PaloAltoNetworks.ACE.v2018-04-10.

q172
Exam Code: ACE
Exam Name: Accredited Configuration Engineer (ACE)
Certification Provider: Palo Alto Networks
Free Question Number: 172
Version: v2018-04-10
# of views: 749
# of Questions views: 28126
https://www.freecram.com/torrent/PaloAltoNetworks.ACE.v2018-04-10.q172.html

NEW QUESTION: 1
What Security Profile type must be configured to send files to the WildFire cloud, and with
what choices for the action setting?
A. A URL Filtering profile with the possible action of "Forward".
B. A Data Filtering profile with possible actions of "Forward" or "Continue and Forward".
C. A Vulnerability Protection profile with the possible action of "Forward".
D. A File Blocking profile with possible actions of "Forward" or "Continue and Forward".
Answer: D

NEW QUESTION: 2
Which of the following facts about dynamic updates is correct?
A. Application and Threat updates are released daily. Antivirus and URL Filtering updates
are released weekly.
B. Threat and URL Filtering updates are released daily. Application and Antivirus updates
are released weekly.
C. Application and Antivirus updates are released weekly. Threat and "Threat and URL
Filtering" updates are released weekly.
D. Antivirus updates are released daily. Application and Threat updates are released
weekly.
Answer: D

NEW QUESTION: 3
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0
the firewall can now decode up to how many levels?
A. Six
B. Three
C. Five
D. Four
Answer: D

NEW QUESTION: 4
Which of the following services are enabled on the MGT interface by default?
A. Telnet
B. HTTP
C. HTTPS
D. SSH
Answer: C,D

NEW QUESTION: 5
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining
patterns of suspicious traffic and network anomalies that may indicate a host has been
compromised?
A. Correlation Objects
B. Custom Signatures
C. Correlation Events
D. App-ID Signatures
E. Command & Control Signatures
Answer: B

NEW QUESTION: 6

Taking into account only the information in the screenshot above, answer the following
question:
A span port or a switch is connected to e1/4, but there are no traffic logs.
Which of the following conditions most likely explains this behavior?
A. The interface is not assigned a virtual router.
B. The interface is not up.
C. There is no zone assigned to the interface.
D. The interface is not assigned an IP address.
Answer: C

NEW QUESTION: 7
In PAN-OS 6.0, rule numbers are:
A. Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in
conflict.
B. Numbers created to be unique identifiers in each firewall's policy database.
C. Numbers that specify the order in which security policies are evaluated.
D. Numbers created to make it easier for users to discuss a complicated or difficult
sequence of rules.
Answer: C

NEW QUESTION: 8
When employing the Brightcloud URL filtering database on the Palo Alto Networks
firewalls, the order of checking within a profile is:
A. None of the above
B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic
URL Filtering
C. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic
URL Filtering
D. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories,
Predefined Categories
Answer: C

NEW QUESTION: 9
Select the implicit rules that are applied to traffic that fails to match any
administrator-defined Security Policies.
A. Inter-zone traffic is allowed
B. Intra-zone traffic is allowed
C. Intra-zone traffic is denied
D. Inter-zone traffic is denied
Answer: B,D

NEW QUESTION: 10
A user complains that they are no longer able to access a needed work application after
you have implemented vulnerability and anti-spyware profiles. The user's application uses
a unique port. What is the most efficient way to allow the user access to this application?
A. In the Threat log, locate the event which is blocking access to the user's application and
create an IP-based exemption for this user.
B. Utilize an Application Override Rule, referencing the custom port utilized by this
application. Application Override rules bypass all Layer 7 inspection, thereby allowing
access to this application.
C. In the vulnerability and anti-spyware profiles, create an application exemption for the
user's application.
D. Create a custom Security rule for this user to access the required application. Do not
apply vulnerability and anti-spyware profiles to this rule.
Answer: A

NEW QUESTION: 11
Which of the following statements is NOT True about Palo Alto Networks firewalls?
A. System defaults may be restored by performing a factory reset in Maintenance Mode.
B. The Admin account may not be disabled.
C. Initial configuration may be accomplished thru the MGT interface or the Console port.
D. The Admin account may be disabled.
Answer: D

NEW QUESTION: 12
What built-in administrator role allows all rights except for the creation of administrative
accounts and virtual systems?
A. deviceadmin
B. A custom role is required for this level of access
C. superuser
D. vsysadmin
Answer: A

NEW QUESTION: 13
You can assign an IP address to an interface in Virtual Wire mode.
A. True
B. False
Answer: B

NEW QUESTION: 14
Which option allows an administrator to segregate Panorama and Syslog traffic, so that the
Management Interface is not employed when sending these types of traffic?
A. On the Device tab in the Web UI, create custom server profiles for Syslog and
Panorama
B. Define a Loopback interface for the Panorama and Syslog Devices
C. Custom entries in the Virtual Router, pointing to the IP addresses of the Panorama and
Syslog devices.
D. Service Route Configuration
Answer: D

NEW QUESTION: 15
Which of the following interface types can have an IP address assigned to it?
A. Virtual Wire
B. Tap
C. Layer 3
D. Layer 2
Answer: C

NEW QUESTION: 16
Which of the following are accurate statements describing the HA3 link in an Active-Active
HA deployment?
A. HA3 is used for session synchronization
B. The HA3 link is used to transfer Layer 7 information
C. HA3 is the control link
D. HA3 is used to handle asymmetric routing
Answer: A

Valid ACE Dumps shared by PrepAwayExam.com for Helping Passing ACE Exam!
PrepAwayExam.com now offer the newest ACE exam dumps, the
PrepAwayExam.com ACE exam questions have been updated and answers have
been corrected get the newest PrepAwayExam.com ACE dumps with Test Engine
here: https://www.prepawayexam.com/Palo-Alto-Networks/braindumps.ACE.ete.file.html
(222 Q&As Dumps, 40%OFF Special Discount: freecram)

