You are on page 1of 112

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version


ACE Exam

Question 1 of 50.
Which link is used by an Active/Passive cluster to synchronize session information?
The Data Link
The Control Link
The Uplink
The Management Link
Mark for follow up

Question 2 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed

Mark for follow up

Question 3 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True

False

Mark for follow up

Question 4 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
deviceadmin
devicereader
superuser
read/write
Mark for follow up

Question 5 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most
likely reason for the lack of response?
There is a Security Policy that prevents ping.
There is no route back to the machine originating the ping.
There is no Management Profile.
The interface is down.

1 of 9

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Question 6 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would
allow for reliable User-ID mapping while requiring the least effort to configure?
WMI Query
Captive Portal
Active Directory Security Logs
Exchange CAS Security logs
Mark for follow up

Question 7 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users
call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
The File Blocking Block Page was disabled.
Some App-ID's are set with a Session Timeout value that is too low.
Application Block Pages will only be displayed when Captive Portal is configured.
The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.
Mark for follow up

Question 8 of 50.
The following can be configured as a next hop in a static route:
Virtual Systems
Virtual Switch
Virtual Router
A Policy-Based Forwarding Rule
Mark for follow up

Question 9 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Mark for follow up

Question 10 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Always 10 megabytes.
Always 2 megabytes.
Configurable up to 10 megabytes.
Configurable up to 2 megabytes.
Mark for follow up

Question 11 of 50.
Security policy rules specify a source interface and a destination interface.
True

False

Mark for follow up

Question 12 of 50.

2 of 9

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.
Mark for follow up

Question 13 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True

False

Mark for follow up

Question 14 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True

False

Mark for follow up

Question 15 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Zones
Vulnerability Profiles
Address Objects
Service Groups
Mark for follow up

Question 16 of 50.
How do you reduce the amount of information recorded in the URL Content Filtering Logs?
Enable "Log container page only".
Disable URL packet captures.
Enable URL log caching.
Enable DSRI.
Mark for follow up

Question 17 of 50.

3 of 9

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Which type of license is required to perform Decryption Port Mirroring?


A subscription-based SSL Port license
A free PAN-PA-Decrypt license
A Client Decryption license
A subscription-based PAN-PA-Decrypt license
Mark for follow up

Question 18 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal servers private IP address. Which IP address should the Security Policy use as
the "Destination IP" in order to allow traffic to the server?
The servers private IP
The firewalls gateway IP
The servers public IP
The firewalls MGT IP
Mark for follow up

Question 19 of 50.
Which of the following must be enabled in order for User-ID to function?
Security Policies must have the User-ID option enabled.
Captive Portal must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal Policies must be enabled.
Mark for follow up

Question 20 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
RIPv2
Domain Controller
Network Access Control (NAC) device
SSL Certificates

Mark for follow up

Question 21 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True

False

Mark for follow up

Question 22 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be allowed.
The SSH traffic will be denied.
The BitTorrent traffic will be allowed.
The BitTorrent traffic will be denied.

4 of 9

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Question 23 of 50.
An interface in Virtual Wire mode must be assigned an IP address.
True

False

Mark for follow up

Question 24 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
10
50
500
1000
Mark for follow up

Question 25 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire
Analysis verdict. Choose the three correct classifications as a result of this analysis and classification?
Malware detection
Spyware
Grayware
Adware
Safeware
Benign

Mark for follow up

Question 26 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as
Once an hour
Once a day
Once a week
Once every 15 minutes
Mark for follow up

Question 27 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Mark for follow up

Question 28 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000
Mark for follow up

Question 29 of 50.

5 of 9

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Mark for follow up

Question 30 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Under Packet Forwarding, selecting the VR Sync checkbox.
Mark for follow up

Question 31 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Initiating side, System log
Responding side, Traffic log
Responding side, System Log
Initiating side, Traffic log
Mark for follow up

Question 32 of 50.
Which statement about config locks is True?
A config lock will expire after 24 hours, unless it was set by a superuser.
A config lock can be removed only by the administrator who set it.
A config lock can only be removed by the administrator who set it or by a superuser.
A config lock can be removed only by a superuser.
Mark for follow up

Question 33 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?
System Logs and the indicator light under the User-ID Agent settings in the firewall.
System Logs and Authentication Logs.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.
Mark for follow up

Question 34 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.
An Authentication Profile.
Mark for follow up

Question 35 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
True

6 of 9

False

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Question 36 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Decryption Policy
Decryption Profile in PBF
Decryption Profile in Security Profile
Decryption Profile in Security Policy
Mark for follow up

Question 37 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Destination Application
Source Zone
Destination Zone
Source User

Mark for follow up

Question 38 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
The default Admin account may be disabled or deleted.
System defaults may be restored by performing a factory reset in Maintenance Mode.
By default the MGT Port's IP Address is 192.168.1.1/24.
Initial configuration may be accomplished thru the MGT interface or the Console port.
Mark for follow up

Question 39 of 50.
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels?
Four
Six
Three
Five
Mark for follow up

Question 40 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
The administrator who set it
Any administrator
Superusers
Device administrators

Mark for follow up

Question 41 of 50.
Which of the following is True of an application filter?
An application filter automatically includes a new application when one of the new applications characteristics are included in the filter.
An application filter automatically adapts when an application moves from one IP address to another.
An application filter specifies the users allowed to access an application.
An application filter is used by malware to evade detection by firewalls and anti-virus software.
Mark for follow up

7 of 9

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Question 42 of 50.
Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution.
What is the main reason and purpose for the WildFire Hybrid solution?
The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well providing the option to send other, general files to the
WildFire Public Cloud for analysis.
The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal
latency while retaining data privacy.
The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription.
Mark for follow up

Question 43 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct
answers.)
BitTorrent
SSH
Skype
Gnutella

Mark for follow up

Question 44 of 50.
WildFire may be used for identifying which of the following types of traffic?
DHCP
Malware
RIPv2
OSPF
Mark for follow up

Question 45 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True

False

Mark for follow up

Question 46 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
This cannot be done. A single user can only use one authentication type.
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.
Create multiple authentication profiles for the same user.
Mark for follow up

Question 47 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True

8 of 9

False

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Question 48 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True

False

Mark for follow up

Question 49 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
The rule with the highest rule number is applied.
First match applied.
Last match applied.
Most specific match applied.
Mark for follow up

Question 50 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Mark for follow up

Save / Return Later

9 of 9

Summary

7/12/16, 5:22 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version


ACE Exam

Question 1 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire
Mark for follow up

Question 2 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
First match applied.
The rule with the highest rule number is applied.
Last match applied.
Most specific match applied.
Mark for follow up

Question 3 of 50.
Will an exported configuration contain Management Interface settings?
Yes

No

Mark for follow up

Question 4 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Path and Link Monitoring
Link and Session Monitors
VR and VSYS Monitors
Heartbeat and Session Monitors
Mark for follow up

Question 5 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True

False

Mark for follow up

Question 6 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
The default Admin account may be disabled or deleted.
System defaults may be restored by performing a factory reset in Maintenance Mode.
By default the MGT Port's IP Address is 192.168.1.1/24.
Initial configuration may be accomplished thru the MGT interface or the Console port.
Mark for follow up

Question 7 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
RIPv2

1 of 9

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

IGRP
ISIS
EIGRP
Mark for follow up

Question 8 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal servers private IP address. Which IP address should the Security Policy use as
the "Destination IP" in order to allow traffic to the server?
The firewalls gateway IP
The servers private IP
The firewalls MGT IP
The servers public IP
Mark for follow up

Question 9 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be denied.
The SSH traffic will be allowed.
The BitTorrent traffic will be denied.
The BitTorrent traffic will be allowed.

Mark for follow up

Question 10 of 50.
In PAN-OS 6.0 and later, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewalls policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.
Mark for follow up

Question 11 of 50.
Which of the following facts about dynamic updates is correct?
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and Threat and URL Filtering updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Mark for follow up

Question 12 of 50.
Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To enable this feature within the GUI go to
Network > Network Profiles > Zone Protection
Objects > Zone Protection
Interfaces > Interface Number > Zone Protection
Policies > Profile > Zone Protection

2 of 9

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Question 13 of 50.
True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud only.
True

False

Mark for follow up

Question 14 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.
This cannot be done. A single user can only use one authentication type.
Create multiple authentication profiles for the same user.
Mark for follow up

Question 15 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
True

False

Mark for follow up

Question 16 of 50.
An interface in tap mode can transmit packets on the wire.
True

False

Mark for follow up

Question 17 of 50.
What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?
A Blocked page response when the URL filtering policy to block is enforced.
A Success page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 - Service unavailable" message.
Mark for follow up

Question 18 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Mark for follow up

Question 19 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True

False

Mark for follow up

Question 20 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True

3 of 9

False

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Question 21 of 50.
Which of the following must be enabled in order for User-ID to function?
Captive Portal Policies must be enabled.
Captive Portal must be enabled.
Security Policies must have the User-ID option enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Mark for follow up

Question 22 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?
50
10
150
100
Mark for follow up

Question 23 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
SSL Certificates
Domain Controller
RIPv2
Network Access Control (NAC) device

Mark for follow up

Question 24 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Mark for follow up

Question 25 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct
answers.)
SSH
BitTorrent
Skype
Gnutella

Mark for follow up

4 of 9

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Question 26 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Mark for follow up

Question 27 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would
allow for reliable User-ID mapping while requiring the least effort to configure?
WMI Query
Exchange CAS Security logs
Active Directory Security Logs
Captive Portal
Mark for follow up

Question 28 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True

False

Mark for follow up

Question 29 of 50.
When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.
Mark for follow up

Question 30 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is
not static, the Peer ID can be a text value.
True

False

Mark for follow up

Question 31 of 50.
True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution.
True

False

Mark for follow up

Question 32 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
deviceadmin
superuser
read/write
devicereader
Mark for follow up

Question 33 of 50.

5 of 9

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
vsysadmin
Superuser
Device Administrator
A custom admin role must be created for this specific combination of rights.
Mark for follow up

Question 34 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Mark for follow up

Question 35 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Decryption Policy
Decryption Profile in PBF
Decryption Profile in Security Profile
Decryption Profile in Security Policy
Mark for follow up

Question 36 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.
An Authentication Profile.
Mark for follow up

Question 37 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True

False

Mark for follow up

Question 38 of 50.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been
compromised?
Command & Control Signatures
Correlation Objects
App-ID Signatures
Custom Signatures
Correlation Events
Mark for follow up

Question 39 of 50.
Which statement about config locks is True?
A config lock can only be removed by the administrator who set it or by a superuser.
A config lock can be removed only by a superuser.
A config lock can be removed only by the administrator who set it.

6 of 9

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

A config lock will expire after 24 hours, unless it was set by a superuser.
Mark for follow up

Question 40 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
1000
500
50
10
Mark for follow up

Question 41 of 50.
Which of the following CANNOT use the source user as a match criterion?
DoS Protection
Anti-virus Profile
QoS
Secuirty Policies
Policy Based Forwarding
Mark for follow up

Question 42 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Zones
Address Objects
Vulnerability Profiles
Service Groups
Mark for follow up

Question 43 of 50.
Which of the following is True of an application filter?
An application filter is used by malware to evade detection by firewalls and anti-virus software.
An application filter specifies the users allowed to access an application.
An application filter automatically includes a new application when one of the new applications characteristics are included in the filter.
An application filter automatically adapts when an application moves from one IP address to another.
Mark for follow up

Question 44 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Password-protected access to specific file downloads for authorized users.
Increased speed on downloads of file types that are explicitly enabled.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Mark for follow up

Question 45 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed

7 of 9

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Question 46 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of
the following conditions most likely explains this behavior?
The interface is not assigned an IP address.
The interface is not assigned a virtual router.
The interface is not up.
There is no zone assigned to the interface.
Mark for follow up

Question 47 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?
The user will be redirected to a different search site that is specified by the firewall administrator.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
Mark for follow up

Question 48 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A Client Decryption license
A subscription-based PAN-PA-Decrypt license
A subscription-based SSL Port license
A free PAN-PA-Decrypt license
Mark for follow up

Question 49 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Under Packet Forwarding, selecting the VR Sync checkbox.
Mark for follow up

Question 50 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS
SSH
Telnet
HTTP

8 of 9

7/11/16, 5:16 PM

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?lo...

Mark for follow up

Save / Return Later

9 of 9

Summary

7/11/16, 5:16 PM

20/12/2015

RealizeYourPotential:paloaltonetworks

TestAccreditedConfigurationEngineer(ACE)ExamPANOS7.0Version
ACEExam

Question1of50.
WhenconfiguringaSecurityPolicyRulebasedonFQDNAddressObjects,whichofthefollowingstatementsisTrue?

ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagaineachtimeSecurityProfilesareevaluated.
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagainatDNSTTLexpiration.
InordertocreateFQDNbasedobjects,youneedtomanuallydefinealistofassociatedIPaddresses.

Markforfollowup

Question2of50.
UsingtheAPIinPANOS6.1,WildFiresubscriberscanuploaduptohowmanysamplesperday?

50
1000
500
10

Markforfollowup

Question3of50.
InPaloAltoNetworksterms,anapplicationis:

Aspecificprogramdetectedwithinanidentifiedstreamthatcanbedetected,monitored,and/orblocked.
Acombinationofportandprotocolthatcanbedetected,monitored,and/orblocked.
Afileinstalledonalocalmachinethatcanbedetected,monitored,and/orblocked.
WebbasedtrafficfromaspecificIPaddressthatcanbedetected,monitored,and/orblocked.

Markforfollowup

Question4of50.
Whatisthedefaultsettingfor'Action'inaDecryptionPolicy'srule?

Any
NoDecrypt
None
Decrypt

Markforfollowup

Question5of50.
WhenDestinationNetworkAddressTranslationisbeingperformed,thedestinationinthecorrespondingSecurityPolicyRuleshoulduse:

ThePostNATdestinationzoneandPreNATIPaddresses.
ThePostNATdestinationzoneandPostNATIPaddresses.
ThePreNATdestinationzoneandPostNATIPaddresses.
ThePreNATdestinationzoneandPreNATIPaddresses.

