ACE Exam

Question 1 of 50.
Which statement below is True?
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.

Question 2 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Anti-virus

Question 3 of 50.
A Config Lock may be removed by which of the following users? (Select all correct answers.)
Any administrator
Device administrators
The administrator who set it
Superusers

Question 4 of 50.
When an interface is in Tap mode and a Policy's action is set to block, the interface will send a TCP reset.

True

False

Question 5 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
500
50
1000
10

Question 6 of 50.
Which statement about config locks is True?
A config lock can be removed only by a superuser.
A config lock can be removed only by the administrator who set it.
A config lock can only be removed by the administrator who set it or by a superuser.
A config lock will expire after 24 hours, unless it was set by a superuser.

Question 7 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes

No

Question 8 of 50.
In which of the following can User-ID be used to provide a match condition?

Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Question 9 of 50.
Will an exported configuration contain Management Interface settings?
Yes

No

Question 10 of 50.
Which of the following must be enabled in order for User-ID to function?
Security Policies must have the User-ID option enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal Policies must be enabled.
Captive Portal must be enabled.

Question 11 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire

Question 12 of 50.

Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
A single IP address is used, and the source port number is changed.
The next available IP address in the configured pool is used, but the source port number is unchanged.
The next available address in the configured pool is used, and the source port number is changed.
A single IP address is used, and the source port number is unchanged.

Question 13 of 50.
Enabling "Highlight Unused Rules" in the Security Policy window will:
Display rules that caused a validation error to occur at the time a Commit was performed.
Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the
firewall.
Highlight all rules that did not match traffic within an administrator-specified time period.
Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the
firewall.

Question 14 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
System defaults may be restored by performing a factory reset in Maintenance Mode.
The default Admin account may be disabled or deleted.
Initial configuration may be accomplished thru the MGT interface or the Console port.
By default the MGT Port's IP Address is 192.168.1.1/24.

Question 15 of 50.
When Destination Network Address Translation is being performed, the destination in the corresponding
Security Policy Rule should use:
The Pre-NAT destination zone and Pre-NAT IP addresses.
The Post-NAT destination zone and Pre-NAT IP addresses.
The Pre-NAT destination zone and Post-NAT IP addresses.
The Post-NAT destination zone and Post-NAT IP addresses.

Question 16 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements
is True?
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time
Security Profiles are evaluated.
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL
expiration.

Question 17 of 50.
When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the
rule? (Choose 3 answers.)
URL Category
Service
Source User
Application
Source Zone

Question 18 of 50.
Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted
WildFire virtualized sandbox?
MS Office doc/docx, xls/xlsx, and ppt/pptx files only
PDF files only
PE and Java Applet (jar and class) only
PE files only

Question 19 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Responding side, Traffic log
Initiating side, System log
Initiating side, Traffic log
Responding side, System Log

Question 20 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the
firewall? (Select all correct answers.)
Improved malware detection in WildFire.
Improved DNS-based C&C signatures.
Improved BrightCloud malware detection.
Improved PAN-DB malware detection.

Question 21 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
Applications
BrightCloud URL Filtering
Applications and Threats
Anti-virus

Question 22 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto
Networks firewall?
To permit syslogging of User Identification events.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
To pull information from other network resources for User-ID.

Question 23 of 50.
An interface in tap mode can transmit packets on the wire.
True

False

Question 24 of 50.
WildFire may be used for identifying which of the following types of traffic?
DHCP
Malware
RIPv2
OSPF

Question 25 of 50.
What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
Most specific match applied.
First match applied.
Last match applied.
The rule with the highest rule number is applied.

Question 26 of 50.

What will be the user experience when the safe search option is NOT enabled for Google search but the
firewall has "Safe Search Enforcement" Enabled?
The user will be redirected to a different search site that is specified by the firewall administrator.
A block page will be presented with instructions on how to set the strict Safe Search option for the Google
search.
A task bar pop-up message will be presented to enable Safe Search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.

Question 27 of 50.

