Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.1 Version

ACE Exam

Question 1 of 50.
Which of the following must be enabled in order for User-ID to function?

Captive Portal Policies must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Security Policies must have the User-ID option enabled.
Captive Portal must be enabled.

Question 2 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True
False

Question 3 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?

Under Packet Forwarding, selecting the VR Sync checkbox.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Configuring an independent backup HA1 link.
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.

Question 4 of 50.
What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for the action setting?

A Vulnerability Protection profile with the possible action of Forward.
A URL Filtering profile with the possible action of Forward.
A File Blocking profile with possible actions of Forward or Continue and Forward.
A Data Filtering profile with possible actions of Forward or Continue and Forward.

Question 5 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as

Once a week
Once an hour
Once every 15 minutes
Once a day

Question 6 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
Applications and Threats
BrightCloud URL Filtering
Antivirus
Applications

Question 7 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
True
False

Question 8 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
To pull information from other network resources for User-ID.
To permit syslogging of User Identification events.

Question 9 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure?

Active Directory Security Logs
Captive Portal
Exchange CAS Security logs
WMI Query

Question 10 of 50.

The screenshot above shows part of a firewall's configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall's configuration? (Select all correct answers.)
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)
There must be a security policy rule from trust zone to Internet zone that allows ping.
There must be a security policy rule from Internet zone to trust zone that allows ping.

Question 11 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?

Enable and Disable only
Allow and Deny only
Enable, Read-Only, and Disable
None, Superuser, Device Administrator

Question 12 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?

In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.

Question 13 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?

The interface is not up.
The interface is not assigned an IP address.
The interface is not assigned a virtual router.
There is no zone assigned to the interface.

Question 14 of 50.
Which statement below is True?

PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.

Question 15 of 50.
Which routing protocol is supported on the Palo Alto Networks platform?

BGP
RIPv1
IS-IS
RSTP

Question 16 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy

Question 17 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True
False

Question 18 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:

Virtual Router
VLAN
Virtual Wire
Security Profile

Question 19 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True
False

Question 20 of 50.
Which of the following platforms supports the Decryption Port Mirror function?

PA-3000
VM-Series 100
PA-2000
PA-4000

Question 21 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:

Service Groups
Vulnerability Profiles
Address Objects
Zones

Question 22 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?

Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.

Question 23 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

Configurable up to 2 megabytes.
Configurable up to 10 megabytes.
Always 10 megabytes.
Always 2 megabytes.

Question 24 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?

A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
The user will be redirected to a different search site that is specified by the firewall administrator.

Question 25 of 50.
Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies. (Choose all rules that are correct.)
Intra-zone traffic is allowed
Inter-zone traffic is denied
Intra-zone traffic is denied
Inter-zone traffic is allowed

Question 26 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?

System Logs and the indicator light under the User-ID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.
System Logs and Authentication Logs.

Question 27 of 50.
A "Continue" action can be configured on which of the following Security Profiles?

URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Antivirus

Question 28 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?

Initial configuration may be accomplished thru the MGT interface or the Console port.
The default Admin account may be disabled or deleted.
By default the MGT Port's IP Address is 192.168.1.1/24.
System defaults may be restored by performing a factory reset in Maintenance Mode.

Question 29 of 50.
Which of the following search engines are supported by the "Safe Search Enforcement" option? (Select all correct answers.)
Yahoo
Google
Bing
Baidu

Question 30 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?

50
1000
10
500

Question 31 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True
False

Question 32 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?

Any
No-Decrypt
Decrypt
None

Question 33 of 50.
When an interface is in Tap mode and a Policy's action is set to block, the interface will send a TCP reset.
True
False

Question 34 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:

Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.

Question 35 of 50.
Security policy rules specify a source interface and a destination interface.
True
False

Question 36 of 50.
Which of the following interface types can have an IP address assigned to it?

Layer 3
Layer 2
Tap
Virtual Wire

Question 37 of 50.
User-ID is enabled in the configuration of

A Security Profile.
A Security Policy.
A Zone.
An Interface.

Question 38 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.
Create an Authentication Sequence, dictating the order of authentication profiles.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.

Question 39 of 50.
In Palo Alto Networks terms, an application is:

A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Question 40 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in Security Profile
Decryption Profile in PBF
Decryption Profile in Decryption Policy
Decryption Profile in Security Policy

Question 41 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?

Initiating side, Traffic log
Initiating side, System log
Responding side, System Log
Responding side, Traffic log

Question 42 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No

Question 43 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server's private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?

The firewall's gateway IP
The firewall's MGT IP
The server's private IP
The server's public IP

Question 44 of 50.
When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the rule? (Choose 3 answers.)
Source User
URL Category
Service
Application
Source Zone

Question 45 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Source Zone
Source User
Destination Zone
Destination Application

Question 46 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > .... and then what operation?

Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Question 47 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?

10
50
150
100

Question 48 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True
False

Question 49 of 50.
Which link is used by an Active/Passive cluster to synchronize session information?

The Management Link
The Data Link
The Uplink
The Control Link

Question 50 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

A single IP address is used, and the source port number is changed.
The next available IP address in the configured pool is used, but the source port number is unchanged.
The next available address in the configured pool is used, and the source port number is changed.
A single IP address is used, and the source port number is unchanged.
