
Paloalto Networks ACE

Exam: Paloalto Networks ACE
Title: Accredited Configuration Engineer (ACE)
Updated: Version 6.1
Product Type: 100 Q&A

Best Material, Great Results. www.certkingdom.com


QUESTION 1
To properly configure DOS protection to limit the number of sessions individually from specific source IPs you
would configure a DOS Protection rule with the following characteristics:
A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with
"source-ip-only" configured
B. Action: Deny, Aggregate Profile with "Resources Protection" configured
C. Action: Protect, Aggregate Profile with "Resources Protection" configured
D. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with
"source-ip-only" configured
Answer: A
QUESTION 2
Can multiple administrator accounts be configured on a single firewall?
A. Yes
B. No
Answer: A
QUESTION 3
WildFire Analysis Reports are available for the following Operating Systems (select all that apply)
A. Windows XP
B. Windows 7
C. Windows 8
D. Mac OS-X
Answer: A,B,C
QUESTION 4
When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best answer
A. To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine
B. To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine
C. To load balance GlobalProtect client connections to GlobalProtect Gateways
D. None of the above
Answer: B
QUESTION 5
Administrative Alarms can be enabled for which of the following except?
A. Certificate Expirations
B. Security Violation Thresholds
C. Security Policy Tags
D. Traffic Log capacity
Answer: A
QUESTION 6
In order to route traffic between layer 3 interfaces on the PAN firewall you need:
A. VLAN
B. Vwire
C. Security Profile
D. Virtual Router
Answer: A
QUESTION 7
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the URL-Filtering "Continue" Action
B. Wildfire is automatically enabled with a valid URL-Filtering license
C. A custom file blocking action must be enabled for all PDF and PE type files
D. Via the "Forward" and "Continue and Forward" File-Blocking actions
Answer: A
QUESTION 8
Which one of the options describes the sequence of the GlobalProtect agent connecting to a Gateway?
A. The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the fastest
SSL connect time
B. The agent connects to the portal and randomly establishes a connection to the first available Gateway
C. The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the fastest
PING response time
D. The agent connects to the closest Gateway and sends the HIP report to the portal
Answer: C
QUESTION 9
A "Continue" action can be configured on the following Security Profiles:
A. URL Filtering, File Blocking, and Data Filtering
B. URL Filtering
C. URL Filtering and Antivirus
D. URL Filtering and File Blocking
Answer: D
QUESTION 10
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized
user roles)
A. True
B. False
Answer: A
QUESTION 11
Which of the following types of protection are available in DoS policy?
A. Session Limit, SYN Flood, UDP Flood
B. Session Limit, Port Scanning, Host Swapping, UDP Flood
C. Session Limit, SYN Flood, Host Swapping, UDP Flood
D. Session Limit, SYN Flood, Port Scanning, Host Swapping
Answer: A
QUESTION 12
Both SSL decryption and SSH decryption are disabled by default.
A. True
B. False
Answer: A
QUESTION 13
Which of the following is NOT a valid option for built-in CLI access roles?
A. read/write
B. superusers
C. vsysadmin
D. deviceadmin
Answer: A
QUESTION 14
You have decided to implement a Virtual Wire Subinterface. Which options can be used to classify traffic?
A. Either VLAN tag or IP address, provided that each tag or ID is contained in the same zone.
B. Subinterface ID and VLAN tag only
C. By Zone and/or IP Classifier
D. VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet).
Answer: D
QUESTION 15
Configuring a pair of devices into an Active/Active HA pair provides support for:
A. Higher session count
B. Redundant Virtual Routers
C. Asymmetric routing environments
D. Lower fail-over times
Answer: B
QUESTION 16
Traffic going to a public IP address is being translated by your PANW firewall to your web server's private IP.
Which IP should the Security Policy use as the "Destination IP" in order to allow traffic to the server?
A. The server's public IP
B. The firewall's gateway IP
C. The server's private IP
D. The firewall's MGT IP
Answer: A
QUESTION 17
In PAN-OS 5.0, which of the following features is supported with regards to IPv6?
A. OSPF
B. NAT64
C. IPSec VPN tunnels
D. None of the above
Answer: B
QUESTION 18
Which local interface cannot be assigned to the IKE gateway?
