Realize Your Potential: paloaltonetworks

1 of 8

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version


ACE Exam

Question 1 of 50.
Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
Superuser
Device Administrator
vsysadmin
A custom admin role must be created for this specific combination of rights.

Question 2 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True

False

Question 3 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True

False

Question 4 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
The default gateway of the firewall.
The local loopback address.
The MGT interface address.
Any layer 3 interface address specified by the firewall administrator.

Question 5 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Profile.
An Authentication Sequence.
A custom Administrator Profile.
Multiple RADIUS servers sharing a VSA configuration.

Question 6 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved malware detection in WildFire.
Improved PAN-DB malware detection.
Improved DNS-based C&C signatures.
Improved BrightCloud malware detection.

Question 7 of 50.
In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?

8/8/2016 3:35 PM

Custom Signatures
App-ID Signatures
Correlation Events
Correlation Objects
Command & Control Signatures

Question 8 of 50.
Which of the following must be enabled in order for User-ID to function?
Captive Portal Policies must be enabled.
Security Policies must have the User-ID option enabled.
Captive Portal must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.

Question 9 of 50.
In which of the following can User-ID be used to provide a match condition?
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Question 10 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Source User
Destination Zone
Source Zone
Destination Application

Question 11 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.

Question 12 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Vulnerability Profiles
Address Objects
Zones
Service Groups

Question 13 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.

Question 14 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes

No

Question 15 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure?
Active Directory Security Logs
Exchange CAS Security logs
WMI Query
Captive Portal

Question 16 of 50.
User-ID is enabled in the configuration of
An Interface.
A Zone.
A Security Policy.
A Security Profile.

Question 17 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile

Question 18 of 50.
An interface in tap mode can transmit packets on the wire.
True

False

Question 19 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
EIGRP
RIPv2
ISIS
IGRP

Question 20 of 50.
WildFire may be used for identifying which of the following types of traffic?
RIPv2
Malware
DHCP
OSPF

Question 21 of 50.
True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution.
True

False

Question 22 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True

False

Question 23 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
The administrator who set it
Any administrator
Device administrators
Superusers

Question 24 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?
A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
The user will be redirected to a different search site that is specified by the firewall administrator.

Question 25 of 50.
True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud only.
True

False

Question 26 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.
Some App-ID's are set with a Session Timeout value that is too low.
The File Blocking Block Page was disabled.
Application Block Pages will only be displayed when Captive Portal is configured.

Question 27 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Anti-virus

Question 28 of 50.
Will an exported configuration contain Management Interface settings?
Yes

No

Question 29 of 50.
Which of the following facts about dynamic updates is correct?
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and Threat and URL Filtering updates are released weekly.

Question 30 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire Analysis verdict. Choose the three correct classifications as a result of this analysis and classification?
Safeware
Malware detection
Benign
Grayware
Spyware
Adware

Question 31 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Initiating side, System log
Initiating side, Traffic log
Responding side, System Log
Responding side, Traffic log

Question 32 of 50.
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Question 33 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS
SSH
Telnet
HTTP

Question 34 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in PBF
Decryption Profile in Security Profile
Decryption Profile in Decryption Policy
Decryption Profile in Security Policy

Question 35 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy

Question 36 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Question 37 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True

False

Question 38 of 50.
Which statement below is True?
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.

Question 39 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
PA-3000
VM-Series 100
PA-2000
PA-4000

Question 40 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Path and Link Monitoring
Link and Session Monitors
VR and VSYS Monitors
Heartbeat and Session Monitors

Question 41 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?
There is no zone assigned to the interface.
The interface is not assigned a virtual router.
The interface is not assigned an IP address.
The interface is not up.

Question 42 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
The default Admin account may be disabled or deleted.
System defaults may be restored by performing a factory reset in Maintenance Mode.
By default the MGT Port's IP Address is 192.168.1.1/24.
Initial configuration may be accomplished thru the MGT interface or the Console port.

Question 43 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
SSL Certificates
RIPv2
Domain Controller
Network Access Control (NAC) device

Question 44 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire

Question 45 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?
Service
URL Category
Source User
Application
Source Zone

Question 46 of 50.
Security policy rules specify a source interface and a destination interface.
True

False

Question 47 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True

False

Question 48 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
1000
10
50
500

Question 49 of 50.
Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason and purpose for the WildFire Hybrid solution?
The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well as providing the option to send other, general files to the WildFire Public Cloud for analysis.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while retaining data privacy.
The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription.
The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.

Question 50 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as
Once every 15 minutes
Once an hour
Once a day
Once a week

https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...

Test results are summarized below. Change the view to see only Correct or Incorrect questions.

Review Test Questions


(50 Results)

ID | Question | Correct
6781 | A "Continue" action can be configured on which of the following Security Profiles? | Correct
6786 | A Config Lock may be removed by which of the following users? (Select all correct answers.) | Correct
7947 | After the installation of a new version of PAN-OS, the firewall must be rebooted. | Correct
7942 | An interface in tap mode can transmit packets on the wire. | Correct
7954 | As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation? | Correct
7979 | As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure? |
7984 | As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls? | Incorrect
7953 | Both SSL decryption and SSH decryption are disabled by default. | Correct
7994 | Can multiple administrator accounts be configured on a single firewall? | Correct
8062 | Color-coded tags can be used on all of the items listed below EXCEPT: | Correct
7952 | In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic. | Correct
8756 | In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a: | Correct
8751 | In Palo Alto Networks terms, an application is: | Incorrect
8741 | In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.) | Incorrect
8731 | Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as |

Correct

Incorrect


ID | Question | Correct
8721 | In which of the following can User-ID be used to provide a match condition? | Correct
7944 | Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts. | Correct
7945 | Security policy rules specify a source interface and a destination interface. | Correct
8072 | Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior? | Incorrect
8711 | The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides: | Correct


ID | Question | Correct
8651 | User-ID is enabled in the configuration of | Correct
8696 | Users may be authenticated sequentially to multiple authentication servers by configuring: | Correct
8681 | What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.) | Incorrect
8676 | What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication? | Correct
8646 | What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled? | Correct
8636 | When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID? |
8596 | When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is: | Incorrect
8586 | When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative? | Correct
8576 | Which feature can be configured to block sessions that the firewall cannot decrypt? | Correct
8551 | Which of the following are methods that HA clusters use to identify network outages? | Correct
8541 | Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.) | Incorrect
8490 | Which of the following facts about dynamic updates is correct? | Correct
8531 | Which of the following interface types can have an IP address assigned to it? | Correct
8556 | Which of the following is a routing protocol supported in a Palo Alto Networks firewall? | Correct
8516 | Which of the following must be enabled in order for User-ID to function? | Correct
8500 | Which of the following platforms supports the Decryption Port Mirror function? |

Correct

Incorrect


ID | Question | Correct
8495 | Which of the following services are enabled on the MGT interface by default? (Select all correct answers.) | Correct
8485 | Which of the following statements is NOT True about Palo Alto Networks firewalls? | Correct
8466 | Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems? | Correct
8420 | Which statement below is True? | Correct
