Beruflich Dokumente
Kultur Dokumente
1 Version
ACE Exam
Question 1 of 50.
Decrypt
None
Any
No-
Decrypt
Question 2 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series
100
PA-2000
PA-4000
Question 3 of 50.
ISIS
RSTP
Question 4 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut
off communication?
Question 5 of 50.
The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse
this device from e1/2 to e1/1, which of the following statements must be True about this
firewall’s configuration? (Select all correct answers.)
There must be a security policy rule from trust zone to Internet zone that allows
ping.
There must be a Management Profile that allows ping. (Then assign that Management
Profile to e1/1 and e1/2.)
There must be appropriate routes in the default virtual router.
There must be a security policy rule from Internet zone to trust zone that allows
ping.
Mark for follow up
Question 6 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False
Question 7 of 50.
Question 8 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to
an internal server’s private IP address. Which IP address should the Security Policy use as
the "Destination IP" in order to allow traffic to the server?
Application and Anti-virus updates are released weekly. Threat and “Threat and URL
Filtering” updates are released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering
updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released
weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus
updates are released weekly.
Question 10 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Always 2 megabytes.
Always 10 megabytes.
Configurable up to 10
megabytes.
Configurable up to 2 megabytes.
Question 11 of 50.
What Security Profile type must be configured to send files to the WildFire cloud, and
with what choices for the action setting?
Question 12 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with
either an IP address or an Address Object.
True False
Question 13 of 50.
Taking into account only the information in the screenshot above, answer the following
question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which
of the following conditions most likely explains this behavior?
Question 14 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall,
you need a:
Virtual Router
VLAN
Virtual Wire
Security
Profile
Question 15 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
Question 16 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-
defined Security Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed
Question 17 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied
to a session?
The rule with the highest rule number is
applied.
First match applied.
Last match applied.
Most specific match applied.
Question 18 of 50.
Display rules that caused a validation error to occur at the time a Commit was
performed.
Highlight all rules that have not matched traffic since the rule was created or since
the last reboot of the firewall.
Highlight all rules that did not match traffic within an administrator-specified time
period.
Temporarily disable rules that have not matched traffic since the rule was created or
since the last reboot of the firewall.
Question 19 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the
purposes of User-ID? (Select all correct answers.)
RIPv2
Network Access Control (NAC) device
SSL Certificates
Domain Controller
Question 21 of 50.
How do you reduce the amount of information recorded in the URL Content Filtering
Logs?
Question 22 of 50.
What will the user experience when attempting to access a blocked hacking website
through a translation service such as Google Translate or Bing Translator?
Question 23 of 50.
When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will
send a TCP reset.
True False
Question 24 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator
to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound
Inspection
SSL Reverse Proxy
Question 25 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for
malware signatures to be distributed as often as…
Once an hour
Once a week
Once a day
Once every 15
minutes
Question 26 of 50.
Question 27 of 50.
A Config Lock may be removed by which of the following users? (Select all correct
answers.)
Superusers
Any administrator
Device administrators
The administrator who set it
Question 28 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the
following statements is True?
The firewall resolves the FQDN first when the policy is committed, and resolves the
FQDN again each time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the
FQDN again at DNS TTL expiration.
In order to create FQDN-based objects, you need to manually define a list of
associated IP addresses.
Question 29 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the
Candidate configuration. These changes may be undone by Device > Setup > Operations >
Configuration Management>....and then what operation?
Question 30 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Initial configuration may be accomplished thru the MGT interface or the Console
port.
The default Admin account may be disabled or deleted.
System defaults may be restored by performing a factory reset in Maintenance
Mode.
By default the MGT Port's IP Address is 192.168.1.1/24.
Question 31 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True False
Question 32 of 50.
Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall
from port scans. To enable this feature within the GUI go to…
Question 33 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks
firewall, the order of evaluation within a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow
list, Cache files.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories,
Predefined categories.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL
filtering, Allow list.
Question 34 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Zones
Vulnerability
Profiles
Service Groups
Address Objects
Mark for follow up
Question 35 of 50.
Question 36 of 50.
A subscription-based PAN-PA-Decrypt
license
A subscription-based SSL Port license
A Client Decryption license
A free PAN-PA-Decrypt license
Question 37 of 50.
A Policy-Based Forwarding
Rule
Virtual Switch
Virtual Systems
Virtual Router
Question 38 of 50.
After the installation of the Threat Prevention license, the firewall must be rebooted.
True False
Question 39 of 50.
After the installation of a new Application and Threat database, the firewall must be
rebooted.
True False
Question 40 of 50.
Question 41 of 50.
Which of the following is True of an application filter?
Question 42 of 50.
Taking into account only the information in the screenshot above, answer the following
question. Which applications will be allowed on their standard ports? (Select all correct
answers.)
SSH
BitTorrent
Skype
Gnutella
Question 43 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:
Question 44 of 50.
Question 45 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to
block all other web-browsing traffic?
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not
needed for Facebook use.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.
Ensure that the Service column is defined as "application-default" for this Security
policy. Doing this will automatically include the implicit web-browsing application
dependency.
Question 46 of 50.
Taking into account only the information in the screenshot above, answer the following
question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the
most likely reason for the lack of response?
Question 47 of 50.
When Destination Network Address Translation is being performed, the destination in the
corresponding Security Policy Rule should use:
Question 48 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all
correct answers.)
HTTPS
SSH
Telnet
HTTP
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be
most informative?
Question 50 of 50.
Which of the following are methods that HA clusters use to identify network outages?