Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.

0 Version

ACE Exam

Question 1 of 50.

Which of the following interface types can have an IP address assigned to it?

Layer 3
Layer 2
Tap
Virtual
Wire

Mark for follow up

Question 2 of 50.

Which of the following must be enabled in order for User-ID to function?

Security Policies must have the User-ID option enabled.

Captive Portal must be enabled.
Captive Portal Policies must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be
identified.

Mark for follow up

Question 3 of 50.

Taking into account only the information in the screenshot above, answer the following
question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be allowed.
The SSH traffic will be denied.
The BitTorrent traffic will be denied.
The BitTorrent traffic will be allowed.

Mark for follow up

Question 4 of 50.

When employing the BrightCloud URL filtering database in a Palo Alto Networks
firewall, the order of evaluation within a profile is:

Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow
list, Cache files.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories,
Predefined categories.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL
filtering, Allow list.

Mark for follow up

Question 5 of 50.

An enterprise PKI system is required to deploy SSL Forward Proxy decryption

capabilities.
True False

Mark for follow up

Question 6 of 50.

Which of the following CANNOT use the source user as a match criterion?
 Secuirty Policies
QoS
Anti-virus Profile
DoS Protection
Policy Based
Forwarding

Mark for follow up

Question 7 of 50.

Which of the following is True of an application filter?

An application filter is used by malware to evade detection by firewalls and anti-virus

software.
An application filter automatically adapts when an application moves from one IP
address to another.
An application filter automatically includes a new application when one of the new
application’s characteristics are included in the filter.
An application filter specifies the users allowed to access an application.

Mark for follow up

Question 8 of 50.

Which type of license is required to perform Decryption Port Mirroring?

A subscription-based SSL Port license

A subscription-based PAN-PA-Decrypt
license
A free PAN-PA-Decrypt license
A Client Decryption license

Mark for follow up

Question 9 of 50.

Palo Alto Networks offers WildFire users three solution types. These solution types are the
WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution.
What is the main reason and purpose for the WildFire Hybrid solution?

The WildFire Hybrid solution is only offered to companies that have sensitive files to
protect and does not require a WildFire subscription.
The WildFire Hybrid solution enables outside companies to share the same WF-500
Appliance while at the same time allowing them to send only their private files to the
private WF-500.
The WildFire Hybrid solution enables companies to send to the WF-500 Private
Appliance keeping them internal to their network, as well providing the option to
send other, general files to the WildFire Public Cloud for analysis.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that
firewall appliances distributed throughout an enterprise's network receive WildFire
verdicts with minimal latency while retaining data privacy.

Mark for follow up

Question 10 of 50.

Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS
7.0 the firewall can now decode up to how many levels?

Five
Six
Four
Three

Mark for follow up

Question 11 of 50.

All of the interfaces on a Palo Alto Networks device must be of the same interface type.
 True False

Mark for follow up

Question 12 of 50.

PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security
profile type?

WildFire
Analysis
Threat Analysis
Malware Analysis
File Analysis

Mark for follow up

Question 13 of 50.

An interface in Virtual Wire mode must be assigned an IP address.

True False

Mark for follow up

Question 14 of 50.

Taking into account only the information in the screenshot above, answer the following
question. Which applications will be allowed on their standard ports? (Select all correct
answers.)
SSH
Gnutella
Skype
 BitTorrent

Mark for follow up

Question 15 of 50.

Which of the following services are enabled on the MGT interface by default? (Select all
correct answers.)
HTTPS
SSH
Telnet
HTTP

Mark for follow up

Question 16 of 50.

When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be
most informative?

Responding side, System

Log
Initiating side, Traffic log
Responding side, Traffic log
Initiating side, System log

Mark for follow up

Question 17 of 50.

WildFire may be used for identifying which of the following types of traffic?

Malware
 OSPF
RIPv2
DHCP

Mark for follow up

Question 18 of 50.

Which of the following statements is NOT True about Palo Alto Networks firewalls?

By default the MGT Port's IP Address is 192.168.1.1/24.