Taking into account only the information in the screenshot above, answer the following question. An
administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The SSH traffic will be denied.
The BitTorrent traffic will be allowed.
The BitTorrent traffic will be denied.
The SSH traffic will be allowed.

Question 28 of 50.
After the installation of the Threat Prevention license, the firewall must be rebooted.
True

False

Question 29 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile

Question 30 of 50.
What will the user experience when attempting to access a blocked hacking website through a translation
service such as Google Translate or Bing Translator?
A Blocked page response when the URL filtering policy to block is enforced.
A Success page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 - Service unavailable" message.

Question 31 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Link and Session Monitors
VR and VSYS Monitors
Heartbeat and Session Monitors
Path and Link Monitoring

Question 32 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which
applications will be allowed on their standard ports? (Select all correct answers.)
Gnutella
BitTorrent
Skype
SSH

Question 33 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True

False

Question 34 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding
Rule? (Choose 3.)
Destination Zone
Source Zone
Source User
Destination Application

Question 35 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address
or an Address Object.
True

False

Question 36 of 50.
Which routing protocol is supported on the Palo Alto Networks platform?
BGP
RIPv1
ISIS
RSTP

Question 37 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True

False

Question 38 of 50.
In PAN-OS 6.0 and later, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall's policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.

Question 39 of 50.

In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Question 40 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Zones
Vulnerability Profiles
Address Objects
Service Groups

Question 41 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the
public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a
text value.
True

False

Question 42 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of
evaluation within a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.

Question 43 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be
configured?
100
50
10
150

Question 44 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
HTTPS
SSH
Telnet
HTTP

Question 45 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not
knowing they are attempting to access a blocked web-based application, users call the Help Desk to
complain about network connectivity issues. What is the cause of the increased number of help desk calls?
The firewall admin did not create a custom response page to notify potential users that their attempt to access
the web-based application is being blocked due to company policy.
The File Blocking Block Page was disabled.
Application Block Pages will only be displayed when Captive Portal is configured.
Some App-ID's are set with a Session Timeout value that is too low.

Question 46 of 50.

Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering
Profile?
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.

Question 47 of 50.

The screenshot above shows part of a firewall's configuration. If ping traffic can traverse this device from
e1/2 to e1/1, which of the following statements must be True about this firewall's configuration? (Select all
correct answers.)
There must be a security policy rule from trust zone to Internet zone that allows ping.
There must be a security policy rule from Internet zone to trust zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and
e1/2.)

Question 48 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
The local loopback address.
The default gateway of the firewall.
The MGT interface address.
Any layer 3 interface address specified by the firewall administrator.

Question 49 of 50.
Which of the following facts about dynamic updates is correct?
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and Threat and URL Filtering updates are
released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.

Question 50 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to
be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.

806
2

Color-coded tags can be used on all of the items listed below EXCEPT:

Incorrect

809
7

Considering the information in the screenshot above, what is the order of evaluation for this
URL Filtering Profile?

Incorrect

875
6

In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you
need a:

Incorrect

874
1

In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)

Incorrect

872
1

In which of the following can User-ID be used to provide a match condition?

Incorrect

808
7

Taking into account only the information in the screenshot above, answer the following
question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?

Incorrect

8711

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID,
provides:

Incorrect

808
2

The screenshot above shows part of a firewall's configuration. If ping traffic can traverse
this device from e1/2 to e1/1, which of the following statements must be True about this
firewall's configuration? (Select all correct answers.)

Incorrect

864
6

What will be the user experience when the safe search option is NOT enabled for Google
search but the firewall has "Safe Search Enforcement" Enabled?

Incorrect

862
1

When configuring a Security Policy Rule based on FQDN Address Objects, which of the
following statements is True?

Incorrect

859
1

When Destination Network Address Translation is being performed, the destination in the
corresponding Security Policy Rule should use:

Incorrect

852
1

Which of the following most accurately describes Dynamic IP in a Source NAT
configuration?

Incorrect

847
6

Which of the following would be a reason to use the PAN-OS XML API to communicate with
a Palo Alto Networks firewall?

Incorrect
