos

C.

Local database

D.

Active Directory

Which of the following is not defined or assigned as part of the security rules?
A.

NAT rules

B.

Applications

C.

Security profiles

D.

File Blocking profile

Palo Alto ACE 4.0 Exam

Page.5 / 12

34.

Which one of the options describes the sequence of the GlobalProtect agent connecting to a Gateway?
A.

The agent connect to the portal, obtains a list of the Gateways, and connects to the Gateway with the
fastest SSL connect time

B.

The agent connects to the portal and randomly establishes connect to the first available Gateway

C.

The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the
fastest PING response time

D.
35.

36.

37.

The agent connects to the closet Gateway and send the HIP report to the portal

With SSH decryption enabled, X-Window forwarding will be identified as:

A.

ssh-tunnel

B.

rdp

C.

xwindow

D.

ssh

Users can be authenticated serially to multiple authentication servers by configuring:

A.

A custom Administrator Profile

B.

Authentication Profile

C.

Authentication Sequence

D.

Multiple RADIUS Servers sharing a VSA configuration

Which of the following are necessary components of a GlobalProtect solution?

A.

GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, Globalprotect Server

B.

GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Server

C.

GlobalProtect Gateway, GlobalProtect netConnect, GlobalProtect Agent, GlobalProtect Portal,

GlobalProtect Server
D.
38.

GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal

To allow the PAN device to resolve internal and external DNS host names for reporting and for security

policy, an administrator can do the following:

A.

Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for
internal domain. Then, in the device settings, select the proxy object as the Primary DNS and create a
custom security rule which references that object for

B.

In the device setting define internal hosts via a static list.

C.

Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for
internal domain. Then, in the device settings, point to this proxy object for DNS resolution.

D.

In the device settings set the Primary DNS server to an external server and the secondary to an internal
server.

39.

On a PA-4050 with tap interfaces configured on one copper port and one fiber port, how many virtual

wires can be configured using the remaining ports?

A.

12

B.

11

C.

10

D.

Palo Alto ACE 4.0 Exam

Page.6 / 12

40.

41.

An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?
A.

Virtual Wire

B.

L3

C.

L2

D.

Tap

Which of the following represents potential HTTP traffic events that can be used to identify potential

Botnets?
A.

Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 30 days, Downloading executable files from unknown URLs

B.

Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have be registereded in the last 60 days, downloading executable files from unknown URLs

C.

Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have be registereded in the last 60 days, downloading executable files from unknown URLs,
IRC-based Command and Control traffic

D.

Traffic from users that browse to IP addresses instead of fully-qualified domain names, downloading
W32.Welchia.Worm from a Windows share, traffic to domain that have been registered in the last 30
days, downloading executable files from unknown URLs

42.

43.

How many bytes of the URL are captured in the URL log?
A.

2047

B.

1023

C.

511

D.

255

In the event that the show proxy setting command displays a ready state of no, what is most likely

the cause?

44.

A.

SSL decryption rule is not create

B.

SSL forward proxy certificate is no generated

C.

Web interface certificate is no generated

D.

Forward proxy license is not enable on the box

Which of the following are accurate statements describing the HA3 link in an Active-Active HA

deployment?

45.

A.

HA3 is used to handle asymmetric routing, HA3 is the data link

B.

HA3 is a Layer 2 link, HA3 is used to handle asymmetric routing

C.

HA3 is used for session synchronization, HA3 is a Layer 2 link

D.

HA3 is the control link, HA3 is a layer 2 link

The maximum number of interfaces that can be configured in a single Virtual Wire object is:
A.

B.

C.

D.

Palo Alto ACE 4.0 Exam

Page.7 / 12

46.

If you want to prevent client PCs using SSH port-forwarding to bypass firewall enforcement, what is the

best way of accomplishing this ?

47.

A.

Enable SSH decryption, block SSH traffic

B.

Enable SSH decryption, block SSH tunnel traffic

C.

Enable SSL decryption, block SSH tunnel traffic

D.

Enable SSL decryption, block SSH traffic

Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they

would like?

48.

A.

Always On Mode

B.

Single Sign-On Mode

C.

Optional Mode

D.

