0 ACE Examine
No.
1.
2.
Question
Ans.
Local Database
B.
User Agent
C.
D.
NTLM Auth
Which statement accurately reflects the functionality of using regions as objects in Security policies?
A.
The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. Both predefined regions and custom regions can be used in the Source
User field.
B.
Predefined regions are provided for countries, but not for cities. The administrator can set up custom
regions, including latitude and longitude, to specify the geographic position of that particular region.
C.
Regions cannot be used in the Source User field of the Security Policies, unless the administrator has
set up custom regions.
D.
The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. These custom regions can be used in the Source User field of the
Security Policies.
3.
When using 802.1Q with aggregate links, what TAG-ID must be configured on the virtual wire in order
4.
A.
B.
C.
D.
B.
URL database no longer used; HTTP traffic is allowed or blocked by configuration per URL Filtering
Profile
5.
C.
D.
For correct routing to SSL VPN clients to occur, the following must be configured:
A.
A static route on the next-hop gateway of the SSL VPN client IP pool with a destination of the PAN device
B.
No routing needs to be configured; the PAN device automatically responds to ARP requests for the SSL
VPN client IP pool
C.
A dynamic routing protocol between the PAN device and the next-hop gateway to advertise the SSL VPN
client IP pool
D.
Network Address Translation must be enabled for the SSL VPN client IP pool
6.
You'd like to schedule a firewall policy to only allow a certain application during a particular time of day.
7.
A.
Policies / Application
B.
C.
Policies / Profile
D.
Policies / Service
A customer would like to identify any TCP port scans or UDP port scans traversing their network links.
8.
9.
10.
11.
12.
A.
B.
C.
D.
With SSH decryption enabled, the SCP application will be identified as:
A.
sftp
B.
scp
C.
ssh
D.
ssh-tunnel
B.
C.
D.
B.
C.
Virtual System
D.
Virtual Router
Which of the following can be configured as a next hop in a Policy-Based Forwarding Rule:
A.
Virtual Router
B.
C.
A Redistribution Profile
D.
Virtual System
For a security policy to allow inbound NATed traffic to a web server with a private IP address in the trust
zone, the entry in the Destination Address column of the security rule should be based on the private IP
address of the web server.
A.
True
B.
False
13.
The Drive-By Download protection feature, under File Blocking profiles in Content-ID, provides:
A.
an administrator the ability to leverage Authentication Profiles in order to protect against unwanted
downloads.
B.
C.
D.
Protection against unwanted downloads, by alerting the user with a response page indicating that a file is
going to be downloaded.
14.
15.
B.
C.
D.
Block Skype
If a customer has a group of users that are evenly distributed between both LDAP and RADIUS, how
can you ensure that a Palo Alto Networks firewall will always check both user databases when
identifying users?
16.
17.
A.
B.
Employ an Authentication Sequence which references two authentication profiles, in the preferred order.
C.
Use User-ID agent for LDAP and Captive Portal for RADIUS
D.
Use two Captive Portal Policies, one which utilizes LDAP, one which utilizes RADIUS
True
B.
False
The best practice to advertise an interface IP via OSPF without it acting as an OSPF neighbor and
18.
A.
B.
Configure a static route and configure a routing policy to import the static route into the OSPF area
C.
D.
Configure a routing policy to import the connected subnet into the OSPF area
Botnet Detection, under the Monitor tab, will accomplish the following:
A.
B.
Prevent Botnet-infected client computers from responding to Command and Control data.
C.
Provide the administrator with packet captures that can be used later to create custom signatures for
Present a report of known botnets, based upon conditions stipulated by the administrator, found over a
period of time.
19.
B.
C.
D.
Threat Prevention no longer used; traffic is allowed or blocked by configuration per Security Rule
20.
21.
Tunnel
B.
Loopback
C.
L3
D.
VLAN
In QoS, which of the following would be the highest priority traffic from the options listed below on a
22.
A.
B.
C.
D.
If a customer has 1 forest with 3 domains and wants a resilient PAN Agent deployment, what is the most
23.
A.
B.
C.
D.
When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best answer
A.
To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine
B.
To apply Global Server Load Balancing to GlobalProtect clients to other GlobalProtect Portals or
Gateways.
24.
C.
To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine
D.
It is possible to use different SSL forward proxy certificates for different vsys in a multi-vsys
environment.
25.
26.
A.
True
B.
False
B.
C.