NEW QUESTION: 17
In order to route traffic between layer 3 interfaces on the PAN firewall you need:
A. Virtual Router
B. Security Profile
C. Vwire
D. VLAN
Answer: D

NEW QUESTION: 18
Which of the following represents HTTP traffic events that can be used to identify potential
Botnets?
A. Traffic from users that browse to IP addresses instead of fully-qualified domain names,
traffic to domains that have been registered in the last 60 days, downloading executable
files from unknown URL's
B. Traffic from users that browse to IP addresses instead of fully-qualified domain names,
traffic to domains that have been registered in the last 30 days.
C. Traffic from users that browse to IP addresses instead of fully-qualified domain names,
traffic to domains that have been registered in the last 60 days, downloading executable
files from unknown URL's, IRC-based Command and Control traffic
D. Traffic from users that browse to IP addresses instead of fully-qualified domain names,
downloading W32.Welchia.Worm from a Windows share, traffic to domains that have been
registered in the last 30 days, downloading executable files from unknown URL's
Answer: B

NEW QUESTION: 19
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by:
A. Configuring HA3 as an Aggregate Ethernet bundle
B. Configuring HA3 in a redundant group
C. Configuring multiple HA3 interfaces
D. Configuring a corresponding HA4 interface
Answer: A

NEW QUESTION: 20
When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most
informative logs?
A. Responding side, System Logs
B. Responding side, Traffic Logs
C. Initiating side, Traffic Logs
D. Initiating side, System Logs
Answer: A

NEW QUESTION: 21
After the installation of a new Application and Threat database, the firewall must be
rebooted.
A. True
B. False
Answer: B

NEW QUESTION: 22
Which statement accurately reflects the functionality of using regions as objects in Security
policies?
A. Regions cannot be used in the "Source User" field of the Security Policies, unless the
administrator has set up custom regions.
B. The administrator can set up custom regions, including latitude and longitude, to specify
the geographic position of that particular region. These custom regions can be used in the
"Source User" field of the Security Policies.
C. Predefined regions are provided for countries, but not for cities. The administrator
can set up custom regions, including latitude and longitude, to specify the geographic
position of that particular region.
D. The administrator can set up custom regions, including latitude and longitude, to specify
the geographic position of that particular region. Both predefined regions and custom
regions can be used in the
"Source User" field.
Answer: C

NEW QUESTION: 23
What happens at the point of Threat Prevention license expiration?
A. Threat Prevention is no longer used; applicable traffic is allowed
B. Threat Prevention no longer used; traffic is allowed or blocked by configuration per
Security Rule
C. Threat Prevention no longer used; applicable traffic is blocked
D. Threat Prevention no longer updated; existing database still effective
Answer: D

NEW QUESTION: 24
Enabling "Highlight Unused Rules" in the Security policy window will:
A. Highlight all rules that did not immediately match traffic.
B. Highlight all rules that did not match traffic since the rule was created or since last
reboot of the firewall.
C. Allow the administrator to temporarily disable rules that do not match traffic, for testing
purposes.
D. Allows the administrator to troubleshoot rules when a validation error occurs at the time
of commit.
Answer: B

NEW QUESTION: 25
Which of the following interfaces types will have a MAC address?
A. Tap
B. Layer 2
C. Vwire
D. Layer 3
Answer: B

NEW QUESTION: 26
Which fields can be altered in the default Vulnerability profile?
A. Severity
B. Category
C. None
D. CVE
Answer: C

NEW QUESTION: 27
Which of the following must be configured when deploying User-ID to obtain information
from an 802.1x authenticator?
A. XML API for User-ID Agent
B. A User-ID agent, with the "Use for NTLM Authentication" option enabled.
C. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
D. Terminal Server Agent
Answer: A

NEW QUESTION: 28
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what
must be done to allow a user to authenticate through multiple methods?
A. This cannot be done. A single user can only use one authentication type.
B. This cannot be done. Although multiple authentication methods exist, a firewall must
choose a single, global authentication type and all users must use this method.
C. Create multiple authentication profiles for the same user.
D. Create an Authentication Sequence, dictating the order of authentication profiles.
Answer: D

NEW QUESTION: 29
You have decided to implement a Virtual Wire Subinterface. Which options can be used to
classify traffic?
A. Either VLAN tag or IP address, provided that each tag or ID is contained in the same
zone.
B. VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet).
C. Subinterface ID and VLAN tag only
D. By Zone and/or IP Classifier
Answer: B

NEW QUESTION: 30
After the installation of the Threat Prevention license, the firewall must be rebooted.
A. False
B. True
Answer: A

NEW QUESTION: 31
Which one of the options describes the sequence of the GlobalProtect agent connecting to
a Gateway?
A. The agent connects to the portal, obtains a list of the Gateways, and connects to the
Gateway with the fastest SSL connect time
B. The agent connects to the portal, obtains a list of the Gateways, and connects to the
Gateway with the fastest PING response time
C. The agent connects to the closest Gateway and sends the HIP report to the portal
D. The agent connects to the portal and randomly establishes a connection to the first
available Gateway
Answer: B

NEW QUESTION: 32
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
A. Dynamic numbers that refer to a security policy's order and are especially useful when
filtering security policies by tags
B. Static numbers that must be manually re-numbered whenever a new security policy is
added
C. Numbers referring to when the security policy was created and do not have a bearing
on the order of policy enforcement
Answer: A

NEW QUESTION: 33
After the installation of a new version of PAN-OS, the firewall must be rebooted.
A. False
B. True
Answer: B

NEW QUESTION: 34
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
A. True
B. False
Answer: B

NEW QUESTION: 35
Which of the following Global Protect features requires a separate license?
A. Use of a Portal to allow users to connect
B. Use of dynamic selection between multiple Gateways
C. Manual Gateway Selection
D. Allowing users to connect
Answer: B

NEW QUESTION: 36
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair,
which of the following also prevents "Split-Brain"?
A. Configuring a backup HA2 link that points to the MGT interface of the other device in the
pair.
B. Under "Packet Forwarding", selecting the VR Sync checkbox.
C. Creating a custom interface under Service Route Configuration, and assigning this
interface as the backup HA2 link.
D. Configuring an independent backup HA1 link.
Answer: A