A. Tunnel
B. L3
C. VLAN
D. Loopback
Answer: A
QUESTION 19
Which of the following must be configured when deploying User-ID to obtain information from an 802.1x
authenticator?
A. Terminal Server Agent
B. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
C. A User-ID agent, with the "Use for NTLM Authentication" option enabled.
D. XML API for User-ID Agent
Answer: D
QUESTION 20
For non-Microsoft clients, what Captive Portal method is supported?
A. NTLM Auth
B. User Agent
C. Local Database
D. Web Form Captive Portal
Answer: D
QUESTION 21
When Destination Network Address Translation is being performed, the destination in the corresponding
Security Policy Rule should use:
A. The PostNAT destination zone and PostNAT IP address.
B. The PreNAT destination zone and PreNAT IP address.
C. The PreNAT destination zone and PostNAT IP address.
D. The PostNAT destination zone and PreNAT IP address.
Answer: D
QUESTION 22
What are two sources of information for determining if the firewall has been successful in communicating with
an external User-ID Agent?
A. System Logs and the indicator light under the User-ID Agent settings in the firewall
B. There's only one location - System Logs
C. There's only one location - Traffic Logs
D. System Logs and indicator light on the chassis
Answer: A
QUESTION 23
To allow the PAN device to resolve internal and external DNS host names for reporting and for security
policies, an administrator can do the following:
A. Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for internal
domain. Then, in the device settings, point to this proxy object for DNS resolution.
B. In the device settings define internal hosts via a static list.
C. In the device settings set the Primary DNS server to an external server and the secondary to an internal
server.
D. Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for internal
domain. Then, in the device settings, select the proxy object as the Primary DNS and create a custom security
rule which references that object for
Answer: A
QUESTION 24
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall?
(Select all correct answers.)
A. Improved DNS-based C&C signatures.
B. Improved PAN-DB malware detection.
C. Improved BrightCloud malware detection.
D. Improved malware detection in WildFire.
Answer: A,B,D
QUESTION 25
An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?
A. Virtual Wire
B. Tap
C. L3
D. L2
Answer: A
QUESTION 26
Which best describes how Palo Alto Networks firewall rules are applied to a session?
A. last match applied
B. first match applied
C. all matches applied
D. most specific match applied
Answer: B
QUESTION 27
Select the implicit rules enforced on traffic failing to match any user defined Security Policies:
A. Intra-zone traffic is denied
B. Inter-zone traffic is denied
C. Intra-zone traffic is allowed
D. Inter-zone traffic is allowed
Answer: B,C
QUESTION 28
Which statement accurately reflects the functionality of using regions as objects in Security policies?
A. Predefined regions are provided for countries, but not for cities. The administrator can set up custom
regions, including latitude and longitude, to specify the geographic position of that particular region.
B. The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. These custom regions can be used in the "Source User" field of the Security
Policies.
C. Regions cannot be used in the "Source User" field of the Security Policies, unless the administrator has set
up custom regions.
D. The administrator can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region. Both predefined regions and custom regions can be used in the "Source User"
field.
Answer: A
QUESTION 29
Enabling "Highlight Unused Rules" in the Security policy window will:
A. Highlight all rules that did not immediately match traffic.
B. Highlight all rules that did not match traffic since the rule was created or since last reboot of the firewall
C. Allows the administrator to troubleshoot rules when a validation error occurs at the time of commit.
D. Allow the administrator to temporarily disable rules that do not match traffic, for testing purposes
Answer: B
QUESTION 30
What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering Database (PAN-DB)?
A. The "Log Container Page Only" option can be employed in a URL-Filtering policy to reduce the number of
logging events.
B. URL-Filtering can now be employed as a match condition in Security policy
C. IP-Based Threat Exceptions can now be driven by custom URL categories
D. Daily database downloads for updates are no longer required as devices stay in-sync with the cloud.
Answer: D
QUESTION 31
Which fields can be altered in the default Vulnerability Protection Profile?
A. Category
B. Severity
C. None
Answer: C
QUESTION 32
What option should be configured when using User Identification?
