Beruflich Dokumente
Kultur Dokumente
0
Version
ACE Exam
Question 1 of 50.
An Interface.
A Security Profile.
A Security Policy.
A Zone.
Question 2 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
ISIS
IGRP
EIGRP
RIPv2
Question 3 of 50.
What will the user experience when attempting to access a blocked hacking website through a
translation service such as Google Translate or Bing Translator?
A “Blocked” page response when the URL filtering policy to block is enforced.
Question 4 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
Superusers
Any administrator
Device administrators
Question 5 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of
User-ID? (Select all correct answers.)
Domain Controller
RIPv2
SSL Certificates
Question 6 of 50.
When using Config Audit, the color yellow indicates which of the following?
Question 7 of 50.
Taking into account only the information in the screenshot above, answer the following question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The BitTorrent traffic will be denied.
Question 8 of 50.
Question 9 of 50.
The Uplink
Question 10 of 50.
Question 11 of 50.
A specific program detected within an identified stream that can be detected, monitored, and/or
blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Question 12 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the
following also prevents "Split-Brain"?
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Creating a custom interface under Service Route Configuration, and assigning this interface as the
backup HA2 link.
Configuring an independent backup HA1 link.
Question 13 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct
answers.)
HTTPS
SSH
Telnet
HTTP
Question 14 of 50.
In which of the following can User-ID be used to provide a match condition?
Security Policies
NAT Policies
Threat Profiles
Question 15 of 50.
Taking into account only the information in the screenshot above, answer the following question.
Which applications will be allowed on their standard ports? (Select all correct answers.)
Gnutella
BitTorrent
Skype
SSH
Question 16 of 50.
Question 17 of 50.
Question 18 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following
statements is True?
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each
time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS
TTL expiration.
Question 19 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
True False
Question 20 of 50.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates
are released weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released
weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released
weekly.
Question 21 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
1000
50
500
10
Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port
scans. To enable this feature within the GUI go to…
Question 23 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just
the public IP address of the device. In situations where the public IP address is not static, the Peer ID
can be a text value.
True False
Question 24 of 50.
After the installation of the Threat Prevention license, the firewall must be rebooted.
True False
Question 25 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based
Forwarding Rule? (Choose 3.)
Destination Application
Source User
Destination Zone
Source Zone
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False
Question 27 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire
Question 28 of 50.
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall
can now decode up to how many levels?
Four
Five
Three
Six
Question 29 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control
SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
Question 30 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile
Question 31 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most
informative?
Question 32 of 50.
A config lock can be removed only by the administrator who set it.
A config lock can only be removed by the administrator who set it or by a superuser.
A config lock will expire after 24 hours, unless it was set by a superuser.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of
suspicious traffic and network anomalies that may indicate a host has been compromised?
Custom Signatures
Correlation Objects
App-ID Signatures
Correlation Events
Question 34 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will
classify the file with an official verdict. This verdict is known as the WildFire Analysis verdict. Choose
the three correct classifications as a result of this analysis and classification?
Grayware
Benign
Safeware
Adware
Spyware
Malware detection
Question 35 of 50.
Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or
compress the file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four levels.
But if an attacker has encoded the file beyond four levels, what can you as an administer do to protect
your users?
Create a Decryption Policy for multi-level encoded files and set the action to block.
Create a File Blocking Profile for multi-level encoded files with the action set to block.
Create a Decryption Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a File Blocking Profile for multi-level encoded files and apply it to a Decryption Policy.
Question 37 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done
to allow a user to authenticate through multiple methods?
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single,
global authentication type--and all users must use this method.
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. A single user can only use one authentication type.
Question 38 of 50.
What are two sources of information for determining whether the firewall has been successful in
communicating with an external User-ID Agent?
System Logs and the indicator light under the User-ID Agent settings in the firewall.
Question 39 of 50.
Taking into account only the information in the screenshot above, answer the following question: A
span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following
conditions most likely explains this behavior?
Question 40 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all
other web-browsing traffic?
When creating the policy, ensure that web-browsing is included in the same rule.
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook
use.
Create an additional rule that blocks all other traffic.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will
automatically include the implicit web-browsing application dependency.
Question 41 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Zones
Vulnerability Profiles
Address Objects
Service Groups
Question 42 of 50.
The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse this device
from e1/2 to e1/1, which of the following statements must be True about this firewall’s configuration?
(Select all correct answers.)
There must be a security policy rule from Internet zone to trust zone that allows ping.
There must be a security policy rule from trust zone to Internet zone that allows ping.
Question 43 of 50.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
Question 44 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the
hosted WildFire virtualized sandbox?
PE files only
Question 45 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Profile
Question 46 of 50.
Numbers that specify the order in which security policies are evaluated.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.
Question 47 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based
(customized user roles) for Administrator Accounts.
True False
Question 48 of 50.
Question 49 of 50.
Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire
Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason
and purpose for the WildFire Hybrid solution?
The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at
the same time allowing them to send only their private files to the private WF-500.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances
distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while
retaining data privacy.
The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does
not require a WildFire subscription.
The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them
internal to their network, as well providing the option to send other, general files to the WildFire Public
Cloud for analysis.
Question 50 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but
the firewall has "Safe Search Enforcement" Enabled?
The Firewall will enforce Safe Search if the URL filtering license is still valid.
The user will be redirected to a different search site that is specified by the firewall administrator.
A block page will be presented with instructions on how to set the strict Safe Search option for the
Google search.