Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 8.

0
Version

ACE 8.0

Question 1 of 40.

An Interface Management Profile can be attached to which two interface types? (Choose two.)
Layer 3

Layer 2

Virtual Wire

Tap

Loopback

Mark for follow up

Question 2 of 40.

App-ID running on a firewall identifies applications using which three methods? (Choose three.)
WildFire lookups

Program heuristics

Application signatures

Known protocol decoders

PAN-DB lookups

Mark for follow up

Question 3 of 40.

Application block pages can be enabled for which applications?

web-based

non-TCP/IP

MGT port-based

any
 Mark for follow up

Question 4 of 40.

Because a firewall examines every packet in a session, a firewall can detect application ________?

errors

filters

groups

shifts

Mark for follow up

Question 5 of 40.

Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate that you
should take which action?

Validate your Security policy rules.

Re-download the URL seed database.

Validate connectivity to the PAN-DB cloud.

Reboot the firewall.

Mark for follow up

Question 6 of 40.

For which firewall feature should you create forward trust and forward untrust certificates?

SSL forward proxy decryption

SSL Inbound Inspection decryption

SSL client-side certificate checking

SSH decryption

Mark for follow up

Question 7 of 40.
If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are recorded in
which log type?

Threat

Data Filtering

WildFire Submissions

Traffic

Mark for follow up

Question 8 of 40.

In a destination NAT configuration, which option accurately completes the following sentence? A Security
policy rule should be written to match the _______.

post-NAT source and destination addresses, and the post-NAT destination zone

original pre-NAT source and destination addresses, and the pre-NAT destination zone

original pre-NAT source and destination addresses, but the post-NAT destination zone

post-NAT source and destination addresses, but the pre-NAT destination zone

Mark for follow up

Question 9 of 40.

In a Security Profile, which action does a firewall take when the profiles action is configured as Reset
Server? (Choose two.)
The traffic responder is reset.

For UDP sessions, the connection is reset.

For UDP sessions, the connection is dropped.

The client is reset.

Mark for follow up

Question 10 of 40.

In an HA configuration, which three components are synchronized between the pair of firewalls? (Choose
three.)
logs

policies
 networks

objects

Mark for follow up

Question 11 of 40.

In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose three.)
exchanging hellos

synchronizing sessions

synchronizing configuration

exchanging heartbeats

Mark for follow up

Question 12 of 40.

In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.)
hellos

link groups

path groups

heartbeats

Mark for follow up

Question 13 of 40.

On a firewall that has 32 Ethernet ports and is configured with a dynamic IP and port (DIPP) NAT
oversubscription rate of 2x, what is the maximum number of concurrent sessions supported by each
available IP address?

32

64K

128K

64

Mark for follow up

Question 14 of 40.

Which two user mapping methods are supported by the User-ID integrated agent? (Choose two.)
LDAP Filters

WMI probing

NetBIOS Probing

Client Probing

Mark for follow up

Question 15 of 40.

SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.)
client's digital certificate

client's public key

server's digital certificate

server's private key

Mark for follow up

Question 16 of 40.

The Threat log records events from which three Security Profiles? (Choose three.)
WildFire Analysis

File Blocking

Vulnerability Protection

Antivirus

Anti-Spyware

URL Filtering

Mark for follow up

Question 17 of 40.

The WildFire Portal website supports which three operations? (Choose three.)
request firewall WildFire licenses
 view WildFire verdicts

upload files to WildFire for analysis

report incorrect verdicts

Mark for follow up

Question 18 of 40.

What are three connection methods for the GlobalProtect agent? (Choose three.)
User-Logon

Pre-Logon

On-demand

Captcha portal

Mark for follow up

Question 19 of 40.

What are two benefits of attaching a Decryption Profile to a Decryption policy no-decrypt rule? (Choose two.)
acceptable protocol checking

URL category match checking

expired certificate checking

untrusted certificate checking

Mark for follow up

Question 20 of 40.

What is a characteristic of Dynamic Admin Roles?

Role privileges can be dynamically updated by a firewall administrator.

They can be dynamically created or deleted by a firewall administrator.

They can be dynamically modified by external authorization systems.

Role privileges can be dynamically updated with newer software releases.