A. Enable User Identification per Zone
B. Enable User Identification per Security Rule
C. Enable User Identification per interface
D. None of the above
Answer: A
QUESTION 33
When employing the BrightCloud URL filtering database on the Palo Alto Networks firewalls, the order of
checking within a profile is:
A. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic URL Filtering
B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic URL Filtering
C. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories, Predefined Categories
D. None of the above
Answer: A
QUESTION 34

Taking into account only the information in the screenshot above, answer the following question. In order for
ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply.
A. Security policy from trust zone to Internet zone that allows ping
B. Create the appropriate routes in the default virtual router
C. Security policy from Internet zone to trust zone that allows ping
D. Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2
Answer: A,D

QUESTION 35
Wildfire may be used for identifying which of the following types of traffic?
A. Malware
B. DNS
C. DHCP
D. URL Content
Answer: A
QUESTION 36
Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks
firewall?
A. So that information can be pulled from other network resources for User-ID
B. To allow the firewall to push UserID information to a Network Access Control (NAC) device.
C. To permit sys logging of User Identification events
Answer: B
QUESTION 37
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of
the device. In situations where the public IP is not static, this value can be replaced with a domain name or
other text value.
A. True
B. False
Answer: A
QUESTION 38
What happens at the point of Threat Prevention license expiration?
A. Threat Prevention no longer updated; existing database still effective
B. Threat Prevention is no longer used; applicable traffic is allowed
C. Threat Prevention no longer used; applicable traffic is blocked
D. Threat Prevention no longer used; traffic is allowed or blocked by configuration per Security Rule
Answer: A
QUESTION 39
Which of the following objects cannot use User-ID as a match criteria?
A. Security Policies
B. QoS
C. Policy Based Forwarding
D. DoS Protection
E. None of the above
Answer: E
QUESTION 40
Subsequent to the installation of new licenses, the firewall must be rebooted.
A. True
B. False
Answer: B

QUESTION 41
When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application
need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and
NETBIOS-SS?
A. Yes
B. No
Answer: A
QUESTION 42
Which of the following options may be enabled to reduce system overhead when using Content ID?
A. STP
B. VRRP
C. RSTP
D. DSRI
Answer: D
QUESTION 43
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the "Forward" and "Continue and Forward" File-Blocking actions
B. A custom file blocking action must be enabled for all PDF and PE type files
C. Wildfire is automatically enabled with a valid URL-Filtering license
D. Via the URL-Filtering "Continue" Action.
Answer: A
QUESTION 44
To create a custom signature object for an Application Override Policy, which of the following fields are
mandatory?
A. Category
B. Regular Expressions
C. Ports
D. Characteristics
Answer: D
QUESTION 45
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of
evaluation within a profile is:
A. Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
B. Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
C. Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
D. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Answer: A
QUESTION 46
A user complains that they are no longer able to access a needed work application after you have implemented
vulnerability and anti-spyware profiles. The user's application uses a unique port. What is the most efficient
way to allow the user access to this application?
A. Utilize an Application Override Rule, referencing the custom port utilized by this application. Application
Override rules bypass all Layer 7 inspection, thereby allowing access to this application.
B. In the Threat log, locate the event which is blocking access to the user's application and create a IP-based
exemption for this user.
C. In the vulnerability and anti-spyware profiles, create an application exemption for the
user's application.
D. Create a custom Security rule for this user to access the required application. Do not apply vulnerability and
anti-spyware profiles to this rule.
Answer: B
QUESTION 47
When Network Address Translation has been performed on traffic, Destination Zones in Security rules should
be based on:
A. Post-NAT addresses
B. The same zones used in the NAT rules
C. Pre-NAT addresses
D. None of the above
Answer: A
QUESTION 48
If "Forward Proxy Ready" shows "no" when running the command show system setting ssl-decrypt setting,
what is most likely the cause?
A. SSL forward proxy certificate is not generated
B. Web interface certificate is not generated
C. Forward proxy license is not enabled on the box
D. SSL decryption rule is not created
Answer: D
QUESTION 49
What is the size limitation of files manually uploaded to WildFire?
A. Configurable up to 10 megabytes
B. Hard-coded at 10 megabytes
C. Hard-coded at 2 megabytes
D. Configurable up to 20 megabytes
Answer: A
QUESTION 50
Which routing protocol is supported on the Palo Alto Networks platform?