Markforfollowup

Question6of50.
AlloftheinterfacesonaPaloAltoNetworksdevicemustbeofthesameinterfacetype.
True
False

Markforfollowup

Question7of50.
WhenusingConfigAudit,thecoloryellowindicateswhichofthefollowing?

Asettinghasbeenchangedbetweenthetwoconfigfiles
Asettinghasbeendeletedfromaconfigfile.
Asettinghasbeenaddedtoaconfigfile

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

1/8

20/12/2015

RealizeYourPotential:paloaltonetworks

Aninvalidvaluehasbeenusedinaconfigfile.

Markforfollowup

Question8of50.
WhichofthefollowingisNOTavalidoptionforbuiltinCLIAdminroles?

read/write
superuser
deviceadmin
devicereader

Markforfollowup

Question9of50.
Securitypolicyrulesspecifyasourceinterfaceandadestinationinterface.
True
False

Markforfollowup

Question10of50.

Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion.AnadministratorisusingSSHonport3333andBitTorrentonport7777.Which
statementsareTrue?
TheBitTorrenttrafficwillbeallowed.
TheSSHtrafficwillbedenied.
TheBitTorrenttrafficwillbedenied.
TheSSHtrafficwillbeallowed.

Markforfollowup

Question11of50.
AftertheinstallationoftheThreatPreventionlicense,thefirewallmustberebooted.
True
False

Markforfollowup

Question12of50.
Attackerswillemployanumberoftacticstohidemalware.Onesuchtacticistoencodeand/orcompressthefilesoastohidethemalware.WithPANOS7.0thefirewallcandecode
uptofourlevels.Butifanattackerhasencodedthefilebeyondfourlevels,whatcanyouasanadministerdotoprotectyourusers?

CreateaDecryptionProfileformultilevelencodedfilesandapplyittoaDecryptionPolicy.
CreateaFileBlockingProfileformultilevelencodedfilesandapplyittoaDecryptionPolicy.
CreateaFileBlockingProfileformultilevelencodedfileswiththeactionsettoblock.
CreateaDecryptionPolicyformultilevelencodedfilesandsettheactiontoblock.

Markforfollowup

Question13of50.
WillanexportedconfigurationcontainManagementInterfacesettings?
Yes
No

Markforfollowup

Question14of50.
WhentroubleshootingPhase1ofanIPsecVPNtunnel,whichlocationandlogwillbemostinformative?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

2/8

20/12/2015

RealizeYourPotential:paloaltonetworks

Initiatingside,Systemlog
Initiatingside,Trafficlog
Respondingside,SystemLog
Respondingside,Trafficlog

Markforfollowup

Question15of50.
WhichofthefollowinginterfacetypescanhaveanIPaddressassignedtoit?

Layer3
Layer2
Tap
VirtualWire

Markforfollowup

Question16of50.
Aninterfaceintapmodecantransmitpacketsonthewire.
True
False

Markforfollowup

Question17of50.
SelecttheimplicitrulesthatareappliedtotrafficthatfailstomatchanyadministratordefinedSecurityPolicies.(Chooseallrulesthatarecorrect.)
Intrazonetrafficisallowed
Interzonetrafficisdenied
Intrazonetrafficisdenied
Interzonetrafficisallowed

Markforfollowup

Question18of50.
WhichstatementaboutconfiglocksisTrue?

Aconfiglockcanonlyberemovedbytheadministratorwhosetitorbyasuperuser.
Aconfiglockcanberemovedonlybytheadministratorwhosetit.
Aconfiglockwillexpireafter24hours,unlessitwassetbyasuperuser.
Aconfiglockcanberemovedonlybyasuperuser.

Markforfollowup

Question19of50.
WhenyouhavecreatedaSecurityPolicyRulethatallowsFacebook,whatmustyoudotoblockallotherwebbrowsingtraffic?

Nothing.YoucandependonPANOStoblockthewebbrowsingtrafficthatisnotneededforFacebookuse.
Whencreatingthepolicy,ensurethatwebbrowsingisincludedinthesamerule.
Createanadditionalrulethatblocksallothertraffic.
EnsurethattheServicecolumnisdefinedas"applicationdefault"forthisSecuritypolicy.Doingthiswillautomaticallyincludetheimplicitwebbrowsingapplicationdependency.

Markforfollowup

Question20of50.
WithoutaWildFiresubscription,whichofthefollowingfilescanbesubmittedbytheFirewalltothehostedWildFirevirtualizedsandbox?

PEfilesonly
MSOfficedoc/docx,xls/xlsx,andppt/pptxfilesonly
PDFfilesonly
PEandJavaApplet(jarandclass)only

Markforfollowup

Question21of50.
Usersmaybeauthenticatedsequentiallytomultipleauthenticationserversbyconfiguring:

AnAuthenticationSequence.

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

3/8

20/12/2015

RealizeYourPotential:paloaltonetworks

AnAuthenticationProfile.
AcustomAdministratorProfile.
MultipleRADIUSserverssharingaVSAconfiguration.

Markforfollowup

Question22of50.
WildFiremaybeusedforidentifyingwhichofthefollowingtypesoftraffic?

Malware
RIPv2
DHCP
OSPF

Markforfollowup

Question23of50.
Whenusingremoteauthenticationforusers(LDAP,RADIUS,ActiveDirectory,etc.),whatmustbedonetoallowausertoauthenticatethroughmultiplemethods?

CreateanAuthenticationSequence,dictatingtheorderofauthenticationprofiles.
Thiscannotbedone.Althoughmultipleauthenticationmethodsexist,afirewallmustchooseasingle,globalauthenticationtypeandallusersmustusethismethod.
Thiscannotbedone.Asingleusercanonlyuseoneauthenticationtype.
Createmultipleauthenticationprofilesforthesameuser.

Markforfollowup

Question24of50.

Consideringtheinformationinthescreenshotabove,whatistheorderofevaluationforthisURLFilteringProfile?

AllowList,BlockList,CustomCategories,URLCategories(BrightCloudorPANDB).
URLCategories(BrightCloudorPANDB),CustomCategories,BlockList,AllowList.
BlockList,AllowList,CustomCategories,URLCategories(BrightCloudorPANDB).
BlockList,AllowList,URLCategories(BrightCloudorPANDB),CustomCategories.

Markforfollowup

Question25of50.
WhichtypeoflicenseisrequiredtoperformDecryptionPortMirroring?

AClientDecryptionlicense
AsubscriptionbasedSSLPortlicense
AfreePANPADecryptlicense
AsubscriptionbasedPANPADecryptlicense

Markforfollowup

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

4/8

20/12/2015

RealizeYourPotential:paloaltonetworks

Question26of50.
Canmultipleadministratoraccountsbeconfiguredonasinglefirewall?
Yes
No

Markforfollowup

Question27of50.

Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion:Aspanportoraswitchisconnectedtoe1/4,buttherearenotrafficlogs.Whichofthe
followingconditionsmostlikelyexplainsthisbehavior?

TheinterfaceisnotassignedanIPaddress.
Theinterfaceisnotup.
Thereisnozoneassignedtotheinterface.
Theinterfaceisnotassignedavirtualrouter.

Markforfollowup

Question28of50.
WhichpredefinedAdminRolehasallrightsexcepttherightstocreateadministrativeaccountsandvirtualsystems?

Superuser
vsysadmin
DeviceAdministrator
Acustomadminrolemustbecreatedforthisspecificcombinationofrights.

Markforfollowup

Question29of50.

Thescreenshotaboveshowspartofafirewallsconfiguration.Ifpingtrafficcantraversethisdevicefrome1/2toe1/1,whichofthefollowingstatementsmustbeTrueaboutthis
firewallsconfiguration?(Selectallcorrectanswers.)
Theremustbeappropriateroutesinthedefaultvirtualrouter.
TheremustbeasecuritypolicyrulefromInternetzonetotrustzonethatallowsping.
TheremustbeasecuritypolicyrulefromtrustzonetoInternetzonethatallowsping.
TheremustbeaManagementProfilethatallowsping.(ThenassignthatManagementProfiletoe1/1ande1/2.)

Markforfollowup

Question30of50.
WhichofthefollowingisaroutingprotocolsupportedinaPaloAltoNetworksfirewall?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

5/8

20/12/2015

RealizeYourPotential:paloaltonetworks

RIPv2
IGRP
EIGRP
ISIS

Markforfollowup

Question31of50.
WildFireanalyzesfilestodeterminewhetherornottheyaremalicious.Whendoingso,WildFirewillclassifythefilewithanofficialverdict.ThisverdictisknownastheWildFire
Analysisverdict.Choosethethreecorrectclassificationsasaresultofthisanalysisandclassification?
Benign
Spyware
Safeware
Adware
Grayware
Malwaredetection

Markforfollowup

Question32of50.
WhenemployingtheBrightCloudURLfilteringdatabaseinaPaloAltoNetworksfirewall,theorderofevaluationwithinaprofileis:

Blocklist,Allowlist,CustomCategories,Cachefiles,LocalURLDBfile.
DynamicURLfiltering,Blocklist,Allowlist,Cachefiles,Customcategories,Predefinedcategories.
Blocklist,CustomCategories,Predefinedcategories,DynamicURLfiltering,Allowlist,Cachefiles.
Blocklist,CustomCategories,Cachefiles,Predefinedcategories,DynamicURLfiltering,Allowlist.

Markforfollowup

Question33of50.
InPANOS7.0whichoftheavailablechoicesservesasanalertwarningbydefiningpatternsofsuspicioustrafficandnetworkanomaliesthatmayindicateahosthasbeen
compromised?

CorrelationObjects
AppIDSignatures
Command&ControlSignatures
CustomSignatures
CorrelationEvents

Markforfollowup

Question34of50.
TrueorFalse:TheWildFireAnalysisProfilecanonlybeconfiguredtosendunknownfilestotheWildFirePublicCloudonly.
True
False

Markforfollowup

Question35of50.
WhichofthefollowingmostaccuratelydescribesDynamicIPinaSourceNATconfiguration?

ThenextavailableIPaddressintheconfiguredpoolisused,butthesourceportnumberisunchanged.
AsingleIPaddressisused,andthesourceportnumberischanged.
Thenextavailableaddressintheconfiguredpoolisused,andthesourceportnumberischanged.
AsingleIPaddressisused,andthesourceportnumberisunchanged.

Markforfollowup

Question36of50.
WhatwillbetheuserexperiencewhenthesafesearchoptionisNOTenabledforGooglesearchbutthefirewallhas"SafeSearchEnforcement"Enabled?

AblockpagewillbepresentedwithinstructionsonhowtosetthestrictSafeSearchoptionfortheGooglesearch.
Theuserwillberedirectedtoadifferentsearchsitethatisspecifiedbythefirewalladministrator.
AtaskbarpopupmessagewillbepresentedtoenableSafeSearch.
TheFirewallwillenforceSafeSearchiftheURLfilteringlicenseisstillvalid.

Markforfollowup

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

6/8

20/12/2015

RealizeYourPotential:paloaltonetworks

Question37of50.
InPANOS6.0andlater,whichoftheseitemsmaybeusedasmatchcriterioninaPolicyBasedForwardingRule?(Choose3.)
DestinationApplication
SourceZone
SourceUser
DestinationZone

Markforfollowup

Question38of50.
A"Continue"actioncanbeconfiguredonwhichofthefollowingSecurityProfiles?

URLFilteringandFileBlocking
URLFilteringonly
URLFiltering,FileBlocking,andDataFiltering
URLFilteringandAntivirus

Markforfollowup

Question39of50.
PaloAltoNetworksfirewallssupporttheuseofbothDynamic(builtinuserroles)andRoleBased(customizeduserroles)forAdministratorAccounts.
True
False

Markforfollowup

Question40of50.
Whichofthefollowingfactsaboutdynamicupdatesiscorrect?

Antivirusupdatesarereleaseddaily.ApplicationandThreatupdatesarereleasedweekly.
ApplicationandThreatupdatesarereleaseddaily.AntivirusandURLFilteringupdatesarereleasedweekly.
ApplicationandAntivirusupdatesarereleasedweekly.ThreatandThreatandURLFilteringupdatesarereleasedweekly.
ThreatandURLFilteringupdatesarereleaseddaily.ApplicationandAntivirusupdatesarereleasedweekly.

Markforfollowup

Question41of50.
PrevioustoPANOS7.0thefirewallwasabletodecodeuptotwolevels.WithPANOS7.0thefirewallcannowdecodeuptohowmanylevels?

Four
Three
Five
Six

Markforfollowup

Question42of50.
WhichofthefollowingwouldbeareasontousethePANOSXMLAPItocommunicatewithaPaloAltoNetworksfirewall?

TopullinformationfromothernetworkresourcesforUserID.
TopermitsysloggingofUserIdentificationevents.
ToallowthefirewalltopushUserIDinformationtoaNetworkAccessControl(NAC)device.

Markforfollowup

Question43of50.
PANOS7.0introducedanewSecurityProfiletype.Whatisthenameofthisnewsecurityprofiletype?

ThreatAnalysis
WildFireAnalysis
MalwareAnalysis
FileAnalysis

Markforfollowup

Question44of50.

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

7/8

20/12/2015

RealizeYourPotential:paloaltonetworks

YoucanassignanIPaddresstoaninterfaceinVirtualWiremode.
True
False

Markforfollowup

Question45of50.
WhichofthefollowingaremethodsthatHAclustersusetoidentifynetworkoutages?

LinkandSessionMonitors
PathandLinkMonitoring
HeartbeatandSessionMonitors
VRandVSYSMonitors

Markforfollowup

Question46of50.
WhenaninterfaceisinTapmodeandaPolicysactionissettoblock,theinterfacewillsendaTCPreset.
True
False

Markforfollowup

Question47of50.
HowdoyoureducetheamountofinformationrecordedintheURLContentFilteringLogs?

Enable"Logcontainerpageonly".
DisableURLpacketcaptures.
EnableURLlogcaching.
EnableDSRI.

