Test - Accredited Configuration Engineer (ACE) Exam PAN-OS 5.0 Version Exam

Question 1 of 50.
If the Forward Proxy Ready shows no when running the command show system setting ssl-decrypt
setting, what is most likely the cause?
SSL forward proxy certificate is not generated n
Web interface certificate is not generated n
Forward proxy license is not enabled on the box n
SSL decryption rule is not created

Question 2 of 50.
When adding an application in a Policy-based Forwarding rule, only a subset of the entire App-ID
database is represented. Why would this be?

Policy-based forwarding can only identify certain applications at this stage of the packet flow, as the
majority of applications are only identified once the session is created. s
Policy-based forwarding rules require that a companion Security policy rule, allowing the needed
Application traffic, must first be created.
The license for the Application ID database is no longer valid.
A custom application must first be defined before it can be added to a Policy-based forwarding rule.

Question 3 of 50.
What option should be configured when using User Identification?
Enable User Identification per Zone
Enable User Identification per Security Rule
Enable User Identification per interface
None of the above

Question 4 of 50.
What needs to be done prior to committing a configuration in Panorama after making a change via the
CLI or web interface on a device?
No additional actions required s
Synchronize the configuration between the device and Panorama n
Make the same change again via Panorama n
Re-import the configuration from the device into Panorama n

Question 5 of 50.
Which local interface cannot be assigned to the IKE gateway?
Tunnel
L3
VLAN
Loopback

Question 6 of 50.
To allow the PAN device to resolve internal and external DNS host names for reporting and for security
policies, an administrator can do the following:
Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for internal
domain. Then, in the device settings, point to this proxy object for DNS resolution.
In the device settings define internal hosts via a static list.
In the device settings set the Primary DNS server to an external server and the secondary to an internal
server.
Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for internal
domain. Then, in the device settings, select the proxy object as the Primary DNS and create a custom
security rule which references that object for

Question 7 of 50.
With PAN-OS 5.0, how can a common NTP value be pushed to a cluster of firewalls?
Via a Panorama Template s
Via a shared object in Panorama n
Via a Panorama Device Group
Via a Device Group object in Panorama

Question 8 of 50.
Which of the following Global Protect features requires a separate license?
Use of dynamic selection between multiple Gateways
Use of a Portal to allow users to connect
Allowing users to connect
Manual Gateway Selection

Question 9 of 50.
Which of the following represents HTTP traffic events that can be used to identify potential Botnets?
Traffic from users that browse to IP addresses instead of fully-qualified domain names, downloading
W32.Welchia.Worm from a Windows share, traffic to domains that have been registered in the last 30 days,
downloading executable files from unknown URL's n
Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 60 days, downloading executable files from unknown URL's
Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 60 days, downloading executable files from unknown URL's, IRC-based Command and Control traffic n
Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 30 days,

Question 10 of 50.
For correct routing to SSL VPN clients to occur, the following must be configured:
Network Address Translation must be enabled for the SSL VPN client IP pool n
A dynamic routing protocol between the Palo Alto Networks device and the next-hop gateway to advertise
the SSL VPN client IP pool n
A static route on the next-hop gateway of the SSL VPN client IP pool with a destination of the Palo Alto
Networks device n
No routing needs to be configured - the PAN device automatically responds to ARP requests for the SSL
VPN client IP pool s

Question 11 of 50.
Which option allows an administrator to segregate Panorama and Syslog traffic, so that the Management
Interface is not employed when sending these types of traffic?
Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and Syslog devices.
Define a Loopback interface for the Panorama and Syslog Devices
On the Device tab in the Web UI, create custom server profiles for Syslog and Panorama
Service Route Configuration

Question 12 of 50.
What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering Database (PAN-DB)?
The "Log Container Page Only" option can be employed in a URL-Filtering policy to reduce the number of
logging events.
URL-Filtering can now be employed as a match condition in Security policy
IP-Based Threat Exceptions can now be driven by custom URL categories
Daily database downloads for updates are no longer required as devices stay in-sync with the cloud.