On Demand Mode

Which two statements are true about the Session Owner device in an Active/Active HA pair?
A.

The Session Owner performs all Layer 3 and Layer 4 packet processing, the Session owner is
responsible for generating traffic logs

B.

The Session Owner is responsible for generate traffic logs, the Active Primary device is always the
Session Owner.

C.

The Session owner performs Layer 3 and Layer 4 packet processing, the Active Primary device is always
the Session Owner

D.
49.

50.

51.

The Session Owner does all Layer 7 processing, The Active Primary device is always the Session Owner

A Continue action can be configured on the following Security Profiles:

A.

URL Filtering and Antivirus

B.

URL Filtering, File Blocking and Data Filtering

C.

URL Filtering and File Blocking

D.

URL Filtering

The Disable Server Return Inspection option on a security profile:

A.

can only be configured in Tap Mode

B.

performs higher-level inspection of traffic from the side that originated the TCP SYN packet

C.

does not perform higher-level inspection of traffic from the side that originated the TCY SYN packet

D.

performs high-level inspection of traffic from the side that originated the TCP SYN-ACK packet

What needs to be done prior to committing a configuration in Panorama after making a change via the

CLI or web interface on a device?

52.

A.

No additional actions required

B.

Re-import the configuration from the device into Panorama

C.

Synchronize the configuration between the device and Panorama

D.

Make the same change again via Panorama

Which of the following answers represents a group of address objects that can be used in a PANOS 4.0

Security rule?
A.

IP netmask, FQDN, IP Range, VLAN

B.

FQDN, IP range, VLAN

C.

IP Netmask, IP range, VLAN

D.

IP Netmask, IP range, FQDN

Palo Alto ACE 4.0 Exam

Page.8 / 12

53.

54.

What is the default action against virus detection over SMTP protocol?
A.

None

B.

Alert

C.

Reset

D.

Drop

What rights to the domain does the Terminal Services Agent require in order to identify users on a

terminal server?

55.

56.

57.

58.

59.

60.

A.

Domain Admin

B.

Domain User

C.

Does not need Domain permissions

D.

Read access to the Security logs

In order to route between layer 3 interfaces on the PAN firewall you need:
A.

Virtual Router

B.

Security Profile

C.

Vwire

D.

VLAN

What is required to configure multiple Phase 2 IPSec VPN tunnels to the same Phase 1 gateway?
A.

Multiple P2 tunnels with different Peer IDs on the same tunnel interfaces

B.

Multiple P2 tunnels with different Proxy IDs on different tunnel interfaces

C.

Multiple P2 tunnels with different Proxy IDs on the same tunnel interface

D.

Multiple tunnel interfaces

Active/Active HA can be configured to provide:

A.

Redundant Virtual routers

B.

Support for asymmetric routing environments

C.

Lower fail-over times

D.

Higher session count

What can you enable the Dynamic URL Filtering option?

A.

Under Device / Licenses / URL Filtering

B.

In the Zone Protection Profile settings

C.

In the URL Filtering security profile object

D.

In the zone configuration that includes the interface for the URL filtered traffic

Which of the following are valid HA states in an Active/Active High Availability deployment?
A.

Active Tentative, Tentative, Non-functional

B.

Active Primary, Tentative, Non-functional

C.

Active Primary, Active Tentative, Tentative

D.

Active Primary, Active Tentative, Non-functional

What option should be configured when using User Identification?

A.

Enable User Identification per Zone

B.

Enable User Identification per Security Rule

C.

Enable User Identification per interface

D.

None of the above

Palo Alto ACE 4.0 Exam

Page.9 / 12

61.

62.

Which of the following licenses is necessary in order to provide more accurate Botnet reporting?
A.

GlobalProtect Gateway License

B.

Virtual System License

C.

URL-Filtering License

D.

Threat Prevention License

When using Panorama, how much storage capacity is available for logs? Select the best answer:
A.

A 160GB virtual drive is attached by default to the Panorama VM; virtually unlimited storage can be
implemented via an NFS mount.

B.

A 2TB virtual drive is attached by default to the Panorama VM; this drive must be mounted via NFS

C.