Markforfollowup

Question48of50.
WhatwilltheuserexperiencewhenattemptingtoaccessablockedhackingwebsitethroughatranslationservicesuchasGoogleTranslateorBingTranslator?

ABlockedpageresponsewhentheURLfilteringpolicytoblockisenforced.
ASuccesspageresponsewhenthesiteissuccessfullytranslated.
Thebrowserwillberedirectedtotheoriginalwebsiteaddress.
An"HTTPError503Serviceunavailable"message.

Markforfollowup

Question49of50.
TrueorFalse:ThePANDBURLFilteringServiceisofferedasbothaPrivateCloudsolutionandaPublicCloudsolution.
True
False

Markforfollowup

Question50of50.
WithIKEPhase1,eachdeviceisidentifiedtotheotherbyaPeerID.Inmostcases,thePeerIDisjustthepublicIPaddressofthedevice.InsituationswherethepublicIPaddressis
notstatic,thePeerIDcanbeatextvalue.
True
False

Markforfollowup

Save/ReturnLater

Summary

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

8/8

Palo Alto Networks PCNSE6

Palo Alto Networks Certified Network Security


Engineer 6.0
Version: 4.1

Palo Alto Networks PCNSE6 Exam


QUESTION NO: 1
Which authentication method can provide role-based administrative access to firewalls running
PAN-OS?
A. LDAP
B. Certificate-based authentication
C. Kerberos
D. RADIUS with Vendor Specific Attributes
Answer: D
Explanation:

QUESTION NO: 2 HOTSPOT


Assuming that the default antivirus profile is installed, match each decoder with its default action.
Answer options may be used more than once or not at all.

www.braindumps.com

Palo Alto Networks PCNSE6 Exam

Answer:

www.braindumps.com

Palo Alto Networks PCNSE6 Exam

Explanation:
FTP, SMB Block
HTTP Block
POP3, SMTP Alert
IMAP Alert

QUESTION NO: 3
Which three engines are built into the Single-Pass Parallel Processing Architecture? Choose 3
answers

www.braindumps.com

Palo Alto Networks PCNSE6 Exam


A. Application Identification (App-ID)
B. Group Identification (Group-ID)
C. User Identification (User-ID)
D. Threat Identification (Threat-ID)
E. Content Identification (Content-ID)
Answer: A,C,E
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 5

QUESTION NO: 4 HOTSPOT


Within a Zone Protection Profile, under the Reconnaissance Protection tab, there are several
possible values for Action:

Match each Reconnaissance Protection Action to its description.


Answer options may be used more than once or not at all.

www.braindumps.com

Palo Alto Networks PCNSE6 Exam

Answer:

www.braindumps.com

Palo Alto Networks PCNSE6 Exam


Explanation:
Allow: Permits the port scan attempts.
Alert: Generates an alert for each scan that matches the threshold within the specified time
interval.
Block: Drops all traffic from the source to the destination.
Block IP: Drops all traffic for a specific period of time (in seconds). There are two options:
Source: Blocks traffic from the source
Source-and-Destination: Blocks traffic for the source-destination pair
https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5078-102-514892/Understanding_DoS_Protection.pdf

QUESTION NO: 5
What is a prerequisite for configuring a pair of Palo Alto Networks firewalls in an Active/Passive
High Availability (HA) pair?
A. The peer HA1 IP address must be the same on both firewalls.
B. The management interfaces must be on the same network.
C. The firewalls must have the same set of licenses.
D. The HA interfaces must be directly connected to each other.
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 134

QUESTION NO: 6
Which source address translation type will allow multiple devices to share a single translated
source address while using a single NAT Policy rule?
A. Dynamic IP and Port
B. Dynamic IP
C. Bi-directional
D. Static IP
Answer: A
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/panwww.braindumps.com

Palo Alto Networks PCNSE6 Exam


os/networking/nat.html

QUESTION NO: 7 HOTSPOT


Match each type of report provided by the firewall with its description.
Answer options may be used more than once or not at all.

Answer:

www.braindumps.com

Palo Alto Networks PCNSE6 Exam

Explanation:
PDF Summary Reports Reports that combine up to 18 custom or predefined reports from the
Threat, Application, Traffic, URL Filtering Categories into one document.
Report Groups Reports the combine other custom and predefined reports into a single file to be
emailed to one or more recipients.
Custom Reports Reports created by an administrator that filter on conditions and columns
User or Groups Activity Reports Reports on the application use and URL activity for a specific
user or a group
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/panorama/Panorama_AdminGuide/section_6.pdf page 151

QUESTION NO: 8

www.braindumps.com

Palo Alto Networks PCNSE6 Exam


How can a Palo Alto Networks firewall be configured to send syslog messages in a format
compatible with nonstandard syslog servers?
A. Enable support for non-standard syslog messages under device management.
B. Select a non-standard syslog server profile.
C. Create a custom log format under the syslog server profile.
D. Check the custom-format checkbox in the syslog server profile.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-2021 Page 16 of PDF available there.

QUESTION NO: 9
Which Public Key Infrastructure component is used to authenticate users for GlobalProtect when
the Connect Method is set to "pre-logon"?
A. Certificate Revocation List
B. Trusted root certificate
C. Machine certificate
D. Online Certificate Status Protocol
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/globalprotect/Global_Protect_6.0.pdf page 12.

QUESTION NO: 10
A company is in the process of upgrading their existing Palo Alto Networks firewalls from version
6.1.0 to 6.1.1.
Which three methods can the firewall administrator use to install PAN-OS 6.1.1 across the
enterprise? Choose 3 answers
A. Push the PAN-OS 6.1.1 updates from the support site to install on each firewall.
B. Download PAN-OS 6.1.1 files from the support site and install them on each firewall after
manually uploading.
C. Download PAN-OS 6.1.1 to a USB drive and the firewall will automatically update after the USB
drive is inserted in the firewall.
www.braindumps.com

10

Palo Alto Networks PCNSE6 Exam


D. Push the PAN-OS 6.1.1 update from one firewall to all of the other remaining after updating one
firewall.
E. Download and push PAN-OS 6.1.1 from Panorama to each firewall.
F. Download and install PAN-OS 6.1.1 directly on each firewall.
Answer: B,E,F
Reference: https://live.paloaltonetworks.com/docs/DOC-1062

QUESTION NO: 11
Given the following routing table:

Which configuration change on the firewall would cause it to use 10.66.24.88 as the nexthop for
the 192.168.93.0/30 network?
A. Configuring the Administrative Distance for RIP to be higher than that of OSPF Ext
B. Configuring the metric for RIP to be higher than that of OSPF Int
C. Configuring the metric for RIP to be lower than that of OSPF Ext
D. Configuring the Administrative Distance for RIP to be lower than that of OSPF Int
Answer: D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5284-102-317278/Route%20Redistribution%20and%20Filtering%20TechNote%20-%20Rev%20B.pdf

QUESTION NO: 12

www.braindumps.com

11

Palo Alto Networks PCNSE6 Exam


A company hosts a publicly-accessible web server behind their Palo Alto Networks firewall, with
this configuration information:
-

Users outside the company are in the "Untrust-L3" zone.


The web server physically resides in the "Trust-L3" zone.
Web server public IP address: 1.1.1.1
Web server private IP address: 192.168.1.10

Which NAT Policy rule will allow users outside the company to access the web server?

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Explanation:

QUESTION NO: 13
A company has purchased a WildFire subscription and would like to implement dynamic updates
to download the most recent content as often as possible.
What is the shortest time interval the company can configure their firewall to check for WildFire
updates?
A. Every 24 hours
B. Every 30 minutes
C. Every 15 minutes
D. Every 1 hour
www.braindumps.com

12

Palo Alto Networks PCNSE6 Exam


E. Every 5 minutes
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/wildfire/WF_Admin/section_1.pdf page 11

QUESTION NO: 14
Which method is the most efficient for determining which administrator made a specific change to
the running config?
A. In the Configuration log, set a filter for the edit command and look for the object that was
changed.
B. In the System log, set a filter for the name of the object that was changed.
C. In Config Audit, compare the current running config to all of the saved configurations until the
change is found.
D. In Config Audit, compare the current running config to previous committed versions until the
change is found.
Answer: B
Explanation:

QUESTION NO: 15
You are configuring a File Blocking Profile to be applied to all outbound traffic uploading a specific
file type, and there is a specific application that you want to match in the policy.
What are three valid actions that can be set when the specified file is detected? Choose 3 answers
A. Reset-both
B. Block
C. Continue
D. Continue-and-forward
E. Upload
Answer: B,C,D
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_8.pdf page 287

www.braindumps.com

13

Palo Alto Networks PCNSE6 Exam

QUESTION NO: 16
Two firewalls are configured in an Active/Passive High Availability (HA) pair with the following
election settings:

Firewall 5050-B is presently in the "Active" state and 5050-A is presently in the "Passive" state.
Firewall 5050-B reboots causing 5050-A to become Active.
Which firewall will be in the "Active" state after firewall 5050-B has completed its reboot and is
back online?
A. Both firewalls are active (split brain)
B. Firewall 5050-B
C. Firewall 5050-A
D. It could be either firewall
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-2926

QUESTION NO: 17
Which two statements are true about DoS Protection Profiles and Policies? Choose 2 answers
A. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks on a zone basis,
regardless of interface(s). They provide reconnaissance protection against TCP/UDP port scans
and host sweeps.
B. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks. They provide
resource protection by limiting the number of sessions that can be used.
C. They mitigate against volumetric attacks that leverage known vulnerabilities, brute force
methods, amplification, spoofing, and other vulnerabilities.
D. They mitigate against SYN, UDP, ICMP, ICMPv6, and other IP Flood attacks by utilizing
"random early drop".

www.braindumps.com

14

Palo Alto Networks PCNSE6 Exam


Answer: B,D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/7158-102-325328/Application%20DDoS%20Mitigation.pdf page 4

QUESTION NO: 18
Where can the maximum concurrent SSL VPN Tunnels be set for Vsys2 when provisioning a Palo
Alto Networks firewall for multiple virtual systems?
A. In the GUI under Network->Global Protect->Gateway->Vsys2
B. In the GUI under Device->Setup->Session->Session Settings
C. In the GUI under Device->Virtual Systems->Vsys2->Resource
D. In the GUI under Network->Global Protect->Portal->Vsys2
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/tech-briefs/virtual-systems.pdf page 6

QUESTION NO: 19
A security engineer has been asked by management to optimize how Palo Alto Networks firewall
syslog messages are forwarded to a syslog receiver. There are currently 20 PA-5060 s, each of
which is configured to forward syslogs individually.
The security engineer would like to leverage their two M-100 appliances to send syslog messages
from a single source and has already deployed one in Panorama mode and the other as a Log
Collector.
What is the remaining step in implementing this solution?
A. Configure Collector Log Forwarding
B. Configure a Syslog Proxy Profile
C. Configure a Panorama Log Forwarding Profile
D. Enable Syslog Aggregation
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-7987

www.braindumps.com

15

Palo Alto Networks PCNSE6 Exam

QUESTION NO: 20
What can cause missing SSL packets when performing a packet capture on data plane
interfaces?
A. There is a hardware problem with the offloading FPGA on the management plane.
B. The missing packets are offloaded to the management plane CPU.
C. The packets are hardware offloaded to the offload processor on the data plane.
D. The packets are not captured because they are encrypted.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-8621

QUESTION NO: 21
A company has a policy that denies all applications they classify as bad and permits only
applications they classify as good. The firewall administrator created the following security policy
on the company s firewall:

Which two benefits are gained from having both rule 2 and rule 3 present? Choose 2 answers
A. Different security profiles can be applied to traffic matching rules 2 and 3.
B. Separate Log Forwarding profiles can be applied to rules 2 and 3.
C. Rule 2 denies traffic flowing across different TCP and UDP ports than rule 3.
D. A report can be created that identifies unclassified traffic on the network.
Answer: A,D
Explanation:

QUESTION NO: 22

www.braindumps.com

16

Palo Alto Networks PCNSE6 Exam


Company employees have been given access to the GlobalProtect Portal at
https://portal.company.com:

Assume the following:


1. The firewall is configured to resolve DNS names using the internal DNS server.
2. The URL portal.company.com resolves to the external interface of the firewall on the companys
external DNS server and to the internal interface of the firewall on the company s internal DNS
server.
3. The URL gatewayl.company.com resolves to the external interface of the firewall on the
companys external DNS server and to the internal interface of the firewall on the company s
internal DNS server.
This Gateway configuration will have which two outcomes? Choose 2 answers
A. Clients outside the network will be able to connect to the external gateway Gateway1.
B. Clients inside the network will be able to connect to the internal gateway Gateway1.
C. Clients outside the network will NOT be able to connect to the external gateway Gateway1.
D. Clients inside the network will NOT be able to connect to the internal gateway Gateway1.
Answer: A,B
Explanation:

QUESTION NO: 23
www.braindumps.com

17

Palo Alto Networks PCNSE6 Exam


What is the maximum usable storage capacity of an M-100 appliance?
A. 2TB
B. 4TB
C. 6TB
D. STB
Answer: B
Reference:
https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/set-uppanorama/set-up-the-m-100-appliance.html

QUESTION NO: 24
A user is reporting that they cannot download a PDF file from the internet.
Which action will show whether the downloaded file has been blocked by a Security Profile?
A. Filter the Session Browser for all sessions from the user with the application "adobe".
B. Filter the System log for "Download Failed" messages.
C. Filter the Traffic logs for all traffic from the user that resulted in a Deny action.
D. Filter the Data Filtering logs for the users traffic and the name of the PDF file.
Answer: D
Explanation:

QUESTION NO: 25
What has happened when the traffic log shows an internal host attempting to open a session to a
properly configured sinkhole address?
A. The internal host is trying to resolve a DNS query by connecting to a rogue DNS server.
B. The internal host attempted to use DNS to resolve a known malicious domain into an IP
address.
C. A rogue DNS server is now using the sinkhole address to direct traffic to a known malicious
domain.
D. A malicious domain is trying to contact an internal DNS server.
Answer: B
www.braindumps.com