A. BGP
B. RSTP
C. ISIS
D. RIPv1
Answer: A
QUESTION 51
Users can be authenticated serially to multiple authentication servers by configuring:
A. Multiple RADIUS Servers sharing a VSA configuration
B. Authentication Sequence
C. Authentication Profile
D. A custom Administrator Profile
Answer: B
QUESTION 52
With PAN-OS 5.0, how can a common NTP value be pushed to a cluster of firewalls?
A. Via a Panorama Template
B. Via a shared object in Panorama
C. Via a Panorama Device Group
D. Via a Device Group object in Panorama
Answer: B
QUESTION 53
You'd like to schedule a firewall policy to only allow a certain application during a particular time of day.
Where can this policy option be configured?
A. Policies > Security > Service
B. Policies > Security > Options
C. Policies > Security > Application
D. Policies > Security > Profile
Answer: D
QUESTION 54
The following can be configured as a next hop in a Static Route:
A. A Policy-Based Forwarding Rule
B. Virtual System
C. A Dynamic Routing Protocol
D. Virtual Router
Answer: D
QUESTION 55
When creating an application filter, which of the following is true?
A. They are used by malware
B. Excessive bandwidth may be used as a filter match criteria
C. They are called dynamic because they automatically adapt to new IP addresses
D. They are called dynamic because they will automatically include new applications from an application
signature update if the new application's type is included in the filter
Answer: D
QUESTION 56
Which of the following GlobalProtect features requires a separate license?
A. Use of dynamic selection between multiple Gateways
B. Use of a Portal to allow users to connect
C. Allowing users to connect
D. Manual Gateway Selection
Answer: A
QUESTION 57
When configuring a Decryption Policy, which of the following are available as matching criteria in a policy?
(Choose 3)
A. Source Zone
B. Source User
C. Service
D. URL-Category
E. Application
Answer: A,B,D
QUESTION 58
Will an exported configuration contain Management Interface settings?
A. Yes
B. No
Answer: A
QUESTION 59
As the Palo Alto Networks administrator responsible for User Identification, you are looking for the simplest
method of mapping network users that do not sign into LDAP. Which information source would allow reliable
User ID mapping for these users, requiring the least amount of configuration?
A. WMI Query
B. Exchange CAS Security Logs
C. Captive Portal
D. Active Directory Security Logs
Answer: C
QUESTION 60
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Global Protect
B. URL Filtering
C. Antivirus
D. Applications and Threats
Answer: B,C
QUESTION 61
When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2 mode, security
policies can be set to match on multicast IP addresses.
A. True
B. False
Answer: B
QUESTION 62
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by
A. Configuring a corresponding HA4 interface
B. Configuring HA3 as an Aggregate Ethernet bundle
C. Configuring multiple HA3 interfaces
D. Configuring HA3 in a redundant group
Answer: B
QUESTION 63
What option should be configured when using User-ID?
A. Enable User-ID per zone
B. Enable User-ID per interface
C. Enable User-ID per Security Policy
D. None of the above
Answer: C
QUESTION 64
For correct routing to SSL VPN clients to occur, the following must be configured:
A. Network Address Translation must be enabled for the SSL VPN client IP pool
B. A dynamic routing protocol between the Palo Alto Networks device and the next-hop gateway to advertise
the SSL VPN client IP pool
C. A static route on the next-hop gateway of the SSL VPN client IP pool with a destination of the Palo Alto
Networks device
D. No routing needs to be configured - the PAN device automatically responds to ARP requests for the SSL
VPN client IP pool
Answer: A
QUESTION 65
Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)

A. BitTorrent
B. Gnutella
C. Skype
D. SSH
Answer: A,D

QUESTION 66
Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment?
A. HA3 is used for session synchronization
B. The HA3 link is used to transfer Layer 7 information
C. HA3 is used to handle asymmetric routing
D. HA3 is the control link
Answer: A
QUESTION 67
When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most informative logs?
A. Responding side, Traffic Logs
B. Initiating side, Traffic Logs
C. Responding side, System Logs
D. Initiating side, System Logs
Answer: C
QUESTION 68
Which option allows an administrator to segregate Panorama and Syslog traffic, so that the Management Interface
is not employed when sending these types of traffic?
A. Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and Syslog devices.
B. Define a Loopback interface for the Panorama and Syslog Devices
C. On the Device tab in the Web UI, create custom server profiles for Syslog and Panorama
D. Service Route Configuration
Answer: D
QUESTION 69
How do you limit the amount of information recorded in the URL Content Filtering Logs?