D.
B.
C.
D.
27.
When creating a custom vulnerability profile and selecting Block IP as the action, how long will the IP
address be blocked?
28.
A.
B.
C.
Two Hours
D.
One Hour
To properly configure DOS protection to limit the number of sessions individually from specific source
IPs you would configure a DOS Protection rule with the following characteristics:
A.
B.
Action: Protect, Classified Profile with Resources Protection configured, and Classified Address with
source-ip-only configured
C.
D.
Action: Deny, Classified Profile with Resources Protection configured, and Classified Address with
source-ip-only configured
29.
A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption
capabilities.
30.
A.
True
B.
False
When Network Address Translation has been performed on traffic, Destination Zones in Security rules
31.
32.
33.
A.
Post-NAT address
B.
C.
Pre-NAT Address
D.
Application
B.
Service
C.
Destination Zone
D.
Source Zone
When a user logs in via Captive Portal, their user information is checked against:
A.
Radius
B.
Kerberos
C.
Local database
D.
Active Directory
Which of the following is not defined or assigned as part of the security rules?
A.
NAT rules
B.
Applications
C.
Security profiles
D.
34.
Which one of the options describes the sequence of the GlobalProtect agent connecting to a Gateway?
A.
The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the
fastest SSL connect time
B.
The agent connects to the portal and randomly establishes a connection to the first available Gateway
C.
The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the
fastest PING response time
D.
35.
36.
37.
The agent connects to the closest Gateway and sends the HIP report to the portal
ssh-tunnel
B.
rdp
C.
xwindow
D.
ssh
B.
Authentication Profile
C.
Authentication Sequence
D.
B.
C.
GlobalProtect Server
D.
38.
To allow the PAN device to resolve internal and external DNS host names for reporting and for security
Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for
internal domain. Then, in the device settings, select the proxy object as the Primary DNS and create a
custom security rule which references that object for
B.
C.
Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for
internal domain. Then, in the device settings, point to this proxy object for DNS resolution.
D.
In the device settings set the Primary DNS server to an external server and the secondary to an internal
server.
39.
On a PA-4050 with tap interfaces configured on one copper port and one fiber port, how many virtual
12
B.
11
C.
10
D.
40.
41.
An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?
A.
Virtual Wire
B.
L3
C.
L2
D.
Tap
Which of the following represents potential HTTP traffic events that can be used to identify potential
Botnets?
A.
Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 30 days, Downloading executable files from unknown URLs
B.
Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 60 days, downloading executable files from unknown URLs
C.
Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 60 days, downloading executable files from unknown URLs,
IRC-based Command and Control traffic
D.
Traffic from users that browse to IP addresses instead of fully-qualified domain names, downloading
W32.Welchia.Worm from a Windows share, traffic to domains that have been registered in the last 30
days, downloading executable files from unknown URLs
42.
43.
How many bytes of the URL are captured in the URL log?
A.
2047
B.
1023
C.
511
D.
255
In the event that the show proxy setting command displays a ready state of no, what is most likely
the cause?
44.
A.
B.
C.
D.
Which of the following are accurate statements describing the HA3 link in an Active-Active HA
deployment?
45.
A.
B.
C.
D.
The maximum number of interfaces that can be configured in a single Virtual Wire object is:
A.
B.
C.
D.
46.
If you want to prevent client PCs using SSH port-forwarding to bypass firewall enforcement, what is the
47.
A.
B.
C.
D.
Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they
would like?
48.
A.
Always On Mode
B.
C.
Optional Mode
D.
On Demand Mode
Which two statements are true about the Session Owner device in an Active/Active HA pair?
A.
The Session Owner performs all Layer 3 and Layer 4 packet processing, the Session owner is
responsible for generating traffic logs
B.
The Session Owner is responsible for generating traffic logs, the Active Primary device is always the
Session Owner.
C.
The Session owner performs Layer 3 and Layer 4 packet processing, the Active Primary device is always
the Session Owner
D.
49.
50.
51.
The Session Owner does all Layer 7 processing, The Active Primary device is always the Session Owner
B.
C.
D.
URL Filtering
B.
performs higher-level inspection of traffic from the side that originated the TCP SYN packet
C.
does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet
D.
performs high-level inspection of traffic from the side that originated the TCP SYN-ACK packet
What needs to be done prior to committing a configuration in Panorama after making a change via the
52.
A.
B.
C.
D.