18

Palo Alto Networks PCNSE6 Exam


Reference: https://www.paloaltonetworks.jp/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/pan-os/NewFeaturesGuide.pdf page 14

QUESTION NO: 26
Which Security Policy rule configuration option disables antivirus and anti-spyware scanning of
server-to-client flows only?
A. Apply an Application Override Policy
B. Disable Server Response Inspection
C. Add server IP to Security Policy exception
D. Disable HIP Profile
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/gettingstarted/set-up-basic-security-policies.html

QUESTION NO: 27
Which two interface types provide support for network address translation (NAT)? Choose 2
answers
A. HA
B. Tap
C. Layer3
D. Virtual Wire
E. Layer2
Answer: C,D
Reference: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/1517-102-711647/Understanding_NAT-4.1-RevC.pdf

QUESTION NO: 28
A firewall is being attacked with a port scan. Which component can prevent this attack?

www.braindumps.com

19

Palo Alto Networks PCNSE6 Exam


A. DoS Protection
B. Anti-Spyware
C. Vulnerability Protection
D. Zone Protection
Answer: D
Reference: https://live.paloaltonetworks.com/docs/DOC-4501

QUESTION NO: 29
A Palo Alto Networks firewall has the following interface configuration;

Hosts are directly connected on the following interfaces:


Ethernet 1/6 - Host IP 192.168.62.2
Ethernet 1/3 - Host IP 10.46.40.63
The security administrator is investigating why ICMP traffic between the hosts is not working.
She first ensures that ail traffic is allowed between zones based on the following security policy
rule:

The routing table of the firewall shows the following output:

www.braindumps.com

20

Palo Alto Networks PCNSE6 Exam

Which interface configuration change should be applied to ethernet1/6 to allow the two hosts to
communicate based on this information?
A. Change the Management Profile.
B. Change the security policy to explicitly allow ICMP on this interface.
C. Change the configured zone to DMZ.
D. Change the Virtual Router setting to VR1.
Answer: D
Explanation:

QUESTION NO: 30 HOTSPOT


Match the components with their role in preventing threats.
Answer options may be used more than once or not at all.

www.braindumps.com

21

Palo Alto Networks PCNSE6 Exam

Answer:

Explanation:
Panorama Dynamically updates firewall policy with VM context for NSX
Physical Firewall Inspects North-South traffic for threats
Wildfire Generates zero-day threat signatures
VM series firewall- Inspects east-west traffic for threats

www.braindumps.com

22

Palo Alto Networks PCNSE6 Exam

QUESTION NO: 31
After migrating from an ASA firewall, the VPN connection between a remote network and the Palo
Alto Networks firewall is not establishing correctly. The following entry is appearing in the logs:
pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Firewall to resolve this error message?
A. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs.
B. Update the IKE Crypto profile for the Vendor IKE gateway from no-pfs to group2.
C. Update the IPSEC Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
D. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no-pfs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/vpns/interpretvpn-error-messages.html

QUESTION NO: 32
Which two interface types can be used when configuring GlobalProtect Portal? Choose 2 answers
A. Virtual Wire
B. Loopback
C. Tunnel
D. Layer3
Answer: B,D
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/globalprotect/globalprotect-admin-guide.pdf page 10

QUESTION NO: 33

www.braindumps.com

23

Palo Alto Networks PCNSE6 Exam


After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator
notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs.
What could be the problem?
A. The firewall is not licensed for logging to this Panorama device.
B. Panorama is not licensed to receive logs from this particular firewall.
C. None of the firewalls policies have been assigned a Log Forwarding profile.
D. A Server Profile has not been configured for logging to this Panorama device.
Answer: C
Explanation:

QUESTION NO: 34
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security
Platform components use this database to prevent threats? Choose 2 answers
A. Brute-force signatures
B. DNS-based command-and-control signatures
C. PAN-DB URL Filtering
D. BrightCloud URL Filtering
Answer: B,C
Reference: https://www.paloaltonetworks.com/products/features/apt-prevention.html

QUESTION NO: 35
Which three inspections can be performed with a next-generation firewall but NOT with a legacy
firewall? Choose 3 answers
A. Recognizing when SSH sessions are using SSH v1 instead of SSH v2
B. Validating that UDP port 53 packets are not being used to tunnel data for another protocol
C. Identifying unauthorized applications that attempt to connect over non-standard ports
D. Allowing a packet through from an external DNS server only if an internal host recently queried
that DNS server
E. Removing from the session table any TCP session without traffic for 3600 seconds
Answer: B,C,D
www.braindumps.com

24

Palo Alto Networks PCNSE6 Exam


Explanation:

QUESTION NO: 36
Which mechanism is used to trigger a High Availability (HA) failover if a firewall interface goes
down?
A. Link Monitoring
B. Heartbeat Polling
C. Preemption
D. SNMP Polling
Answer: A
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/60/pan-os/pan-os/section_4.pdf page 130

QUESTION NO: 37 HOTSPOT


Match the description of an application field with its name.
Answer options may be used more than once or not at all.

www.braindumps.com

25

Palo Alto Networks PCNSE6 Exam


Answer:

Explanation:
A TCP three-way handshake completed successfully but the firewall does not have an appropriate
App-ID signature unknown-tcp
A TCP handshake completed successfully, but only one more packet was sent not enough to
identify the application insufficient-data
Data received has been discarded because it matched an explicit deny rule for that traffic notapplicable
A TCP three-way handshake die NOT complete OR no additional data was sent after a successful
TCP three-way handshake incomplete
UDP data has been received but the firewall does not have an appropriate App-ID signature
unknown-udp.
Reference: https://live.paloaltonetworks.com/docs/DOC-1549

QUESTION NO: 38
How is the Forward Untrust Certificate used?
A. It issues certificates encountered on the Untrust security zone.
B. It is used for Captive Portal to identify unknown users.
C. It is used when web servers request a client certificate.
D. It is the issuer for an external certificate which is not trusted by the firewall.
Answer: D
Explanation:
www.braindumps.com

26

Palo Alto Networks PCNSE6 Exam

QUESTION NO: 39
By default, all PA-5060 syslog data is forwarded out the Management interface. What needs to be
configured in order to send syslog data out of a different interface?
A. Configure Service Route Only for Threats and URL Filtering, and the traffic will use the same
route.
B. Configure an Interface Management Profile and apply it to the interface that the syslogs will be
sent through.
C. Configure a Service Route for the Syslog service to use a dataplane interface.
D. Create a Log-Forwarding Profile that points to the device that will receive the syslogs.
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/reports-andlogging/define-remote-logging-destinations.html

QUESTION NO: 40
A network administrator uses Panorama to push security policies to managed firewalls at branch
offices.
Which policy type should be configured on Panorama if the administrator wishes to allow local
administrators at the branch office sites to override these policies?
A. Implicit Rules
B. Post Rules
C. Default Rules
D. Pre Rules
Answer: D
Explanation:

QUESTION NO: 41
A network engineer experienced network reachability problems through the firewall. The routing
table on the device is complex. To troubleshoot the problem the engineer ran a Command Line
www.braindumps.com

27

Palo Alto Networks PCNSE6 Exam


Interface (CLI) command to determine the egress interface for traffic destined to 98.139.183.24.
The command resulted in the following output:

How should this output be interpreted?


A. There is no route for the IP address 98.139.183.24, and there is a default route for outbound
traffic.
B. There is no interface in the firewall with the IP address 98.139.183.24.
C. In virtual-router vrl, there is a route in the routing table for the network 98.139.0.0/16.
D. There is no route for the IP address 98.139.183.24, and there is no default route.
Answer: D
Explanation:

QUESTION NO: 42
A website is presenting an RSA 2048-bit key. By default, what will the size of the key in the
certificate sent by the firewall to the client be when doing SSL Decryption?
A. 512 bits
B. 1024 bits
C. 2048 bits
D. 4096 bits
Answer: C
Reference: https://www.paloaltonetworks.com/documentation/61/panos/newfeaturesguide/management-features/configurable-key-size-for-ssl-forward-proxy-servercertificates.html

QUESTION NO: 43
A hotel chain is using a system to centrally control a variety of items in guest rooms. The client
www.braindumps.com

28

Palo Alto Networks PCNSE6 Exam


devices in each guest room communicate to the central controller using TCP and frequently
disconnect due to a premature timeouts when going through a Palo Alto Networks firewall.
Which action will address this issue without affecting all TCP traffic traversing the firewall?
A. Create a security policy without security profiles, allowing the client-to-server traffic.
B. Create an application override policy, assigning the client-to-server traffic to a custom
application.
C. Create an application with a specified TCP timeout and assign traffic to it with an application
override policy.
D. Create an application override policy, assigning the server-to-client traffic to a custom
application.
Answer: C
Explanation:

QUESTION NO: 44
Ethernet 1/1 has been configured with the following subinterfaces:

The following security policy is applied:

The Interface Management Profile permits the following:

www.braindumps.com

29

Palo Alto Networks PCNSE6 Exam

Your customer is trying to ping 10.10.10.1 from VLAN 800 IP 10.10.10.2/24


What will be the result of this ping?
A. The ping will be successful because the management profile applied to Ethernet1/1 allows ping.
B. The ping will not be successful because the virtual router is different from the other
subinterfaces.
C. The ping will not be successful because there is no management profile attached to
Ethernet1/1.799.
D. The ping will not be successful because the security policy does not apply to VLAN 800.
E. The ping will be successful because the security policy permits this traffic.
Answer: D
Explanation:

QUESTION NO: 45
What are the three Security Policy rule Type classifications supported in PAN-OS 6.1?
A. Security, NAT, Policy-Based Forwarding

www.braindumps.com

30

Palo Alto Networks PCNSE6 Exam


B. Intrazone, Interzone, Global
C. Intrazone, Interzone, Universal
D. Application, User, Content
Answer: C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/framemaker/61/pan-os/NewFeaturesGuide.pdf page 18-19

QUESTION NO: 46
Which two steps are required to make Microsoft Active Directory users appear in the firewalls
traffic log? Choose 2 answers
A. Enable User-ID on the zone object for the source zone.
B. Enable User-ID on the zone object for the destination zone.
C. Configure a RADIUS server profile to point to a domain controller.
D. Run the User-ID Agent using an Active Directory account that has "domain administrator"
permissions.
E. Run the User-ID Agent using an Active Directory account that has "event log viewer"
permissions.
Answer: A,E
Explanation:

QUESTION NO: 47
It is discovered that WebandNetTrends Unlimiteds new web server software produces traffic that
the Palo Alto Networks firewall sees as "unknown-tcp" traffic.
Which two configurations would identify the application while preserving the ability of the firewall to
perform content and threat detection on the traffic? Choose 2 answers
A. A custom application, with a name properly describing the new web server s purpose
B. A custom application and an application override policy that assigns traffic going to and from
the web server to the custom application
C. An application override policy that assigns the new web server traffic to the built-in application
"web-browsing"
D. A custom application with content and threat detection enabled, which includes a signature,
identifying the new web server s traffic

www.braindumps.com

31

Palo Alto Networks PCNSE6 Exam


Answer: A,B
Explanation:

QUESTION NO: 48
The IT department has received complaints about VoIP call jitter when the sales staff is making or
receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the
rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a
user reports the jitter.
Which feature can be used to identify, in real-time, the applications taking up the most bandwidth?
A. Application Command Center (ACC)
B. QoS Statistics
C. QoS Log
D. Applications Report
Answer: A
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf

QUESTION NO: 49
A company has a web server behind their Palo Alto Networks firewall that they would like to make
accessible to the public. They have decided to configure a destination NAT Policy rule.
Given the following zone information:
-

DMZzone: DMZ-L3
Public zone: Untrust-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50

What should be configured as the destination zone on the Original Packet tab of the NAT Policy
rule?
A. DMZ-L3
B. Any
C. Untrust-L3
D. Trust-L3
www.braindumps.com

32

Palo Alto Networks PCNSE6 Exam


Answer: C
Explanation:

QUESTION NO: 50
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering
log?
A. Allow
B. Alert
C. Log
D. Default
Answer: B
Reference: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/urlfiltering/configure-url-filtering.html

QUESTION NO: 51
Where in the firewall GUI can an administrator see how many sessions of web-browsing traffic
have occurred in the last day?
A. Monitor->Session Browser
B. Monitor->App Scope->Summary
C. Objects->Applications->web-browsing
D. ACC->Application
Answer: D
Reference: http://www.newnet66.org/Support/Resources/Using-The-ACC.pdf

QUESTION NO: 52
The WildFire Cloud or WF-500 appliance provide information to which two Palo Alto Networks
security services? Choose 2 answers
A. Threat Prevention
www.braindumps.com

33

Palo Alto Networks PCNSE6 Exam


B. App-ID
C. URL Filtering
D. PAN-OS
E. GlobalProtect Data File
Answer: A,E
Reference: https://www.paloaltonetworks.com/products/technologies/wildfire.html

QUESTION NO: 53
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded
with tens of thousands of bogus UDP connections per second to a single destination IP address
and port.
Which option, when enabled with the correct threshold, would mitigate this attack without dropping
legitimate traffic to other hosts inside the network?
A. Zone Protection Policy with UDP Flood Protection
B. Classified DoS Protection Policy using destination IP only with a Protect action
C. QoS Policy to throttle traffic below maximum limit
D. Security Policy rule to deny traffic to the IP address and port that is under attack
Answer: B
Reference: https://live.paloaltonetworks.com/docs/DOC-1746

