ACE - gratisexam.com

http://www.gratisexam.com/

ACE.exam

Number: ACE
Passing Score: 800
Time Limit: 120 min
File Version: 5.0

Palo Alto Networks ACE Accredited Configuration Engineer Version 5.0


Exam A

QUESTION 1

Which mode will allow a user to choose when they wish to connect to the GlobalProtect Network?

A. Always On mode

B. Optional mode

C. Single Sign-On mode

D. On Demand mode

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 2

After the installation of a new Application and Threat database, the firewall must be rebooted.

A. True

B. False

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 3

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?

A. The interface is not assigned a virtual router.

B. The interface is not assigned an IP address.

C. The interface is not up.

D. There is no zone assigned to the interface.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 4

Which of the following platforms supports the Decryption Port Mirror function?

A. PA-3000

B. VM-Series 100

C. PA-2000

D. PA-4000

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 5

An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.

A. True

B. False

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 6

User-ID is enabled in the configuration of:

A. a Security Profile.

B. an Interface.

C. a Security Policy.

D. a Zone.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 7

Which of the following interface types can have an IP address assigned to it?

A. Layer 3

B. Layer 2

C. Tap

D. Virtual Wire

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 8

As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?

A. The File Blocking Block Page was disabled.

B. Some App-ID's are set with a Session Timeout value that is too low.

C. The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to policy.

D. Application Block Pages will only be displayed when Captive Portal is configured.

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 9

Security policies specify a source interface and a destination interface.

A. True

B. False

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 10

Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies.

A. Intrazone traffic is allowed

B. Interzone traffic is denied

C. Intrazone traffic is denied

D. Interzone traffic is allowed

Correct Answer: AB

Section: (none)

Explanation

Explanation/Reference:

QUESTION 11

Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?

A. Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.

B. Under “Packet Forwarding”, selecting the VR Sync checkbox.

C. Configuring an independent backup HA1 link.

D. Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 12

Which of the following statements is NOT True regarding a Decryption Mirror interface?

A. Requires superuser privilege

B. Supports SSL outbound

C. Can be a member of any VSYS

D. Supports SSL inbound

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 13

Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?

A. URL Categories (BrightCloud or PAN-DB),

B. Custom Categories, Block List, Allow List.

C. Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.

D. Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).

E. Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 14

An interface in tap mode can transmit packets on the wire.

A. True

B. False

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 15

Which of the following is NOT a valid option for built-in CLI Admin roles?

A. deviceadmin

B. superuser

C. devicereader

D. read/write

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 16

Which of the Dynamic Updates listed below are issued on a daily basis?

A. Applications

B. BrightCloud URL Filtering

C. Applications and Threats

D. Antivirus

Correct Answer: BD

Section: (none)

Explanation

Explanation/Reference:

QUESTION 17

In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose three.)

A. Source User

B. Source Zone

C. Destination Zone

D. Application

Correct Answer: ABD

Section: (none)

Explanation

Explanation/Reference:

QUESTION 18

What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

A. Always 2 megabytes.

B. Always 10 megabytes.

C. Configurable up to 2 megabytes.

D. Configurable up to 10 megabytes.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 19

Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

A. The next available address in the configured pool is used, and the source port number is changed.

B. A single IP address is used, and the source port number is unchanged.

C. A single IP address is used, and the source port number is changed.

D. The next available IP address in the configured pool is used, but the source port number is unchanged.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 20

All of the interfaces on a Palo Alto Networks device must be of the same interface type.

A. True

B. False

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 21

With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.

A. True

B. False

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 22

Which of the following facts about dynamic updates is correct?

A. Antivirus updates are released daily. Application and Threat updates are released weekly.

B. Application and Antivirus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.

C. Application and Threat updates are released daily. Antivirus and URL Filtering updates are released weekly.

D. Threat and URL Filtering updates are released daily. Application and Antivirus updates are released weekly.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 23

What is the result of an Administrator submitting a WildFire report’s verdict back to Palo Alto Networks as “Incorrect”?

A. The signature will be updated for False positive and False negative files in the next AV signature update.

B. The signature will be updated for False positive and False negative files in the next Application signature update.

C. You will receive an email to disable the signature manually.

D. You will receive an update within 15 minutes.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 24

When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?

A. 100

B. 50

C. 10

D. 150

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 25

In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.

A. True

B. False

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 26

Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of response?

A. The interface is down.

B. There is a Security Policy that prevents ping.

C. There is no Management Profile.

D. There is no route back to the machine originating the ping.

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 27

Which type of license is required to perform Decryption Port Mirroring?

A. A free PAN-PA-Decrypt license

B. A subscription-based

C. SSL Port license

D. A Client Decryption license

E. A subscription-based PAN-PA-Decrypt license

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 28

In which of the following can User-ID be used to provide a match condition?

