Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.1 Version
ACE Exam
Question 1 of 50.
The following can be configured as a next hop in a static route:
1. A Policy-Based Forwarding Rule
2. Virtual Systems
3. Virtual Router
4. Virtual Switch
Question 2 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted
changes to the Candidate configuration. These changes may be undone by
Device > Setup > Operations > Configuration Management > ... and then what
operation?
1. Revert to Running Configuration
2. Revert to last Saved Configuration
3. Load Configuration Version
4. Import Named Configuration Snapshot
Question 3 of 50.
Which statement below is True?
1. PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
2. PAN-OS uses BrightCloud as its default URL Filtering database, but also
supports PAN-DB.
3. PAN-OS uses PAN-DB as the default URL Filtering database, but
also supports BrightCloud.
4. PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks
firewall, the order of evaluation within a profile is:
1. Block list, Custom Categories, Predefined categories, Dynamic
URL filtering, Allow list, Cache files.
2. Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
3. Block list, Custom Categories, Cache files, Predefined categories, Dynamic
URL filtering, Allow list.
4. Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories,
Predefined categories.
Question 5 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most
cases, the Peer ID is just the public IP address of the device. In situations where
the public IP address is not static, the Peer ID can be a text value.
True
False
Question 6 of 50.
The screenshot above shows part of a firewall's configuration. If ping
traffic can traverse this device from e1/2 to e1/1, which of the following
statements must be True about this firewall's configuration? (Select all
correct answers.)
1. There must be a security policy from Internet zone to trust zone that
allows ping.
2. There must be a security policy from trust zone to Internet zone
that allows ping.
3. There must be appropriate routes in the default virtual router.
4. There must be a Management Profile that allows ping. (Then
assign that Management Profile to e1/1 and e1/2.)
Question 7 of 50.
Which feature can be configured to block sessions that the firewall cannot
decrypt?
1. Decryption Profile in Security Policy
2. Decryption Profile in Decryption Policy
3. Decryption Profile in PBF
4. Decryption Profile in Security Profile
Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same
interface type.
True
False
Question 9 of 50.
Which of the following would be a reason to use the PAN-OS XML API to
communicate with a Palo Alto Networks firewall?
1. To permit syslogging of User Identification events.
2. To pull information from other network resources for User-ID.
3. To allow the firewall to push User-ID information to a Network
Access Control (NAC) device.
Question 10 of 50.
Which of the following statements is NOT True about Palo Alto Networks
firewalls?
1. Initial configuration may be accomplished through the MGT interface or the
Console port.
2. The default Admin account may be disabled or deleted.
3. By default the MGT Port's IP Address is 192.168.1.1/24.
4. System defaults may be restored by performing a factory reset in
Maintenance Mode.
Question 11 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True
False
Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select
all correct answers.)
1. BrightCloud URL Filtering
2. Applications and Threats
3. Applications
4. Anti-virus

Question 13 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
1. Address Objects
2. Service Groups
3. Zones
4. Vulnerability Profiles
Question 14 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a
zone in order to process traffic.
True
False
Question 15 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True
False
Question 16 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks
firewall, you need a:
1. Virtual Router
2. VLAN
3. Virtual Wire
4. Security Profile

Question 17 of 50.
An interface in tap mode can transmit packets on the wire.
True
False
Question 18 of 50.
When Destination Network Address Translation is being performed, the
destination in the corresponding Security Policy Rule should use:
1. The Post-NAT destination zone and Post-NAT IP address.
2. The Pre-NAT destination zone and Pre-NAT IP address.
3. The Pre-NAT destination zone and Post-NAT IP address.
4. The Post-NAT destination zone and Pre-NAT IP address.
Question 19 of 50.

Taking into account only the information in the screenshot above, answer the
following question. Which applications will be allowed on their standard ports?
(Select all correct answers.)
1. BitTorrent
2. Gnutella
3. Skype
4. SSH