VMware allows unlimited storage to the Panorama VM; an NFS mount can be added to offload the
storage to another server

D.

VMware allows 2 TB of locally attached storage, but an NFS mount can be added for virtually unlimited
storage

63.

When forwarding multicast packets in L2 mode, we can configure security policies to match on

multicast IP address.

64.

A.

True

B.

False

With URL filtering, the order of checking within a profile is 1) allow list; 2) block list; 3) Custom

categories; 4) Pre-defined categories

65.

66.

A.

True

B.

False

Which of the following can be configured as a next hop in a Policy-Based Forwarding Rule:
A.

A Redistribution Profile

B.

Virtual System

C.

A Dynamic Routing Protocol

D.

Virtual Router

When configuring Security rules based on FQDN objects, which of the following statements are true?
A.

The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The
resolution of this FQDN stores up to 10 different IP addresses.

B.

The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.
There is no limit on the number of IP addresses stored for each resolved FQDN.

C.

The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security
rules are evaluated.

D.

In order to create FQDN-based objects, you need to manually define a list of associated IP. Up to 10 IP
address can be configured for each FQDN entry.

67.

Youve installed and configured a User Identification Agent on a remote computer, but when the agent

user interface is launched the message Connection Failed is shown and no usernames are resolved.
What is the most likely cause of this problem?
A.

The User Identification Agent timeout values are not configured correctly.

B.

The User Identification Agent cannot communicate to the firewall

C.

The User Identification Agent software did not install properly.

D.

The User Identificaiton Agent service does not have read permission to the Active Directory Security log

Palo Alto ACE 4.0 Exam

Page.10 / 12

68.

69.

70.

In Active/Active HA environments, redundancy for the HA3 interface can be achieved by

A.

Configuring HA3 in a redundant group

B.

Configuring multiple HA3 interfaces

C.

Configuring a corresponding HA4 interface

D.

Configuring HA3 as an Aggregate Ethernet bundle

What is the CLI command that will initiate all IPsec VPN tunnels on a device?
A.

set vpn all up

B.

test vpn ike-sa

C.

request vpn IPsec-sa test

D.

test vpn IPsec-sa

When creating an application filter, which of the following characteristics cannot be selected as a

match?

71.

72.

73.

74.

75.

76.

A.

Excessive bandwidth

B.

Used by malware

C.

Transfers files

D.

Excessive sessions

In PANOS 4.0 or greater, which of the following is an accurate statement in regard to support for IPv6?
A.

PANOS supports Content ID in IPv6, but only in Layer 3 Mode.

B.

Threat Prevention capabilities are not supported in IPv6.

C.

User ID is only supported in IPv6 when the Palo Alto Networks firewall is deployed in Vwire mode.

D.

PANOS supports dual-stack IP. for IPv4 and IPv6. This includes Virtual Wire and Layer 3 deployments.

A traffic log entry with an Application of incomplete means:

A.

The App-ID engine could not find a matching application

B.

The TCP SYN-ACK response packet was not seen before the session timed out

C.

An invalid SSL certificate is in use

D.

Captive Portal has not been configured property

The following routing protocols are supported on the Palo Alto Networks platform:
A.

RIPv1

B.

ISIS

C.

BGP

D.

RSTP

A tunnel interface can only support one IP-Sec tunnel.

A.

True

B.

False

A different SSL inbound certificate can be added for a different SSL inbound decryption rule.
A.

True

B.

False

When loading SSL inbound certificates via the web interface, the dataplane must be restarted befor

they take effect.

A.

True

B.

False

Palo Alto ACE 4.0 Exam

Page.11 / 12

77.

In order to generate a scheduled report in panorama, you must forward logs from the device to

Panorama?

78.

A.

True

B.

False

All management services must communicate through the MGT interface on a Palo Alto Networks

firewall.

79.

80.

A.

True

B.

False

Security Profiles can be configured in Application Override policies.

A.

True

B.

False

If an HTTP application is misclassified, the only option is to submit a new application request to Palo

Alto Networks.
A.

True

B.

False

Palo Alto ACE 4.0 Exam

Page.12 / 12