Professional Documents
Culture Documents
Test Accredited Configuration Engineer (ACE) Exam PANOS 8.0 Version
ACE 8.0
Question 1 of 40.
A Security policy rule displayed in italic font indicates which condition?
The rule is a clone.
The rule has been overridden.
The rule is active.
The rule is disabled.
Mark for follow up
Question 2 of 40.
A Server Profile enables a firewall to locate which server type?
a server with firewall threat updates
a server with an available VPN connection
a server with remote user accounts
a server with firewall software updates
Mark for follow up
Question 3 of 40.
An Antivirus Security Profile specifies Actions and WildFire Actions. Wildfire Actions enable you to configure the firewall
to perform which operation?
Download new antivirus signatures from WildFire.
Block traffic when a WildFire virus signature is detected.
Delete packet data when a virus is suspected.
Upload traffic to WildFire when a virus is suspected.
Mark for follow up
Question 4 of 40.
Finding URLs matched to the notresolved URL category in the URL Filtering log file might indicate that you should take
which action?
Validate your Security policy rules.
Validate connectivity to the PANDB cloud.
Reboot the firewall.
Redownload the URL seed database.
Mark for follow up
Question 5 of 40.
If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are recorded in which log type?
Data Filtering
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 1/8
22/06/2017 Realize Your Potential: paloaltonetworks
WildFire Submissions
Threat
Traffic
Mark for follow up
Question 6 of 40.
If there is an HA configuration mismatch between firewalls during peer negotiation, which state will the passive firewall
enter?
PASSIVE
NONFUNCTIONAL
ACTIVE
INITIAL
Mark for follow up
Question 7 of 40.
In a destination NAT configuration, which option accurately completes the following sentence? A Security policy rule
should be written to match the _______.
original preNAT source and destination addresses, and the preNAT destination zone
original preNAT source and destination addresses, but the postNAT destination zone
postNAT source and destination addresses, and the postNAT destination zone
postNAT source and destination addresses, but the preNAT destination zone
Mark for follow up
Question 8 of 40.
In a Security Profile, which action does a firewall take when the profiles action is configured as Reset Server? (Choose
two.)
For UDP sessions, the connection is reset.
For UDP sessions, the connection is dropped.
The client is reset.
The traffic responder is reset.
Mark for follow up
Question 9 of 40.
In an HA configuration, which three components are synchronized between the pair of firewalls? (Choose three.)
policies
networks
objects
logs
Mark for follow up
Question 10 of 40.
In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose three.)
synchronizing sessions
synchronizing configuration
exchanging heartbeats
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 2/8
22/06/2017 Realize Your Potential: paloaltonetworks
exchanging hellos
Mark for follow up
Question 11 of 40.
In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.)
heartbeats
link groups
path groups
hellos
Mark for follow up
Question 12 of 40.
Which two user mapping methods are supported by the UserID integrated agent? (Choose two.)
Client Probing
LDAP Filters
NetBIOS Probing
WMI probing
Mark for follow up
Question 13 of 40.
SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.)
server's private key
client's digital certificate
server's digital certificate
client's public key
Mark for follow up
Question 14 of 40.
The firewall acts as a proxy for which two types of traffic? (Choose two.)
NonSSL
SSL outbound
SSL Inbound Inspection
SSH
Mark for follow up
Question 15 of 40.
The Threat log records events from which three Security Profiles? (Choose three.)
WildFire Analysis
URL Filtering
File Blocking
AntiSpyware
Antivirus
Vulnerability Protection
Mark for follow up
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 3/8
22/06/2017 Realize Your Potential: paloaltonetworks
Question 16 of 40.
The UserID feature is enabled per __________?
UserID agent
firewall interface
firewall security zone
firewall
Mark for follow up
Question 17 of 40.
The WildFire Portal website supports which three operations? (Choose three.)
upload files to WildFire for analysis
view WildFire verdicts
request firewall WildFire licenses
report incorrect verdicts
Mark for follow up
Question 18 of 40.
What are the two separate planes that make up the PANOS architecture? (Choose two.)
routing plane
control/management plane
HA plane
signature processing plane
dataplane
Mark for follow up
Question 19 of 40.
What are three connection methods for the GlobalProtect agent? (Choose three.)
Captcha portal
Ondemand
UserLogon
PreLogon
Mark for follow up
Question 20 of 40.
What are two benefits of attaching a Decryption Profile to a Decryption policy nodecrypt rule? (Choose two.)
untrusted certificate checking
expired certificate checking
acceptable protocol checking
URL category match checking
Mark for follow up
Question 21 of 40.
What is a characteristic of Dynamic Admin Roles?
