ACE Exam - PaloAlto Networks

8/12/2015 Empowering People: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4ee-d001-44d4-8d3a-07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdri… 1/11

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version

ACE Exam

Question 1 of 50.

Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)

SSL Certificates

RIPv2

Domain Controller

Network Access Control (NAC) device

Question 2 of 50.

What general practice best describes how Palo Alto Networks firewall policies are applied to a session?

Last match applied.

The rule with the highest rule number is applied.

Most specific match applied.

First match applied.

Question 3 of 50.

Which of the following platforms supports the Decryption Port Mirror function?

PA-3000

VM-Series 100

PA-2000

PA-4000

Question 4 of 50.

All of the interfaces on a Palo Alto Networks device must be of the same interface type.

True

False

Question 5 of 50.

What is the default setting for 'Action' in a Decryption Policy's rule?

Decrypt

Any

None

No-Decrypt

Question 6 of 50.

In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.

True

False

Question 7 of 50.

Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

To allow the firewall to push User-ID information to a Network Access Control (NAC) device.

To permit syslogging of User Identification events.

To pull information from other network resources for User-ID.

Question 8 of 50.

Security policy rules specify a source interface and a destination interface.

True

False

Question 9 of 50.

Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?

PDF files only

MS Office doc/docx, xls/xlsx, and ppt/pptx files only

PE and Java Applet (jar and class) only

PE files only

Question 10 of 50.

Which of the following facts about dynamic updates is correct?

Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.

Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.

Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.

Anti-virus updates are released daily. Application and Threat updates are released weekly.

Question 11 of 50.

True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution.

True

False

Question 12 of 50.

When configuring Admin Roles for Web UI access, what are the available access levels?

Allow and Deny only

Enable and Disable only

Enable, Read-Only, and Disable

None, Superuser, Device Administrator

Question 13 of 50.

What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

Configurable up to 2 megabytes.

Always 10 megabytes.

Configurable up to 10 megabytes.

Always 2 megabytes.

Question 14 of 50.

Will an exported configuration contain Management Interface settings?

Yes

No

Question 15 of 50.

When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:

Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.

Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.

Block list, Allow list, Custom Categories, Cache files, Local URL DB file.

Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.

Question 16 of 50.

Color-coded tags can be used on all of the items listed below EXCEPT:

Service Groups

Address Objects

Vulnerability Profiles

Zones

Question 17 of 50.

Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To enable this feature within the GUI go to…

Network > Network Profiles > Zone Protection

Objects > Zone Protection

Interfaces > Interface Number > Zone Protection

Policies > Profile > Zone Protection

Question 18 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)

SSH

Skype

BitTorrent

Gnutella

Question 19 of 50.

Which link is used by an Active/Passive cluster to synchronize session information?

The Data Link

The Uplink

The Control Link

The Management Link

Question 20 of 50.

In PAN-OS 6.0 and later, rule numbers are:

Numbers that specify the order in which security policies are evaluated.

Numbers created to be unique identifiers in each firewall’s policy database.

Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.

Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.

Question 21 of 50.

WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire Analysis verdict. Choose the three correct classifications as a result of this analysis and classification?

Benign

Grayware

Adware

Malware detection

Spyware

Safeware

Question 22 of 50.

What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?

A “Blocked” page response when the URL filtering policy to block is enforced.

A “Success” page response when the site is successfully translated.

The browser will be redirected to the original website address.

An "HTTP Error 503 - Service unavailable" message.

Question 23 of 50.

In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)

Security Policies

NAT Policies

Zone Protection Policies

Threat Profiles

Question 24 of 50.

Enabling "Highlight Unused Rules" in the Security Policy window will:

Highlight all rules that did not match traffic within an administrator-specified time period.

Display rules that caused a validation error to occur at the time a Commit was performed.

Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.

Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.

Question 25 of 50.

As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > ... and then what operation?

Revert to Running Configuration

Revert to last Saved Configuration

Load Configuration Version

Import Named Configuration Snapshot

Question 26 of 50.

When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy

SSL Forward Proxy

SSL Inbound Inspection

SSL Reverse Proxy

Question 27 of 50.

What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)

Improved malware detection in WildFire.

Improved BrightCloud malware detection.

Improved DNS-based C&C signatures.

Improved PAN-DB malware detection.

Question 28 of 50.

In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.

True

False

Question 29 of 50.

Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?

Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.

Under “Packet Forwarding”, selecting the VR Sync checkbox.

Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.

Configuring an independent backup HA1 link.

Question 30 of 50.

After the installation of a new version of PAN-OS, the firewall must be rebooted.

True

False

Question 31 of 50.

Which of the following must be enabled in order for User-ID to function?

Security Policies must have the User-ID option enabled.

User-ID must be enabled for the source zone of the traffic that is to be identified.

Captive Portal must be enabled.

Captive Portal Policies must be enabled.

Question 32 of 50.

As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?

URL Category

Source Zone

Application

Source User

Service

Question 33 of 50.

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:

The ability to use Authentication Profiles, in order to protect against unwanted downloads.

Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.

Increased speed on downloads of file types that are explicitly enabled.

Password-protected access to specific file downloads for authorized users.

Question 34 of 50.

When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?

Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.

Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.

Create an additional rule that blocks all other traffic.

When creating the policy, ensure that web-browsing is included in the same rule.

Question 35 of 50.

When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?

150

100

10

50

Question 36 of 50.

Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason and purpose for the WildFire Hybrid solution?

The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.

The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well providing the option to send other, general files to the WildFire Public Cloud for analysis.

The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while retaining data privacy.

The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription.

Question 37 of 50.

PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile type?

File Analysis

Threat Analysis

WildFire Analysis

Malware Analysis

Question 38 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?

The SSH traffic will be denied.

The SSH traffic will be allowed.

The BitTorrent traffic will be allowed.

The BitTorrent traffic will be denied.

Question 39 of 50.

Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)

HTTPS

SSH

Telnet

HTTP

Question 40 of 50.

Which of the following CANNOT use the source user as a match criterion?

Policy Based Forwarding

DoS Protection

QoS

Anti-virus Profile

Security Policies

Question 41 of 50.

As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?

Application Block Pages will only be displayed when Captive Portal is configured.

Some App-ID's are set with a Session Timeout value that is too low.

The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.

The File Blocking Block Page was disabled.

Question 42 of 50.

When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?

In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.

The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.

The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.

Question 43 of 50.

An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.

True

False

Question 44 of 50.

Which of the following is NOT a valid option for built-in CLI Admin roles?

deviceadmin

read/write

superuser

devicereader

Question 45 of 50.

Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels?

Five

Four

Three

Six

Question 46 of 50.

Which type of license is required to perform Decryption Port Mirroring?

A subscription-based SSL Port license

A free PAN-PA-Decrypt license

A Client Decryption license

A subscription-based PAN-PA-Decrypt license

Question 47 of 50.

When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method.

Create an Authentication Sequence, dictating the order of authentication profiles.

This cannot be done. A single user can only use one authentication type.

Create multiple authentication profiles for the same user.

Question 48 of 50.

As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure?

WMI Query

Exchange CAS Security logs

Active Directory Security Logs

Captive Portal

Question 49 of 50.

Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in Security Policy

Decryption Profile in Decryption Policy

Decryption Profile in PBF

Decryption Profile in Security Profile

Question 50 of 50.

Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.

True

False