A. Enable DSRI
B. Disable URL packet captures
C. Enable URL log caching
D. Enable Log container page only
Answer: D
QUESTION 70
Which mode will allow users to choose how they wish to connect to the GlobalProtect network?
A. Single Sign-On Mode
B. On Demand Mode
C. Always On Mode
D. Optional Mode
Answer: B

QUESTION 71
Which of the following describes the sequence of the GlobalProtect agent connecting to a Gateway?
A. The Agent connects to the Portal obtains a list of Gateways, and connects to the Gateway with the fastest
SSL response time
B. The agent connects to the closest Gateway and sends the HIP report to the portal
C. The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest
PING response time
D. The agent connects to the portal and randomly establishes a connection to the first available gateway
Answer: A
QUESTION 72
A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption capabilities.
A. True
B. False
Answer: B
QUESTION 73
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
A. Dynamic numbers that refer to a security policy's order and are especially useful when filtering security
policies by tags
B. Numbers referring to when the security policy was created and do not have a bearing on the order of policy
enforcement
C. Static numbers that must be manually re-numbered whenever a new security policy is added
Answer: A
QUESTION 74
Which of the following fields is not available in DoS policy?
A. Destination Zone
B. Source Zone
C. Application
D. Service
Answer: C
QUESTION 75
After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving the Captive Portal
authentication page when they launch their web browsers. How can this be corrected?
A. Ensure that all users in the Trust Zone are using NTLM-capable browsers
B. Enable "Response Pages" in the Interface Management Profile that is applied to the L3 Interface in the Trust
Zone.
C. Confirm that Captive Portal Timeout value is not set below 2 seconds
D. Enable "Redirect " as the Mode type in the Captive Portal Settings
Answer: A,B
QUESTION 76
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate
configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > ... and then what operation?
A. Revert to Running Configuration
B. Revert to last Saved Configuration
C. Load Configuration Version
D. Import Named Configuration Snapshot
Answer: A
QUESTION 77
What is the correct policy to most effectively block Skype?
A. Allow Skype, block Skype-probe
B. Allow Skype-probe, block Skype
C. Block Skype-probe, block Skype
D. Block Skype
Answer: A
QUESTION 78
Wildfire may be used for identifying which of the following types of traffic?
A. URL content
B. DHCP
C. DNS
D. Viruses
Answer: D
QUESTION 79
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other web-browsing traffic is permitted?
A. Ensure that the Service column is defined as "application-default" for this security rule. This will
automatically include the implicit web-browsing application dependency.
B. Create a subsequent rule which blocks all other traffic
C. When creating the rule, ensure that web-browsing is added to the same rule. Both applications will be
processed by the Security policy, allowing only Facebook to be accessed. Any other applications can be
permitted in subsequent rules.
D. No other configuration is required on the part of the administrator, since implicit application dependencies
will be added automatically.
Answer: D
QUESTION 80
When a user logs in via Captive Portal, their user information can be checked against:
A. Terminal Server Agent
B. Security Logs
C. XML API
D. Radius
Answer: D
QUESTION 81
What needs to be done prior to committing a configuration in Panorama after making a change via the CLI or
web interface on a device?
A. No additional actions required
B. Synchronize the configuration between the device and Panorama
C. Make the same change again via Panorama
D. Re-import the configuration from the device into Panorama
Answer: A
QUESTION 82
Which of the following interfaces types will have a MAC address?
A. Layer 3
B. Tap
C. Vwire
D. Layer 2
Answer: D
QUESTION 83
In PAN-OS 6.0, rule numbers are:
A. Numbers that specify the order in which security policies are evaluated.
B. Numbers created to be unique identifiers in each firewall's policy database.
C. Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
D. Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.
Answer: A
QUESTION 84
When configuring Security rules based on FQDN objects, which of the following statements are true?
A. The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security rules
are evaluated.
B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.
There is no limit on the number of IP addresses stored for each resolved FQDN.
C. In order to create FQDN-based objects, you need to manually define a list of associated IP. Up to 10 IP
addresses can be configured for each FQDN entry.
D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The
resolution of this FQDN stores up to 10 different IP addresses.