NEW QUESTION: 37
How do you limit the amount of information recorded in the URL Content Filtering Logs?
A. Enable URL log caching
B. Enable DSRI
C. Disable URL packet captures
D. Enable Log container page only
Answer: D

NEW QUESTION: 38
When an interface is in Tap mode and a policy action is set to block, the interface will send
a TCP reset.
A. False
B. True
Answer: A

NEW QUESTION: 39
What is the size limitation of files manually uploaded to WildFire?
A. Hard-coded at 2 megabytes
B. Configurable up to 20 megabytes
C. Hard-coded at 10 megabytes
D. Configurable up to 10 megabytes
Answer: D

NEW QUESTION: 40
Which fields can be altered in the default Vulnerability Protection Profile?
A. Severity
B. Category
C. None
Answer: C

NEW QUESTION: 41
When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a
dependency Application need to also be enabled if the application does not employ HTTP,
SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS?
A. Yes
B. No
Answer: A

NEW QUESTION: 42
An interface in tap mode can transmit packets on the wire.
A. True
B. False
Answer: B

NEW QUESTION: 43
When configuring a Decryption Policy rule, which option allows a firewall administrator to
control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
A. SSL Reverse Proxy
B. SSL Inbound Inspection
C. SSL Forward Proxy
D. SSH Proxy
Answer: D

NEW QUESTION: 44
Which mode will allow a user to choose when they wish to connect to the Global Protect
Network?
A. Always On mode
B. Single Sign-On mode
C. On Demand mode
D. Optional mode
Answer: C

NEW QUESTION: 45
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall,
the order of evaluation within a profile is:
A. Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL
filtering, Allow list.
B. Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
C. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined
categories.
D. Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list,
Cache files.
Answer: D

NEW QUESTION: 46
Can multiple administrator accounts be configured on a single firewall?
A. Yes
B. No
Answer: A

NEW QUESTION: 47
Select the implicit rules that are applied to traffic that fails to match any
administrator-defined Security Policies.
A. Interzone traffic is allowed
B. Interzone traffic is denied
C. Intrazone traffic is allowed
D. Intrazone traffic is denied
Answer: B,C

NEW QUESTION: 48
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Applications and Threats
B. Global Protect
C. URL Filtering
D. Antivirus
Answer: C,D

NEW QUESTION: 49
Which statement below is True?
A. PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
B. PAN-OS uses PAN-DB as the default URL Filtering database, but also supports
BrightCloud.
C. PAN-OS uses BrightCloud as its default URL Filtering database, but also supports
PAN-DB.
D. PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
Answer: B

NEW QUESTION: 50
The "Disable Server Return Inspection" option on a security profile:
A. Can only be configured in Tap Mode
B. Does not perform higher-level inspection of traffic from the side that originated the TCP
SYN packet
C. Should only be enabled on security policies allowing traffic to a trusted server.
D. Only performs inspection of traffic from the side that originated the TCP SYN-ACK
packet
Answer: C

NEW QUESTION: 51
When Network Address Translation has been performed on traffic, Destination Zones in
Security rules should be based on:
A. Pre-NAT addresses
B. None of the above
C. The same zones used in the NAT rules
D. Post-NAT addresses
Answer: D

NEW QUESTION: 52
Color-coded tags can be used on all of the items listed below EXCEPT:
A. Vulnerability Profiles
B. Address Objects
C. Zones
D. Service Groups
Answer: A

NEW QUESTION: 53
Users may be authenticated sequentially to multiple authentication servers by configuring:
A. A custom Administrator Profile.
B. An Authentication Profile.
C. An Authentication Sequence.
D. Multiple RADIUS servers sharing a VSA configuration.
Answer: C

NEW QUESTION: 54
WildFire analyzes files to determine whether or not they are malicious. When doing so,
WildFire will classify the file with an official verdict. This verdict is known as the WildFire
Analysis verdict. Choose the three correct classifications as a result of this analysis and
classification?
A. Malware detection
B. Benign
C. Adware
D. Spyware
E. Safeware
F. Grayware
Answer: A,B,F

NEW QUESTION: 55
Which of the following statements is NOT True regarding a Decryption Mirror interface?
A. Supports SSL outbound
B. Can be a member of any VSYS
C. Supports SSL inbound
D. Requires superuser privilege
Answer: B

NEW QUESTION: 56
What needs to be done prior to committing a configuration in Panorama after making a
change via the CLI or web interface on a device?
A. No additional actions required
B. Synchronize the configuration between the device and Panorama
C. Make the same change again via Panorama
D. Re-import the configuration from the device into Panorama
Answer: A

NEW QUESTION: 57
For correct routing to SSL VPN clients to occur, the following must be configured:
A. No routing needs to be configured - the PAN device automatically responds to ARP
requests for the SSL VPN client IP pool
B. Network Address Translation must be enabled for the SSL VPN client IP pool
C. A static route on the next-hop gateway of the SSL VPN client IP pool with a destination
of the Palo Alto Networks device
D. A dynamic routing protocol between the Palo Alto Networks device and the next-hop
gateway to advertise the SSL VPN client IP pool
Answer: B

NEW QUESTION: 58
User-ID is enabled in the configuration of:
A. a Zone.
B. a Security Policy.
C. a Security Profile.
D. an Interface.
Answer: A

NEW QUESTION: 59
In a Destination NAT configuration, the Translated Address field may be populated with
either an IP address or an Address Object.
A. False
B. True
Answer: B

NEW QUESTION: 60
When using Config Audit, the color yellow indicates which of the following?
A. An invalid value has been used in a config file.
B. A setting has been changed between the two config files
C. A setting has been deleted from a config file.
D. A setting has been added to a config file
Answer: B

NEW QUESTION: 61
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order
to process traffic.
A. False
B. True
Answer: B

NEW QUESTION: 62
Which of the following platforms supports the Decryption Port Mirror function?
A. VM-Series 100
B. PA-3000
C. PA-2000
D. PA-4000
Answer: B

NEW QUESTION: 63
Taking into account only the information in the screenshot above, answer the following
question. Which applications will be allowed on their standard ports?

