Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version

ACE Exam

Question 1 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined
Security Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed

Question 2 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile

Question 3 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
50
10
1000
500

Question 4 of 50.
WildFire may be used for identifying which of the following types of traffic?
RIPv2
DHCP
Malware
OSPF

Question 5 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to
the hosted WildFire virtualized sandbox?
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PDF files only
PE files only
PE and Java Applet (jar and class) only

Question 6 of 50.
Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or
compress the file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four
levels. But if an attacker has encoded the file beyond four levels, what can you as an administrator do
to protect your users?
Create a File Blocking Profile for multi-level encoded files with the action set to block.
Create a File Blocking Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a Decryption Profile for multi-level encoded files and apply it to a Decryption Policy.
Create a Decryption Policy for multi-level encoded files and set the action to block.

Question 7 of 50.
Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv1
ISIS
RSTP

Question 8 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire

Question 9 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
Multiple RADIUS servers sharing a VSA configuration.
A custom Administrator Profile.
An Authentication Profile.

Question 10 of 50.
Taking into account only the information in the screenshot above, answer the following question.
An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason
for the lack of response?
The interface is down.
There is no route back to the machine originating the ping.
There is no Management Profile.
There is a Security Policy that prevents ping.

Question 11 of 50.
When an interface is in Tap mode and a Policy's action is set to block, the interface will send a
TCP reset.
True False

Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct
answers.)
BrightCloud URL Filtering
Anti-virus
Applications
Applications and Threats

Question 13 of 50.
Which of the following CANNOT use the source user as a match criterion?
Policy Based Forwarding
Anti-virus Profile
DoS Protection
Security Policies
QoS

Question 14 of 50.
Which of the following must be enabled in order for User-ID to function?
Captive Portal must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal Policies must be enabled.
Security Policies must have the User-ID option enabled.

Question 15 of 50.
The screenshot above shows part of a firewall's configuration. If ping traffic can traverse this
device from e1/2 to e1/1, which of the following statements must be True about this firewall's
configuration? (Select all correct answers.)
There must be a security policy rule from Internet zone to trust zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to
e1/1 and e1/2.)
There must be a security policy rule from trust zone to Internet zone that allows ping.

Question 16 of 50.
After the installation of the Threat Prevention license, the firewall must be rebooted.
True False

Question 17 of 50.
PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile
type?
Malware Analysis
File Analysis
Threat Analysis
WildFire Analysis

Question 18 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
deviceadmin
superuser
devicereader
read/write

Question 19 of 50.
In which of the following can User-ID be used to provide a match condition?
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Question 20 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
True False

Question 21 of 50.
User-ID is enabled in the configuration of
A Security Policy.
A Security Profile.
A Zone.
An Interface.

Question 22 of 50.
Enabling "Highlight Unused Rules" in the Security Policy window will:
Highlight all rules that did not match traffic within an administrator-specified time period.
Display rules that caused a validation error to occur at the time a Commit was performed.
Highlight all rules that have not matched traffic since the rule was created or since the last
reboot of the firewall.
Temporarily disable rules that have not matched traffic since the rule was created or since the
last reboot of the firewall.

Question 23 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off
communication?
The default gateway of the firewall.
Any layer 3 interface address specified by the firewall administrator.
The local loopback address.
The MGT interface address.

Question 24 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Always 10 megabytes.
Always 2 megabytes.
Configurable up to 10 megabytes.
Configurable up to 2 megabytes.

Question 25 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
Enable and Disable only
None, Superuser, Device Administrator
Enable, Read-Only, and Disable
Allow and Deny only

Question 26 of 50.
An interface in Virtual Wire mode must be assigned an IP address.
True False

Question 27 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware
signatures to be distributed as often as
Once an hour
Once a day
Once every 15 minutes
Once a week

Question 28 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Vulnerability Profiles
Zones
Service Groups
Address Objects

Question 29 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search
but the firewall has "Safe Search Enforcement" Enabled?
A block page will be presented with instructions on how to set the strict Safe Search option for
the Google search.
A task bar pop-up message will be presented to enable Safe Search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
The user will be redirected to a different search site that is specified by the firewall
administrator.

