Scribd Logo
Upload

Welcome to Scribd!

  • 12K views

    ACE Exam 201 - PAN-OS 7.0

    Uploaded by

    janojoms
    This document contains a sample exam for the Palo Alto Networks Accredited Configuration Engineer (ACE) certification. It includes 29 multiple choice questions about Palo Alto Networks firewall configuration and functionality. Correct answers are not provided. The questions cover topics like security policies, decryption, interfaces, authentication, and more.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    ACE Exam 201 - PAN-OS 7.0

    Uploaded by

    janojoms
    12K views8 pages
    This document contains a sample exam for the Palo Alto Networks Accredited Configuration Engineer (ACE) certification. It includes 29 multiple choice questions about Palo Alto Networks firewall configuration and functionality. Correct answers are not provided. The questions cover topics like security policies, decryption, interfaces, authentication, and more.

    Original Description:

    with out answer.

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document contains a sample exam for the Palo Alto Networks Accredited Configuration Engineer (ACE) certification. It includes 29 multiple choice questions about Palo Alto Networks firewall configuration and functionality. Correct answers are not provided. The questions cover topics like security policies, decryption, interfaces, authentication, and more.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    12K views8 pages

    ACE Exam 201 - PAN-OS 7.0

    Uploaded by

    janojoms
    This document contains a sample exam for the Palo Alto Networks Accredited Configuration Engineer (ACE) certification. It includes 29 multiple choice questions about Palo Alto Networks firewall configuration and functionality. Correct answers are not provided. The questions cover topics like security policies, decryption, interfaces, authentication, and more.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    TestAccreditedConfigurationEngineer(ACE)ExamPANOS7.0Version
    ACEExam

    Question1of50.
    WhenconfiguringaSecurityPolicyRulebasedonFQDNAddressObjects,whichofthefollowingstatementsisTrue?

    ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagaineachtimeSecurityProfilesareevaluated.
    ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagainatDNSTTLexpiration.
    InordertocreateFQDNbasedobjects,youneedtomanuallydefinealistofassociatedIPaddresses.

    Markforfollowup

    Question2of50.
    UsingtheAPIinPANOS6.1,WildFiresubscriberscanuploaduptohowmanysamplesperday?

    50
    1000
    500
    10

    Markforfollowup

    Question3of50.
    InPaloAltoNetworksterms,anapplicationis:

    Aspecificprogramdetectedwithinanidentifiedstreamthatcanbedetected,monitored,and/orblocked.
    Acombinationofportandprotocolthatcanbedetected,monitored,and/orblocked.
    Afileinstalledonalocalmachinethatcanbedetected,monitored,and/orblocked.
    WebbasedtrafficfromaspecificIPaddressthatcanbedetected,monitored,and/orblocked.

    Markforfollowup

    Question4of50.
    Whatisthedefaultsettingfor'Action'inaDecryptionPolicy'srule?

    Any
    NoDecrypt
    None
    Decrypt

    Markforfollowup

    Question5of50.
    WhenDestinationNetworkAddressTranslationisbeingperformed,thedestinationinthecorrespondingSecurityPolicyRuleshoulduse:

    ThePostNATdestinationzoneandPreNATIPaddresses.
    ThePostNATdestinationzoneandPostNATIPaddresses.
    ThePreNATdestinationzoneandPostNATIPaddresses.
    ThePreNATdestinationzoneandPreNATIPaddresses.

    Markforfollowup

    Question6of50.
    AlloftheinterfacesonaPaloAltoNetworksdevicemustbeofthesameinterfacetype.
    True
    False

    Markforfollowup

    Question7of50.
    WhenusingConfigAudit,thecoloryellowindicateswhichofthefollowing?

    Asettinghasbeenchangedbetweenthetwoconfigfiles
    Asettinghasbeendeletedfromaconfigfile.
    Asettinghasbeenaddedtoaconfigfile

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    1/8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    Aninvalidvaluehasbeenusedinaconfigfile.

    Markforfollowup

    Question8of50.
    WhichofthefollowingisNOTavalidoptionforbuiltinCLIAdminroles?

    read/write
    superuser
    deviceadmin
    devicereader

    Markforfollowup

    Question9of50.
    Securitypolicyrulesspecifyasourceinterfaceandadestinationinterface.
    True
    False

    Markforfollowup

    Question10of50.

    Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion.AnadministratorisusingSSHonport3333andBitTorrentonport7777.Which
    statementsareTrue?
    TheBitTorrenttrafficwillbeallowed.
    TheSSHtrafficwillbedenied.
    TheBitTorrenttrafficwillbedenied.
    TheSSHtrafficwillbeallowed.