A. SSH
B. Skype
C. BitTorrent
D. Gnutella
Answer: A,C

NEW QUESTION: 64
Configuring a pair of devices into an Active/Active HA pair provides support for:
A. Redundant Virtual Routers
B. Lower fail-over times
C. Asymmetric routing environments
D. Higher session count
Answer: A

NEW QUESTION: 65
Which of the following is NOT a valid option for built-in CLI Admin roles?
A. devicereader
B. deviceadmin
C. read/write
D. superuser
Answer: C

NEW QUESTION: 66
When a user logs in via Captive Portal, their user information can be checked against:
A. Terminal Server Agent
B. Security Logs
C. XML API
D. Radius
Answer: D

NEW QUESTION: 67
Which of the following objects cannot use User-ID as a match criteria?
A. QoS
B. None of the above
C. Security Policies
D. Policy Based Forwarding
E. DoS Protection
Answer: B

NEW QUESTION: 68
What is the correct policy to most effectively block Skype?
A. Allow Skype, block Skype-probe
B. Block Skype-probe, block Skype
C. Block Skype
D. Allow Skype-probe, block Skype
Answer: A

NEW QUESTION: 69
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the
Peer ID is just the public IP address of the device. In situations where the public IP
address is not static, the Peer ID can be a text value.
A. True
B. False
Answer: A

NEW QUESTION: 70
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a
Policy-Based Forwarding Rule? (Choose three.)
A. Application
B. Destination Zone
C. Source Zone
D. Source User
Answer: A,C,D

NEW QUESTION: 71
Which of the following types of protection are available in DoS policy?
A. Session Limit, SYN Flood, UDP Flood
B. Session Limit, Port Scanning, Host Swapping, UDP Flood
C. Session Limit, SYN Flood, Port Scanning, Host Swapping
D. Session Limit, SYN Flood, Host Swapping, UDP Flood
Answer: A

NEW QUESTION: 72
Which of the following would be a reason to use an XML API to communicate with a Palo
Alto Networks firewall?
A. So that information can be pulled from other network resources for User-ID
B. To allow the firewall to push User-ID information to a Network Access Control (NAC)
device.
C. To permit sys logging of User Identification events
Answer: B

NEW QUESTION: 73
An interface in Virtual Wire mode must be assigned an IP address.
A. False
B. True
Answer: A

NEW QUESTION: 74
Select the implicit rules enforced on traffic failing to match any user defined Security
Policies:
A. Intra-zone traffic is denied
B. Intra-zone traffic is allowed
C. Inter-zone traffic is allowed
D. Inter-zone traffic is denied
Answer: B,D

NEW QUESTION: 75
Which of the following CANNOT use the source user as a match criterion?
A. Security Policies
B. DoS Protection
C. Policy Based Forwarding
D. Antivirus Profile
E. QoS
Answer: D

NEW QUESTION: 76
When creating an application filter, which of the following is true?
A. They are called dynamic because they will automatically include new applications from
an application signature update if the new application's type is included in the filter
B. They are called dynamic because they automatically adapt to new IP addresses
C. They are used by malware
D. Excessive bandwidth may be used as a filter match criteria
Answer: A

NEW QUESTION: 77
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
A. RIPv2
B. ISIS
C. EIGRP
D. IGRP
Answer: A

NEW QUESTION: 78
A "Continue" action can be configured on the following Security Profiles:
A. URL Filtering and Antivirus
B. URL Filtering
C. URL Filtering, File Blocking, and Data Filtering
D. URL Filtering and File Blocking
Answer: D

NEW QUESTION: 79
In PAN-OS 5.0, which of the following features is supported with regards to IPv6?
A. None of the above
B. NAT64
C. IPSec VPN tunnels
D. OSPF
Answer: B

NEW QUESTION: 80
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Antivirus
B. Applications
C. BrightCloud URL Filtering
D. Applications and Threats
Answer: A,C

NEW QUESTION: 81
Wildfire may be used for identifying which of the following types of traffic?
A. URL content
B. Viruses
C. DNS
D. DHCP
Answer: B

NEW QUESTION: 82
An Outbound SSL forward-proxy decryption rule cannot be created using which type of
zone?
A. L3
B. Tap
C. L2
D. Virtual Wire
Answer: D

NEW QUESTION: 83
Which feature can be configured to block sessions that the firewall cannot decrypt?
A. Decryption Profile in PBF
B. Decryption Profile in Security Policy
C. Decryption Profile in Security Profile
D. Decryption Profile in Decryption Policy
Answer: D

NEW QUESTION: 84
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is
chosen on the firewall?
A. Improved BrightCloud malware detection.
B. Improved malware detection in WildFire.
C. Improved PANDB malware detection.
D. Improved DNS-based C&C signatures.
Answer: B,C,D

NEW QUESTION: 85
A Config Lock may be removed by which of the following users?
A. Any administrator
B. Device administrators
C. Superusers
D. The administrator who set it
Answer: C,D

NEW QUESTION: 86
Which link is used by an Active-Passive cluster to synchronize session information?
A. The Management Link
B. The Control Link
C. The Data Link
D. The Uplink
Answer: C

NEW QUESTION: 87

Taking into account only the information in the screenshot above, answer the following
question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs
to be configured?
A. Security policy from trust zone to Internet zone that allows ping
B. Security policy from Internet zone to trust zone that allows ping
C. Create a Management profile that allows ping. Assign that management profile to e1/1
and e1/2
D. Create the appropriate routes in the default virtual router
Answer: A,C

NEW QUESTION: 88
With PAN-OS 5.0, how can a common NTP value be pushed to a cluster of firewalls?
A. Via a Panorama Device Group
B. Via a Device Group object in Panorama
C. Via a shared object in Panorama
D. Via a Panorama Template
Answer: C

