Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
Hi , I have passed the exam on 28-Nov-2016. Five answers is not correct which i have marked. You can trust all other answers
Question 2 of 50.
| What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent? |
| System Logs and the indicator light under the User-ID Agent settings in the firewall. | |
| Traffic Logs and Authentication Logs. | |
| System Logs and an indicator light on the chassis. | |
| System Logs and Authentication Logs. |
Question 3 of 50.
Question 5 of 50.
| Which of the following platforms supports the Decryption Port Mirror function? |
| PA-3000 | |
| VM-Series 100 | |
| PA-2000 | |
| PA-40 |
| User-ID is enabled in the configuration of … |
| A Security Profile. | |
| A Security Policy. | |
| A Zone. | |
| An Interface. |
Question 4 of 50.
Question 6 of 50.
Question 7 of 50.
Question 8 of 50.
Question 9 of 50.
Question 10 of 50.
Question 11 of 50.
Question 12 of 50.
Question 13 of 50.
Question 14 of 50.
Question 15 of 50.
Question 16 of 50.
| Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.) |
| Network Access Control (NAC) device | |
| SSL Certificates | |
| RIPv2 | |
| Domain Controller >>Incorrect answer |
Question 6 of 50.
| Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox? |
| PE and Java Applet (jar and class) only | |
| MS Office doc/docx, xls/xlsx, and ppt/pptx files only >> Incorrect | |
| PE files only | |
| PDF files only |
Question 7 of 50.
| When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True? |
| The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated. | |
| The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration. | |
| In order to create FQDN-based objects, you need to manually define a list of associated IP addresses. |
Question 8 of 50.
| Which of the following statements is NOT True about Palo Alto Networks firewalls? |
| System defaults may be restored by performing a factory reset in Maintenance Mode. | |||
| Initial configuration may be accomplished thru the MGT interface or the Console port. | |||
| The default Admin account may be disabled or deleted. | |||
| By default the MGT Port's IP Address is 192.168.1.1/24. | |||
Question 9 of 50.
| Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall? |
| To pull information from other network resources for User-ID. | |||
| To allow the firewall to push User-ID information to a Network Access Control (NAC) device. >>Incorrect | |||
| To permit syslogging of User Identification events. | |||
Question 10 of 50.
| Which of the following is True of an application filter? |
| An application filter automatically includes a new application when one of the new application’s characteristics are included in the filter. | |||
| An application filter specifies the users allowed to access an application. | |||
| An application filter is used by malware to evade detection by firewalls and anti-virus software. | |||
| An application filter automatically adapts when an application moves from one IP address to another. | |||
| Which of the following most accurately describes Dynamic IP in a Source NAT configuration? |
| The next available IP address in the configured pool is used, but the source port number is unchanged. | |||
| A single IP address is used, and the source port number is unchanged. | |||
| The next available address in the configured pool is used, and the source port number is changed. | |||
| A single IP address is used, and the source port number is changed. | |||
Question 12 of 50.
| You can assign an IP address to an interface in Virtual Wire mode. |
| True | False | |
|---|---|---|
Question 13 of 50.
| After the installation of a new Application and Threat database, the firewall must be rebooted. |
| True | False | |
|---|---|---|
Question 14 of 50.
| Enabling "Highlight Unused Rules" in the Security Policy window will: |
| Highlight all rules that did not match traffic within an administrator-specified time period. | |||
| Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall. | |||
| Display rules that caused a validation error to occur at the time a Commit was performed. | |||
| Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall. | |||
Question 15 of 50.
| Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or compress the file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four levels. But if an attacker has encoded the file beyond four levels, what can you as an administer do to protect your users? |
| Create a Decryption Policy for multi-level encoded files and set the action to block. | |
| Create a Decryption Profile for multi-level encoded files and apply it to a Decryption Policy. >>Incorrect answer | |
| Create a File Blocking Profile for multi-level encoded files and apply it to a Decryption Policy. | |
| Create a File Blocking Profile for multi-level encoded files with the action set to block. |
Question 16 of 50.