    Markforfollowup

    Question11of50.
    AftertheinstallationoftheThreatPreventionlicense,thefirewallmustberebooted.
    True
    False

    Markforfollowup

    Question12of50.
    Attackerswillemployanumberoftacticstohidemalware.Onesuchtacticistoencodeand/orcompressthefilesoastohidethemalware.WithPANOS7.0thefirewallcandecode
    uptofourlevels.Butifanattackerhasencodedthefilebeyondfourlevels,whatcanyouasanadministerdotoprotectyourusers?

    CreateaDecryptionProfileformultilevelencodedfilesandapplyittoaDecryptionPolicy.
    CreateaFileBlockingProfileformultilevelencodedfilesandapplyittoaDecryptionPolicy.
    CreateaFileBlockingProfileformultilevelencodedfileswiththeactionsettoblock.
    CreateaDecryptionPolicyformultilevelencodedfilesandsettheactiontoblock.

    Markforfollowup

    Question13of50.
    WillanexportedconfigurationcontainManagementInterfacesettings?
    Yes
    No

    Markforfollowup

    Question14of50.
    WhentroubleshootingPhase1ofanIPsecVPNtunnel,whichlocationandlogwillbemostinformative?

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    2/8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    Initiatingside,Systemlog
    Initiatingside,Trafficlog
    Respondingside,SystemLog
    Respondingside,Trafficlog

    Markforfollowup

    Question15of50.
    WhichofthefollowinginterfacetypescanhaveanIPaddressassignedtoit?

    Layer3
    Layer2
    Tap
    VirtualWire

    Markforfollowup

    Question16of50.
    Aninterfaceintapmodecantransmitpacketsonthewire.
    True
    False

    Markforfollowup

    Question17of50.
    SelecttheimplicitrulesthatareappliedtotrafficthatfailstomatchanyadministratordefinedSecurityPolicies.(Chooseallrulesthatarecorrect.)
    Intrazonetrafficisallowed
    Interzonetrafficisdenied
    Intrazonetrafficisdenied
    Interzonetrafficisallowed

    Markforfollowup

    Question18of50.
    WhichstatementaboutconfiglocksisTrue?

    Aconfiglockcanonlyberemovedbytheadministratorwhosetitorbyasuperuser.
    Aconfiglockcanberemovedonlybytheadministratorwhosetit.
    Aconfiglockwillexpireafter24hours,unlessitwassetbyasuperuser.
    Aconfiglockcanberemovedonlybyasuperuser.

    Markforfollowup

    Question19of50.
    WhenyouhavecreatedaSecurityPolicyRulethatallowsFacebook,whatmustyoudotoblockallotherwebbrowsingtraffic?

    Nothing.YoucandependonPANOStoblockthewebbrowsingtrafficthatisnotneededforFacebookuse.
    Whencreatingthepolicy,ensurethatwebbrowsingisincludedinthesamerule.
    Createanadditionalrulethatblocksallothertraffic.
    EnsurethattheServicecolumnisdefinedas"applicationdefault"forthisSecuritypolicy.Doingthiswillautomaticallyincludetheimplicitwebbrowsingapplicationdependency.

    Markforfollowup

    Question20of50.
    WithoutaWildFiresubscription,whichofthefollowingfilescanbesubmittedbytheFirewalltothehostedWildFirevirtualizedsandbox?

    PEfilesonly
    MSOfficedoc/docx,xls/xlsx,andppt/pptxfilesonly
    PDFfilesonly
    PEandJavaApplet(jarandclass)only

    Markforfollowup

    Question21of50.
    Usersmaybeauthenticatedsequentiallytomultipleauthenticationserversbyconfiguring:

    AnAuthenticationSequence.

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    3/8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    AnAuthenticationProfile.
    AcustomAdministratorProfile.
    MultipleRADIUSserverssharingaVSAconfiguration.

    Markforfollowup

    Question22of50.
    WildFiremaybeusedforidentifyingwhichofthefollowingtypesoftraffic?

    Malware
    RIPv2
    DHCP
    OSPF

    Markforfollowup

    Question23of50.
    Whenusingremoteauthenticationforusers(LDAP,RADIUS,ActiveDirectory,etc.),whatmustbedonetoallowausertoauthenticatethroughmultiplemethods?

    CreateanAuthenticationSequence,dictatingtheorderofauthenticationprofiles.
    Thiscannotbedone.Althoughmultipleauthenticationmethodsexist,afirewallmustchooseasingle,globalauthenticationtypeandallusersmustusethismethod.
    Thiscannotbedone.Asingleusercanonlyuseoneauthenticationtype.
    Createmultipleauthenticationprofilesforthesameuser.

    Markforfollowup

    Question24of50.

    Consideringtheinformationinthescreenshotabove,whatistheorderofevaluationforthisURLFilteringProfile?