NEW QUESTION: 89
Which type of license is required to perform Decryption Port Mirroring?
A. A subscription-based
B. A free PANPADecrypt license
C. A Client Decryption license
D. A subscription-based PANPADecrypt license
E. SSL Port license
Answer: B

NEW QUESTION: 90
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples
per day?
A. 1000
B. 50
C. 10
D. 500
Answer: A

NEW QUESTION: 91
Which of the following must be enabled in order for User-ID to function?
A. Captive Portal must be enabled.
B. User-ID must be enabled for the source zone of the traffic that is to be identified.
C. Security Policies must have the User-ID option enabled.
D. Captive Portal Policies must be enabled.
Answer: B

NEW QUESTION: 92
When configuring the firewall for User-ID, what is the maximum number of Domain
Controllers that can be configured?
A. 10
B. 100
C. 150
D. 50
Answer: B

NEW QUESTION: 93
In an Anti-Virus profile, changing the action to "Block" for IMAP or POP decoders will result
in the following:
A. The Anti-virus profile will behave as if "Alert" had been specified for the action
B. The traffic will be dropped by the firewall
C. The connection from the server will be reset
D. Error 541 being sent back to the server
Answer: A

NEW QUESTION: 94
What is the function of the GlobalProtect Portal?
A. To load-balance
B. GlobalProtect client connections to GlobalProtect Gateways.
C. To provide redundancy for tunneled connections through the GlobalProtect Gateways.
D. To maintain the list of Global Protect Gateways and specify HIP data that the agent
should report.
E. To maintain the list of remote GlobalProtect Portals and the list of categories for
checking the client machine.
Answer: E

NEW QUESTION: 95
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure
that no other web-browsing traffic is permitted?
A. No other configuration is required on the part of the administrator, since implicit
application dependencies will be added automatically.
B. Ensure that the Service column is defined as "application-default" for this security rule.
This will automatically include the implicit web-browsing application dependency.
C. When creating the rule, ensure that web-browsing is added to the same rule. Both
applications will be processed by the Security policy, allowing only Facebook to be
accessed. Any other applications can be permitted in subsequent rules.
D. Create a subsequent rule which blocks all other traffic
Answer: A

NEW QUESTION: 96
A "Continue" action can be configured on which of the following Security Profiles?
A. URL Filtering and File Blocking
B. URL Filtering and Anti-virus
C. URL Filtering only
D. URL Filtering, File Blocking, and Data Filtering
Answer: A

NEW QUESTION: 97
Will an exported configuration contain Management Interface settings?
A. Yes
B. No
Answer: A

NEW QUESTION: 98
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable
mapping of network users that do not sign in using LDAP. Which information source would
allow for reliable User-ID mapping while requiring the least effort to configure?
A. Captive Portal
B. Exchange CAS Security logs
C. Active Directory Security Logs
D. WMI Query
Answer: C

NEW QUESTION: 99
The following can be configured as a next hop in a Static Route:
A. Virtual System
B. A Policy-Based Forwarding Rule
C. Virtual Router
D. A Dynamic Routing Protocol
Answer: C

NEW QUESTION: 100
In which of the following can User-ID be used to provide a match condition?
A. NAT Policies
B. Security Policies
C. Zone Protection Policies
D. Threat Profiles
Answer: B

NEW QUESTION: 101
When configuring a Security Policy Rule based on FQDN Address Objects, which of the
following statements is True?
A. The firewall resolves the FQDN first when the policy is committed, and resolves the
FQDN again each time Security Profiles are evaluated.
B. In order to create FQDN-based objects, you need to manually define a list of associated
IP addresses.
C. The firewall resolves the FQDN first when the policy is committed, and resolves the
FQDN again at DNS TTL expiration.
Answer: C

NEW QUESTION: 102
Which local interface cannot be assigned to the IKE gateway?
A. Tunnel
B. VLAN
C. L3
D. Loopback
Answer: A

NEW QUESTION: 103
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is
NOT an available option as matching criteria in the rule?
A. Application
B. Source User
C. URL Category
D. Source Zone
E. Service
Answer: A

NEW QUESTION: 104
Which routing protocol is supported on the Palo Alto Networks platform?
A. BGP
B. RSTP
C. ISIS
D. RIPv1
Answer: D

NEW QUESTION: 105
Which of the following fields is not available in DoS policy?
A. Service
B. Source Zone
C. Application
D. Destination Zone
Answer: C

NEW QUESTION: 106
WildFire Analysis Reports are available for the following Operating Systems:
A. Windows 7
B. Windows XP
C. Windows 8
D. Mac OS-X
Answer: A,B,C

NEW QUESTION: 107
What is the name of the debug save file for IPSec VPN tunnels?
A. request vpn IPsec-sa test
B. Ikemgr.pcap
C. test vpn ike-sa
D. set vpn all up
Answer: B

NEW QUESTION: 108
When you have created a Security Policy Rule that allows Facebook, what must you do to
block all other web browsing traffic?
A. Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed
for Facebook use.
B. Ensure that the Service column is defined as "application-default" for this Security policy.
Doing this will automatically include the implicit web-browsing application dependency.
C. When creating the policy, ensure that web-browsing is included in the same rule.
D. Create an additional rule that blocks all other traffic.
Answer: A

NEW QUESTION: 109
What option should be configured when using User-ID?
A. None of the above
B. Enable User-ID per interface
C. Enable User-ID per Security Policy
D. Enable User-ID per zone
Answer: C

NEW QUESTION: 110
When adding an application in a Policy-based Forwarding rule, only a subset of the entire
App-ID database is represented. Why would this be?
A. A custom application must first be defined before it can be added to a Policy-based
forwarding rule.
B. Policy-based forwarding can only identify certain applications at this stage of the
packet flow, as the majority of applications are only identified once the session is created.
C. The license for the Application ID database is no longer valid.
D. Policy-based forwarding rules require that a companion Security policy rule, allowing the
needed Application traffic, must first be created.
Answer: B