Question 20 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which
of the following statements is True?
1. In order to create FQDN-based objects, you need to manually define a list
of associated IP addresses.
2. The firewall resolves the FQDN first when the policy is committed, and
resolves the FQDN again each time Security Profiles are evaluated.
3. The firewall resolves the FQDN first when the policy is committed,
and resolves the FQDN again at DNS TTL expiration.
Question 21 of 50.
Users may be authenticated sequentially to multiple authentication servers by
configuring:
1. An Authentication Sequence.
2. Multiple RADIUS servers sharing a VSA configuration.
3. A custom Administrator Profile.
4. An Authentication Profile.
Question 22 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No
Question 23 of 50.
When using Config Audit, the color yellow indicates which of the following?
1. A setting has been changed between the two config files
2. A setting has been deleted from a config file.
3. A setting has been added to a config file
4. An invalid value has been used in a config file.
Question 24 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory,
etc.), what must be done to allow a user to authenticate through multiple
methods?
1. Create an Authentication Sequence, dictating the order of
authentication profiles.
2. Create multiple authentication profiles for the same user.
3. This cannot be done. A single user can only use one authentication type.
4. This cannot be done. Although multiple authentication methods exist, a
firewall must choose a single, global authentication type--and all users
must use this method.
Question 25 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will
be most informative?
1. Responding side, System Log
2. Initiating side, Traffic log
3. Initiating side, System log
4. Responding side, Traffic log

Question 26 of 50.
User-ID is enabled in the configuration of
1. A Zone.
2. A Security Profile.
3. An Interface.
4. A Security Policy.
Question 27 of 50.
What will the user experience when attempting to access a blocked hacking
website through a translation service such as Google Translate or Bing
Translator?
1. A Blocked page response when the URL filtering policy to block
is enforced.
2. A Success page response when the site is successfully translated.
3. The browser will be redirected to the original website address.
4. An "HTTP Error 503 - Service unavailable" message.

Question 28 of 50.
When you have created a Security Policy Rule that allows Facebook, what must
you do to block all other web-browsing traffic?
1. Nothing. You can depend on PAN-OS to block the web-browsing
traffic that is not needed for Facebook use.
2. Ensure that the Service column is defined as "application-default" for this
Security policy. Doing this will automatically include the implicit
web-browsing application dependency.
3. Create an additional rule that blocks all other traffic.
4. When creating the policy, ensure that web-browsing is included in the
same rule.
Question 29 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True
False
Question 30 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
1. URL Filtering and File Blocking
2. URL Filtering only
3. URL Filtering, File Blocking, and Data Filtering
4. URL Filtering and Anti-virus
Question 31 of 50.
Which of the following interface types can have an IP address assigned to it?
1. Layer 3
2. Layer 2
3. Tap
4. Virtual Wire
Question 32 of 50.

What are the benefits gained when the "Enable Passive DNS
Monitoring" checkbox is chosen on the firewall? (Select all correct
answers.)
1. Improved DNS-based C&C signatures.
2. Improved PAN-DB malware detection.
3. Improved BrightCloud malware detection.
4. Improved malware detection in WildFire.
Question 33 of 50.
Security policies specify a source interface and a destination interface.
True
False
Question 34 of 50.
Taking into account only the information in the screenshot above,
answer the following question. An administrator is using SSH on port
3333 and BitTorrent on port 7777. Which statements are True?
1. The SSH traffic will be denied.
2. The BitTorrent traffic will be allowed.
3. The SSH traffic will be allowed.
4. The BitTorrent traffic will be denied.
Question 35 of 50.
Which of the following most accurately describes Dynamic IP in a
Source NAT configuration?
1. A single IP address is used, and the source port number is unchanged.
2. The next available IP address in the configured pool is used, but
the source port number is unchanged.
3. A single IP address is used, and the source port number is changed.
4. The next available address in the configured pool is used, and the source
port number is changed.
Question 36 of 50.
What are two sources of information for determining whether the
firewall has been successful in communicating with an external User-ID
Agent?
1. System Logs and Authentication Logs.
2. System Logs and the indicator light under the User-ID Agent
settings in the firewall.
3. System Logs and an indicator light on the chassis.
4. Traffic Logs and Authentication Logs.
Question 37 of 50.
Which pre-defined Admin Role has all rights except the rights to create
administrative accounts and virtual systems?
1. Superuser
2. Device Administrator
3. A custom admin role must be created for this specific combination
of rights.
4. Vsysadmin
Question 38 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy
decryption capabilities.
True
False
Question 39 of 50.
Taking into account only the information in the screenshot above,
answer the following question: A span port or a switch is connected to
e1/4, but there are no traffic logs. Which of the following conditions
most likely explains this behaviour?
1. The interface is not up.
2. There is no zone assigned to the interface.
3. The interface is not assigned an IP address.
4. The interface is not assigned a virtual router.
Question 40 of 50.
Which type of license is required to perform Decryption Port Mirroring?
1. A subscription-based SSL Port license
2. A free PAN-PA-Decrypt license
3. A Client Decryption license
4. A subscription-based PAN-PA-Decrypt license.
Question 41 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes
No