    AllowList,BlockList,CustomCategories,URLCategories(BrightCloudorPANDB).
    URLCategories(BrightCloudorPANDB),CustomCategories,BlockList,AllowList.
    BlockList,AllowList,CustomCategories,URLCategories(BrightCloudorPANDB).
    BlockList,AllowList,URLCategories(BrightCloudorPANDB),CustomCategories.

    Markforfollowup

    Question25of50.
    WhichtypeoflicenseisrequiredtoperformDecryptionPortMirroring?

    AClientDecryptionlicense
    AsubscriptionbasedSSLPortlicense
    AfreePANPADecryptlicense
    AsubscriptionbasedPANPADecryptlicense

    Markforfollowup

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    4/8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    Question26of50.
    Canmultipleadministratoraccountsbeconfiguredonasinglefirewall?
    Yes
    No

    Markforfollowup

    Question27of50.

    Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquestion:Aspanportoraswitchisconnectedtoe1/4,buttherearenotrafficlogs.Whichofthe
    followingconditionsmostlikelyexplainsthisbehavior?

    TheinterfaceisnotassignedanIPaddress.
    Theinterfaceisnotup.
    Thereisnozoneassignedtotheinterface.
    Theinterfaceisnotassignedavirtualrouter.

    Markforfollowup

    Question28of50.
    WhichpredefinedAdminRolehasallrightsexcepttherightstocreateadministrativeaccountsandvirtualsystems?

    Superuser
    vsysadmin
    DeviceAdministrator
    Acustomadminrolemustbecreatedforthisspecificcombinationofrights.

    Markforfollowup

    Question29of50.

    Thescreenshotaboveshowspartofafirewallsconfiguration.Ifpingtrafficcantraversethisdevicefrome1/2toe1/1,whichofthefollowingstatementsmustbeTrueaboutthis
    firewallsconfiguration?(Selectallcorrectanswers.)
    Theremustbeappropriateroutesinthedefaultvirtualrouter.
    TheremustbeasecuritypolicyrulefromInternetzonetotrustzonethatallowsping.
    TheremustbeasecuritypolicyrulefromtrustzonetoInternetzonethatallowsping.
    TheremustbeaManagementProfilethatallowsping.(ThenassignthatManagementProfiletoe1/1ande1/2.)

    Markforfollowup

    Question30of50.
    WhichofthefollowingisaroutingprotocolsupportedinaPaloAltoNetworksfirewall?

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    5/8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    RIPv2
    IGRP
    EIGRP
    ISIS

    Markforfollowup

    Question31of50.
    WildFireanalyzesfilestodeterminewhetherornottheyaremalicious.Whendoingso,WildFirewillclassifythefilewithanofficialverdict.ThisverdictisknownastheWildFire
    Analysisverdict.Choosethethreecorrectclassificationsasaresultofthisanalysisandclassification?
    Benign
    Spyware
    Safeware
    Adware
    Grayware
    Malwaredetection

    Markforfollowup

    Question32of50.
    WhenemployingtheBrightCloudURLfilteringdatabaseinaPaloAltoNetworksfirewall,theorderofevaluationwithinaprofileis:

    Blocklist,Allowlist,CustomCategories,Cachefiles,LocalURLDBfile.
    DynamicURLfiltering,Blocklist,Allowlist,Cachefiles,Customcategories,Predefinedcategories.
    Blocklist,CustomCategories,Predefinedcategories,DynamicURLfiltering,Allowlist,Cachefiles.
    Blocklist,CustomCategories,Cachefiles,Predefinedcategories,DynamicURLfiltering,Allowlist.

    Markforfollowup

    Question33of50.
    InPANOS7.0whichoftheavailablechoicesservesasanalertwarningbydefiningpatternsofsuspicioustrafficandnetworkanomaliesthatmayindicateahosthasbeen
    compromised?

    CorrelationObjects
    AppIDSignatures
    Command&ControlSignatures
    CustomSignatures
    CorrelationEvents

    Markforfollowup

    Question34of50.
    TrueorFalse:TheWildFireAnalysisProfilecanonlybeconfiguredtosendunknownfilestotheWildFirePublicCloudonly.
    True
    False

    Markforfollowup

    Question35of50.
    WhichofthefollowingmostaccuratelydescribesDynamicIPinaSourceNATconfiguration?

    ThenextavailableIPaddressintheconfiguredpoolisused,butthesourceportnumberisunchanged.
    AsingleIPaddressisused,andthesourceportnumberischanged.
    Thenextavailableaddressintheconfiguredpoolisused,andthesourceportnumberischanged.
    AsingleIPaddressisused,andthesourceportnumberisunchanged.

    Markforfollowup

    Question36of50.
    WhatwillbetheuserexperiencewhenthesafesearchoptionisNOTenabledforGooglesearchbutthefirewallhas"SafeSearchEnforcement"Enabled?