NEW QUESTION: 111
Taking into account only the information in the screenshot above, answer the following
question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the
most likely reason for the lack of response?
A. There is a Security Policy that prevents ping.
B. The interface is down.
C. There is no Management Profile.
D. There is no route back to the machine originating the ping.
Answer: C

NEW QUESTION: 112
What are two sources of information for determining if the firewall has been successful in
communicating with an external User-ID Agent?
A. There's only one location - System Logs
B. System Logs and the indicator light under the User-ID Agent settings in the firewall
C. There's only one location - Traffic Logs
D. System Logs and indicator light on the chassis
Answer: B

NEW QUESTION: 113
What is the result of an Administrator submitting a WildFire report's verdict back to Palo
Alto Networks as "Incorrect"?
A. The signature will be updated for False positive and False negative files in the next AV
signature update.
B. The signature will be updated for False positive and False negative files in the next
Application signature update.
C. You will receive an update within 15 minutes.
D. You will receive an email to disable the signature manually.
Answer: A

NEW QUESTION: 114
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:
A. The Administrator the ability to leverage Authentication Profiles in order to protect
against unwanted downloads
B. Password-protected access to specific file downloads, for authorized users increased
speed on the downloads of the allowed file types
C. Protection against unwanted downloads, by alerting the user with a response page
indicating that file is going to be downloaded
Answer: A

NEW QUESTION: 115
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-
Based (customized user roles).
A. True
B. False
Answer: A

NEW QUESTION: 116
To allow the PAN device to resolve internal and external DNS host names for reporting
and for security policies, an administrator can do the following:
A. Create a DNS Proxy Object with a default DNS Server for external resolution and a
DNS server for internal domain. Then, in the device settings, select the proxy object as the
Primary DNS and create a custom security rule which references that object for
B. In the device settings set the Primary DNS server to an external server and the
secondary to an internal server.
C. Create a DNS Proxy Object with a default DNS Server for external resolution and a
DNS server for internal domain. Then, in the device settings, point to this proxy object for
DNS resolution.
D. In the device settings define internal hosts via a static list.
Answer: C

NEW QUESTION: 117
Users can be authenticated serially to multiple authentication servers by configuring:
A. Authentication Profile
B. A custom Administrator Profile
C. Multiple RADIUS Servers sharing a VSA configuration
D. Authentication Sequence
Answer: D

NEW QUESTION: 118
What new functionality is provided in PAN-OS 5.0 by Palo Alto Networks URL Filtering
Database (PAN-DB)?
A. The "Log Container Page Only" option can be employed in a URL-Filtering policy to
reduce the number of logging events.
B. Daily database downloads for updates are no longer required as devices stay in-sync
with the cloud.
C. IP-Based Threat Exceptions can now be driven by custom URL categories
D. URL-Filtering can now be employed as a match condition in Security policy
Answer: B

NEW QUESTION: 119
When configuring Security rules based on FQDN objects, which of the following
statements are true?
A. The firewall resolves the FQDN first when the policy is committed, and is refreshed
each time Security rules are evaluated.
B. In order to create FQDN-based objects, you need to manually define a list of associated
IP. Up to 10 IP addresses can be configured for each FQDN entry.
C. The firewall resolves the FQDN first when the policy is committed, and is refreshed at
TTL expiration.
There is no limit on the number of IP addresses stored for each resolved FQDN.
D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at
TTL expiration.
The resolution of this FQDN stores up to 10 different IP addresses.
Answer: B

NEW QUESTION: 120
Which of the following most accurately describes Dynamic IP in a Source NAT
configuration?
A. A single IP address is used, and the source port number is changed.
B. The next available IP address in the configured pool is used, but the source port
number is unchanged.
C. The next available address in the configured pool is used, and the source port number
is changed.
D. A single IP address is used, and the source port number is unchanged.
Answer: C

NEW QUESTION: 121
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the
public IP address of the device. In situations where the public ID is not static, this value
can be replaced with a domain name or other text value.
A. True
B. False
Answer: A

NEW QUESTION: 122
Which of the following options may be enabled to reduce system overhead when using
Content ID?
A. DSRI
B. STP
C. RSTP
D. VRRP
Answer: A

NEW QUESTION: 123
Which of the following is NOT a valid option for built-in CLI access roles?
A. deviceadmin
B. read/write
C. vsysadmin
D. superusers
Answer: B

NEW QUESTION: 124
Wildfire may be used for identifying which of the following types of traffic?
A. URL Content
B. DHCP
C. Malware
D. DNS
Answer: C

NEW QUESTION: 125
In PAN-OS 5.0, how is Wildfire enabled?
A. Wildfire is automatically enabled with a valid URL-Filtering license
B. A custom file blocking action must be enabled for all PDF and PE type files
C. Via the URL-Filtering "Continue" Action.
D. Via the "Forward" and "Continue and Forward" File-Blocking actions
Answer: D

NEW QUESTION: 126
When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for
L2 mode, security policies can be set to match on multicast IP addresses.
A. True
B. False
Answer: B

NEW QUESTION: 127
Without a WildFire subscription, which of the following files can be submitted by the
Firewall to the hosted WildFire virtualized sandbox?
A. PDF files only
B. PE and Java Applet (jar and class) only
C. PE files only
D. MS Office doc/docx, xls/xlsx, and ppt/pptx files only
Answer: D

NEW QUESTION: 128
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the
Candidate configuration. These changes may be undone by Device > Setup > Operations
> Configuration Management>.... and then what operation?
A. Import Named Configuration Snapshot
B. Revert to Running Configuration
C. Revert to last Saved Configuration
D. Load Configuration Version
Answer: B

NEW QUESTION: 129
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off
communication?
A. Localhost address
B. MGT interface address
C. Loopback interface address
D. Any one Layer 3 interface address
Answer: C

NEW QUESTION: 130
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the "Forward" and "Continue and Forward" File-Blocking actions
B. A custom file blocking action must be enabled for all PDF and PE type files
C. Wildfire is automatically enabled with a valid URL-Filtering license
D. Via the URL-Filtering "Continue" Action
Answer: D