A. Security Policies

B. NAT Policies

C. Zone Protection Policies

D. Threat Profiles

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 29

Which of the following are necessary components of a GlobalProtect solution?

A. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal

B. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Server

C. GlobalProtect Gateway, GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect Server

D. GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect Server

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 30

Which feature can be configured to block sessions that the firewall cannot decrypt?

A. Decryption Profile in Decryption Policy

B. Decryption Profile in Security Profile

C. Decryption Profile in PBF

D. Decryption Profile in Security Policy

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 31

How do you reduce the amount of information recorded in the URL Content Filtering Logs?

A. Enable "Log container page only".

B. Disable URL packet captures.

C. Enable URL log caching.

D. Enable DSRI.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 32

Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are true?

A. The BitTorrent traffic will be allowed.

B. The SSH traffic will be allowed.

C. The SSH traffic will be denied.

D. The BitTorrent traffic will be denied.

Correct Answer: BD

Section: (none)

Explanation

Explanation/Reference:

QUESTION 33

Which of the following statements is NOT True about Palo Alto Networks firewalls?

A. The Admin account may be disabled.

B. System defaults may be restored by performing a factory reset in Maintenance Mode.

C. The Admin account may not be disabled.

D. Initial configuration may be accomplished thru the MGT interface or the Console port.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 34

When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

A. Create an Authentication Sequence, dictating the order of authentication profiles.

B. Create multiple authentication profiles for the same user.

C. This cannot be done. A single user can only use one authentication type.

D. This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 35

If the Forward Proxy Ready shows “no” when running the command show system setting ssl-decrypt setting, what is most likely the cause?

A. SSL forward proxy certificate is not generated

B. Web interface certificate is not generated

C. Forward proxy license is not enabled on the box

D. SSL decryption rule is not created

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 36

When adding an application in a Policy-based Forwarding rule, only a subset of the entire App-ID database is represented. Why would this be?

A. Policy-based forwarding can only identify certain applications at this stage of the packet flow, as the majority of applications are only identified once the session is created.

B. Policy-based forwarding rules require that a companion Security policy rule, allowing the needed Application traffic, must first be created.

C. The license for the Application ID database is no longer valid.

D. A custom application must first be defined before it can be added to a Policy-based forwarding rule.

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 37

What option should be configured when using User Identification?

A. Enable User Identification per Zone

B. Enable User Identification per Security Rule

C. Enable User Identification per interface

D. None of the above

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 38

A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption capabilities.

A. True

B. False

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 39

To properly configure DOS protection to limit the number of sessions individually from specific source IPs you would configure a DOS Protection rule with the following characteristics:

A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured

B. Action: Deny, Aggregate Profile with "Resources Protection" configured

C. Action: Protect, Aggregate Profile with "Resources Protection" configured

D. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 40

When setting up GlobalProtect, what is the job of the GlobalProtect Portal?

A. To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine

B. To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine

C. To load balance GlobalProtect client connections to GlobalProtect Gateways

D. None of the above

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 41

Which of the following fields is not available in DoS policy?

A. Destination Zone

B. Source Zone

C. Application

D. Service

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 42

Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment?

A. HA3 is used for session synchronization

B. The HA3 link is used to transfer Layer 7 information

C. HA3 is used to handle asymmetric routing

D. HA3 is the control link

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 43

What is the correct policy to most effectively block Skype?

A. Allow Skype, block Skype-probe

B. Allow Skype-probe, block Skype

C. Block Skype-probe, block Skype

D. Block Skype

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 44

Which best describes how Palo Alto Networks firewall rules are applied to a session?

A. last match applied

B. first match applied

C. all matches applied

D. most specific match applied

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 45

As the Palo Alto Networks administrator responsible for User Identification, you are looking for the simplest method of mapping network users that do not sign into LDAP. Which information source would allow reliable User ID mapping for these users, requiring the least amount of configuration?

A. WMI Query

B. Exchange CAS Security Logs

C. Captive Portal

D. Active Directory Security Logs

Correct Answer: C

Section: (none)

Explanation

Explanation/Reference:

QUESTION 46

Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they would like?

A. Single Sign-On Mode

B. On Demand Mode

C. Always On Mode

D. Optional Mode

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 47

Which of the following must be configured when deploying User-ID to obtain information from an 802.1x authenticator?

A. Terminal Server Agent

B. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall

C. A User-ID agent, with the "Use for NTLM Authentication" option enabled.

D. XML API for User-ID Agent

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 48

Which of the following options may be enabled to reduce system overhead when using Content ID?

