235032020-ace-exam


Upload: cavoi1980

Post on 11-Oct-2015


Empowering People: paloaltonetworks
7/2/2014
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version
ACE Exam

Question 1 of 50.
Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your server's private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?
- The firewall's MGT IP
- The firewall's gateway IP
- The server's public IP
- The server's private IP

Question 2 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of response?
- There is a Security Policy that prevents ping
- There is no Management Profile
- The interface is down
- There is no route back to the machine originating the ping

Question 3 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis?
- Global Protect
- URL Filtering
- Antivirus
- Applications and Threats

Question 4 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address object.
- True
- False

Question 5 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is attempting to ping 2.2.2.1 and fails to receive a response. What is the most likely reason for the lack of response?
- The interface is down
- There is a security policy that prevents ping
- There is no management profile
- There is no route back to the machine originating the ping

Question 6 of 50.
Select the implicit rules enforced on traffic failing to match any user-defined Security Policies:
- Intra-zone traffic is denied
- Inter-zone traffic is denied
- Intra-zone traffic is allowed
- Inter-zone traffic is allowed

Question 7 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles)
- True
- False

Question 8 of 50.
Which of the following interface types can have an IP address assigned to it?
- Layer 3
- Layer 2
- Vwire
- TAP

Question 9 of 50.
Subsequent to the installation of a new Application and Threat database, the firewall must be rebooted.
- True
- False

Question 10 of 50.
Subsequent to the installation of a new PAN-OS version, the firewall must be rebooted.
- True
- False

Question 11 of 50.
Which mode will allow a user to choose when they wish to connect to the Global Protect Network?
- On Demand mode
- Optional mode
- Single Sign-On mode
- Always On mode

Question 12 of 50.
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
- Dynamic numbers that refer to a security policy's order and are especially useful when filtering security policies by tags
- numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement
- Static numbers that must be manually re-numbered whenever a new security policy is added.

Question 13 of 50.
When configuring Security Policies based on FQDN objects, which of the following statements are true?
- The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.
- In order to create FQDN-based objects, you need to manually define a list of associated IP addresses. Up to 10 IP addresses can be configured for each FQDN entry
- The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security profiles are evaluated

Question 14 of 50.
Which of the following is NOT a valid option for built-in CLI access roles?
- read/write
- superusers
- vsysadmin
- deviceadmin

Question 15 of 50.
When Network Address Translation has been performed on traffic, Destination Zones in Security Policies should be based on:
- Post-NAT addresses
- None of the above
- Pre-NAT addresses
- The same zones used in NAT rules

Question 16 of 50.
When troubleshooting Phase 1 of an IPSec VPN tunnel, which location will have the most informative logs?
- Responding side, System Log
- Initiating side, System log
- Responding side, Traffic log
- Initiating side, Traffic log

Question 17 of 50.
Which of the following options may be enabled to reduce system overhead when using Content-ID?
- DSRI
- RSTP
- VRRP
- STP

Question 18 of 50.
What is the benefit realized when the "Enable Passive DNS Monitoring" checkbox is enabled on the firewall? Select all that apply.
- Improve PAN-DB malware detection
- Improve DNS-based C&C signature
- Improve malware detection in WildFire
- Improve BrightCloud malware detection

Question 19 of 50.
Which of the following objects cannot use User-ID as a match criteria?
- Security Policies
- QoS
- Policy Based Forwarding
- DoS Protection
- None of the above

Question 20 of 50.
Wildfire may be used for identifying which of the following types of traffic?
- Malware
- DNS
- DHCP
- URL Content

Question 21 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign in via LDAP. Which information source would allow for reliable User-ID mapping while requiring the least amount of configuration?
- Exchange CAS Security logs
- Active Directory Security Logs
- WMI Query
- Captive Portal

Question 22 of 50.
What are two sources of information for determining if the firewall has been successful in communicating with an external User-ID Agent?
- System Logs and the indicator light under the User-ID Agent settings in the firewall
- There's only one location - System Logs
- There's only one location - Traffic Logs
- System Logs and indicator light on the chassis

Question 23 of 50.
Which of the following statements about dynamic updates are correct?
- Application and Antivirus updates are released weekly and Threat and Threat and URL filtering updates are released weekly
- Application and Threat updates are released daily. Antivirus and URL filtering updates are released weekly.
- Antivirus and URL Filtering updates are released daily. Application and Threat updates are released weekly
- Threat and URL filtering updates are released daily and Application and Antivirus updates are released weekly

Question 24 of 50.
Subsequent to the installation of new licenses, the firewall must be rebooted.
- True
- False

Question 25 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
- The next available address in the address range is used, and the source port number is changed
- The same address is always used, and the port is unchanged
- The next available address in the configured pool is used, but the port number is unchanged
- None of the above

Question 26 of 50.
When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset.
- True
- False