QUESTION NO: 54
Which three processor types are found on the data plane of a PA-5050? Choose 3 answers
A. Multi-Core Security Processor
B. Signature Match Processor
C. Network Processor
D. Protocol Decoder Processor
E. Management Processor
Answer: A,B,C
Reference: https://www.paloaltonetworks.com/content/dam/paloaltonetworkscom/en_US/assets/pdf/white-papers/single-pass-parallel-processing-architecture.pdf page 8

www.braindumps.com

34

Palo Alto Networks PCNSE6 Exam

QUESTION NO: 55
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto
Networks firewall.
Which method will show the global counters associated with the traffic after configuring the
appropriate packet filters?
A. From the CLI, issue the show counter interface command for the egress interface.
B. From the GUI, select "Show global counters" under the Monitor tab.
C. From the CLI, issue the show counter global filter packet-filter yes command.
D. From the CLI, issue the show counter interface command for the ingress interface.
Answer: C
Reference: https://live.paloaltonetworks.com/docs/DOC-7971

QUESTION NO: 56
In the following display, ethernetl/6 is configured with an interface management profile that allows
ping with no restriction on the source address:

Given the following security policy rule base:

What is the result of a ping sent from an address on the Trust-L3 zone to the IP address of
ethernet1/6?
A. The firewall will send an ICMP redirect message to the client.

www.braindumps.com

35

Palo Alto Networks PCNSE6 Exam


B. The client will receive an ICMP "destination unreachable" packet.
C. The interface will respond.
D. The traffic will be dropped by the firewall.
Answer: D
Explanation:

QUESTION NO: 57
A security architect has been asked to implement User-ID in a MacOS environment with no
enterprise email, using a Sun LDAP server for user authentication.
In this environment, which two User-ID methods are effective for mapping users to IP addresses?
Choose 2 answers
A. Terminal Server Agent
B. Mac OS Agent
C. Captive Portal
D. GlobalProtect
Answer: C,D
Explanation:

QUESTION NO: 58
Which feature can be configured with an IPv6 address?
A. Static Route
B. RIPv2
C. DHCP Server
D. BGP
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-5493

QUESTION NO: 59

www.braindumps.com

36

Palo Alto Networks PCNSE6 Exam


A company wants to run their pair of PA-200 firewalls in a High Availability Active/Passive
configuration and will be using HA-Lite.
Which capability can be used in this situation?
A. Configuration Sync
B. Link Aggregation
C. Session Sync
D. Jumbo Frames
Answer: A
Reference: https://live.paloaltonetworks.com/docs/DOC-3091

QUESTION NO: 60 HOTSPOT


A company has a Palo Alto Networks firewall with a single VSYS that has both locally defined
rules as well as shared and device-group rules pushed from Panorama.
In what order are the policies evaluated?

www.braindumps.com

37

Palo Alto Networks PCNSE6 Exam

Answer:
www.braindumps.com

38

Palo Alto Networks PCNSE6 Exam

Explanation:
1st: Shared Pre Rules
2nd: Device Group Pre Rules
www.braindumps.com

39

Palo Alto Networks PCNSE6 Exam


3rd: Firewall Local Rules
4th: Device Group Post Rules
5th Shared Post Rules
Reference: https://live.paloaltonetworks.com/docs/DOC-8842

www.braindumps.com

40

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version


ACE Exam

Question 1 of 50.
User-ID is enabled in the configuration of
A Security Policy.
A Zone.
An Interface.
A Security Profile.
Mark for follow up

Question 2 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved malware detection in WildFire.
Improved PAN-DB malware detection.
Improved DNS-based C&C signatures.
Improved BrightCloud malware detection.
Mark for follow up

Question 3 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire
Analysis verdict. Choose the three correct classifications as a result of this analysis and classification?
Grayware
Adware
Benign
Spyware
Malware detection
Safeware
Mark for follow up

Question 4 of 50.
In which of the following can User-ID be used to provide a match condition?
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles
Mark for follow up

Question 5 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?
Any
No-Decrypt
Decrypt
None
Mark for follow up

Question 6 of 50.
Which of the following CANNOT use the source user as a match criterion?
QoS
Secuirty Policies
Policy Based Forwarding
DoS Protection
Anti-virus Profile

Mark for follow up

Question 7 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
Applications and Threats
Applications
BrightCloud URL Filtering
Anti-virus
Mark for follow up

Question 8 of 50.
WildFire may be used for identifying which of the following types of traffic?
OSPF
RIPv2
DHCP
Malware
Mark for follow up

Question 9 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000
Mark for follow up

Question 10 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Service Groups
Zones
Address Objects
Vulnerability Profiles
Mark for follow up

Question 11 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be denied.
The BitTorrent traffic will be denied.
The SSH traffic will be allowed.
The BitTorrent traffic will be allowed.
Mark for follow up

Question 12 of 50.
Which of the following facts about dynamic updates is correct?
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.

Application and Anti-virus updates are released weekly. Threat and Threat and URL Filtering updates are released weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Mark for follow up

Question 13 of 50.
An interface in tap mode can transmit packets on the wire.
True
False
Mark for follow up

Question 14 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
The MGT interface address.
The default gateway of the firewall.
Any layer 3 interface address specified by the firewall administrator.
The local loopback address.
Mark for follow up

Question 15 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
This cannot be done. A single user can only use one authentication type.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.
Create multiple authentication profiles for the same user.
Create an Authentication Sequence, dictating the order of authentication profiles.
Mark for follow up

Question 16 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
10
500
1000
50
Mark for follow up

Question 17 of 50.
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Mark for follow up

Question 18 of 50.
True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud only.
True
False
Mark for follow up

Question 19 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal servers private IP address. Which IP address should the Security Policy use as
the "Destination IP" in order to allow traffic to the server?
The firewalls gateway IP
The servers private IP
The servers public IP
The firewalls MGT IP

Mark for follow up

Question 20 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Increased speed on downloads of file types that are explicitly enabled.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Password-protected access to specific file downloads for authorized users.
Mark for follow up

Question 21 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True
False
Mark for follow up

Question 22 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
To permit syslogging of User Identification events.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
To pull information from other network resources for User-ID.
Mark for follow up

Question 23 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes
No
Mark for follow up

Question 24 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?
A task bar pop-up message will be presented to enable Safe Search.
The user will be redirected to a different search site that is specified by the firewall administrator.
A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
Mark for follow up

Question 25 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No
Mark for follow up

Question 26 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as
Once a day
Once an hour
Once every 15 minutes
Once a week
Mark for follow up

Question 27 of 50.
Enabling "Highlight Unused Rules" in the Security Policy window will:
Display rules that caused a validation error to occur at the time a Commit was performed.
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Highlight all rules that did not match traffic within an administrator-specified time period.

Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.

Mark for follow up

Question 28 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?
Under Packet Forwarding, selecting the VR Sync checkbox.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Mark for follow up

Question 29 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True
False
Mark for follow up

Question 30 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Mark for follow up

Question 31 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?
Source Zone
URL Category
Source User
Service
Application
Mark for follow up

Question 32 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Mark for follow up

Question 33 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most
likely reason for the lack of response?
There is no Management Profile.
The interface is down.
There is a Security Policy that prevents ping.
There is no route back to the machine originating the ping.
Mark for follow up

Question 34 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A Client Decryption license
A free PAN-PA-Decrypt license
A subscription-based SSL Port license
A subscription-based PAN-PA-Decrypt license
Mark for follow up

Question 35 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Initiating side, System log
Responding side, System Log
Responding side, Traffic log
Initiating side, Traffic log
Mark for follow up

Question 36 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
A custom Administrator Profile.
An Authentication Sequence.
An Authentication Profile.
Multiple RADIUS servers sharing a VSA configuration.
Mark for follow up

Question 37 of 50.
After the installation of the Threat Prevention license, the firewall must be rebooted.
True
False
Mark for follow up

Question 38 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations >
Configuration Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Mark for follow up

Question 39 of 50.
Which of the following must be enabled in order for User-ID to function?
Security Policies must have the User-ID option enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.
Captive Portal Policies must be enabled.
Mark for follow up

Question 40 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Mark for follow up

Question 41 of 50.

The screenshot above shows part of a firewalls configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this
firewalls configuration? (Select all correct answers.)
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)
There must be a security policy rule from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a security policy rule from Internet zone to trust zone that allows ping.
Mark for follow up

Question 42 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
Any administrator
The administrator who set it
Superusers
Device administrators
Mark for follow up

Question 43 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?
PE and Java Applet (jar and class) only
PE files only
PDF files only
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
Mark for follow up

Question 44 of 50.
Which statement about config locks is True?
A config lock will expire after 24 hours, unless it was set by a superuser.
A config lock can be removed only by the administrator who set it.
A config lock can be removed only by a superuser.
A config lock can only be removed by the administrator who set it or by a superuser.
Mark for follow up

Question 45 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
Domain Controller
SSL Certificates
RIPv2
Network Access Control (NAC) device
Mark for follow up

Question 46 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Anti-virus
Mark for follow up

Question 47 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True
False
Mark for follow up

Question 48 of 50.
An interface in Virtual Wire mode must be assigned an IP address.
True
False
Mark for follow up

Question 49 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Always 10 megabytes.
Always 2 megabytes.
Configurable up to 2 megabytes.
Configurable up to 10 megabytes.
Mark for follow up

Question 50 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of
the following conditions most likely explains this behavior?
The interface is not assigned an IP address.
The interface is not up.
The interface is not assigned a virtual router.
There is no zone assigned to the interface.
Mark for follow up

Save / Return Later

Summary

4/7/2015

Empowering People: paloaltonetworks

TestAccreditedConfigurationEngineer(ACE)ExamPANOS6.1Version
ACEExam

Question1of50.
Thefollowingcanbeconfiguredasanexthopinastaticroute:

APolicyBasedForwardingRule
VirtualSystems
VirtualRouter
VirtualSwitch

Markforfollowup

Question2of50.
AsaPaloAltoNetworksfirewalladministrator,youhavemadeunwantedchangestotheCandidateconfiguration.ThesechangesmaybeundonebyDevice>Setup>Operations>
ConfigurationManagement>....andthenwhatoperation?

ReverttoRunningConfiguration
ReverttolastSavedConfiguration
LoadConfigurationVersion
ImportNamedConfigurationSnapshot

Markforfollowup

Question3of50.
WhichstatementbelowisTrue?

PANOSusesBrightCloudforURLFiltering,replacingPANDB.
PANOSusesBrightCloudasitsdefaultURLFilteringdatabase,butalsosupportsPANDB.
PANOSusesPANDBasthedefaultURLFilteringdatabase,butalsosupportsBrightCloud.
PANOSusesPANDBforURLFiltering,replacingBrightCloud.

Markforfollowup

Question4of50.
WhenemployingtheBrightCloudURLfilteringdatabaseinaPaloAltoNetworksfirewall,theorderofevaluationwithinaprofileis:

Blocklist,CustomCategories,Predefinedcategories,DynamicURLfiltering,Allowlist,Cachefiles.
Blocklist,Allowlist,CustomCategories,Cachefiles,LocalURLDBfile.
Blocklist,CustomCategories,Cachefiles,Predefinedcategories,DynamicURLfiltering,Allowlist.
DynamicURLfiltering,Blocklist,Allowlist,Cachefiles,Customcategories,Predefinedcategories.

Markforfollowup

Question5of50.
WithIKEPhase1,eachdeviceisidentifiedtotheotherbyaPeerID.Inmostcases,thePeerIDisjustthepublicIPaddressofthedevice.InsituationswherethepublicIPaddressis
notstatic,thePeerIDcanbeatextvalue.
True
False

Markforfollowup

Question6of50.

Thescreenshotaboveshowspartofafirewallsconfiguration.Ifpingtrafficcantraversethisdevicefrome1/2toe1/1,whichofthefollowingstatementsmustbeTrueaboutthis
firewallsconfiguration?(Selectallcorrectanswers.)
TheremustbeasecuritypolicyfromInternetzonetotrustzonethatallowsping.
TheremustbeasecuritypolicyfromtrustzonetoInternetzonethatallowsping.
Theremustbeappropriateroutesinthedefaultvirtualrouter.
TheremustbeaManagementProfilethatallowsping.(ThenassignthatManagementProfiletoe1/1ande1/2.)

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

1/7

4/7/2015

Empowering People: paloaltonetworks

Markforfollowup

Question7of50.
Whichfeaturecanbeconfiguredtoblocksessionsthatthefirewallcannotdecrypt?

DecryptionProfileinSecurityPolicy
DecryptionProfileinDecryptionPolicy
DecryptionProfileinPBF
DecryptionProfileinSecurityProfile

Markforfollowup

Question8of50.
AlloftheinterfacesonaPaloAltoNetworksdevicemustbeofthesameinterfacetype.
True
False

Markforfollowup

Question9of50.
WhichofthefollowingwouldbeareasontousethePANOSXMLAPItocommunicatewithaPaloAltoNetworksfirewall?

TopermitsysloggingofUserIdentificationevents.
TopullinformationfromothernetworkresourcesforUserID.
ToallowthefirewalltopushUserIDinformationtoaNetworkAccessControl(NAC)device.

Markforfollowup

Question10of50.
WhichofthefollowingstatementsisNOTTrueaboutPaloAltoNetworksfirewalls?

InitialconfigurationmaybeaccomplishedthrutheMGTinterfaceortheConsoleport.
ThedefaultAdminaccountmaybedisabledordeleted.
BydefaulttheMGTPort'sIPAddressis192.168.1.1/24.
SystemdefaultsmayberestoredbyperformingafactoryresetinMaintenanceMode.

Markforfollowup

Question11of50.
AftertheinstallationofanewversionofPANOS,thefirewallmustberebooted.
True
False

Markforfollowup

Question12of50.
WhichoftheDynamicUpdateslistedbelowareissuedonadailybasis?(Selectallcorrectanswers.)
BrightCloudURLFiltering
ApplicationsandThreats
Applications
Antivirus

Markforfollowup

Question13of50.
ColorcodedtagscanbeusedonalloftheitemslistedbelowEXCEPT:

AddressObjects
ServiceGroups
Zones
VulnerabilityProfiles

Markforfollowup

Question14of50.
InaPaloAltoNetworksfirewall,everyinterfaceinusemustbeassignedtoazoneinordertoprocesstraffic.
True
False

Markforfollowup

Question15of50.
YoucanassignanIPaddresstoaninterfaceinVirtualWiremode.
True
False

Markforfollowup

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

2/7

4/7/2015

Empowering People: paloaltonetworks

Question16of50.
InordertoroutetrafficbetweenLayer3interfacesonthePaloAltoNetworksfirewall,youneeda:

VirtualRouter
VLAN
VirtualWire
SecurityProfile

Markforfollowup

Question17of50.
Aninterfaceintapmodecantransmitpacketsonthewire.
True
False

Markforfollowup

Question18of50.
WhenDestinationNetworkAddressTranslationisbeingperformed,thedestinationinthecorrespondingSecurityPolicyRuleshoulduse:

ThePostNATdestinationzoneandPostNATIPaddress.
ThePreNATdestinationzoneandPreNATIPaddress.
ThePreNATdestinationzoneandPostNATIPaddress.
ThePostNATdestinationzoneandPreNATIPaddress.

