Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.1 Version

ACE Exam

Question 1 of 50.

What is the default setting for 'Action' in a Decryption Policy's rule?

Decrypt
None
Any
No-Decrypt

Question 2 of 50.

Which of the following platforms supports the Decryption Port Mirror function?

PA-3000
VM-Series
100
PA-2000
PA-4000

Question 3 of 50.

Which routing protocol is supported on the Palo Alto Networks platform?

BGP
RIPv1
ISIS
RSTP

Question 4 of 50.

What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut
off communication?

The local loopback address.
Any layer 3 interface address specified by the firewall administrator.
The MGT interface address.
The default gateway of the firewall.

Question 5 of 50.

The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse
this device from e1/2 to e1/1, which of the following statements must be True about this
firewall’s configuration? (Select all correct answers.)
There must be a security policy rule from trust zone to Internet zone that allows ping.
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)
There must be appropriate routes in the default virtual router.
There must be a security policy rule from Internet zone to trust zone that allows ping.

Question 6 of 50.

After the installation of a new version of PAN-OS, the firewall must be rebooted.
True False

Question 7 of 50.

Which link is used by an Active/Passive cluster to synchronize session information?

The Data Link
The Management Link
The Control Link
The Uplink

Question 8 of 50.

Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to
an internal server’s private IP address. Which IP address should the Security Policy use as
the "Destination IP" in order to allow traffic to the server?

The server’s public IP
The server’s private IP
The firewall’s gateway IP
The firewall’s MGT IP

Question 9 of 50.

Which of the following facts about dynamic updates is correct?

Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.

Question 10 of 50.

What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

Always 2 megabytes.
Always 10 megabytes.
Configurable up to 10 megabytes.
Configurable up to 2 megabytes.

Question 11 of 50.

What Security Profile type must be configured to send files to the WildFire cloud, and
with what choices for the action setting?

A Data Filtering profile with possible actions of “Forward” or “Continue and Forward”.
A URL Filtering profile with the possible action of “Forward”.
A File Blocking profile with possible actions of “Forward” or “Continue and Forward”.
A Vulnerability Protection profile with the possible action of “Forward”.

Question 12 of 50.

In a Destination NAT configuration, the Translated Address field may be populated with
either an IP address or an Address Object.
True False

Question 13 of 50.

Taking into account only the information in the screenshot above, answer the following
question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which
of the following conditions most likely explains this behavior?

The interface is not up.
The interface is not assigned an IP address.
There is no zone assigned to the interface.
The interface is not assigned a virtual router.

Question 14 of 50.

In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall,
you need a:

Virtual Router
VLAN
Virtual Wire
Security Profile

Question 15 of 50.

When configuring Admin Roles for Web UI access, what are the available access levels?

Allow and Deny only
Enable, Read-Only, and Disable
None, Superuser, Device Administrator
Enable and Disable only

Question 16 of 50.

Select the implicit rules that are applied to traffic that fails to match any administrator-defined
Security Policies. (Choose all rules that are correct.)

Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed

Question 17 of 50.

What general practice best describes how Palo Alto Networks firewall policies are applied
to a session?
The rule with the highest rule number is applied.
First match applied.
Last match applied.
Most specific match applied.

Question 18 of 50.

Enabling "Highlight Unused Rules" in the Security Policy window will:

Display rules that caused a validation error to occur at the time a Commit was performed.
Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
Highlight all rules that did not match traffic within an administrator-specified time period.
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.

Question 19 of 50.

Which of the following can provide information to a Palo Alto Networks firewall for the
purposes of User-ID? (Select all correct answers.)
RIPv2
Network Access Control (NAC) device
SSL Certificates
Domain Controller

Question 20 of 50.

Can multiple administrator accounts be configured on a single firewall?

Yes No

Question 21 of 50.

How do you reduce the amount of information recorded in the URL Content Filtering
Logs?

Enable "Log container page only".
Disable URL packet captures.
Enable URL log caching.
Enable DSRI.

Question 22 of 50.

What will the user experience when attempting to access a blocked hacking website
through a translation service such as Google Translate or Bing Translator?

A “Blocked” page response when the URL filtering policy to block is enforced.
A “Success” page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 - Service unavailable" message.

Question 23 of 50.

When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will
send a TCP reset.
True False

Question 24 of 50.

When configuring a Decryption Policy rule, which option allows a firewall administrator
to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy

Question 25 of 50.

Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for
malware signatures to be distributed as often as…

Once an hour
Once a week
Once a day
Once every 15 minutes

Question 26 of 50.