System defaults may be restored by performing a factory reset in Maintenance
Mode.
The default Admin account may be disabled or deleted.
Initial configuration may be accomplished thru the MGT interface or the Console
port.

Mark for follow up

Question 19 of 50.

A "Continue" action can be configured on which of the following Security Profiles?

URL Filtering and File Blocking

URL Filtering only
URL Filtering, File Blocking, and Data
Filtering
URL Filtering and Anti-virus

Mark for follow up

Question 20 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-
Based Forwarding Rule? (Choose 3.)
Source Zone
Destination Zone
Destination Application
Source User

Mark for follow up

Question 21 of 50.

Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct
answers.)
BrightCloud URL Filtering
Applications and Threats
Anti-virus
Applications

Mark for follow up

Question 22 of 50.

What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is
chosen on the firewall? (Select all correct answers.)
Improved DNS-based C&C signatures.
Improved BrightCloud malware detection.
Improved PAN-DB malware detection.
Improved malware detection in WildFire.

Mark for follow up

Question 23 of 50.
Which of the following are methods that HA clusters use to identify network outages?

VR and VSYS Monitors

Link and Session Monitors
Path and Link Monitoring
Heartbeat and Session
Monitors

Mark for follow up

Question 24 of 50.

In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall,
you need a:

Virtual Router
VLAN
Virtual Wire
Security
Profile

Mark for follow up

Question 25 of 50.

Which of the following most accurately describes Dynamic IP in a Source NAT

configuration?

The next available address in the configured pool is used, and the source port number
is changed.
The next available IP address in the configured pool is used, but the source port
number is unchanged.
A single IP address is used, and the source port number is changed.
A single IP address is used, and the source port number is unchanged.
 Mark for follow up

Question 26 of 50.

When configuring Admin Roles for Web UI access, what are the available access levels?

None, Superuser, Device

Administrator
Enable, Read-Only, and Disable
Allow and Deny only
Enable and Disable only

Mark for follow up

Question 27 of 50.

What will the user experience when attempting to access a blocked hacking website
through a translation service such as Google Translate or Bing Translator?

A “Blocked” page response when the URL filtering policy to block is

enforced.
A “Success” page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 - Service unavailable" message.

Mark for follow up

Question 28 of 50.

What general practice best describes how Palo Alto Networks firewall policies are applied
to a session?

Last match applied.

First match applied.
 The rule with the highest rule number is
applied.
Most specific match applied.

Mark for follow up

Question 29 of 50.

Which link is used by an Active/Passive cluster to synchronize session information?

The Uplink
The Data Link
The Management
Link
The Control Link

Mark for follow up

Question 30 of 50.

What will be the user experience when the safe search option is NOT enabled for Google
search but the firewall has "Safe Search Enforcement" Enabled?

A task bar pop-up message will be presented to enable Safe Search.

A block page will be presented with instructions on how to set the strict Safe Search
option for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
The user will be redirected to a different search site that is specified by the firewall
administrator.

Mark for follow up

Question 31 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples
per day?

50
1000

500
10

Mark for follow up

Question 32 of 50.

An interface in tap mode can transmit packets on the wire.

True False

Mark for follow up

Question 33 of 50.

After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False

Mark for follow up

Question 34 of 50.

Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and
Role-Based (customized user roles) for Administrator Accounts.
True False

Mark for follow up

Question 35 of 50.

After the installation of the Threat Prevention license, the firewall must be rebooted.
True False

Mark for follow up

Question 36 of 50.

Which pre-defined Admin Role has all rights except the rights to create administrative
accounts and virtual systems?

A custom admin role must be created for this specific combination of

rights.
vsysadmin
Superuser
Device Administrator

Mark for follow up

Question 37 of 50.

What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

Configurable up to 2 megabytes.
Always 2 megabytes.
Always 10 megabytes.
Configurable up to 10
megabytes.

Mark for follow up

Question 38 of 50.
How do you reduce the amount of information recorded in the URL Content Filtering
Logs?

Enable "Log container page

only".
Disable URL packet captures.
Enable URL log caching.
Enable DSRI.

Mark for follow up

Question 39 of 50.