Question 27 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
- Password-protected access to specific file downloads, for authorized users
- increased speed on the downloads of the allowed file types
- Protection against unwanted downloads, by alerting the user with a response page indicating that a file is going to be downloaded
- The Administrator the ability to leverage Authentication Profiles in order to protect against unwanted downloads

Question 28 of 50.
Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?
- So that information can be pulled from other network resources for User-ID
- To allow the firewall to push User-ID information to a NAC
- To permit syslogging of User Identification events

Question 29 of 50.
Which link is used by an Active-Passive cluster to synchronize session information?
- The Data Link
- The Control Link
- The Uplink
- The Management Link

Question 30 of 50.
An interface in tap mode can transmit packets on the wire.
- True
- False

Question 31 of 50.
Which of the following describes the sequence of the Global Protect agent connecting to a Gateway?
- The Agent connects to the Portal, obtains a list of Gateways, and connects to the Gateway with the fastest SSL response time
- The agent connects to the closest Gateway and sends the HIP report to the portal
- The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest PING response time
- The agent connects to the portal and randomly establishes a connection to the first available gateway

Question 32 of 50.
Taking into account only the information in the screenshot above, answer the following question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply.
- Security policy from trust zone to Internet zone that allows ping
- Create the appropriate routes in the default virtual router
- Security policy from Internet zone to trust zone that allows ping
- Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2

Question 33 of 50.
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off communication?
- MGT interface address
- Loopback interface address
- Any one Layer 3 interface address
- Localhost address

Question 34 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
- Enable and Disable only
- None, Superuser, Device Administrator
- Allow and Deny only
- Enable, Read-Only and Disable

Question 35 of 50.
Which fields can be altered in the default Vulnerability Protection Profile?
- Category
- Severity
- None

Question 36 of 50.
Which of the following interface types will have a MAC address?
- Layer 3
- Tap
- Vwire
- Layer 2


Question 37 of 50.
When creating an Application filter, which of the following is true?
- Excessive bandwidth may be used as a filter match criteria
- they are called dynamic because they automatically adapt to new IP addresses
- they are called dynamic because they will automatically include new applications from an application signature update if the new application's filter type is included in the filter
- they are used by malware

Question 38 of 50.
WildFire Analysis Reports are available for the following Operating Systems (select all that apply):
- Windows XP
- Windows 7
- Windows 8
- Mac OS-X

Question 39 of 50.
What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator?
- The URL filtering policy to Block is enforced
- It will be translated successfully
- It will be redirected to www.2600.com
- User will get "HTTP Error 503 - Service unavailable" message

Question 40 of 50.
What option should be configured when using User-ID?
- Enable User-ID per zone
- Enable User-ID per interface
- Enable User-ID per Security Policy
- None of the above

Question 41 of 50.
What is the default setting for Action in a Decryption Policy's rule?
- no-decrypt
- decrypt
- any
- none

Question 42 of 50.
When using remote authentication for users (LDAP, Radius, AD, etc.), what must be done to allow a user to authenticate through multiple methods?
- This can not be done. A single user can only use one authentication type
- Create multiple authentication profiles for the same user.
- Create an Authentication Sequence, dictating the order of authentication profiles
- This can not be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type, and all users must use this method

Question 43 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
- PA-VM300
- PA-4000
- PA-3000
- PA-2000

Question 44 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied applications. What is the cause?
- Application Block Pages will only be displayed when users attempt to access a denied web-based application
- Application Block Pages will only be displayed when Captive Portal is configured
- Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block Pages enabled
- Some Application IDs are set with a Session Timeout value that is too low

Question 45 of 50.
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of the device. In situations where the public ID is not static, this value can be replaced with a domain name or other text value.
- True
- False

Question 46 of 50.
In PAN-OS, how is Wildfire enabled?
- Via the "Forward" and "Continue and Forward" File-Blocking actions
- Via the URL-Filtering "Continue" action
- Wildfire is automatically enabled with a valid URL-Filtering license
- A custom file blocking action must be enabled for all PDF and PE type files

Question 47 of 50.
How do you limit the amount of information recorded in the URL Content Filtering Logs?
- Enable "Log container page only"
- Disable URL packet captures
- Enable URL log caching
- Enable DSRI

Question 48 of 50.
In which of the following objects can User-ID be used to provide a match condition?
- Security Policies
- NAT Policies
- Zone Protection Policies
- Threat Profiles

Question 49 of 50.
When configuring a Decryption Policy, which of the following are available as matching criteria in a policy? (Choose 3)
- Source Zone
- Source User
- Service
- URL-Category
- Application

Question 50 of 50.
Which of the following are methods HA clusters use to identify network outages?
- Path and Link Monitoring
- VR and VSys Monitors
- Heartbeat and Session Monitors
- Link and Session Monitors
