Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
May 2, 2017 | Author: BillAlways | Category: N/A
Short Description
Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version...
Description
Realize Your Potential: paloaltonetworks
1 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version ACE Exam
Question 1 of 50. Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems? Superuser Device Administrator vsysadmin A custom admin role must be created for this specific combination of rights.
Mark for follow up
Question 2 of 50. After the installation of a new version of PAN-OS, the firewall must be rebooted. True
False
Mark for follow up
Question 3 of 50. Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts. True
False
Mark for follow up
Question 4 of 50. What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication? The default gateway of the firewall. The local loopback address. The MGT interface address. Any layer 3 interface address specified by the firewall administrator.
Mark for follow up
Question 5 of 50. Users may be authenticated sequentially to multiple authentication servers by configuring: An Authentication Profile. An Authentication Sequence. A custom Administrator Profile. Multiple RADIUS servers sharing a VSA configuration.
Mark for follow up
Question 6 of 50. What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.) Improved malware detection in WildFire. Improved PAN-DB malware detection. Improved DNS-based C&C signatures. Improved BrightCloud malware detection.
Mark for follow up
Question 7 of 50. In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
2 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Custom Signatures App-ID Signatures Correlation Events Correlation Objects Command & Control Signatures
Mark for follow up
Question 8 of 50. Which of the following must be enabled in order for User-ID to function? Captive Portal Policies must be enabled. Security Policies must have the User-ID option enabled. Captive Portal must be enabled. User-ID must be enabled for the source zone of the traffic that is to be identified.
Mark for follow up
Question 9 of 50. In which of the following can User-ID be used to provide a match condition? Security Policies NAT Policies Zone Protection Policies Threat Profiles
Mark for follow up
Question 10 of 50. In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.) Source User Destination Zone Source Zone Destination Application
Mark for follow up
Question 11 of 50. The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides: Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded. Increased speed on downloads of file types that are explicitly enabled. Password-protected access to specific file downloads for authorized users. The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Mark for follow up
Question 12 of 50. Color-coded tags can be used on all of the items listed below EXCEPT: Vulnerability Profiles Address Objects Zones Service Groups
Mark for follow up
Question 13 of 50. When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is: Block list, Allow list, Custom Categories, Cache files, Local URL DB file. Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
3 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Mark for follow up
Question 14 of 50. Can multiple administrator accounts be configured on a single firewall? Yes
No
Mark for follow up
Question 15 of 50. As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure? Active Directory Security Logs Exchange CAS Security logs WMI Query Captive Portal
Mark for follow up
Question 16 of 50. User-ID is enabled in the configuration of … An Interface. A Zone. A Security Policy. A Security Profile.
Mark for follow up
Question 17 of 50. In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a: Virtual Router VLAN Virtual Wire Security Profile
Mark for follow up
Question 18 of 50. An interface in tap mode can transmit packets on the wire. True
False
Mark for follow up
Question 19 of 50. Which of the following is a routing protocol supported in a Palo Alto Networks firewall? EIGRP RIPv2 ISIS IGRP
Mark for follow up
Question 20 of 50. WildFire may be used for identifying which of the following types of traffic? RIPv2
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
4 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Malware DHCP OSPF
Mark for follow up
Question 21 of 50. True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution. True
False
Mark for follow up
Question 22 of 50. With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value. True
False
Mark for follow up
Question 23 of 50. A Config Lock may be removed by which of the following users? (Select all correct answers.) The administrator who set it Any administrator Device administrators Superusers
Mark for follow up
Question 24 of 50. What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled? A block page will be presented with instructions on how to set the strict Safe Search option for the Google search. The Firewall will enforce Safe Search if the URL filtering license is still valid. A task bar pop-up message will be presented to enable Safe Search. The user will be redirected to a different search site that is specified by the firewall administrator.
Mark for follow up
Question 25 of 50. True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud only. True
False
Mark for follow up
Question 26 of 50. As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls? The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy. Some App-ID's are set with a Session Timeout value that is too low. The File Blocking Block Page was disabled. Application Block Pages will only be displayed when Captive Portal is configured.
Mark for follow up
Question 27 of 50. A "Continue" action can be configured on which of the following Security Profiles? URL Filtering and File Blocking URL Filtering only URL Filtering, File Blocking, and Data Filtering
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
5 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
URL Filtering and Anti-virus
Mark for follow up
Question 28 of 50. Will an exported configuration contain Management Interface settings? Yes
No
Mark for follow up
Question 29 of 50. Which of the following facts about dynamic updates is correct? Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly. Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly. Anti-virus updates are released daily. Application and Threat updates are released weekly. Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.
Mark for follow up
Question 30 of 50. WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire Analysis verdict. Choose the three correct classifications as a result of this analysis and classification? Safeware Malware detection Benign Grayware Spyware Adware
Mark for follow up
Question 31 of 50. When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative? Initiating side, System log Initiating side, Traffic log Responding side, System Log Responding side, Traffic log
Mark for follow up
Question 32 of 50. In Palo Alto Networks terms, an application is: A specific program detected within an identified stream that can be detected, monitored, and/or blocked. A combination of port and protocol that can be detected, monitored, and/or blocked. A file installed on a local machine that can be detected, monitored, and/or blocked. Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Mark for follow up
Question 33 of 50. Which of the following services are enabled on the MGT interface by default? (Select all correct answers.) HTTPS SSH Telnet HTTP
Mark for follow up
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
6 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Question 34 of 50. Which feature can be configured to block sessions that the firewall cannot decrypt? Decryption Profile in PBF Decryption Profile in Security Profile Decryption Profile in Decryption Policy Decryption Profile in Security Policy
Mark for follow up
Question 35 of 50. When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID? SSH Proxy SSL Forward Proxy SSL Inbound Inspection SSL Reverse Proxy
Mark for follow up
Question 36 of 50. As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation? Revert to Running Configuration Revert to last Saved Configuration Load Configuration Version Import Named Configuration Snapshot
Mark for follow up
Question 37 of 50. In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic. True
False
Mark for follow up
Question 38 of 50. Which statement below is True? PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud. PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB. PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB. PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
Mark for follow up
Question 39 of 50. Which of the following platforms supports the Decryption Port Mirror function? PA-3000 VM-Series 100 PA-2000 PA-4000
Mark for follow up
Question 40 of 50. Which of the following are methods that HA clusters use to identify network outages? Path and Link Monitoring Link and Session Monitors VR and VSYS Monitors
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
7 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Heartbeat and Session Monitors
Mark for follow up
Question 41 of 50.
Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior? There is no zone assigned to the interface. The interface is not assigned a virtual router. The interface is not assigned an IP address. The interface is not up.
Mark for follow up
Question 42 of 50. Which of the following statements is NOT True about Palo Alto Networks firewalls? The default Admin account may be disabled or deleted. System defaults may be restored by performing a factory reset in Maintenance Mode. By default the MGT Port's IP Address is 192.168.1.1/24. Initial configuration may be accomplished thru the MGT interface or the Console port.
Mark for follow up
Question 43 of 50. Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.) SSL Certificates RIPv2 Domain Controller Network Access Control (NAC) device
Mark for follow up
Question 44 of 50. Which of the following interface types can have an IP address assigned to it? Layer 3 Layer 2 Tap Virtual Wire
Mark for follow up
Question 45 of 50. As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule? Service URL Category Source User
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
8 of 8
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e...
Application Source Zone
Mark for follow up
Question 46 of 50. Security policy rules specify a source interface and a destination interface. True
False
Mark for follow up
Question 47 of 50. Both SSL decryption and SSH decryption are disabled by default. True
False
Mark for follow up
Question 48 of 50. Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day? 1000 10 50 500
Mark for follow up
Question 49 of 50. Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason and purpose for the WildFire Hybrid solution? The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well providing the option to send other, general files to the WildFire Public Cloud for analysis. The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while retaining data privacy. The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription. The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.
Mark for follow up
Question 50 of 50. Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as… Once every 15 minutes Once an hour Once a day Once a week
Mark for follow up
Save / Return Later
Summary
8/8/2016 3:35 PM
Realize Your Potential: paloaltonetworks
1 of 2
https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...
Test results are summarized below. Change the view to see only Correct or Incorrect questions.
Review Test Questions View:
All Questions
Correct Questions
Incorrect Questions
(50 Results)
1
2
ID
Question
Correct
6781
A "Continue" action can be configured on which of the following Security Profiles?
Correct
6786
A Config Lock may be removed by which of the following users? (Select all correct answers.)
Correct
7947
After the installation of a new version of PAN-OS, the firewall must be rebooted.
Correct
7942
An interface in tap mode can transmit packets on the wire.
Correct
7954
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations Correct > Configuration Management>....and then what operation?
7979
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure?
7984
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, Incorrect users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
7953
Both SSL decryption and SSH decryption are disabled by default.
Correct
7994
Can multiple administrator accounts be configured on a single firewall?
Correct
8062
Color-coded tags can be used on all of the items listed below EXCEPT:
Correct
7952
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
Correct
8756
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Correct
8751
In Palo Alto Networks terms, an application is:
Incorrect
8741
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Incorrect
8731
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as…
Correct
3
Incorrect
8/8/2016 3:38 PM
Realize Your Potential: paloaltonetworks
2 of 2
https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...
ID
Question
Correct
8721
In which of the following can User-ID be used to provide a match condition?
Correct
7944
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
Correct
7945
Security policy rules specify a source interface and a destination interface.
Correct
8072
Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?
Incorrect
8711
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
Correct
Close
8/8/2016 3:38 PM
Realize Your Potential: paloaltonetworks
1 of 2
https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...
Test results are summarized below. Change the view to see only Correct or Incorrect questions.
Review Test Questions View:
All Questions
Correct Questions
Incorrect Questions
(50 Results)
1
2
ID
Question
Correct
8651
User-ID is enabled in the configuration of …
Correct
8696
Users may be authenticated sequentially to multiple authentication servers by configuring:
Correct
8681
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Incorrect
8676
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut Correct off communication?
8646
What will be the user experience when the safe search option is NOT enabled for Google Correct search but the firewall has "Safe Search Enforcement" Enabled?
8636
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
8596
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, Incorrect the order of evaluation within a profile is:
8586
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Correct
8576
Which feature can be configured to block sessions that the firewall cannot decrypt?
Correct
8551
Which of the following are methods that HA clusters use to identify network outages?
Correct
8541
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
Incorrect
8490
Which of the following facts about dynamic updates is correct?
Correct
8531
Which of the following interface types can have an IP address assigned to it?
Correct
8556
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
Correct
8516
Which of the following must be enabled in order for User-ID to function?
Correct
8500
Which of the following platforms supports the Decryption Port Mirror function?
Correct
3
Incorrect
8/8/2016 3:39 PM
Realize Your Potential: paloaltonetworks
2 of 2
https://paloaltonetworks.csod.com/Evaluations/Tests/UserTestReview.as...
ID
Question
Correct
8495
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
Correct
8485
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Correct
8466
Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
Correct
8420
Which statement below is True?
Correct
Close
8/8/2016 3:39 PM
View more...
Comments