As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web-based application,
users call the Help Desk to complain about network connectivity issues. What is the cause
of the increased number of help desk calls?

Some App-ID's are set with a Session Timeout value that is too low.
The File Blocking Block Page was disabled.
Application Block Pages will only be displayed when Captive Portal is configured.
The firewall admin did not create a custom response page to notify potential users
that their attempt to access the web-based application is being blocked due to
company policy.

Mark for follow up

Question 40 of 50.

When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will
send a TCP reset.
True False

Mark for follow up

Question 41 of 50.

Which statement below is True?

PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.

PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports
PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports
BrightCloud.

Mark for follow up

Question 42 of 50.

In PAN-OS 7.0 which of the available choices serves as an alert warning by defining
patterns of suspicious traffic and network anomalies that may indicate a host has been
compromised?

App-ID Signatures
Correlation Objects
Custom Signatures
Correlation Events
Command & Control
Signatures

Mark for follow up

Question 43 of 50.

Which of the following is a routing protocol supported in a Palo Alto Networks firewall?

IGRP
RIPv2
 EIGRP

ISIS

Mark for follow up

Question 44 of 50.

What are two sources of information for determining whether the firewall has been
successful in communicating with an external User-ID Agent?

System Logs and an indicator light on the chassis.

System Logs and the indicator light under the User-ID Agent settings in the
firewall.
Traffic Logs and Authentication Logs.
System Logs and Authentication Logs.

Mark for follow up

Question 45 of 50.

Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in Security Profile

Decryption Profile in Decryption
Policy
Decryption Profile in Security Policy
Decryption Profile in PBF

Mark for follow up

Question 46 of 50.

Both SSL decryption and SSH decryption are disabled by default.

True False
 Mark for follow up

Question 47 of 50.

When configuring a Decryption Policy rule, which option allows a firewall administrator
to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy
SSL Forward Proxy
SSL Inbound
Inspection
SSL Reverse Proxy

Mark for follow up

Question 48 of 50.

The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse
this device from e1/2 to e1/1, which of the following statements must be True about this
firewall’s configuration? (Select all correct answers.)
There must be a Management Profile that allows ping. (Then assign that Management
Profile to e1/1 and e1/2.)
There must be a security policy rule from trust zone to Internet zone that allows
ping.
There must be a security policy rule from Internet zone to trust zone that allows
ping.
There must be appropriate routes in the default virtual router.

Mark for follow up

Question 49 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is
NOT an available option as matching criteria in the rule?

URL
Category
Application
Service
Source User
Source Zone

Mark for follow up

Question 50 of 50.

Considering the information in the screenshot above, what is the order of evaluation for
this URL Filtering Profile?

Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-
DB).
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom
Categories.
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-
DB).
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow
List.

Mark for follow up

(9 Results)
View: All Questions Correct Questions Incorrect Questions
ID Question Correct
Taking into account only the
8087 Incorrect
information in the screenshot above,
 answer the following question. An
administrator is using SSH on port
3333 and BitTorrent on port 7777.
Which statements are True?

The screenshot above shows part of

a firewall’s configuration. If ping
traffic can traverse this device from
8082 e1/2 to e1/1, which of the following Incorrect
statements must be True about this
firewall’s configuration? (Select all
correct answers.)

What general practice best describes

8581 how Palo Alto Networks firewall Incorrect
policies are applied to a session?

What will be the user experience

when the safe search option is NOT
8646 enabled for Google search but the Incorrect
firewall has "Safe Search
Enforcement" Enabled?

When configuring Admin Roles for

8625 Web UI access, what are the Incorrect
available access levels?

Which of the following are methods

8551 that HA clusters use to identify Incorrect
network outages?

Which of the following is True of an

8601 Incorrect
application filter?

Using the API in PAN-OS 6.1,

11149 WildFire subscribers can upload up Incorrect
to how many samples per day?

In PAN-OS 7.0 which of the

available choices serves as an alert
13816 Incorrect
warning by defining patterns of
suspicious traffic and network
anomalies that may indicate a host
has been compromised?