Question 30 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of
network users that do not sign in using LDAP. Which information source would allow for reliable
User-ID mapping while requiring the least effort to configure?
Exchange CAS Security logs
WMI Query
Captive Portal
Active Directory Security Logs

Question 31 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True False

Question 32 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A free PAN-PA-Decrypt license
A subscription-based SSL Port license
A subscription-based PAN-PA-Decrypt license
A Client Decryption license

Question 33 of 50.
The following can be configured as a next hop in a static route:
Virtual Systems
A Policy-Based Forwarding Rule
Virtual Router
Virtual Switch

Question 34 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:
Increased speed on downloads of file types that are explicitly enabled.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Protection against unwanted downloads by showing the user a response page indicating that a
file is going to be downloaded.
Password-protected access to specific file downloads for authorized users.

Question 35 of 50.
Which statement about config locks is True?
A config lock will expire after 24 hours, unless it was set by a superuser.
A config lock can be removed only by a superuser.
A config lock can only be removed by the administrator who set it or by a superuser.
A config lock can be removed only by the administrator who set it.

Question 36 of 50.
Taking into account only the information in the screenshot above, answer the following question.
Which applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent
Gnutella
SSH
Skype

Question 37 of 50.
Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port
scans. To enable this feature within the GUI go to
Network > Network Profiles > Zone Protection
Objects > Zone Protection
Interfaces > Interface Number > Zone Protection
Policies > Profile > Zone Protection

Question 38 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True False

Question 39 of 50.
How do you reduce the amount of information recorded in the URL Content Filtering Logs?
Enable "Log container page only".
Disable URL packet captures.
Enable URL log caching.
Enable DSRI.

Question 40 of 50.
Will an exported configuration contain Management Interface settings?
Yes No

Question 41 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
The default Admin account may be disabled or deleted.
By default the MGT Port's IP Address is 192.168.1.1/24.
Initial configuration may be accomplished through the MGT interface or the Console port.
System defaults may be restored by performing a factory reset in Maintenance Mode.

Question 42 of 50.
Taking into account only the information in the screenshot above, answer the following question: A
span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following
conditions most likely explains this behavior?
The interface is not assigned a virtual router.
The interface is not up.
There is no zone assigned to the interface.
The interface is not assigned an IP address.

Question 43 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes No

Question 44 of 50.
Which of the following is True of an application filter?
An application filter automatically adapts when an application moves from one IP address to
another.
An application filter is used by malware to evade detection by firewalls and anti-virus
software.
An application filter automatically includes a new application when one of the new
application's characteristics is included in the filter.
An application filter specifies the users allowed to access an application.

Question 45 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate
configuration. These changes may be undone by Device > Setup > Operations > Configuration
Management > .... and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Question 46 of 50.
Which pre-defined Admin Role has all rights except the rights to create administrative accounts
and virtual systems?
A custom admin role must be created for this specific combination of rights.
vsysadmin
Device Administrator
Superuser

Question 47 of 50.
Considering the information in the screenshot above, what is the order of evaluation for this URL
Filtering Profile?
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).

Question 48 of 50.
Which link is used by an Active/Passive cluster to synchronize session information?
The Uplink
The Management Link
The Control Link
The Data Link

Question 49 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of
the following also prevents "Split-Brain"?
Creating a custom interface under Service Route Configuration, and assigning this interface as
the backup HA2 link.
Under Packet Forwarding, selecting the VR Sync checkbox.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Configuring an independent backup HA1 link.

Question 50 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards,
not knowing they are attempting to access a blocked web-based application, users call the Help
Desk to complain about network connectivity issues. What is the cause of the increased number of
help desk calls?
The File Blocking Block Page was disabled.
Some App-ID's are set with a Session Timeout value that is too low.
Application Block Pages will only be displayed when Captive Portal is configured.
The firewall admin did not create a custom response page to notify potential users that their
attempt to access the web-based application is being blocked due to company policy.