Mark for follow up

Question 21 of 40.

What is the result of performing a firewall Commit operation?

The loaded configuration becomes the candidate configuration.

The candidate configuration becomes the saved configuration.

The saved configuration becomes the loaded configuration.

The candidate configuration becomes the running configuration.

Mark for follow up

Question 22 of 40.

When SSL traffic passes through the firewall, which component is evaluated first?

Decryption policy

Decryption Profile

Security policy

Decryption exclusions list

Mark for follow up

Question 23 of 40.

Where does a GlobalProtect client connect to first when trying to connect to the network?

AD agent

GlobalProtect Gateway

GlobalProtect Portal

User-ID agent

Mark for follow up

Question 24 of 40.

Which action in a File Blocking Security Profile results in the user being prompted to verify a file transfer?

Block
 Allow

Alert

Continue

Mark for follow up

Question 25 of 40.

Which condition must exist before a firewall's in-band interface can process traffic?

The firewall must be assigned to a security zone.

The firewall must be enabled.

The firewall must not be a loopback interface.

The firewall must be assigned an IP address.

Mark for follow up

Question 26 of 40.

Which four actions can be applied to traffic matching a URL Filtering Security Profile? (Choose four.)
Reset Server

Continue

Reset Client

Alert

Override

Block

Mark for follow up

Question 27 of 40.

Which interface type does NOT require any configuration changes to adjacent network devices?

Virtual Wire

Tap

Layer 3

Layer 2
 Mark for follow up

Question 28 of 40.

Which interface type is NOT assigned to a security zone?

Virtual Wire

HA

Layer 3

VLAN

Mark for follow up

Question 29 of 40.

Which statement describes a function provided by an Interface Management Profile?

It determines which firewall services are accessible from external devices.

It determines which administrators can manage which interfaces.

It determines the NetFlow and LLDP interface management settings.

It determines which external services are accessible by the firewall.

Mark for follow up

Question 30 of 40.

Which statement describes the Export named configuration snapshot operation?

The candidate configuration is transferred from memory to the firewall's storage device.

A saved configuration is transferred to an external hosts storage device.

Mark for follow up

Question 31 of 40.
Which statement is true about a URL Filtering Profile continue password?

There is a password per firewall administrator account.

There is a password per session.

There is a single, per-firewall password.

There is a password per website.

Mark for follow up

Question 32 of 40.

Which three components can be sent to WildFire for analysis? (Choose three.)
URL links found in email

files traversing the firewall

MGT interface traffic

email attachments

Mark for follow up

Question 33 of 40.

Which three MGT port configuration settings are required in order to access the WebUI? (Choose three.)
IP address

Default gateway

Hostname

Netmask

Mark for follow up

Question 34 of 40.

Which three network modes are supported by active/passive HA? (Choose three.)
Layer 3

Virtual Wire

Layer 2

Tap
 Mark for follow up

Question 35 of 40.

Which three statements are true regarding sessions on the firewall? (Choose three.)
Network packets are always matched to a session.

Sessions are always matched to a Security policy rule.

The only session information tracked in the session logs are the five-tuples.

Return traffic is allowed.

Mark for follow up

Question 36 of 40.

Which two file types can be sent to WildFire for analysis if a firewall has only a standard subscription
service? (Choose two.)
.exe

.dll

.pdf

.jar

Mark for follow up

Question 37 of 40.

Which two User-ID methods are used to verify known IP address-to-user mappings? (Choose two.)
Server Monitoring

Session Monitoring

Captive Portal

Client Probing

Mark for follow up

Question 38 of 40.

Which type of content update does NOT have to be scheduled for download on the firewall?

dynamic update threat signatures

 dynamic update antivirus signatures

WildFire antivirus signatures

PAN-DB updates

Mark for follow up

Question 39 of 40.

Which user mapping method is recommended for a highly mobile user base?

Client Probing

Server Monitoring

GlobalProtect

Session Monitoring

Mark for follow up

Question 40 of 40.

Which User-ID user mapping method is recommended for environments where users frequently change IP
addresses?

Captive Portal

Server Monitoring

Client Probing

Session Monitoring

Mark for follow up

Save / Return Later Summary