Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version

ACE Exam

Question 1 of 50.
When Destination Network Address Translation is being performed, the destination in the corresponding
Security Policy Rule should use:
The Pre-NAT destination zone and Post-NAT IP addresses.
The Post-NAT destination zone and Post-NAT IP addresses.
The Post-NAT destination zone and Pre-NAT IP addresses.
The Pre-NAT destination zone and Pre-NAT IP addresses.

Question 2 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True

False

Question 3 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2
tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy

Question 4 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off
communication?
The default gateway of the firewall.
The MGT interface address.
The local loopback address.
Any layer 3 interface address specified by the firewall administrator.

Question 5 of 50.
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Question 6 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True

False

Question 7 of 50.
Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire
Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason
and purpose for the WildFire Hybrid solution?
The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them
internal to their network, as well as providing the option to send other, general files to the WildFire Public
Cloud for analysis.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances
distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while
retaining data privacy.
The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not
require a WildFire subscription.
The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the
same time allowing them to send only their private files to the private WF-500.

Question 8 of 50.
Security policy rules specify a source interface and a destination interface.
True

False

Question 9 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
The default Admin account may be disabled or deleted.
By default the MGT Port's IP Address is 192.168.1.1/24.
Initial configuration may be accomplished through the MGT interface or the Console port.
System defaults may be restored by performing a factory reset in Maintenance Mode.

Question 10 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP
address or an Address Object.
True

False

Question 11 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the
public IP address of the device. In situations where the public IP address is not static, the Peer ID can be
a text value.
True

False

Question 12 of 50.
In which of the following can User-ID be used to provide a match condition?
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Question 13 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process
traffic.
True

False

Question 14 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Initiating side, System log
Initiating side, Traffic log
Responding side, Traffic log
Responding side, System Log

Question 15 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Address Objects
Service Groups
Zones
Vulnerability Profiles

Question 16 of 50.
PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile type?
File Analysis
Threat Analysis
Malware Analysis
WildFire Analysis

Question 17 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will
classify the file with an official verdict. This verdict is known as the WildFire Analysis verdict. Choose
the three correct classifications as a result of this analysis and classification.
Malware detection
Safeware
Spyware
Adware
Grayware
Benign

Question 18 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes

No

Question 19 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?
Any
None
Decrypt
No-Decrypt

Question 20 of 50.
Will an exported configuration contain Management Interface settings?
Yes

No

Question 21 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the
following also prevents "Split-Brain"?
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup
HA2 link.
Under Packet Forwarding, selecting the VR Sync checkbox.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Configuring an independent backup HA1 link.

Question 22 of 50.
Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or compress
the file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four levels. But if an
attacker has encoded the file beyond four levels, what can you as an administrator do to protect your
users?
Create a Decryption Policy for multi-level encoded files and set the action to block.
Create a File Blocking Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a Decryption Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a File Blocking Profile for multi-level encoded files with the action set to block.

Question 23 of 50.
Which of the following is True of an application filter?
An application filter is used by malware to evade detection by firewalls and anti-virus software.
An application filter automatically adapts when an application moves from one IP address to another.
An application filter specifies the users allowed to access an application.
An application filter automatically includes a new application when one of the new application's
characteristics is included in the filter.

Question 24 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the
firewall? (Select all correct answers.)
Improved PAN-DB malware detection.
Improved DNS-based C&C signatures.
Improved malware detection in WildFire.
Improved BrightCloud malware detection.

Question 25 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Protection against unwanted downloads by showing the user a response page indicating that a file is going
to be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.

Question 26 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
A custom Administrator Profile.
An Authentication Profile.
Multiple RADIUS servers sharing a VSA configuration.

Question 27 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000

Question 28 of 50.
User-ID is enabled in the configuration of
A Zone.
An Interface.
A Security Policy.
A Security Profile.

Question 29 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
True

False

Question 30 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True

False

Question 31 of 50.
The following can be configured as a next hop in a static route:
Virtual Systems
A Policy-Based Forwarding Rule
Virtual Router
Virtual Switch

Question 32 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware
signatures to be distributed as often as
Once an hour
Once a week
Once every 15 minutes
Once a day

Question 33 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the
firewall has "Safe Search Enforcement" Enabled?
The user will be redirected to a different search site that is specified by the firewall administrator.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A block page will be presented with instructions on how to set the strict Safe Search option for the Google
search.
A task bar pop-up message will be presented to enable Safe Search.

Question 34 of 50.
Which of the following facts about dynamic updates is correct?
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released
weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released
weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and URL Filtering updates are
released weekly.

Question 35 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the
hosted WildFire virtualized sandbox?
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PE files only
PDF files only
PE and Java Applet (jar and class) only

Question 36 of 50.

Taking into account only the information in the screenshot above, answer the following question. An
administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the
lack of response?
There is a Security Policy that prevents ping.
The interface is down.
There is no Management Profile.
There is no route back to the machine originating the ping.

Question 37 of 50.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of
suspicious traffic and network anomalies that may indicate a host has been compromised?
Custom Signatures
Correlation Objects
Correlation Events
App-ID Signatures
Command & Control Signatures

Question 38 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security
Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed

Question 39 of 50.
Which statement below is True?
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.

Question 40 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
The rule with the highest rule number is applied.
Most specific match applied.
Last match applied.
First match applied.

Question 41 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network
users that do not sign-in using LDAP. Which information source would allow for reliable User-ID
mapping while requiring the least effort to configure?
Captive Portal
Active Directory Security Logs
WMI Query
Exchange CAS Security logs

Question 42 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
devicereader
superuser
deviceadmin
read/write

Question 43 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
Gnutella
BitTorrent
Skype
SSH

Question 44 of 50.
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can
now decode up to how many levels?
Six
Three
Five
Four

Question 45 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span
port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions
most likely explains this behavior?
The interface is not assigned a virtual router.
The interface is not assigned an IP address.
The interface is not up.
There is no zone assigned to the interface.

Question 46 of 50.
An interface in tap mode can transmit packets on the wire.
True

False

Question 47 of 50.
Which pre-defined Admin Role has all rights except the rights to create administrative accounts and
virtual systems?
A custom admin role must be created for this specific combination of rights.
Device Administrator
Superuser
vsysadmin

Question 48 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A subscription-based PAN-PA-Decrypt license
A free PAN-PA-Decrypt license
A Client Decryption license
A subscription-based SSL Port license

Question 49 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire

Question 50 of 50.

Taking into account only the information in the screenshot above, answer the following question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The SSH traffic will be allowed.
The BitTorrent traffic will be allowed.
The SSH traffic will be denied.
The BitTorrent traffic will be denied.