Question 13 of 50.
For non-Microsoft clients, what Captive Portal method is supported?
NTLM Auth
User Agent
Local Database
Web Form Captive Portal

Question 14 of 50.
In order to route traffic between layer 3 interfaces on the PAN firewall you need:
VLAN
Vwire
Security Profile
Virtual Router

Question 15 of 50.
What built-in administrator role allows all rights except for the creation of administrative accounts and
virtual systems?
superuser
vsysadmin
A custom role is required for this level of access
deviceadmin

Question 16 of 50.
What is the name of the debug save file for IPSec VPN tunnels?
set vpn all up
test vpn ike-sa
request vpn IPsec-sa test
Ikemgr.pcap

Question 17 of 50.
To create a custom signature object for an Application Override Policy, which of the following fields are
mandatory?
Category s
Regular Expressions
Ports
Characteristics

Question 18 of 50.
Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RSTP
ISIS
RIPv1

Question 19 of 50.
What happens at the point of Threat Prevention license expiration?
Threat Prevention no longer updated; existing database still effective
Threat Prevention is no longer used; applicable traffic is allowed
Threat Prevention no longer used; applicable traffic is blocked
Threat Prevention no longer used; traffic is allowed or blocked by configuration per Security Rule

Question 20 of 50.
Administrative Alarms can be enabled for which of the following except?
Certificate Expirations
Security Violation Thresholds
Security Policy Tags
Traffic Log capacity

Question 21 of 50.
Which of the following types of protection are available in DoS policy?
Session Limit, SYN Flood, UDP Flood
Session Limit, Port Scanning, Host Swapping, UDP Flood
Session Limit, SYN Flood, Host Swapping, UDP Flood
Session Limit, SYN Flood, Port Scanning, Host Swapping

Question 22 of 50.
Which one of the options describes the sequence of the GlobalProtect agent connecting to a Gateway?
The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the
fastest SSL connect time s
The agent connects to the portal and randomly establishes a connection to the first available Gateway n
The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the
fastest PING response time n
The agent connects to the closest Gateway and sends the HIP report to the portal

Question 23 of 50.
A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption capabilities.
True
False

Question 24 of 50.
To properly configure DOS protection to limit the number of sessions individually from specific source
IPs you would configure a DOS Protection rule with the following characteristics:
Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with
"source-ip-only" configured
Action: Deny, Aggregate Profile with "Resources Protection" configured
Action: Protect, Aggregate Profile with "Resources Protection" configured
Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with
"source-ip-only" configured

Question 25 of 50.
When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best answer
To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine
To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine
To load balance GlobalProtect client connections to GlobalProtect Gateways
None of the above

Question 31 of 50.
Which of the following fields is not available in DoS policy?
Destination Zone
Source Zone
Application
Service

Question 27 of 50.
Which of the following are accurate statements describing the HA3 link in an Active-Active HA
deployment?
HA3 is used for session synchronization n
The HA3 link is used to transfer Layer 7 information
HA3 is used to handle asymmetric routing n
HA3 is the control link n

Question 28 of 50.
What is the correct policy to most effectively block Skype?
Allow Skype, block Skype-probe
Allow Skype-probe, block Skype y
Block Skype-probe, block Skype
Block Skype

Question 29 of 50.
Which best describes how Palo Alto Networks firewall rules are applied to a session?
last match applied
first match applied
all matches applied
most specific match applied

Question 30 of 50.
As the Palo Alto Networks administrator responsible for User Identification, you are looking for the
simplest method of mapping network users that do not sign into LDAP. Which information source would
allow reliable User ID mapping for these users, requiring the least amount of configuration?
WMI Query
Exchange CAS Security Logs s
Captive Portal
Active Directory Security Logs

Question 31 of 50.
Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they
would like?
Single Sign-On Mode
On Demand Mode
Always On Mode
Optional Mode

Question 32 of 50.
Which of the following are necessary components of a GlobalProtect solution?
GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Server
GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal
GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect Server
GlobalProtect Gateway, GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal,
GlobalProtect Server

Question 33 of 50.
Which of the following must be configured when deploying User-ID to obtain information from an 802.1x
authenticator?
Terminal Server Agent
An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
A User-ID agent, with the "Use for NTLM Authentication" option enabled.
XML API for User-ID Agent

Question 34 of 50.
Which of the following options may be enabled to reduce system overhead when using Content ID?
STP
VRRP
RSTP
DSRI

Question 35 of 50.
When creating an application filter, which of the following is true?
They are used by malware
Excessive bandwidth may be used as a filter match criteria
They are called dynamic because they automatically adapt to new IP addresses
They are called dynamic because they will automatically include new applications from an application
signature update if the new application's type is included in the filter

Question 36 of 50.
Which fields can be altered in the default Vulnerability profile?
Severity
Category
CVE
None