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 4/8
22/06/2017 Realize Your Potential: paloaltonetworks
Role privileges can be dynamically updated with newer software releases.
They can be dynamically modified by external authorization systems.
Role privileges can be dynamically updated by a firewall administrator.
They can be dynamically created or deleted by a firewall administrator.
Mark for follow up
Question 22 of 40.
What is the result of performing a firewall Commit operation?
The candidate configuration becomes the running configuration.
The saved configuration becomes the loaded configuration.
The loaded configuration becomes the candidate configuration.
The candidate configuration becomes the saved configuration.
Mark for follow up
Question 23 of 40.
Where does a GlobalProtect client connect to first when trying to connect to the network?
GlobalProtect Gateway
AD agent
UserID agent
GlobalProtect Portal
Mark for follow up
Question 24 of 40.
Which action in a File Blocking Security Profile results in the user being prompted to verify a file transfer?
Allow
Block
Continue
Alert
Mark for follow up
Question 25 of 40.
Which condition must exist before a firewall's inband interface can process traffic?
The firewall must be assigned an IP address.
The firewall must not be a loopback interface.
The firewall must be assigned to a security zone.
The firewall must be enabled.
Mark for follow up
Question 26 of 40.
Which feature is a dynamic grouping of applications used in Security policy rules?
application group
implicit applications
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 5/8
22/06/2017 Realize Your Potential: paloaltonetworks
dependent applications
application filter
Mark for follow up
Question 27 of 40.
Which four actions can be applied to traffic matching a URL Filtering Security Profile? (Choose four.)
Reset Server
Block
Override
Continue
Reset Client
Alert
Mark for follow up
Question 28 of 40.
Which interface type does NOT require any configuration changes to adjacent network devices?
Layer 2
Layer 3
Virtual Wire
Tap
Mark for follow up
Question 29 of 40.
Which interface type is NOT assigned to a security zone?
HA
Layer 3
Virtual Wire
VLAN
Mark for follow up
Question 30 of 40.
Which statement describes the Export named configuration snapshot operation?
A saved configuration is transferred to an external hosts storage device.
The running configuration is transferred from memory to the firewall's storage device.
The candidate configuration is transferred from memory to the firewall's storage device.
A copy of the configuration is uploaded to the cloud as a backup.
Mark for follow up
Question 31 of 40.
Which statement is true about a URL Filtering Profile continue password?
There is a password per session.
There is a single, perfirewall password.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 6/8
22/06/2017 Realize Your Potential: paloaltonetworks
There is a password per firewall administrator account.
There is a password per website.
Mark for follow up
Question 32 of 40.
Which three components can be sent to WildFire for analysis? (Choose three.)
email attachments
URL links found in email
files traversing the firewall
MGT interface traffic
Mark for follow up
Question 33 of 40.
Which three interface types can control or shape network traffic? (Choose three.)
Tap
Layer 3
Virtual Wire
Layer 2
Mark for follow up
Question 34 of 40.
Which three MGT port configuration settings are required in order to access the WebUI? (Choose three.)
Netmask
IP address
Default gateway
Hostname
Mark for follow up
Question 35 of 40.
Which three network modes are supported by active/passive HA? (Choose three.)
Virtual Wire
Layer 2
Layer 3
Tap
Mark for follow up
Question 36 of 40.
Which three statements are true regarding sessions on the firewall? (Choose three.)
Sessions are always matched to a Security policy rule.
The only session information tracked in the session logs are the fivetuples.
Network packets are always matched to a session.
Return traffic is allowed.
Mark for follow up
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 7/8
22/06/2017 Realize Your Potential: paloaltonetworks
Question 37 of 40.
Which two file types can be sent to WildFire for analysis if a firewall has only a standard subscription service? (Choose
two.)
.dll
.pdf
.exe
.jar
Mark for follow up
Question 38 of 40.
Which two UserID methods are used to verify known IP addresstouser mappings? (Choose two.)
Session Monitoring
Captive Portal
Server Monitoring
Client Probing
Mark for follow up
Question 39 of 40.
Which type of content update does NOT have to be scheduled for download on the firewall?
dynamic update antivirus signatures
WildFire antivirus signatures
dynamic update threat signatures
PANDB updates
Mark for follow up
Question 40 of 40.
Which user mapping method is recommended for a highly mobile user base?
Session Monitoring
Client Probing
Server Monitoring
GlobalProtect
Mark for follow up
Save / Return Later Summary
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6296516f-bf5b-4c19-bb9a-5223178f76d8&evalLvl=5&redirect_url=%2fLMS%2fUserTra… 8/8