A. STP

B. VRRP

C. RSTP

D. DSRI

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 49

When creating an application filter, which of the following is true?

A. They are used by malware

B. Excessive bandwidth may be used as a filter match criteria

C. They are called dynamic because they automatically adapt to new IP addresses

D. They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 50

Which fields can be altered in the default Vulnerability profile?

A. Severity

B. Category

C. CVE

D. None

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 51

When a user logs in via Captive Portal, their user information can be checked against:

A. Terminal Server Agent

B. Security Logs

C. XML API

D. Radius

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 52

A "Continue" action can be configured on the following Security Profiles:

A. URL Filtering, File Blocking, and Data Filtering

B. URL Filtering

C. URL Filtering and Antivirus

D. URL Filtering and File Blocking

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 53

As the Palo Alto Networks administrator, you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied applications. Why would this be?

A. Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block pages enabled.

B. Application Block Pages will only be displayed when Captive Portal is configured

C. Some Application ID's are set with a Session Timeout value that is too low.

D. Application Block Pages will only be displayed when users attempt to access a denied web-based application.

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 54

Wildfire may be used for identifying which of the following types of traffic?

A. URL content

B. DHCP

C. DNS

D. Viruses

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 55

When Network Address Translation has been performed on traffic, Destination Zones in Security rules should be based on:

A. Post-NAT addresses

B. The same zones used in the NAT rules

C. Pre-NAT addresses

D. None of the above

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 56

In Active/Active HA environments, redundancy for the HA3 interface can be achieved by:

A. Configuring a corresponding HA4 interface

B. Configuring HA3 as an Aggregate Ethernet bundle

C. Configuring multiple HA3 interfaces

D. Configuring HA3 in a redundant group

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 57

An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?

A. Virtual Wire

B. Tap

C. L3

D. L2

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 58

When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2 mode, security policies can be set to match on multicast IP addresses.

A. True

B. False

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 59

In an Anti-Virus profile, changing the action to “Block” for IMAP or POP decoders will result in the following:

A. The connection from the server will be reset

B. The Anti-virus profile will behave as if “Alert” had been specified for the action

C. The traffic will be dropped by the firewall

D. Error 541 being sent back to the server

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 60

After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving the Captive Portal authentication page when they launch their web browsers. How can this be corrected?

A. Ensure that all users in the Trust Zone are using NTLM-capable browsers

B. Enable "Response Pages" in the Interface Management Profile that is applied to the L3 Interface in the Trust Zone.

C. Confirm that Captive Portal Timeout value is not set below 2 seconds

D. Enable "Redirect" as the Mode type in the Captive Portal Settings

Correct Answer: AB

Section: (none)

Explanation

Explanation/Reference:

QUESTION 61

The "Disable Server Return Inspection" option on a security profile:

A. Can only be configured in Tap Mode

B. Should only be enabled on security policies allowing traffic to a trusted server.

C. Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet

D. Only performs inspection of traffic from the side that originated the TCP SYN-ACK packet

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 62

A user complains that they are no longer able to access a needed work application after you have implemented vulnerability and anti-spyware profiles. The user's application uses a unique port. What is the most efficient way to allow the user access to this application?

A. Utilize an Application Override Rule, referencing the custom port utilized by this application. Application Override rules bypass all Layer 7 inspection, thereby allowing access to this application.

B. In the Threat log, locate the event which is blocking access to the user's application and create an IP-based exemption for this user.

C. In the vulnerability and anti-spyware profiles, create an application exemption for the user's application.

D. Create a custom Security rule for this user to access the required application. Do not apply vulnerability and anti-spyware profiles to this rule.

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 63

You’d like to schedule a firewall policy to only allow a certain application during a particular time of day. Where can this policy option be configured?

A. Policies > Security > Service

B. Policies > Security > Options

C. Policies > Security > Application

D. Policies > Security > Profile

Correct Answer: D

Section: (none)

Explanation

Explanation/Reference:

QUESTION 64

What is the size limitation of files manually uploaded to WildFire?

A. Configurable up to 10 megabytes

B. Hard-coded at 10 megabytes

C. Hard-coded at 2 megabytes

D. Configurable up to 20 megabytes

Correct Answer: A

Section: (none)

Explanation

Explanation/Reference:

QUESTION 65

Enabling "Highlight Unused Rules" in the Security policy window will:

A. Highlight all rules that did not immediately match traffic.

B. Highlight all rules that did not match traffic since the rule was created or since last reboot of the firewall.

C. Allows the administrator to troubleshoot rules when a validation error occurs at the time of commit.

D. Allow the administrator to temporarily disable rules that do not match traffic, for testing purposes.

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 66

In PAN-OS 5.0, which of the following features is supported with regards to IPv6?