Question 37 of 50.
When a user logs in via Captive Portal, their user information can be checked against:
Terminal Server Agent
Security Logs
XML API
Radius

Question 38 of 50.
A "Continue" action can be configured on the following Security Profiles:
URL Filtering, File Blocking, and Data Filtering n
URL Filtering n
URL Filtering and Antivirus n
URL Filtering and File Blocking n

Question 39 of 50.
As the Palo Alto Networks administrator, you have enabled Application Block pages. Afterward, some
users do not receive web-based feedback for all denied applications. Why would this be?
Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have
Application Block pages enabled. n
Application Block Pages will only be displayed when Captive Portal is configured n
Some Application ID's are set with a Session Timeout value that is too low. n
Application Block Pages will only be displayed when users attempt to access a denied web-based
application. s

Question 40 of 50.
Wildfire may be used for identifying which of the following types of traffic?
URL content
DHCP
DNS
Viruses

Question 41 of 50.
When Network Address Translation has been performed on traffic, Destination Zones in Security rules
should be based on:
Post-NAT addresses s
the same zones used in the NAT rules n
Pre-NAT addresses n
None of the above

Question 42 of 50.
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by
Configuring a corresponding HA4 interface
Configuring HA3 as an Aggregate Ethernet bundle
Configuring multiple HA3 interfaces
Configuring HA3 in a redundant group

Question 43 of 50.
An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?
Virtual Wire n
Tap s
L3
L2

Question 44 of 50.
When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2 mode,
security policies can be set to match on multicast IP addresses.
True
False

Question 45 of 50.
In an Anti-Virus profile, changing the action to Block for IMAP or POP decoders will result in the
following:
The connection from the server will be reset
The Anti-virus profile will behave as if Alert had been specified for the action
The traffic will be dropped by the firewall
Error 541 being sent back to the server

Question 46 of 50.
After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving the Captive
Portal authentication page when they launch their web browsers. How can this be corrected?
Ensure that all users in the Trust Zone are using NTLM-capable browsers (wrong)
Enable "Response Pages" in the Interface Management Profile that is applied to the L3 Interface in the
Trust Zone.
Confirm that Captive Portal Timeout value is not set below 2 seconds
Enable "Redirect " as the Mode type in the Captive Portal Settings

Question 47 of 50.
The "Disable Server Return Inspection" option on a security profile:
Can only be configured in Tap Mode
Should only be enabled on security policies allowing traffic to a trusted server.
Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet
Only performs inspection of traffic from the side that originated the TCP SYN-ACK packet

Question 48 of 50.
A user complains that they are no longer able to access a needed work application after you have
implemented vulnerability and anti-spyware profiles. The user's application uses a unique port. What is
the most efficient way to allow the user access to this application?
Utilize an Application Override Rule, referencing the custom port utilized by this application. Application
Override rules bypass all Layer 7 inspection, thereby allowing access to this application.
In the Threat log, locate the event which is blocking access to the user's application and create an IP-based
exemption for this user.
In the vulnerability and anti-spyware profiles, create an application exemption for the user's application.
Create a custom Security rule for this user to access the required application. Do not apply vulnerability and
anti-spyware profiles to this rule.

Question 49 of 50.
You'd like to schedule a firewall policy to only allow a certain application during a particular time of day.
Where can this policy option be configured?
Policies > Security > Service
Policies > Security > Options
Policies > Security > Application
Policies > Security > Profile

Question 50 of 50.
What is the size limitation of files manually uploaded to WildFire?
Configurable up to 10 megabytes
Hard-coded at 10 megabytes
Hard-coded at 2 megabytes
Configurable up to 20 megabytes

Question 10 of 50.
Enabling "Highlight Unused Rules" in the Security policy window will:
Highlight all rules that did not immediately match traffic.
Highlight all rules that did not match traffic since the rule was created or since last reboot of the firewall
Allow the administrator to troubleshoot rules when a validation error occurs at the time of commit.
Allow the administrator to temporarily disable rules that do not match traffic, for testing purposes

Question 30 of 50.
In PAN-OS 5.0, which of the following features is supported with regards to IPv6?
OSPF
NAT64
IPSec VPN tunnels
None of the above

Question 42 of 50.
Which statement accurately reflects the functionality of using regions as objects in Security policies?
Predefined regions are provided for countries, but not for cities. The administrator can set up custom
regions, including latitude and longitude, to specify the geographic position of that particular region.
The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. These custom regions can be used in the "Source User" field of the
Security Policies.
Regions cannot be used in the "Source User" field of the Security Policies, unless the administrator has
set up custom regions.
The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. Both predefined regions and custom regions can be used in the "Source
User" field.