Question 42 of 50.
Which of the following CANNOT use the source user as a match
criterion?
1. DoS Protection
2. Security Policies
3. Anti-virus Profile
4. Policy Based Forwarding
5. QoS
Question 43 of 50.
Which of the following must be enabled in order for User-ID to function?
1. Captive Portal Policies must be enabled.
2. User-ID must be enabled for the source zone of the traffic that is
to be identified.
3. Captive Portal must be enabled.
4. Security Policies must have the User-ID option enabled.
Question 44 of 50.
In a Destination NAT configuration, the Translated Address field may be
populated with either an IP address or an Address Object.
True
False
Question 45 of 50.
When configuring the firewall for User-ID, what is the maximum number
of Domain Controllers that can be configured?
1. 50
2. 100
3. 10
4. 150
Question 46 of 50.
Besides selecting the Heartbeat Backup option when creating an Active/Passive
HA Pair, which of the following also prevents "Split-Brain"?
1. Creating a custom interface under Service Route Configuration, and
assigning this interface as the backup HA2 link.
2. Configuring an independent backup HA1 link.
3. Configuring a backup HA2 link that points to the MGT interface of
the other device in the pair.
4. Under Packet Forwarding, selecting the VR Sync checkbox.

Question 47 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in
user roles) and Role-Based (customized user roles) for Administrator
Accounts.
True
False
Question 48 of 50.
When configuring a Decryption Policy rule, which option allows a
firewall administrator to control SSHv2 tunnelling in policies by
specifying the SSH-tunnel App-ID?
1. SSH Proxy
2. SSL Forward Proxy
3. SSL Inbound Inspection
4. SSL Reverse Proxy
Question 49 of 50.
In which of the following can User-ID be used to provide a match
condition? (Select all correct answers.)
1. Security Policies
2. NAT Policies
3. Zone Protection Policies
4. Threat Profiles
Question 50 of 50.
In PAN-OS 6.0, rule numbers are:
1. Numbers that specify the order in which security policies are
evaluated.
2. Numbers created to be unique identifiers in each firewall's policy
database.
3. Numbers on a scale of 0 to 99 that specify priorities when two or more
rules are in conflict.
4. Numbers created to make it easier for users to discuss a complicated or
difficult sequence of rules.

Q 51: Traffic going to a public IP address is being translated by your Palo Alto
Networks firewall to your server's private IP address. Which IP address should the
Security Policy use as the "Destination IP" in order to allow traffic to the server?
1. The firewall's MGT IP
2. The firewall's gateway IP
3. The server's public IP
4. The server's private IP

Q 52: If "Forward Proxy Ready" shows "no" when running the command
show system setting ssl-decrypt setting, what is most likely the cause?
1. SSL forward proxy certificate is not generated
2. Web interface certificate is not generated
3. Forward proxy license is not enabled on the box
4. SSL decryption rule is not created

Q 53: When adding an application in a Policy-based Forwarding rule, only a
subset of the entire App-ID database is represented. Why would this be?
1. Policy-based forwarding can only identify certain applications at
this stage of the packet flow, as the majority of applications are
only identified once the session is created.
2. Policy-based forwarding rules require that a companion Security policy
rule, allowing the needed Application traffic, must first be created.
3. The license for the Application ID database is no longer valid.
4. A custom application must first be defined before it can be added to a
Policy-based forwarding rule.
Q 54: What option should be configured when using User Identification?
1. Enable User Identification per Zone
2. Enable User Identification per Security Rule
3. Enable User Identification per interface
4. None of the above

Q 55: What needs to be done prior to committing a configuration in Panorama
after making a change via the CLI or web interface on a device?
1. No additional actions required
2. Synchronize the configuration between the device and Panorama
3. Make the same change again via Panorama
4. Re-import the configuration from the device into Panorama

Q 56: Which local interface cannot be assigned to the IKE gateway?
1. Tunnel
2. L3
3. VLAN
4. Loopback

Q 57: To allow the PAN device to resolve internal and external DNS host
names for reporting and for security policies, an administrator can do the
following:
1. Create a DNS Proxy Object with a default DNS Server for external
resolution and a DNS server for internal domain. Then, in the
device settings, point to this proxy object for DNS resolution.
2. In the device settings define internal hosts via a static list.
3. In the device settings set the Primary DNS server to an external server and
the secondary to an internal server.
4. Create a DNS Proxy Object with a default DNS Server for external
resolution and a DNS server for internal domain. Then, in the device
settings, select the proxy object as the Primary DNS and create a custom
security rule which references that object for
Q 58: With PAN-OS 5.0, how can a common NTP value be pushed to a cluster
of firewalls?
a. Via a Panorama Template
b. Via a shared object in Panorama
c. Via a Panorama Device Group