4/7/2015

Empowering People: paloaltonetworks

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.1 Version
ACE Exam

Question 1 of 50.
The following can be configured as a next hop in a static route:

A Policy-Based Forwarding Rule
Virtual Systems
Virtual Router
Virtual Switch

Question 2 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > .... and then what operation?

Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Question 3 of 50.
Which statement below is True?

PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.

Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:

Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.

Question 5 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True
False

Question 6 of 50.

The screenshot above shows part of a firewall's configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall's configuration? (Select all correct answers.)
There must be a security policy from Internet zone to trust zone that allows ping.
There must be a security policy from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.

Question 7 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Decryption Profile in PBF
Decryption Profile in Security Profile

Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True
False

Question 9 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

To permit syslogging of User Identification events.
To pull information from other network resources for User-ID.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.

Question 10 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?

Initial configuration may be accomplished thru the MGT interface or the Console port.
The default Admin account may be disabled or deleted.
By default the MGT Port's IP Address is 192.168.1.1/24.
System defaults may be restored by performing a factory reset in Maintenance Mode.

Question 11 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True
False

Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
BrightCloud URL Filtering
Applications and Threats
Applications
Antivirus

Question 13 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:

Address Objects
Service Groups
Zones
Vulnerability Profiles

Question 14 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True
False

Question 15 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True
False

Question 16 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:

Virtual Router
VLAN
Virtual Wire
Security Profile

Question 17 of 50.
An interface in tap mode can transmit packets on the wire.
True
False

Question 18 of 50.
When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:

The Post-NAT destination zone and Post-NAT IP address.
The Pre-NAT destination zone and Pre-NAT IP address.
The Pre-NAT destination zone and Post-NAT IP address.
The Post-NAT destination zone and Pre-NAT IP address.

Question 19 of 50.

Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent
Gnutella
Skype
SSH

Question 20 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?

In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.

Question 21 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:

An Authentication Sequence.
Multiple RADIUS servers sharing a VSA configuration.
A custom Administrator Profile.
An Authentication Profile.

Question 22 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No

Question 23 of 50.
When using Config Audit, the color yellow indicates which of the following?

A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.

Question 24 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

Create an Authentication Sequence, dictating the order of authentication profiles.
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.

Question 25 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?

Responding side, System Log
Initiating side, Traffic log
Initiating side, System log
Responding side, Traffic log

Question 26 of 50.
User-ID is enabled in the configuration of

A Zone.
A Security Profile.
An Interface.
A Security Policy.

Question 27 of 50.
What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?

A Blocked page response when the URL filtering policy to block is enforced.
A Success page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 Service unavailable" message.

Question 28 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?

Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.

Question 29 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True
False

Question 30 of 50.
A "Continue" action can be configured on which of the following Security Profiles?

URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Antivirus

Question 31 of 50.
Which of the following interface types can have an IP address assigned to it?

Layer 3
Layer 2
Tap
Virtual Wire

Question 32 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved DNS-based C&C signatures.
Improved PAN-DB malware detection.
Improved BrightCloud malware detection.
Improved malware detection in WildFire.

Question 33 of 50.
Security policies specify a source interface and a destination interface.
True
False

Question 34 of 50.

Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The SSH traffic will be denied.
The BitTorrent traffic will be allowed.
The SSH traffic will be allowed.
The BitTorrent traffic will be denied.

Question 35 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

A single IP address is used, and the source port number is unchanged.
The next available IP address in the configured pool is used, but the source port number is unchanged.
A single IP address is used, and the source port number is changed.
The next available address in the configured pool is used, and the source port number is changed.

Question 36 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?

System Logs and Authentication Logs.
System Logs and the indicator light under the User-ID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.

Question 37 of 50.
Which predefined Admin Role has all rights except the rights to create administrative accounts and virtual systems?

Superuser
Device Administrator
A custom admin role must be created for this specific combination of rights.
vsysadmin

Question 38 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.

True
False

Question 39 of 50.

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?

The interface is not up.
There is no zone assigned to the interface.
The interface is not assigned an IP address.
The interface is not assigned a virtual router.

Question 40 of 50.
Which type of license is required to perform Decryption Port Mirroring?

A subscription-based SSL Port license
A free PAN-PA-Decrypt license
A Client Decryption license
A subscription-based PAN-PA-Decrypt license

Question 41 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes
No

Question 42 of 50.
Which of the following CANNOT use the source user as a match criterion?

DoS Protection
Security Policies
Antivirus Profile
Policy-Based Forwarding
QoS

Question 43 of 50.
Which of the following must be enabled in order for User-ID to function?

Captive Portal Policies must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.
Security Policies must have the User-ID option enabled.

Question 44 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True
False

Question 45 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?

50
100
10
150

Question 46 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?

Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Under Packet Forwarding, selecting the VR Sync checkbox.

Question 47 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True
False

Question 48 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy

Question 49 of 50.
In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)

Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Question 50 of 50.
In PAN-OS 6.0, rule numbers are:

Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall's policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.