Question 49 of 50.
When employing the Brightcloud URL filtering database on the Palo Alto Networks firewalls, the order of
checking within a profile is:
Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic URL Filtering
Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic URL Filtering
Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories, Predefined Categories
None of the above

Question 24 of 50.
The following can be configured as a next hop in a Static Route:
A Policy-Based Forwarding Rule
Virtual System
A Dynamic Routing Protocol
Virtual Router

Question 34 of 50.
In PAN-OS 5.0, how is Wildfire enabled?
Via the "Forward" and "Continue and Forward" File-Blocking actions
A custom file blocking action must be enabled for all PDF and PE type files
Wildfire is automatically enabled with a valid URL-Filtering license
Via the URL-Filtering "Continue" Action.

Question 44 of 50.
Traffic going to a public IP address is being translated by your PANW firewall to your web server's
private IP. Which IP should the Security Policy use as the "Destination IP" in order to allow traffic to the
server?
The server's public IP
The firewall's gateway IP
The server's private IP
The firewall's MGT IP

Question 17 of 50.
You have decided to implement a Virtual Wire Subinterface. Which options can be used to classify
traffic?
Either VLAN tag or IP address, provided that each tag or ID is contained in the same zone. n
Subinterface ID and VLAN tag only
By Zone and/or IP Classifier
VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet). n

Question 20 of 50.
How do you limit the amount of information recorded in the URL Content Filtering Logs?
Enable DSRI
Disable URL packet captures
Enable URL log caching
Enable Log container page only

Question 32 of 50.
When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency
Application need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120,
RTSP, RTMP, and NETBIOS-SS?
Yes
No

Question 21 of 50.
Users can be authenticated serially to multiple authentication servers by configuring:
Multiple RADIUS Servers sharing a VSA configuration
Authentication Sequence
Authentication Profile
A custom Administrator Profile

Question 9 of 50.
When a user logs in via Captive Portal, their user information can be checked against:
Terminal Server Agent
Security Logs
Radius
XML API

Question 37 of 50.
Which of the following features has been added to Panorama in version 5.0?
Firewalls in an HA configuration are automatically identified as a pair when they are added as Managed
Devices
Pre- and Post Policies can now be created and pushed to all managed devices n
You may now use Templates to ease deployment of new systems to your environment n
Zone objects are imported into their own database table

Question 14 of 50.
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other
web-browsing traffic is permitted?
Ensure that the Service column is defined as "application-default" for this security rule. This will
automatically include the implicit web-browsing application dependency.
Create a subsequent rule which blocks all other traffic n
When creating the rule, ensure that web-browsing is added to the same rule. Both applications will be
processed by the Security policy, allowing only Facebook to be accessed. Any other applications can be
permitted in subsequent rules. n
No other configuration is required on the part of the administrator, since implicit application dependencies
will be added automatically.

Question 43 of 50.
In PAN-OS 5.0, how is Wildfire enabled?
Via the URL-Filtering "Continue" Action.
Wildfire is automatically enabled with a valid URL-Filtering license
A custom file blocking action must be enabled for all PDF and PE type files n
Via the "Forward" and "Continue and Forward" File-Blocking actions n

Question 43 of 50.
When configuring Security rules based on FQDN objects, which of the following statements are true?
The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security rules
are evaluated. n
The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. There
is no limit on the number of IP addresses stored for each resolved FQDN. s
In order to create FQDN-based objects, you need to manually define a list of associated IP. Up to 10 IP
addresses can be configured for each FQDN entry. n
The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The
resolution of this FQDN stores up to 10 different IP addresses.

Question 6 of 50.
Which of the following are accurate statements describing the HA3 link in an Active-Active HA
deployment?
HA3 is used for session synchronization n
HA3 is the control link
The HA3 link is used to transfer Layer 7 information
HA3 is used to handle asymmetric routing n

Question 43 of 50.
When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most informative
logs?
Responding side, Traffic Logs n
Initiating side, Traffic Logs n
Responding side, System Logs s
Initiating side, System Logs n

Question 43 of 50.
Configuring a pair of devices into an Active/Active HA pair provides support for:
Higher session count
Redundant Virtual Routers s
Asymmetric routing environments
Lower fail-over times