Which of the following answers represents a group of address objects that can be used in a PANOS 4.0
Security rule?
A.
B.
C.
D.
53.
54.
What is the default action against virus detection over SMTP protocol?
A.
None
B.
Alert
C.
Reset
D.
Drop
What rights to the domain does the Terminal Services Agent require in order to identify users on a
terminal server?
55.
56.
57.
58.
59.
60.
A.
Domain Admin
B.
Domain User
C.
D.
In order to route between layer 3 interfaces on the PAN firewall you need:
A.
Virtual Router
B.
Security Profile
C.
Vwire
D.
VLAN
What is required to configure multiple Phase 2 IPSec VPN tunnels to the same Phase 1 gateway?
A.
Multiple P2 tunnels with different Peer IDs on the same tunnel interfaces
B.
C.
Multiple P2 tunnels with different Proxy IDs on the same tunnel interface
D.
B.
C.
D.
B.
C.
D.
In the zone configuration that includes the interface for the URL filtered traffic
Which of the following are valid HA states in an Active/Active High Availability deployment?
A.
B.
C.
D.
B.
C.
D.
61.
62.
Which of the following licenses is necessary in order to provide more accurate Botnet reporting?
A.
B.
C.
URL-Filtering License
D.
When using Panorama, how much storage capacity is available for logs? Select the best answer:
A.
A 160GB virtual drive is attached by default to the Panorama VM; virtually unlimited storage can be
implemented via an NFS mount.
B.
A 2TB virtual drive is attached by default to the Panorama VM; this drive must be mounted via NFS
C.
VMware allows unlimited storage to the Panorama VM; an NFS mount can be added to offload the
storage to another server
D.
VMware allows 2 TB of locally attached storage, but an NFS mount can be added for virtually unlimited
storage
63.
When forwarding multicast packets in L2 mode, we can configure security policies to match on
multicast IP address.
64.
A.
True
B.
False
With URL filtering, the order of checking within a profile is 1) allow list; 2) block list; 3) Custom
65.
66.
A.
True
B.
False
Which of the following can be configured as a next hop in a Policy-Based Forwarding Rule:
A.
A Redistribution Profile
B.
Virtual System
C.
D.
Virtual Router
When configuring Security rules based on FQDN objects, which of the following statements are true?
A.
The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The
resolution of this FQDN stores up to 10 different IP addresses.
B.
The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.
There is no limit on the number of IP addresses stored for each resolved FQDN.
C.
The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security
rules are evaluated.
D.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses. Up to 10 IP
addresses can be configured for each FQDN entry.
67.
You've installed and configured a User Identification Agent on a remote computer, but when the agent
user interface is launched the message "Connection Failed" is shown and no usernames are resolved.
What is the most likely cause of this problem?
A.
The User Identification Agent timeout values are not configured correctly.
B.
C.
D.
The User Identification Agent service does not have read permission to the Active Directory Security log
68.
69.
70.
B.
C.
D.
What is the CLI command that will initiate all IPsec VPN tunnels on a device?
A.
B.
C.
D.
When creating an application filter, which of the following characteristics cannot be selected as a
match?
71.
72.
73.
74.
75.
76.
A.
Excessive bandwidth
B.
Used by malware
C.
Transfers files
D.
Excessive sessions
In PANOS 4.0 or greater, which of the following is an accurate statement in regard to support for IPv6?
A.
B.
C.
User ID is only supported in IPv6 when the Palo Alto Networks firewall is deployed in Vwire mode.
D.
PANOS supports dual-stack IP for IPv4 and IPv6. This includes Virtual Wire and Layer 3 deployments.
B.
The TCP SYN-ACK response packet was not seen before the session timed out
C.
D.
The following routing protocols are supported on the Palo Alto Networks platform:
A.
RIPv1
B.
ISIS
C.
BGP
D.
RSTP
True
B.
False
A different SSL inbound certificate can be added for a different SSL inbound decryption rule.
A.
True
B.
False
When loading SSL inbound certificates via the web interface, the dataplane must be restarted befor
True
B.
False
77.
In order to generate a scheduled report in Panorama, you must forward logs from the device to
Panorama?
78.
A.
True
B.
False
All management services must communicate through the MGT interface on a Palo Alto Networks
firewall.
79.
80.
A.
True
B.
False
True
B.
False
If an HTTP application is misclassified, the only option is to submit a new application request to Palo
Alto Networks.
A.
True
B.
False