NEW QUESTION: 131
When Destination Network Address Translation is being performed, the destination in the
corresponding Security Policy Rule should use:
A. The PostNAT destination zone and PreNAT IP address.
B. The PreNAT destination zone and PostNAT IP address.
C. The PostNAT destination zone and PostNAT IP address.
D. The PreNAT destination zone and PreNAT IP address.
Answer: A

NEW QUESTION: 132
For non-Microsoft clients, what Captive Portal method is supported?
A. User Agent
B. Local Database
C. Web Form Captive Portal
D. NTLM Auth
Answer: C

NEW QUESTION: 133
Taking into account only the information in the screenshot above, answer the following
question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are true?
A. The SSH traffic will be allowed.
B. The SSH traffic will be denied.
C. The BitTorrent traffic will be allowed.
D. The BitTorrent traffic will be denied.
Answer: A,D

NEW QUESTION: 134
As the Palo Alto Networks administrator, you have enabled Application Block pages.
Afterward, some users do not receive web-based feedback for all denied applications. Why
would this be?
A. Application Block Pages will only be displayed when Captive Portal is configured
B. Some Application ID's are set with a Session Timeout value that is too low.
C. Application Block Pages will only be displayed when users attempt to access a denied
web-based application.
D. Some users are accessing the Palo Alto Networks firewall through a virtual system that
does not have Application Block pages enabled.
Answer: C

NEW QUESTION: 135
To create a custom signature object for an Application Override Policy, which of the
following fields are mandatory?
A. Characteristics
B. Category
C. Ports
D. Regular Expressions
Answer: A

NEW QUESTION: 136
You'd like to schedule a firewall policy to only allow a certain application during a particular
time of day.
Where can this policy option be configured?
A. Policies > Security > Service
B. Policies > Security > Application
C. Policies > Security > Profile
D. Policies > Security > Options
Answer: C

NEW QUESTION: 137
What is the default setting for 'Action' in a Decryption Policy's rule?
A. Any
B. None
C. No-decrypt
D. Decrypt
Answer: B

NEW QUESTION: 138
After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving
the Captive Portal authentication page when they launch their web browsers. How can this
be corrected?
A. Enable "Redirect" as the Mode type in the Captive Portal Settings
B. Enable "Response Pages" in the Interface Management Profile that is applied to the L3
Interface in the Trust Zone.
C. Ensure that all users in the Trust Zone are using NTLM-capable browsers
D. Confirm that Captive Portal Timeout value is not set below 2 seconds
Answer: B,C

NEW QUESTION: 139
Which best describes how Palo Alto Networks firewall rules are applied to a session?
A. most specific match applied
B. first match applied
C. last match applied
D. all matches applied
Answer: B

NEW QUESTION: 140
If the Forward Proxy Ready shows "no" when running the command show system setting
ssl-decrypt setting, what is most likely the cause?
A. Forward proxy license is not enabled on the box
B. SSL forward proxy certificate is not generated
C. SSL decryption rule is not created
D. Web interface certificate is not generated
Answer: C

NEW QUESTION: 141
Which mode will allow a user to choose how they wish to connect to the GlobalProtect
Network as they would like?
A. Always On Mode
B. Single Sign-On Mode
C. On Demand Mode
D. Optional Mode
Answer: C

NEW QUESTION: 142
A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption
capabilities.
A. True
B. False
Answer: B

NEW QUESTION: 143
When configuring User-ID on a Palo Alto Networks firewall, what is the proper procedure to
limit User mappings to a particular DHCP scope?
A. In the DHCP settings on the Palo Alto Networks firewall, point the DHCP Relay to the IP
address of the User-ID agent.
B. In the zone in which User Identification is enabled, select the "Restrict Allocated IP"
checkbox.
C. In the zone in which User Identification is enabled, create a User Identification ACL
Include List using the same IP ranges as those allocated in the DHCP scope.
D. Under the User Identification settings, under the User Mapping tab, select the "Restrict
Users to Allocated IP" checkbox.
Answer: C

NEW QUESTION: 144
To properly configure DOS protection to limit the number of sessions individually from
specific source IPs you would configure a DOS Protection rule with the following
characteristics:
A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified
Address with
"source-ip-only" configured
B. Action: Protect, Aggregate Profile with "Resources Protection" configured
C. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified
Address with
"source-ip-only" configured
D. Action: Deny, Aggregate Profile with "Resources Protection" configured
Answer: A

NEW QUESTION: 145
When setting up GlobalProtect, what is the job of the GlobalProtect Portal?
A. To load balance GlobalProtect client connections to GlobalProtect Gateways
B. To maintain the list of GlobalProtect Gateways and list of categories for checking the
client machine
C. None of the above
D. To maintain the list of remote GlobalProtect Portals and list of categories for checking
the client machine
Answer: B

NEW QUESTION: 146
When configuring Admin Roles for Web UI access, what are the available access levels?
A. Enable, Read-Only and Disable
B. None, Superuser, Device Administrator
C. Enable and Disable only
D. Allow and Deny only
Answer: A

NEW QUESTION: 147
Both SSL decryption and SSH decryption are disabled by default.
A. True
B. False
Answer: A

NEW QUESTION: 148
What will the user experience when attempting to access a blocked hacking website
through a translation service such as Google Translate or Bing Translator?
A. A "Success" page response when the site is successfully translated.
B. A "Blocked" page response when the URL filtering policy to block is enforced.
C. An "HTTP Error 503 Service unavailable" message.
D. The browser will be redirected to the original website address.
Answer: B

NEW QUESTION: 149
Traffic going to a public IP address is being translated by your PANW firewall to your web
server's private IP. Which IP should the Security Policy use as the "Destination IP" in order
to allow traffic to the server?
A. The firewall's gateway IP
B. The firewall's MGT IP
C. The server's private IP
D. The server's public IP
Answer: D