Picture omitted
Question 17 of 50.
Question 18 of 50.
Question 19 of 50.
Question 20 of 50.
Question 21 of 50.
Question 22 of 50.
Question 23 of 50.
Question 24 of 50.
Question 25 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of response? |
| There is a Security Policy that prevents ping. | |
| There is no Management Profile. | |
| There is no route back to the machine originating the ping. | |
| The interface is down. |
Question 17 of 50.
| Which of the following facts about dynamic updates is correct? |
| Anti-virus updates are released daily. Application and Threat updates are released weekly. | |||
| Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly. | |||
| Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly. | |||
| Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly. | |||
Question 18 of 50.
| When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods? |
| Create an Authentication Sequence, dictating the order of authentication profiles. | |||
| This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type--and all users must use this method. | |||
| Create multiple authentication profiles for the same user. | |||
| This cannot be done. A single user can only use one authentication type. | |||
Question 19 of 50.
| All of the interfaces on a Palo Alto Networks device must be of the same interface type. |
| True | False | |
|---|---|---|
Question 20 of 50.
| True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution. |
| True | False | |
|---|---|---|
Question 21 of 50.
| Which statement about config locks is True? |
| A config lock will expire after 24 hours, unless it was set by a superuser. | |||
| A config lock can be removed only by the administrator who set it. | |||
| A config lock can only be removed by the administrator who set it or by a superuser. | |||
| A config lock can be removed only by a superuser. | |||
Question 22 of 50.
| When using Config Audit, the color yellow indicates which of the following? |
| A setting has been changed between the two config files | |||
| A setting has been deleted from a config file. | |||
| A setting has been added to a config file | |||
| An invalid value has been used in a config file. | |||
Question 23 of 50.
| Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To enable this feature within the GUI go to… |
| Network > Network Profiles > Zone Protection | |||
| Objects > Zone Protection | |||
| Interfaces > Interface Number > Zone Protection | |||
| Policies > Profile > Zone Protection | |||
Question 24 of 50.
| What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator? |
| A “Blocked” page response when the URL filtering policy to block is enforced. | |||
| A “Success” page response when the site is successfully translated. | |||
| The browser will be redirected to the original website address. | |||
| An "HTTP Error 503 - Service unavailable" message. | |||
Question 25 of 50.
| Users may be authenticated sequentially to multiple authentication servers by configuring: |
| Multiple RADIUS servers sharing a VSA configuration. | |
| An Authentication Profile. | |
| An Authentication Sequence. | |
| A custom Administrator Profile. |
Question 26 of 50.
Question 27 of 50.
Question 28 of 50.
Question 29 of 50.
Question 30 of 50.
Question 31 of 50.
Question 32 of 50.
Question 33 of 50.
Question 34 of 50.
Question 35 of 50.
Question 36 of 50.
Question 37 of 50.
| What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication? |
| Any layer 3 interface address specified by the firewall administrator. | |||
| The default gateway of the firewall. | |||
| The local loopback address. | |||
| The MGT interface address. | |||
Question 27 of 50.
| When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use: |
| The Pre-NAT destination zone and Pre-NAT IP addresses. | |||
| The Pre-NAT destination zone and Post-NAT IP addresses. | |||
| The Post-NAT destination zone and Pre-NAT IP addresses. | |||
| The Post-NAT destination zone and Post-NAT IP addresses. | |||
Question 28 of 50.
| Which link is used by an Active/Passive cluster to synchronize session information? |
| The Management Link | |||
| The Uplink | |||
| The Data Link | |||
| The Control Link | |||
Question 29 of 50.
| Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels? |
| Six | |||
| Five | |||
| Four | |||
| Three | |||
Question 30 of 50.
| After the installation of a new version of PAN-OS, the firewall must be rebooted. |
| True | False | |
|---|---|---|
Question 31 of 50.