User-ID is enabled in the configuration of …

An Interface.
A Security Profile.
A Security Policy.
A Zone.

Question 27 of 50.

A Config Lock may be removed by which of the following users? (Select all correct
answers.)
Superusers
Any administrator
Device administrators
The administrator who set it

Question 28 of 50.

When configuring a Security Policy Rule based on FQDN Address Objects, which of the
following statements is True?

The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.

Question 29 of 50.

As a Palo Alto Networks firewall administrator, you have made unwanted changes to the
Candidate configuration. These changes may be undone by Device > Setup > Operations >
Configuration Management > .... and then what operation?

Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Question 30 of 50.

Which of the following statements is NOT True about Palo Alto Networks firewalls?

Initial configuration may be accomplished thru the MGT interface or the Console port.
The default Admin account may be disabled or deleted.
System defaults may be restored by performing a factory reset in Maintenance Mode.
By default the MGT Port's IP Address is 192.168.1.1/24.

Question 31 of 50.

All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True False

Question 32 of 50.

Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall
from port scans. To enable this feature within the GUI go to…

Network > Network Profiles > Zone Protection
Objects > Zone Protection
Interfaces > Interface Number > Zone Protection
Policies > Profile > Zone Protection

Question 33 of 50.

When employing the BrightCloud URL filtering database in a Palo Alto Networks
firewall, the order of evaluation within a profile is:

Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.

Question 34 of 50.

Color-coded tags can be used on all of the items listed below EXCEPT:

Zones
Vulnerability Profiles
Service Groups
Address Objects

Question 35 of 50.

Which of the following must be enabled in order for User-ID to function?

Security Policies must have the User-ID option enabled.
Captive Portal Policies must be enabled.
Captive Portal must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.

Question 36 of 50.

Which type of license is required to perform Decryption Port Mirroring?

A subscription-based PAN-PA-Decrypt license
A subscription-based SSL Port license
A Client Decryption license
A free PAN-PA-Decrypt license

Question 37 of 50.

The following can be configured as a next hop in a static route:

A Policy-Based Forwarding Rule
Virtual Switch
Virtual Systems
Virtual Router

Question 38 of 50.

After the installation of the Threat Prevention license, the firewall must be rebooted.
True False

Question 39 of 50.

After the installation of a new Application and Threat database, the firewall must be
rebooted.
True False

Question 40 of 50.

A "Continue" action can be configured on which of the following Security Profiles?

URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Anti-virus

Question 41 of 50.

Which of the following is True of an application filter?

An application filter automatically adapts when an application moves from one IP address to another.
An application filter is used by malware to evade detection by firewalls and anti-virus software.
An application filter specifies the users allowed to access an application.
An application filter automatically includes a new application when one of the new application’s characteristics are included in the filter.

Question 42 of 50.

Taking into account only the information in the screenshot above, answer the following
question. Which applications will be allowed on their standard ports? (Select all correct
answers.)
SSH
BitTorrent
Skype
Gnutella

Question 43 of 50.

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:

Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.
The ability to use Authentication Profiles, in order to protect against unwanted downloads.

Question 44 of 50.

In Palo Alto Networks terms, an application is:

A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Question 45 of 50.

When you have created a Security Policy Rule that allows Facebook, what must you do to
block all other web-browsing traffic?

Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.

Question 46 of 50.

Taking into account only the information in the screenshot above, answer the following
question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the
most likely reason for the lack of response?

The interface is down.
There is no Management Profile.
There is a Security Policy that prevents ping.
There is no route back to the machine originating the ping.

Question 47 of 50.

When Destination Network Address Translation is being performed, the destination in the
corresponding Security Policy Rule should use:

The Post-NAT destination zone and Pre-NAT IP addresses.
The Post-NAT destination zone and Post-NAT IP addresses.
The Pre-NAT destination zone and Post-NAT IP addresses.
The Pre-NAT destination zone and Pre-NAT IP addresses.

Question 48 of 50.

Which of the following services are enabled on the MGT interface by default? (Select all
correct answers.)
HTTPS
SSH
Telnet
HTTP

Question 49 of 50.

When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be
most informative?

Responding side, Traffic log
Responding side, System Log
Initiating side, System log
Initiating side, Traffic log

Question 50 of 50.

Which of the following are methods that HA clusters use to identify network outages?

Heartbeat and Session Monitors
Path and Link Monitoring
VR and VSYS Monitors
Link and Session Monitors