A. OSPF

B. NAT64

C. IPSec VPN tunnels

D. None of the above

Correct Answer: B

Section: (none)

Explanation

Explanation/Reference:

QUESTION 67

Which statement accurately reflects the functionality of using regions as objects in Security policies?

A. Predefined regions are provided for countries, but not for cities. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region.

B. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. These custom regions can be used in the "Source User" field of the Security Policies.

C. Regions cannot be used in the "Source User" field of the Security Policies, unless the administrator has set up custom regions.

D. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. Both predefined regions and custom regions can be used in the "Source User" field.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
When employing the Brightcloud URL filtering database on the Palo Alto Networks firewalls, the order of checking within a profile is:

A. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic URL Filtering

B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic URL Filtering

C. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories, Predefined Categories

D. None of the above

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
The following can be configured as a next hop in a Static Route:

A. A Policy-Based Forwarding Rule

B. Virtual System

C. A Dynamic Routing Protocol

D. Virtual Router

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
In PAN-OS 5.0, how is Wildfire enabled?

A. Via the "Forward" and "Continue and Forward" File-Blocking actions

B. A custom file blocking action must be enabled for all PDF and PE type files

C. Wildfire is automatically enabled with a valid URL-Filtering license

D. Via the URL-Filtering "Continue" Action.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
Traffic going to a public IP address is being translated by your PANW firewall to your web server's private IP. Which IP should the Security Policy use as the "Destination IP" in order to allow traffic to the server?

A. The server’s public IP

B. The firewall’s gateway IP

C. The server’s private IP

D. The firewall’s MGT IP

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
You have decided to implement a Virtual Wire Subinterface. Which options can be used to classify traffic?

A. Either VLAN tag or IP address, provided that each tag or ID is contained in the same zone.

B. Subinterface ID and VLAN tag only

C. By Zone and/or IP Classifier

D. VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet).

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
How do you limit the amount of information recorded in the URL Content Filtering Logs?

A. Enable DSRI

B. Disable URL packet captures

C. Enable URL log caching

D. Enable Log container page only

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 74
When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS?

A. Yes

B. No

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
Users can be authenticated serially to multiple authentication servers by configuring:

A. Multiple RADIUS Servers sharing a VSA configuration

B. Authentication Sequence

C. Authentication Profile

D. A custom Administrator Profile

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other web-browsing traffic is permitted?

A. Ensure that the Service column is defined as "application-default" for this security rule. This will automatically include the implicit web-browsing application dependency.

B. Create a subsequent rule which blocks all other traffic

C. When creating the rule, ensure that web-browsing is added to the same rule. Both applications will be processed by the Security policy, allowing only Facebook to be accessed. Any other applications can be permitted in subsequent rules.

D. No other configuration is required on the part of the administrator, since implicit application dependencies will be added automatically.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
In PAN-OS 5.0, how is Wildfire enabled?

A. Via the URL-Filtering "Continue" Action

B. Wildfire is automatically enabled with a valid URL-Filtering license

C. A custom file blocking action must be enabled for all PDF and PE type files

D. Via the "Forward" and "Continue and Forward" File-Blocking actions

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
When configuring Security rules based on FQDN objects, which of the following statements are true?

A. The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security rules are evaluated.

B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. There is no limit on the number of IP addresses stored for each resolved FQDN.

C. In order to create FQDN-based objects, you need to manually define a list of associated IP addresses. Up to 10 IP addresses can be configured for each FQDN entry.

D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The resolution of this FQDN stores up to 10 different IP addresses.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most informative logs?

A. Responding side, Traffic Logs

B. Initiating side, Traffic Logs

C. Responding side, System Logs

D. Initiating side, System Logs

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
Configuring a pair of devices into an Active/Active HA pair provides support for:

A. Higher session count

B. Redundant Virtual Routers

C. Asymmetric routing environments

D. Lower fail-over times

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
Which of the Dynamic Updates listed below are issued on a daily basis?

A. Global Protect

B. URL Filtering

C. Antivirus

D. Applications and Threats

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 82
Select the implicit rules enforced on traffic failing to match any user defined Security Policies:

A. Intra-zone traffic is denied

B. Inter-zone traffic is denied

C. Intra-zone traffic is allowed

D. Inter-zone traffic is allowed

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles).

A. True

B. False

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:

A. Dynamic numbers that refer to a security policy’s order and are especially useful when filtering security policies by tags

B. Numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement

C. Static numbers that must be manually re-numbered whenever a new security policy is added

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
Which of the following is NOT a valid option for built-in CLI access roles?

A. read/write

B. superusers

C. vsysadmin

D. deviceadmin

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