Markforfollowup

Question19of50.

Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion.Whichapplicationswillbeallowedontheirstandardports?(Selectallcorrect
answers.)
BitTorrent
Gnutella
Skype
SSH

Markforfollowup

Question20of50.
WhenconfiguringaSecurityPolicyRulebasedonFQDNAddressObjects,whichofthefollowingstatementsisTrue?

InordertocreateFQDNbasedobjects,youneedtomanuallydefinealistofassociatedIPaddresses.
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagaineachtimeSecurityProfilesareevaluated.
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagainatDNSTTLexpiration.

Markforfollowup

Question21of50.
Usersmaybeauthenticatedsequentiallytomultipleauthenticationserversbyconfiguring:

AnAuthenticationSequence.
MultipleRADIUSserverssharingaVSAconfiguration.
AcustomAdministratorProfile.
AnAuthenticationProfile.

Markforfollowup

Question22of50.
WillanexportedconfigurationcontainManagementInterfacesettings?
Yes
No

Markforfollowup

Question23of50.
WhenusingConfigAudit,thecoloryellowindicateswhichofthefollowing?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

3/7

4/7/2015

Empowering People: paloaltonetworks

Asettinghasbeenchangedbetweenthetwoconfigfiles
Asettinghasbeendeletedfromaconfigfile.
Asettinghasbeenaddedtoaconfigfile
Aninvalidvaluehasbeenusedinaconfigfile.

Markforfollowup

Question24of50.
Whenusingremoteauthenticationforusers(LDAP,RADIUS,ActiveDirectory,etc.),whatmustbedonetoallowausertoauthenticatethroughmultiplemethods?

CreateanAuthenticationSequence,dictatingtheorderofauthenticationprofiles.
Createmultipleauthenticationprofilesforthesameuser.
Thiscannotbedone.Asingleusercanonlyuseoneauthenticationtype.
Thiscannotbedone.Althoughmultipleauthenticationmethodsexist,afirewallmustchooseasingle,globalauthenticationtypeandallusersmustusethismethod.

Markforfollowup

Question25of50.
WhentroubleshootingPhase1ofanIPsecVPNtunnel,whichlocationandlogwillbemostinformative?

Respondingside,SystemLog
Initiatingside,Trafficlog
Initiatingside,Systemlog
Respondingside,Trafficlog

Markforfollowup

Question26of50.
UserIDisenabledintheconfigurationof

AZone.
ASecurityProfile.
AnInterface.
ASecurityPolicy.

Markforfollowup

Question27of50.
WhatwilltheuserexperiencewhenattemptingtoaccessablockedhackingwebsitethroughatranslationservicesuchasGoogleTranslateorBingTranslator?

ABlockedpageresponsewhentheURLfilteringpolicytoblockisenforced.
ASuccesspageresponsewhenthesiteissuccessfullytranslated.
Thebrowserwillberedirectedtotheoriginalwebsiteaddress.
An"HTTPError503Serviceunavailable"message.

Markforfollowup

Question28of50.
WhenyouhavecreatedaSecurityPolicyRulethatallowsFacebook,whatmustyoudotoblockallotherwebbrowsingtraffic?

Nothing.YoucandependonPANOStoblockthewebbrowsingtrafficthatisnotneededforFacebookuse.
EnsurethattheServicecolumnisdefinedas"applicationdefault"forthisSecuritypolicy.Doingthiswillautomaticallyincludetheimplicitwebbrowsingapplicationdependency.
Createanadditionalrulethatblocksallothertraffic.
Whencreatingthepolicy,ensurethatwebbrowsingisincludedinthesamerule.

Markforfollowup

Question29of50.
BothSSLdecryptionandSSHdecryptionaredisabledbydefault.
True
False

Markforfollowup

Question30of50.
A"Continue"actioncanbeconfiguredonwhichofthefollowingSecurityProfiles?

URLFilteringandFileBlocking
URLFilteringonly
URLFiltering,FileBlocking,andDataFiltering
URLFilteringandAntivirus

Markforfollowup

Question31of50.
WhichofthefollowinginterfacetypescanhaveanIPaddressassignedtoit?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

4/7

4/7/2015

Empowering People: paloaltonetworks

Layer3
Layer2
Tap
VirtualWire

Markforfollowup

Question32of50.
Whatarethebenefitsgainedwhenthe"EnablePassiveDNSMonitoring"checkboxischosenonthefirewall?(Selectallcorrectanswers.)
ImprovedDNSbasedC&Csignatures.
ImprovedPANDBmalwaredetection.
ImprovedBrightCloudmalwaredetection.
ImprovedmalwaredetectioninWildFire.

Markforfollowup

Question33of50.
Securitypoliciesspecifyasourceinterfaceandadestinationinterface.
True
False

Markforfollowup

Question34of50.

Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion.AnadministratorisusingSSHonport3333andBitTorrentonport7777.Which
statementsareTrue?
TheSSHtrafficwillbedenied.
TheBitTorrenttrafficwillbeallowed.
TheSSHtrafficwillbeallowed.
TheBitTorrenttrafficwillbedenied.

Markforfollowup

Question35of50.
WhichofthefollowingmostaccuratelydescribesDynamicIPinaSourceNATconfiguration?

AsingleIPaddressisused,andthesourceportnumberisunchanged.
ThenextavailableIPaddressintheconfiguredpoolisused,butthesourceportnumberisunchanged.
AsingleIPaddressisused,andthesourceportnumberischanged.
Thenextavailableaddressintheconfiguredpoolisused,andthesourceportnumberischanged.

Markforfollowup

Question36of50.
WhataretwosourcesofinformationfordeterminingwhetherthefirewallhasbeensuccessfulincommunicatingwithanexternalUserIDAgent?

SystemLogsandAuthenticationLogs.
SystemLogsandtheindicatorlightundertheUserIDAgentsettingsinthefirewall.
SystemLogsandanindicatorlightonthechassis.
TrafficLogsandAuthenticationLogs.

Markforfollowup

Question37of50.
WhichpredefinedAdminRolehasallrightsexcepttherightstocreateadministrativeaccountsandvirtualsystems?

Superuser
DeviceAdministrator
Acustomadminrolemustbecreatedforthisspecificcombinationofrights.
vsysadmin

Markforfollowup

Question38of50.
AnenterprisePKIsystemisrequiredtodeploySSLForwardProxydecryptioncapabilities.

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

5/7

4/7/2015

Empowering People: paloaltonetworks

True
False

Markforfollowup

Question39of50.

Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion:Aspanportoraswitchisconnectedtoe1/4,buttherearenotrafficlogs.Whichof
thefollowingconditionsmostlikelyexplainsthisbehavior?

Theinterfaceisnotup.
Thereisnozoneassignedtotheinterface.
TheinterfaceisnotassignedanIPaddress.
Theinterfaceisnotassignedavirtualrouter.

Markforfollowup

Question40of50.
WhichtypeoflicenseisrequiredtoperformDecryptionPortMirroring?

AsubscriptionbasedSSLPortlicense
AfreePANPADecryptlicense
AClientDecryptionlicense
AsubscriptionbasedPANPADecryptlicense

Markforfollowup

Question41of50.
Canmultipleadministratoraccountsbeconfiguredonasinglefirewall?
Yes
No

Markforfollowup

Question42of50.
WhichofthefollowingCANNOTusethesourceuserasamatchcriterion?

DoSProtection
SecuirtyPolicies
AntivirusProfile
PolicyBasedForwarding
QoS

Markforfollowup

Question43of50.
WhichofthefollowingmustbeenabledinorderforUserIDtofunction?

CaptivePortalPoliciesmustbeenabled.
UserIDmustbeenabledforthesourcezoneofthetrafficthatistobeidentified.
CaptivePortalmustbeenabled.
SecurityPoliciesmusthavetheUserIDoptionenabled.

Markforfollowup

Question44of50.
InaDestinationNATconfiguration,theTranslatedAddressfieldmaybepopulatedwitheitheranIPaddressoranAddressObject.
True
False

Markforfollowup

Question45of50.
WhenconfiguringthefirewallforUserID,whatisthemaximumnumberofDomainControllersthatcanbeconfigured?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

6/7

4/7/2015

Empowering People: paloaltonetworks

50
100
10
150

Markforfollowup

Question46of50.
BesidesselectingtheHeartbeatBackupoptionwhencreatinganActivePassiveHAPair,whichofthefollowingalsoprevents"SplitBrain"?

CreatingacustominterfaceunderServiceRouteConfiguration,andassigningthisinterfaceasthebackupHA2link.
ConfiguringanindependentbackupHA1link.
ConfiguringabackupHA2linkthatpointstotheMGTinterfaceoftheotherdeviceinthepair.
UnderPacketForwarding,selectingtheVRSynccheckbox.

Markforfollowup

Question47of50.
PaloAltoNetworksfirewallssupporttheuseofbothDynamic(builtinuserroles)andRoleBased(customizeduserroles)forAdministratorAccounts.
True
False

Markforfollowup

Question48of50.
WhenconfiguringaDecryptionPolicyrule,whichoptionallowsafirewalladministratortocontrolSSHv2tunnelinginpoliciesbyspecifyingtheSSHtunnelAppID?

SSHProxy
SSLForwardProxy
SSLInboundInspection
SSLReverseProxy

Markforfollowup

Question49of50.
InwhichofthefollowingcanUserIDbeusedtoprovideamatchcondition?(Selectallcorrectanswers.)

SecurityPolicies
NATPolicies
ZoneProtectionPolicies
ThreatProfiles

Markforfollowup

Question50of50.
InPANOS6.0,rulenumbersare:

Numbersthatspecifytheorderinwhichsecuritypoliciesareevaluated.
Numberscreatedtobeuniqueidentifiersineachfirewallspolicydatabase.
Numbersonascaleof0to99thatspecifyprioritieswhentwoormorerulesareinconflict.
Numberscreatedtomakeiteasierforuserstodiscussacomplicatedordifficultsequenceofrules.

Markforfollowup

Save/ReturnLater

Summary

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

7/7

1Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto
Networks firewall?
To pull info from other NW resources for USER-ID

2After the installation of a new version of PAN-OS, the firewall must be rebooted.
True

3The "Disable Server Response Inspection" option on a Security Profile


Internal Trusted Server

4Which pre-defined Admin Role has all rights except the rights to create administrative accounts and
virtual systems?
Device Admin

5Which of the following statements is NOT True about Palo Alto Networks firewalls?
The Admin account may be disabled

6In Palo Alto Networks terms, an application is:


A specific program detected within an identified stream that can be detected, monitored and/or blocked

7Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based
(customized user roles) for Administrator Accounts.
True

8When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of
evaluation within a profile is:
Block list, Allow list, Custom Cat, Cache files, Loc URL DB

9When configuring Admin Roles for Web UI access, what are the available access levels?
Enable, RO & Disable

10What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
First match applied

11Which of the following is NOT a valid option for built-in CLI Admin roles?
Read/Write

12Can multiple administrator accounts be configured on a single firewall?


Yes

13Which of the following CANNOT use the source user as a match criterion?
AV profile

14When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can
be configured?
100

15After the installation of the Threat Prevention license, the firewall must be rebooted.
False

16In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
Sec Policies

17What is the function of the GlobalProtect Portal?


To maintain list of Glob Prot GWs & specify HIP data that the agent should report

18When configuring User-ID on a Palo Alto Networks firewall, what is the proper procedure to limit User
mappings to a particular DHCP scope?
In the Zone in which UID is enabled, create a UID ACL Include list using same IP ranges as allocated in
DHCP scope

19A "Continue" action can be configured on which of the following Security Profiles?
URL filtering & File Blocking

20What will the user experience when attempting to access a blocked hacking website through a
translation service such as Google Translate or Bing Translator?
A Blocked page response when the URL filt policy to block is enf

21Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal
servers private IP address. Which IP address should the Security Policy use as the "Destination IP" in
order to allow traffic to the server?
The Server's Pub IP

22Which of the following facts about dynamic updates is correct?


AV daily. App & Threat updates weekly

23What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off
communication?
Local Loop add

24When you have created a Security Policy Rule that allows Facebook, what must you do to block all other
web-browsing traffic?
Nothing

25Which of the following are necessary components of a GlobalProtect solution?