Answer: C
QUESTION 85
What built-in administrator role allows all rights except for the creation of administrative accounts and virtual
systems?
A. superuser
B. vsysadmin
C. A custom role is required for this level of access
D. deviceadmin
Answer: D
QUESTION 86
When adding an application in a Policy-based Forwarding rule, only a subset of the entire App-ID database is
represented. Why would this be?
A. Policy-based forwarding can only identify certain applications at this stage of the packet flow, as the
majority of applications are only identified once the session is created.
B. Policy-based forwarding rules require that a companion Security policy rule, allowing the needed
Application traffic, must first be created.
C. The license for the Application ID database is no longer valid.
D. A custom application must first be defined before it can be added to a Policy-based forwarding rule.
Answer: A
QUESTION 87
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
A. Password-protected access to specific file downloads, for authorized users increased speed on the downloads
of the allowed file types
B. Protection against unwanted downloads, by alerting the user with a response page indicating that file is going
to be downloaded
C. The Administrator the ability to leverage Authentication Profiles in order to protect against unwanted
downloads
Answer: C
QUESTION 88
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off communication?
A. MGT interface address
B. Loopback interface address
C. Any one Layer 3 interface address
D. Localhost address
Answer: B
QUESTION 89
When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset.
A. True
B. False
Answer: B
QUESTION 90
Which of the following are methods HA clusters use to identify network outages?
A. Path and Link Monitoring
B. VR and VSys Monitors
C. Heartbeat and Session Monitors
D. Link and Session Monitors
Answer: A
QUESTION 91
What is the default setting for 'Action' in a Decryption Policy's rule?
A. No-decrypt
B. Decrypt
C. Any
D. None
Answer: D
QUESTION 92
What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google
Translator?
A. The URL filtering policy to Block is enforced
B. It will be translated successfully
C. It will be redirected to www.2600.com
D. User will get "HTTP Error 503 - Service unavailable" message
Answer: A
QUESTION 93
Which link is used by an Active-Passive cluster to synchronize session information?
A. The Data Link
B. The Control Link
C. The Uplink
D. The Management Link
Answer: A
QUESTION 94
The "Disable Server Return Inspection" option on a security profile:
A. Can only be configured in Tap Mode
B. Should only be enabled on security policies allowing traffic to a trusted server.
C. Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet
D. Only performs inspection of traffic from the side that originated the TCP SYN-ACK packet
Answer: B
QUESTION 95
In an Anti-Virus profile, changing the action to Block for IMAP or POP decoders will result in the following:
A. The connection from the server will be reset
B. The Anti-virus profile will behave as if Alert had been specified for the action
C. The traffic will be dropped by the firewall
D. Error 541 being sent back to the server
Answer: B
QUESTION 96
What is the name of the debug save file for IPSec VPN tunnels?
A. set vpn all up
B. test vpn ike-sa
C. request vpn IPsec-sa test
D. Ikemgr.pcap
Answer: D
QUESTION 97
As the Palo Alto Networks administrator, you have enabled Application Block pages. Afterward, some users do
not receive web-based feedback for all denied applications. Why would this be?
A. Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have
Application Block pages enabled.
B. Application Block Pages will only be displayed when Captive Portal is configured
C. Some Application IDs are set with a Session Timeout value that is too low.
D. Application Block Pages will only be displayed when users attempt to access a denied web-based
application.
Answer: D
QUESTION 98
Which of the following represents HTTP traffic events that can be used to identify potential Botnets?
A. Traffic from users that browse to IP addresses instead of fully-qualified domain names, downloading
W32.Welchia.Worm from a Windows share, traffic to domains that have been registered in the last 30 days,
downloading executable files from unknown URLs
B. Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 60 days, downloading executable files from unknown URLs
C. Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 60 days, downloading executable files from unknown URLs, IRC-based
Command and Control traffic
D. Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains
that have been registered in the last 30 days.
Answer: D
QUESTION 99
Which of the following must be enabled in order for UserID to function?
A. Captive Portal Policies must be enabled.
B. UserID must be enabled for the source zone of the traffic that is to be identified.
C. Captive Portal must be enabled.
D. Security Policies must have the UserID option enabled.
Answer: B
QUESTION 100
Which fields can be altered in the default Vulnerability profile?
A. Severity
B. Category
C. CVE
D. None
Answer: D