| In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.) |
| Source User | |
| Source Zone | |
| Destination Zone | |
| Destination Application | |
Question 32 of 50.
| When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic? |
| When creating the policy, ensure that web-browsing is included in the same rule. | |||
| Create an additional rule that blocks all other traffic. | |||
| Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency. | |||
| Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use. | |||
Question 33 of 50.
| Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server’s private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server? |
| The firewall’s MGT IP | |||
| The firewall’s gateway IP | |||
| The server’s private IP >>In correct answer | |||
| The server’s public IP | |||
Question 34 of 50.
| Which of the following interface types can have an IP address assigned to it? |
| Layer 3 | |||
| Layer 2 | |||
| Tap | |||
| Virtual Wire | |||
Question 35 of 50.
| Which of the following must be enabled in order for User-ID to function? |
| Captive Portal Policies must be enabled. | |||
| Captive Portal must be enabled. | |||
| Security Policies must have the User-ID option enabled. | |||
| User-ID must be enabled for the source zone of the traffic that is to be identified. | |||
Question 36 of 50.
| In PAN-OS 6.0 and later, rule numbers are: |
| Numbers that specify the order in which security policies are evaluated. | |||
| Numbers created to be unique identifiers in each firewall’s policy database. | |||
| Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict. | |||
| Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules. | |||
Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True? |
| The SSH traffic will be denied. | |
| The BitTorrent traffic will be allowed. | |
| The BitTorrent traffic will be denied. | |
| The SSH traffic will be allowed. |
Question 38 of 50.
Question 39 of 50.
| Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason and purpose for the WildFire Hybrid solution? |
| The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while retaining data privacy. | |||
| The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well providing the option to send other, general files to the WildFire Public Cloud for analysis. | |||
| The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription. | |||
| The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500. | |||
Question 39 of 50.
Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile? |
| Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB). | |||
| Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB). | |||
| URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List. | |||
| Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories. | |||
Question 40 of 50.
Question 41 of 50.
Question 42 of 50.
Question 43 of 50.
Question 44 of 50.
Question 45 of 50.
| Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts. |
| True | False | |
|---|---|---|
Question 41 of 50.
| Both SSL decryption and SSH decryption are disabled by default. |
| True | False | |
|---|---|---|
Question 42 of 50.
| An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities. |
| True | False | |
|---|---|---|
Question 43 of 50.
| What is the maximum file size of .EXE files uploaded from the firewall to WildFire? |
| Always 2 megabytes. | |||
| Configurable up to 10 megabytes. | |||
| Configurable up to 2 megabytes. | |||
| Always 10 megabytes. | |||
Question 44 of 50.
| In Palo Alto Networks terms, an application is: |
| A specific program detected within an identified stream that can be detected, monitored, and/or blocked. | |||
| A combination of port and protocol that can be detected, monitored, and/or blocked. | |||
| A file installed on a local machine that can be detected, monitored, and/or blocked. | |||
| Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked. | |||
Question 45 of 50.
| WildFire may be used for identifying which of the following types of traffic? |
| RIPv2 | |
| Malware | |
| OSPF | |
| DHCP |
Question 46 of 50.
Question 47 of 50.
Question 48 of 50.
Question 49 of 50.
Question 50 of 50.
Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.) |
| Skype | |
| BitTorrent | |
| SSH | |
| Gnutella | |
Question 47 of 50.
| Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems? |
| vsysadmin | |||
| Superuser | |||
| Device Administrator | |||
| A custom admin role must be created for this specific combination of rights. | |||
Question 48 of 50.
| When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will send a TCP reset. |
| True | False | |
|---|---|---|
Question 49 of 50.
| As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation? |
| Revert to Running Configuration | |||
| Revert to last Saved Configuration | |||
| Load Configuration Version | |||
| Import Named Configuration Snapshot | |||
Question 50 of 50.
| Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as… |
| Once a day | |||
| Once an hour >> Incorrect answer | |||
| Once every 15 minutes | |||
| Once a week | |||
No comments:
Post a Comment