GP GW , GP Agent, GP Portal

26-

Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
SSH & BitTorrent

27Which of the following platforms supports the Decryption Port Mirror function?
PA-3000

28When Destination Network Address Translation is being performed, the destination in the corresponding
Security Policy Rule should use:
Post-NAT Dest zone & Post-NAT IP
29In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding
Rule? (Choose 3.)
Source User, Source Zone, App
30Which type of license is required to perform Decryption Port Mirroring?
Free PAN-PA decrypt
31An interface in tap mode can transmit packets on the wire.
False
32Which of the following interface types can have an IP address assigned to it? (Select all correct answers.)
L3
33Which statement about config locks is True?
Admin who set it OR SuperUser
34Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv2
35Which link is used by an Active/Passive cluster to synchronize session information?
Data Link
36Which of the following must be enabled in order for User-ID to function?
UID must be enabled for Src zone of the traffic that is to be identified
37Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
Next available IP in the configured pool is used but Src port unchanged

38A Config Lock may be removed by which of the following users? (Select all correct answers.)
The Admin who set it & SuperUser
39Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security
Policies. (Choose all rules that are correct.)
Intra-zone allowed
Inter-zone denied
40Enabling "Highlight Unused Rules" in the Security Policy window will:
High all rules that have not matched traffic since Rule was created or last Reboot of FW
41Which statement below is True?
PAN-OS uses PAN-DB as Def URL filt DB but supports BrightCloud
42Both SSL decryption and SSH decryption are disabled by default.
True
43When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements
is True?
The FW resolves FQDN when the policy is committed & resolves the FQDN again each time again at DNS TTL
expiration
44In a Destination NAT configuration, the Translated Address field may be populated with either an IP address
or an Address Object.
True
45Security policies specify a source interface and a destination interface.
False
46When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the
rule? (Choose 3 answers.)
Source User
Source Zone
URL cat

47When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Responding side System log
48What is the result of an Administrator submitting a WildFire reports verdict back to Palo Alto Networks as
Incorrect?
The sig will be updated for False + & F- files in next AV sig update
49An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
False
50Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted
WildFire virtualized sandbox?
PE files only
51Which of the following statements is NOT True about Palo Alto Networks firewalls?
The Admin account may be disabled
52In PAN-OS 6.0, rule numbers are:
Numbers that specify the order in which sec pol are evaluated
53In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True
54Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To
enable this feature within the GUI go to
Nw-NW prof-Zone protection
55Using the API in PAN-OS 6.0, WildFire subscribers can upload up to how many samples per day?
100
56All of the interfaces on a Palo Alto Networks device must be of the same interface type.
False

57The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Protection against unwanted dnlds by showing user response pg indic file is dnlding
58Color-coded tags can be used on all of the items listed below EXCEPT:
Vulnerability profs
59Will an exported configuration contain Management Interface settings?
Yes
60-

Taking into account only the information in the screenshot above, answer the following question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
SSH denied
BitTorrent allowed

61When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between 2 config files

62-

As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of
network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID
mapping while requiring the least effort to configure?
Exchange CAS sec logs

63The following can be configured as a next hop in a static route:

Virtual Router

64Which of the following options may be enabled to reduce heavy server load conditions when using ContentID?
DSRI
65What are two sources of information for determining whether the firewall has been successful in
communicating with an external User-ID Agent?
Sys Logs & Indicator light under UID agent settings in the FW
66As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not
knowing they are attempting to access a blocked web-based application, users call the Help Desk to
complain about network connectivity issues. What is the cause of the increased number of help desk calls?
The FW admin didnt create custom response pg to notify potential users that their attempt to access the
Web based app is blocked due to policy
67After the installation of a new Application and Threat database, the firewall must be rebooted.
False
68-

Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
SSH & BitTorrent

69An interface in Virtual Wire mode must be assigned an IP address.

False

70What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Configurable upto 10 MB
71Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryp Prof in Decryp Pol
72Which of the following search engines are supported by the "Safe Search Enforcement" option? (Select all
correct answers.)
Yahoo Google Bing
73Which of the following statements is NOT True regarding a Decryption Mirror interface?
Can be a member of any Vsys
74Which mode will allow a user to choose when they wish to connect to the Global Protect Network?
On demand mode
75-

Which of the following describes the sequence of the GlobalProtect Agent connecting to a GlobalProtect
Gateway?
Fastest SSL response time

76Which of the following are methods that HA clusters use to identify network outages?

Path & Link monitoring

77Which of the following is True of an application filter?


An application filter automatically includes a new application when one of the new applications characteristics are
included in the filter.

78When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2
tunneling in policies by specifying the SSH-tunnel App-ID?
SSH proxy

79In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router

80What will be the user experience when the safe search option is NOT enabled for Google search but the
firewall has "Safe Search Enforcement" Enabled?

A block page will be presented with instructions on how to set strict Safe Search for Google.

81User-ID is enabled in the configuration of


A Zone

1/20/2015

EmpoweringPeople:paloaltonetworks

TestAccreditedConfigurationEngineer(ACE)ExamPANOS6.0Version
ACEExam

Question1of50.
WhichofthefollowingstatementsisNOTTrueregardingaDecryptionMirrorinterface?

SupportsSSLoutbound
SupportsSSLinbound
CanbeamemberofanyVSYS
Requiressuperuserprivilege

Markforfollowup

Question2of50.
HowdoyoureducetheamountofinformationrecordedintheURLContentFilteringLogs?

Enable"Logcontainerpageonly".
DisableURLpacketcaptures.
EnableURLlogcaching.
EnableDSRI.

Markforfollowup

Question3of50.
WhichroutingprotocolissupportedonthePaloAltoNetworksplatform?

BGP
RIPv1
ISIS
RSTP

Markforfollowup

Question4of50.
Whenusingremoteauthenticationforusers(LDAP,RADIUS,ActiveDirectory,etc.),whatmustbedonetoallowauser
toauthenticatethroughmultiplemethods?

Createmultipleauthenticationprofilesforthesameuser.
Thiscannotbedone.Asingleusercanonlyuseoneauthenticationtype.
CreateanAuthenticationSequence,dictatingtheorderofauthenticationprofiles.
Thiscannotbedone.Althoughmultipleauthenticationmethodsexist,afirewallmustchooseasingle,global
authenticationtypeandallusersmustusethismethod.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

1/12

1/20/2015

EmpoweringPeople:paloaltonetworks

Markforfollowup

Question5of50.
InaDestinationNATconfiguration,theTranslatedAddressfieldmaybepopulatedwitheitheranIPaddressoran
AddressObject.
True
False

Markforfollowup

Question6of50.
WhichofthefollowingCANNOTusethesourceuserasamatchcriterion?

DoSProtection
SecuirtyPolicies
QoS
AntivirusProfile
PolicyBasedForwarding

Markforfollowup

Question7of50.
AConfigLockmayberemovedbywhichofthefollowingusers?(Selectallcorrectanswers.)
Deviceadministrators
Anyadministrator
Theadministratorwhosetit
Superusers

Markforfollowup

Question8of50.

Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion.Anadministratoris
usingSSHonport3333andBitTorrentonport7777.WhichstatementsareTrue?
TheBitTorrenttrafficwillbedenied.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

2/12

1/20/2015

EmpoweringPeople:paloaltonetworks

TheSSHtrafficwillbeallowed.
TheBitTorrenttrafficwillbeallowed.
TheSSHtrafficwillbedenied.

Markforfollowup

Question9of50.
WithIKEPhase1,eachdeviceisidentifiedtotheotherbyaPeerID.Inmostcases,thePeerIDisjustthepublicIP
addressofthedevice.InsituationswherethepublicIPaddressisnotstatic,thePeerIDcanbeatextvalue.
True
False

Markforfollowup

Question10of50.
WhatSecurityProfiletypemustbeconfiguredtosendfilestotheWildFirecloud,andwithwhatchoicesfortheaction
setting?

ADataFilteringprofilewithpossibleactionsofForwardorContinueandForward.
AVulnerabilityProtectionprofilewiththepossibleactionofForward.
AFileBlockingprofilewithpossibleactionsofForwardorContinueandForward.
AURLFilteringprofilewiththepossibleactionofForward.

Markforfollowup

Question11of50.
BothSSLdecryptionandSSHdecryptionaredisabledbydefault.
True
False

Markforfollowup

Question12of50.
WhichofthefollowingwouldbeareasontousethePANOSXMLAPItocommunicatewithaPaloAltoNetworks
firewall?

TopermitsysloggingofUserIdentificationevents.
TopullinformationfromothernetworkresourcesforUserID.
ToallowthefirewalltopushUserIDinformationtoaNetworkAccessControl(NAC)device.

Markforfollowup

Question13of50.
WithoutaWildFiresubscription,whichofthefollowingfilescanbesubmittedbytheFirewalltothehostedWildFire
virtualizedsandbox?

MSOfficedoc/docx,xls/xlsx,andppt/pptxfilesonly
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

3/12

1/20/2015

EmpoweringPeople:paloaltonetworks

PEandJavaApplet(jarandclass)only
PEfilesonly
PDFfilesonly

Markforfollowup

Question14of50.
WhatisthefunctionoftheGlobalProtectPortal?

TomaintainthelistofGlobalProtectGatewaysandspecifyHIPdatathattheagentshouldreport.
ToloadbalanceGlobalProtectclientconnectionstoGlobalProtectGateways.
TomaintainthelistofremoteGlobalProtectPortalsandthelistofcategoriesforcheckingtheclientmachine.
ToprovideredundancyfortunneledconnectionsthroughtheGlobalProtectGateways.

Markforfollowup

Question15of50.
WhichofthefollowinginterfacetypescanhaveanIPaddressassignedtoit?(Selectallcorrectanswers.)

Layer3
Layer2
Tap
VirtualWire

Markforfollowup

Question16of50.
WhichofthefollowingmostaccuratelydescribesDynamicIPinaSourceNATconfiguration?

Thenextavailableaddressintheconfiguredpoolisused,andthesourceportnumberischanged.
AsingleIPaddressisused,andthesourceportnumberisunchanged.
AsingleIPaddressisused,andthesourceportnumberischanged.
ThenextavailableIPaddressintheconfiguredpoolisused,butthesourceportnumberisunchanged.

Markforfollowup

Question17of50.
WildFiremaybeusedforidentifyingwhichofthefollowingtypesoftraffic?

RIPv2
DHCP
OSPF
Malware

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

4/12

1/20/2015

EmpoweringPeople:paloaltonetworks

Markforfollowup

Question18of50.
WhichlinkisusedbyanActive/Passiveclustertosynchronizesessioninformation?

TheUplink
TheControlLink
TheManagementLink
TheDataLink

Markforfollowup

Question19of50.
Usersmaybeauthenticatedsequentiallytomultipleauthenticationserversbyconfiguring:

MultipleRADIUSserverssharingaVSAconfiguration.
AcustomAdministratorProfile.
AnAuthenticationSequence.
AnAuthenticationProfile.

Markforfollowup

Question20of50.
WhichstatementaboutconfiglocksisTrue?

Aconfiglockcanberemovedonlybyasuperuser.
Aconfiglockwillexpireafter24hours,unlessitwassetbyasuperuser.
Aconfiglockcanonlyberemovedbytheadministratorwhosetitorbyasuperuser.
Aconfiglockcanberemovedonlybytheadministratorwhosetit.

Markforfollowup

Question21of50.
Whichfeaturecanbeconfiguredtoblocksessionsthatthefirewallcannotdecrypt?

DecryptionProfileinSecurityProfile
DecryptionProfileinPBF
DecryptionProfileinDecryptionPolicy
DecryptionProfileinSecurityPolicy

Markforfollowup

Question22of50.
AlloftheinterfacesonaPaloAltoNetworksdevicemustbeofthesameinterfacetype.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

5/12

1/20/2015

True

EmpoweringPeople:paloaltonetworks

False

Markforfollowup

Question23of50.
AsthePaloAltoNetworksAdministratoryouhaveenabledApplicationBlockpages.Afterwards,notknowingtheyare
attemptingtoaccessablockedwebbasedapplication,userscalltheHelpDesktocomplainaboutnetworkconnectivity
issues.Whatisthecauseoftheincreasednumberofhelpdeskcalls?

SomeAppID'saresetwithaSessionTimeoutvaluethatistoolow.
ApplicationBlockPageswillonlybedisplayedwhenCaptivePortalisconfigured.
Thefirewalladmindidnotcreateacustomresponsepagetonotifypotentialusersthattheirattempttoaccesstheweb
basedapplicationisbeingblockedduetopolicy.
TheFileBlockingBlockPagewasdisabled.

Markforfollowup

Question24of50.
WhenconfiguringaDecryptionPolicyrule,whichoptionallowsafirewalladministratortocontrolSSHv2tunnelingin
policiesbyspecifyingtheSSHtunnelAppID?

SSHProxy
SSLForwardProxy
SSLInboundInspection
SSLReverseProxy

Markforfollowup

Question25of50.
WhatisthedefaultDNSsinkholeaddressusedbythePaloAltoNetworksFirewalltocutoffcommunication?

Anylayer3interfaceaddressspecifiedbythefirewalladministrator.
TheMGTinterfaceaddress.
Thelocalloopbackaddress.
Thedefaultgatewayofthefirewall.

Markforfollowup

Question26of50.

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

6/12

1/20/2015

EmpoweringPeople:paloaltonetworks

Consideringtheinformationinthescreenshotabove,whatistheorderofevaluationforthisURLFilteringProfile?

BlockList,AllowList,URLCategories(BrightCloudorPANDB),CustomCategories.
AllowList,BlockList,CustomCategories,URLCategories(BrightCloudorPANDB).
BlockList,AllowList,CustomCategories,URLCategories(BrightCloudorPANDB).
URLCategories(BrightCloudorPANDB),CustomCategories,BlockList,AllowList.

Markforfollowup

Question27of50.
Securitypoliciesspecifyasourceinterfaceandadestinationinterface.
True
False

Markforfollowup

Question28of50.
Enabling"HighlightUnusedRules"intheSecurityPolicywindowwill:

Highlightallrulesthatdidnotmatchtrafficwithinanadministratorspecifiedtimeperiod.
Highlightallrulesthathavenotmatchedtrafficsincetherulewascreatedorsincethelastrebootofthefirewall.
DisplayrulesthatcausedavalidationerrortooccuratthetimeaCommitwasperformed.
Temporarilydisablerulesthathavenotmatchedtrafficsincetherulewascreatedorsincethelastrebootofthefirewall.

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

7/12

1/20/2015

EmpoweringPeople:paloaltonetworks

Markforfollowup

Question29of50.
WhentroubleshootingPhase1ofanIPsecVPNtunnel,whichlocationandlogwillbemostinformative?

Respondingside,Trafficlog
Respondingside,SystemLog
Initiatingside,Trafficlog
Initiatingside,Systemlog

Markforfollowup

Question30of50.
InPANOS6.0,rulenumbersare:

Numbersthatspecifytheorderinwhichsecuritypoliciesareevaluated.
Numberscreatedtobeuniqueidentifiersineachfirewallspolicydatabase.
Numbersonascaleof0to99thatspecifyprioritieswhentwoormorerulesareinconflict.
Numberscreatedtomakeiteasierforuserstodiscussacomplicatedordifficultsequenceofrules.