NEW QUESTION: 150
As the Palo Alto Networks administrator responsible for User Identification, you are looking
for the simplest method of mapping network users that do not sign into LDAP. Which
information source would allow reliable User ID mapping for these users, requiring the
least amount of configuration?
A. Active Directory Security Logs
B. Captive Portal
C. WMI Query
D. Exchange CAS Security Logs
Answer: B

NEW QUESTION: 151
Security policies specify a source interface and a destination interface.
A. False
B. True
Answer: A

NEW QUESTION: 152
When configuring a Decryption Policy Rule, which of the following are available as
matching criteria in the rule? (Choose three.)
A. Source User
B. URL Category
C. Source Zone
D. Application
E. Service
Answer: A,B,C

NEW QUESTION: 153
What option should be configured when using User Identification?
A. Enable User Identification per interface
B. Enable User Identification per Zone
C. None of the above
D. Enable User Identification per Security Rule
Answer: B

NEW QUESTION: 154
As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web based application,
users call the Help Desk to complain about network connectivity issues. What is the cause
of the increased number of help desk calls?
A. The File Blocking Block Page was disabled.
B. The firewall admin did not create a custom response page to notify potential users that
their attempt to access the web based application is being blocked due to policy.
C. Application Block Pages will only be displayed when Captive Portal is configured.
D. Some AppID's are set with a Session Timeout value that is too low.
Answer: D

NEW QUESTION: 155
What are two sources of information for determining whether the firewall has been
successful in communicating with an external User-ID Agent?
A. System Logs and the indicator light under the User-ID Agent settings in the firewall.
B. System Logs and Authentication Logs.
C. Traffic Logs and Authentication Logs.
D. System Logs and an indicator light on the chassis.
Answer: A

NEW QUESTION: 156
Which of the following is True of an application filter?
A. An application filter automatically adapts when an application moves from one IP
address to another.
B. An application filter automatically includes a new application when one of the new
application's characteristics are included in the filter.
C. An application filter specifies the users allowed to access an application.
D. An application filter is used by malware to evade detection by firewalls and anti-virus
software.
Answer: A

NEW QUESTION: 157
Which of the following are necessary components of a GlobalProtect solution?
A. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal
B. GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect
Server
C. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Server
D. GlobalProtect Gateway, GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect
Portal, GlobalProtect Server
Answer: A

NEW QUESTION: 158
What will the user experience when browsing a Blocked hacking website such as
www.2600.com via Google Translator?
A. It will be translated successfully
B. User will get "HTTP Error 503 - Service unavailable" message
C. It will be redirected to www.2600.com
D. The URL filtering policy to Block is enforced
Answer: D

NEW QUESTION: 159
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
A. Always 2 megabytes.
B. Configurable up to 10 megabytes.
C. Configurable up to 2 megabytes.
D. Always 10 megabytes.
Answer: B

NEW QUESTION: 160
Which of the following would be a reason to use the PAN-OS XML API to communicate
with a Palo Alto Networks firewall?
A. To allow the firewall to push User-ID information to a Network Access Control (NAC)
device.
B. To pull information from other network resources for User-ID
C. To permit syslogging of User Identification events.
Answer: A

NEW QUESTION: 161
Administrative Alarms can be enabled for which of the following except?
A. Security Violation Thresholds
B. Traffic Log capacity
C. Security Policy Tags
D. Certificate Expirations
Answer: D

NEW QUESTION: 162
Subsequent to the installation of new licenses, the firewall must be rebooted.
A. True
B. False
Answer: B

NEW QUESTION: 163
Which of the following can provide information to a Palo Alto Networks firewall for the
purposes of User-ID?
A. SSL Certificates
B. Network Access Control (NAC) device
C. RIPv2
D. Domain Controller
Answer: A,B,D

NEW QUESTION: 164
How do you reduce the amount of information recorded in the URL Content Filtering Logs?
A. Enable DSRI.
B. Disable URL packet captures.
C. Enable URL log caching.
D. Enable "Log container page only".
Answer: D

NEW QUESTION: 165
Which of the following are methods HA clusters use to identify network outages?
A. VR and VSys Monitors
B. Heartbeat and Session Monitors
C. Path and Link Monitoring
D. Link and Session Monitors
Answer: C

NEW QUESTION: 166
Which of the following can provide information to a Palo Alto Networks firewall for the
purposes of User-ID?
A. RIPv2
B. Network Access Control (NAC) device
C. SSL Certificates
D. Domain Controller
Answer: B,C,D

NEW QUESTION: 167
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to
an internal server's private IP address. Which IP address should the Security Policy use as
the "Destination IP" in order to allow traffic to the server?
A. The server's private IP
B. The server's public IP
C. The firewall's gateway IP
D. The firewall's MGT IP
Answer: B

NEW QUESTION: 168
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
A. True
B. False
Answer: B

NEW QUESTION: 169
When configuring a Decryption Policy, which of the following are available as matching
criteria in a policy?
(Choose three.)
A. Source User
B. Application
C. Source Zone
D. URL-Category
E. Service
Answer: A,C,D

NEW QUESTION: 170
Considering the information in the screenshot above, what is the order of evaluation for
this URL Filtering Profile?
A. Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
B. URL Categories (BrightCloud or PAN-DB),
C. Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
D. Custom Categories, Block List, Allow List.
E. Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.
Answer: D

NEW QUESTION: 171
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:
A. Protection against unwanted downloads by showing the user a response page
indicating that a file is going to be downloaded.
B. Password-protected access to specific file downloads for authorized users.
C. Increased speed on downloads of file types that are explicitly enabled.
D. The ability to use Authentication Profiles, in order to protect against unwanted
downloads.
Answer: A

NEW QUESTION: 172
Which of the following describes the sequence of the GlobalProtect agent connecting to a
Gateway?
A. The agent connects to the closest Gateway and sends the HIP report to the portal
B. The agent connects to the portal and randomly establishes a connection to the first
available gateway
C. The agent connects to the portal, obtains a list of gateways, and connects to the
gateway with the fastest PING response time
D. The Agent connects to the Portal, obtains a list of Gateways, and connects to the
Gateway with the fastest SSL response time
Answer: D
