0 Version
ACE Exam
Question 1 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual
Wire
Question 2 of 50.
Question 3 of 50.
Taking into account only the information in the screenshot above, answer the following
question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be allowed.
The SSH traffic will be denied.
The BitTorrent traffic will be denied.
The BitTorrent traffic will be allowed.
Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks
firewall, the order of evaluation within a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow
list, Cache files.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories,
Predefined categories.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL
filtering, Allow list.
Question 5 of 50.
Question 6 of 50.
Which of the following CANNOT use the source user as a match criterion?
Security Policies
QoS
Anti-virus Profile
DoS Protection
Policy Based Forwarding
Question 7 of 50.
Question 8 of 50.
Palo Alto Networks offers WildFire users three solution types. These solution types are the
WildFire Public Cloud, the WF-500 Private Appliance, and the WildFire Hybrid solution.
What is the main reason and purpose for the WildFire Hybrid solution?
The WildFire Hybrid solution is only offered to companies that have sensitive files to
protect and does not require a WildFire subscription.
The WildFire Hybrid solution enables outside companies to share the same WF-500
Appliance while at the same time allowing them to send only their private files to the
private WF-500.
The WildFire Hybrid solution enables companies to send to the WF-500 Private
Appliance keeping them internal to their network, as well as providing the option to
send other, general files to the WildFire Public Cloud for analysis.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that
firewall appliances distributed throughout an enterprise's network receive WildFire
verdicts with minimal latency while retaining data privacy.
Question 10 of 50.
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS
7.0 the firewall can now decode up to how many levels?
Five
Six
Four
Three
Question 11 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True False
Question 12 of 50.
PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security
profile type?
WildFire Analysis
Threat Analysis
Malware Analysis
File Analysis
Question 13 of 50.
Question 14 of 50.
Taking into account only the information in the screenshot above, answer the following
question. Which applications will be allowed on their standard ports? (Select all correct
answers.)
SSH
Gnutella
Skype
BitTorrent
Question 15 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all
correct answers.)
HTTPS
SSH
Telnet
HTTP
Question 16 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be
most informative?
Question 17 of 50.
WildFire may be used for identifying which of the following types of traffic?
Malware
OSPF
RIPv2
DHCP
Question 18 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Question 19 of 50.
Question 20 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-
Based Forwarding Rule? (Choose 3.)
Source Zone
Destination Zone
Destination Application
Source User
Question 21 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct
answers.)
BrightCloud URL Filtering
Applications and Threats
Anti-virus
Applications
Question 22 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is
chosen on the firewall? (Select all correct answers.)
Improved DNS-based C&C signatures.
Improved BrightCloud malware detection.
Improved PAN-DB malware detection.
Improved malware detection in WildFire.
Question 23 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Question 24 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall,
you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Question 25 of 50.
The next available address in the configured pool is used, and the source port number
is changed.
The next available IP address in the configured pool is used, but the source port
number is unchanged.
A single IP address is used, and the source port number is changed.
A single IP address is used, and the source port number is unchanged.
Question 26 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
Question 27 of 50.
What will the user experience when attempting to access a blocked hacking website
through a translation service such as Google Translate or Bing Translator?
Question 28 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied
to a session?
Question 29 of 50.
The Uplink
The Data Link
The Management Link
The Control Link
Question 30 of 50.
What will be the user experience when the safe search option is NOT enabled for Google
search but the firewall has "Safe Search Enforcement" Enabled?
Question 31 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples
per day?
50
1000
500
10
Question 32 of 50.
Question 33 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False
Question 34 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and
Role-Based (customized user roles) for Administrator Accounts.
True False
Question 35 of 50.
After the installation of the Threat Prevention license, the firewall must be rebooted.
True False
Question 36 of 50.
Which pre-defined Admin Role has all rights except the rights to create administrative
accounts and virtual systems?
Question 37 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Configurable up to 2 megabytes.
Always 2 megabytes.
Always 10 megabytes.
Configurable up to 10 megabytes.
Question 38 of 50.
How do you reduce the amount of information recorded in the URL Content Filtering
Logs?
Question 39 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web-based application,
users call the Help Desk to complain about network connectivity issues. What is the cause
of the increased number of help desk calls?
Some App-ID's are set with a Session Timeout value that is too low.
The File Blocking Block Page was disabled.
Application Block Pages will only be displayed when Captive Portal is configured.
The firewall admin did not create a custom response page to notify potential users
that their attempt to access the web-based application is being blocked due to
company policy.
Question 40 of 50.
When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will
send a TCP reset.
True False
Question 42 of 50.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining
patterns of suspicious traffic and network anomalies that may indicate a host has been
compromised?
App-ID Signatures
Correlation Objects
Custom Signatures
Correlation Events
Command & Control Signatures
Question 43 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
IGRP
RIPv2
EIGRP
ISIS
Question 44 of 50.
What are two sources of information for determining whether the firewall has been
successful in communicating with an external User-ID Agent?
Question 45 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Question 46 of 50.
Question 47 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator
to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Question 48 of 50.
The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse
this device from e1/2 to e1/1, which of the following statements must be True about this
firewall’s configuration? (Select all correct answers.)
There must be a Management Profile that allows ping. (Then assign that Management
Profile to e1/1 and e1/2.)
There must be a security policy rule from trust zone to Internet zone that allows
ping.
There must be a security policy rule from Internet zone to trust zone that allows
ping.
There must be appropriate routes in the default virtual router.
Question 49 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is
NOT an available option as matching criteria in the rule?
URL Category
Application
Service
Source User
Source Zone
Question 50 of 50.
Considering the information in the screenshot above, what is the order of evaluation for
this URL Filtering Profile?
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-
DB).
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom
Categories.
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-
DB).
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow
List.
(9 Results)
ID: 8087
Question: Taking into account only the information in the screenshot above, answer the
following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777.
Which statements are True?
Correct: Incorrect