Markforfollowup

Question31of50.
WhenyouhavecreatedaSecurityPolicyRulethatallowsFacebook,whatmustyoudotoblockallotherwebbrowsing
traffic?

Whencreatingthepolicy,ensurethatwebbrowsingisincludedinthesamerule.
Nothing.YoucandependonPANOStoblockthewebbrowsingtrafficthatisnotneededforFacebookuse.
EnsurethattheServicecolumnisdefinedas"applicationdefault"forthisSecuritypolicy.Doingthiswillautomatically
includetheimplicitwebbrowsingapplicationdependency.
Createanadditionalrulethatblocksallothertraffic.

Markforfollowup

Question32of50.
WhenusingConfigAudit,thecoloryellowindicateswhichofthefollowing?

Asettinghasbeenchangedbetweenthetwoconfigfiles
Asettinghasbeendeletedfromaconfigfile.
Asettinghasbeenaddedtoaconfigfile
Aninvalidvaluehasbeenusedinaconfigfile.

Markforfollowup

Question33of50.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

8/12

1/20/2015

EmpoweringPeople:paloaltonetworks

WillanexportedconfigurationcontainManagementInterfacesettings?
Yes
No

Markforfollowup

Question34of50.
Aninterfaceintapmodecantransmitpacketsonthewire.
True
False

Markforfollowup

Question35of50.
WhichofthefollowingisaroutingprotocolsupportedinaPaloAltoNetworksfirewall?

EIGRP
RIPv2
IGRP
ISIS

Markforfollowup

Question36of50.
InPaloAltoNetworksterms,anapplicationis:

Aspecificprogramdetectedwithinanidentifiedstreamthatcanbedetected,monitored,and/orblocked.
Acombinationofportandprotocolthatcanbedetected,monitored,and/orblocked.
Afileinstalledonalocalmachinethatcanbedetected,monitored,and/orblocked.
WebbasedtrafficfromaspecificIPaddressthatcanbedetected,monitored,and/orblocked.

Markforfollowup

Question37of50.
ReconnaissanceProtectionisafeatureusedtoprotectthePaloAltoNetworksfirewallfromportscans.Toenablethis
featurewithintheGUIgoto

Network>NetworkProfiles>ZoneProtection
Objects>ZoneProtection
Interfaces>InterfaceNumber>ZoneProtection
Policies>Profile>ZoneProtection

Markforfollowup

Question38of50.
WhichofthefollowingisNOTavalidoptionforbuiltinCLIAdminroles?

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

9/12

1/20/2015

EmpoweringPeople:paloaltonetworks

deviceadmin
superuser
read/write
devicereader

Markforfollowup

Question39of50.
InwhichofthefollowingcanUserIDbeusedtoprovideamatchcondition?(Selectallcorrectanswers.)

SecurityPolicies
NATPolicies
ZoneProtectionPolicies
ThreatProfiles

Markforfollowup

Question40of50.
Ausercomplainsthatsheisnolongerabletoaccessaneededworkapplicationaftertheadministratorimplemented
vulnerabilityandantispywareprofiles.Howbestcantheadministratorresolvethisissuesotheuserwillonceagain
haveaccesstotheneededapplication?

InthevulnerabilityandantispywareProfiles,createanapplicationexemptionforthegroupsapplication.
ChecktheThreatLogandlocateaneventshowingtheusersapplicationbeingblocked.UsingthesourceIPaddress
displayedinthatevent,createanIPaddressbasedexemptionforthegroupthattheuserisamemberof.
CreateacustomSecurityPolicyforthisusersothatshewillbeabletoaccesstherequiredapplication.Besurenotto
applythevulnerabilityandantispywareprofilestothispolicy.
CreateandenableanApplicationOverridePolicy,specifyingtheportusedbythisapplication.

Markforfollowup

Question41of50.
AnenterprisePKIsystemisrequiredtodeploySSLForwardProxydecryptioncapabilities.
True
False

Markforfollowup

Question42of50.
UserIDisenabledintheconfigurationof

ASecurityPolicy.
AnInterface.
AZone.
ASecurityProfile.

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.a

10/12

1/20/2015

EmpoweringPeople:paloaltonetworks

Markforfollowup

Question43of50.
Whatarethebenefitsgainedwhenthe"EnablePassiveDNSMonitoring"checkboxischosenonthefirewall?(Selectall
correctanswers.)
ImprovedmalwaredetectioninWildFire.
ImprovedDNSbasedC&Csignatures.
ImprovedPANDBmalwaredetection.
ImprovedBrightCloudmalwaredetection.

Markforfollowup

Question44of50.
WhichofthefollowingplatformssupportstheDecryptionPortMirrorfunction?

PA3000
VMSeries100
PA2000
PA4000

Markforfollowup

Question45of50.
WhatistheresultofanAdministratorsubmittingaWildFirereportsverdictbacktoPaloAltoNetworksasIncorrect?

Youwillreceiveanupdatewithin15minutes.
ThesignaturewillbeupdatedforFalsepositiveandFalsenegativefilesinthenextAVsignatureupdate.
ThesignaturewillbeupdatedforFalsepositiveandFalsenegativefilesinthenextApplicationsignatureupdate.
Youwillreceiveanemailtodisablethesignaturemanually.

Markforfollowup

Question46of50.
Whichofthefollowingfactsaboutdynamicupdatesiscorrect?

ThreatandURLFilteringupdatesarereleaseddaily.ApplicationandAntivirusupdatesarereleasedweekly.
Antivirusupdatesarereleaseddaily.ApplicationandThreatupdatesarereleasedweekly.
ApplicationandAntivirusupdatesarereleasedweekly.ThreatandThreatandURLFilteringupdatesarereleased
weekly.
ApplicationandThreatupdatesarereleaseddaily.AntivirusandURLFilteringupdatesarereleasedweekly.

Markforfollowup

Question47of50.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.a

11/12

1/20/2015

EmpoweringPeople:paloaltonetworks

WhenconfiguringaSecurityPolicyRulebasedonFQDNAddressObjects,whichofthefollowingstatementsisTrue?

ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagainatDNSTTLexpiration.
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagaineachtimeSecurity
Profilesareevaluated.
InordertocreateFQDNbasedobjects,youneedtomanuallydefinealistofassociatedIPaddresses.

Markforfollowup

Question48of50.
WhatgeneralpracticebestdescribeshowPaloAltoNetworksfirewallpoliciesareappliedtoasession?

Therulewiththehighestrulenumberisapplied.
Firstmatchapplied.
Lastmatchapplied.
Mostspecificmatchapplied.

Markforfollowup

Question49of50.
WhichofthefollowingstatementsisNOTTrueaboutPaloAltoNetworksfirewalls?

SystemdefaultsmayberestoredbyperformingafactoryresetinMaintenanceMode.
TheAdminaccountmaybedisabled.
InitialconfigurationmaybeaccomplishedthrutheMGTinterfaceortheConsoleport.
TheAdminaccountmaynotbedisabled.

Markforfollowup

Question50of50.
WhenconfiguringUserIDonaPaloAltoNetworksfirewall,whatistheproperproceduretolimitUsermappingstoa
particularDHCPscope?

InthezoneinwhichUserIdentificationisenabled,selectthe"RestrictAllocatedIP"checkbox.
InthezoneinwhichUserIdentificationisenabled,createaUserIdentificationACLIncludeListusingthesameIP
rangesasthoseallocatedintheDHCPscope.
UndertheUserIdentificationsettings,undertheUserMappingtab,selectthe"RestrictUserstoAllocatedIP"checkbox.
IntheDHCPsettingsonthePaloAltoNetworksfirewall,pointtheDHCPRelaytotheIPaddressoftheUserIDagent.

Markforfollowup

Save/ReturnLater

Summary

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=7557e2531f91470fa91ca284f048d2c3&evalLvl=5&redirect_url=%2fphnx%2fdriver.a

12/12

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version


ACE Exam

Question 1 of 50.
Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv1
ISIS
RSTP

Mark for follow up

Question 2 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A free PAN-PA-Decrypt license
A Client Decryption license
A subscription-based PAN-PA-Decrypt license
A subscription-based SSL Port license

Mark for follow up

Question 3 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
RIPv2
ISIS
IGRP
EIGRP

Mark for follow up

Question 4 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Configurable up to 10 megabytes.
Always 10 megabytes.
Configurable up to 2 megabytes.
Always 2 megabytes.

Mark for follow up

Question 5 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire Analysis
verdict. Choose the three correct classifications as a result of this analysis and classification?
Benign
Adware
Spyware
Malware detection
Safeware
Grayware

Mark for follow up

Question 6 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?
No-Decrypt
Decrypt
Any
None

Mark for follow up

Question 7 of 50.
When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between the two config files

21/12/2015 11:39

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

A setting has been deleted from a config file.


A setting has been added to a config file
An invalid value has been used in a config file.

Mark for follow up

Question 8 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed

Mark for follow up

Question 9 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?
PE files only
PDF files only
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PE and Java Applet (jar and class) only

Mark for follow up

Question 10 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True

False

Mark for follow up

Question 11 of 50.
In PAN-OS 6.0 and later, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewalls policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.

Mark for follow up

Question 12 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
500
50
1000
10

Mark for follow up

Question 13 of 50.
Security policy rules specify a source interface and a destination interface.
True

False

Mark for follow up

Question 14 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Profile
Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Decryption Profile in PBF

Mark for follow up

Question 15 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes

No

21/12/2015 11:39

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 16 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS
SSH
Telnet
HTTP

Mark for follow up

Question 17 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True

False

Mark for follow up

Question 18 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
Create an additional rule that blocks all other traffic.
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
When creating the policy, ensure that web-browsing is included in the same rule.

Mark for follow up

Question 19 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent
SSH
Gnutella
Skype

Mark for follow up

Question 20 of 50.
An interface in Virtual Wire mode must be assigned an IP address.
True

False

Mark for follow up

Question 21 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal servers private IP address. Which IP address should the Security Policy use as the
"Destination IP" in order to allow traffic to the server?
The firewalls gateway IP
The servers public IP
The servers private IP
The firewalls MGT IP

Mark for follow up

Question 22 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?
System Logs and Authentication Logs.
System Logs and the indicator light under the User-ID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.

21/12/2015 11:39

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 23 of 50.
An interface in tap mode can transmit packets on the wire.
True

False

Mark for follow up

Question 24 of 50.
User-ID is enabled in the configuration of
A Security Policy.
A Zone.
An Interface.
A Security Profile.

Mark for follow up

Question 25 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Profile.
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.

Mark for follow up

Question 26 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
The next available address in the configured pool is used, and the source port number is changed.
The next available IP address in the configured pool is used, but the source port number is unchanged.
A single IP address is used, and the source port number is unchanged.
A single IP address is used, and the source port number is changed.

Mark for follow up

Question 27 of 50.
WildFire may be used for identifying which of the following types of traffic?
RIPv2
Malware
DHCP
OSPF

Mark for follow up

Question 28 of 50.
Enabling "Highlight Unused Rules" in the Security Policy window will:
Highlight all rules that did not match traffic within an administrator-specified time period.
Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Display rules that caused a validation error to occur at the time a Commit was performed.

Mark for follow up

Question 29 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.

Mark for follow up

Question 30 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy

21/12/2015 11:39

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

SSL Forward Proxy


SSL Inbound Inspection
SSL Reverse Proxy

Mark for follow up

Question 31 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.

Mark for follow up

Question 32 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
read/write
deviceadmin
devicereader
superuser

Mark for follow up

Question 33 of 50.
When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:
The Post-NAT destination zone and Pre-NAT IP addresses.
The Pre-NAT destination zone and Post-NAT IP addresses.
The Pre-NAT destination zone and Pre-NAT IP addresses.
The Post-NAT destination zone and Post-NAT IP addresses.

Mark for follow up

Question 34 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Anti-virus

Mark for follow up

Question 35 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
Enable, Read-Only, and Disable
None, Superuser, Device Administrator
Allow and Deny only
Enable and Disable only

Mark for follow up

Question 36 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
To permit syslogging of User Identification events.
To pull information from other network resources for User-ID.

Mark for follow up

Question 37 of 50.
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels?
Three
Six
Five
Four

21/12/2015 11:39

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 38 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Increased speed on downloads of file types that are explicitly enabled.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Password-protected access to specific file downloads for authorized users.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.

Mark for follow up

Question 39 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Source Zone
Destination Zone
Source User
Destination Application

Mark for follow up

Question 40 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True

False

Mark for follow up

Question 41 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True

False

Mark for follow up

Question 42 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely
reason for the lack of response?
There is no route back to the machine originating the ping.
The interface is down.
There is no Management Profile.
There is a Security Policy that prevents ping.

Mark for follow up

Question 43 of 50.
Which of the following is True of an application filter?
An application filter automatically adapts when an application moves from one IP address to another.
An application filter automatically includes a new application when one of the new applications characteristics are included in the filter.
An application filter specifies the users allowed to access an application.
An application filter is used by malware to evade detection by firewalls and anti-virus software.

Mark for follow up

Question 44 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True

False

21/12/2015 11:39

Realize Your Potential: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid...

Mark for follow up

Question 45 of 50.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?
App-ID Signatures
Correlation Objects
Command & Control Signatures
Correlation Events
Custom Signatures

Mark for follow up

Question 46 of 50.
Which statement below is True?
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.

Mark for follow up

Question 47 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
Network Access Control (NAC) device
Domain Controller
RIPv2
SSL Certificates

Mark for follow up

Question 48 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.

Mark for follow up

Question 49 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?
Application
Source User
URL Category
Source Zone
Service

Mark for follow up

Question 50 of 50.
What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?
A Blocked page response when the URL filtering policy to block is enforced.
A Success page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 - Service unavailable" message.

Mark for follow up

Save / Return Later

Summary

21/12/2015 11:39

You might also like