    AblockpagewillbepresentedwithinstructionsonhowtosetthestrictSafeSearchoptionfortheGooglesearch.
    Theuserwillberedirectedtoadifferentsearchsitethatisspecifiedbythefirewalladministrator.
    AtaskbarpopupmessagewillbepresentedtoenableSafeSearch.
    TheFirewallwillenforceSafeSearchiftheURLfilteringlicenseisstillvalid.

    Markforfollowup

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    6/8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    Question37of50.
    InPANOS6.0andlater,whichoftheseitemsmaybeusedasmatchcriterioninaPolicyBasedForwardingRule?(Choose3.)
    DestinationApplication
    SourceZone
    SourceUser
    DestinationZone

    Markforfollowup

    Question38of50.
    A"Continue"actioncanbeconfiguredonwhichofthefollowingSecurityProfiles?

    URLFilteringandFileBlocking
    URLFilteringonly
    URLFiltering,FileBlocking,andDataFiltering
    URLFilteringandAntivirus

    Markforfollowup

    Question39of50.
    PaloAltoNetworksfirewallssupporttheuseofbothDynamic(builtinuserroles)andRoleBased(customizeduserroles)forAdministratorAccounts.
    True
    False

    Markforfollowup

    Question40of50.
    Whichofthefollowingfactsaboutdynamicupdatesiscorrect?

    Antivirusupdatesarereleaseddaily.ApplicationandThreatupdatesarereleasedweekly.
    ApplicationandThreatupdatesarereleaseddaily.AntivirusandURLFilteringupdatesarereleasedweekly.
    ApplicationandAntivirusupdatesarereleasedweekly.ThreatandThreatandURLFilteringupdatesarereleasedweekly.
    ThreatandURLFilteringupdatesarereleaseddaily.ApplicationandAntivirusupdatesarereleasedweekly.

    Markforfollowup

    Question41of50.
    PrevioustoPANOS7.0thefirewallwasabletodecodeuptotwolevels.WithPANOS7.0thefirewallcannowdecodeuptohowmanylevels?

    Four
    Three
    Five
    Six

    Markforfollowup

    Question42of50.
    WhichofthefollowingwouldbeareasontousethePANOSXMLAPItocommunicatewithaPaloAltoNetworksfirewall?

    TopullinformationfromothernetworkresourcesforUserID.
    TopermitsysloggingofUserIdentificationevents.
    ToallowthefirewalltopushUserIDinformationtoaNetworkAccessControl(NAC)device.

    Markforfollowup

    Question43of50.
    PANOS7.0introducedanewSecurityProfiletype.Whatisthenameofthisnewsecurityprofiletype?

    ThreatAnalysis
    WildFireAnalysis
    MalwareAnalysis
    FileAnalysis

    Markforfollowup

    Question44of50.

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    7/8

    20/12/2015

    RealizeYourPotential:paloaltonetworks

    YoucanassignanIPaddresstoaninterfaceinVirtualWiremode.
    True
    False

    Markforfollowup

    Question45of50.
    WhichofthefollowingaremethodsthatHAclustersusetoidentifynetworkoutages?

    LinkandSessionMonitors
    PathandLinkMonitoring
    HeartbeatandSessionMonitors
    VRandVSYSMonitors

    Markforfollowup

    Question46of50.
    WhenaninterfaceisinTapmodeandaPolicysactionissettoblock,theinterfacewillsendaTCPreset.
    True
    False

    Markforfollowup

    Question47of50.
    HowdoyoureducetheamountofinformationrecordedintheURLContentFilteringLogs?

    Enable"Logcontainerpageonly".
    DisableURLpacketcaptures.
    EnableURLlogcaching.
    EnableDSRI.

    Markforfollowup

    Question48of50.
    WhatwilltheuserexperiencewhenattemptingtoaccessablockedhackingwebsitethroughatranslationservicesuchasGoogleTranslateorBingTranslator?

    ABlockedpageresponsewhentheURLfilteringpolicytoblockisenforced.
    ASuccesspageresponsewhenthesiteissuccessfullytranslated.
    Thebrowserwillberedirectedtotheoriginalwebsiteaddress.
    An"HTTPError503Serviceunavailable"message.

    Markforfollowup

    Question49of50.
    TrueorFalse:ThePANDBURLFilteringServiceisofferedasbothaPrivateCloudsolutionandaPublicCloudsolution.
    True
    False

    Markforfollowup

    Question50of50.
    WithIKEPhase1,eachdeviceisidentifiedtotheotherbyaPeerID.Inmostcases,thePeerIDisjustthepublicIPaddressofthedevice.InsituationswherethepublicIPaddressis
    notstatic,thePeerIDcanbeatextvalue.
    True
    False

    Markforfollowup

    Save/ReturnLater

    Summary

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=e9d5a4eed00144d48d3a07d77495f928&evalLvl=5&redirect_url=%2fphnx%2fdriver.as

    8/8

    You might also like