Palo-Alto-Networks Certkiller ACE v2017-06-09 by Bill 85q PDF

ACE.
exam
Number: ACE
Passing Score: 800
Time Limit: 120 min
File Version: 5.0
http://www.gratisexam.com/
Palo Alto Networks
ACE
Accredited Configuration Engineer
Version 5.0
Exam A
QUESTION 1
Which mode will allow a user to choose when they wish to connect to the Global Protect Network?
A. Always On mode
B. Optional mode
C. Single SignOn mode
D. On Demand mode
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
After the installation of a new Application and Threat database, the firewall must be rebooted.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
QUESTION 3
Taking into account only the information in the screenshot above, answer the following question:
A span port or a switch is connected to e1/4, but there are no traffic logs.
Which of the following conditions most likely explains this behavior?
A. The interface is not assigned a virtual router.

B. The interface is not assigned an IP address.
C. The interface is not up.
D. There is no zone assigned to the interface.
Correct Answer: D
Section: (none)
Explanation
QUESTION 4
Which of the following platforms supports the Decryption Port Mirror function?
A. PA3000
B. VMSeries 100
C. PA2000
D. PA4000
Correct Answer: A
Section: (none)
Explanation
QUESTION 5
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
QUESTION 6
UserID is enabled in the configuration of:
A. a Security Profile.
B. an Interface.
C. a Security Policy.
D. a Zone.
Correct Answer: D
Section: (none)
Explanation
QUESTION 7
Which of the following interface types can have an IP address assigned to it?
A. Layer 3
B. Layer 2
C. Tap
D. Virtual Wire
Correct Answer: A
Section: (none)
Explanation
QUESTION 8
As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web based application, users call the Help Desk to complain about network connectivity issues.
What is the cause of the increased number of help desk calls?
A. The File Blocking Block Page was disabled.

B. Some AppID's are set with a Session Timeout value that is too low.
C. The firewall admin did not create a custom response page to notify potential users that their attempt to access the web based application is being blocked due to
policy.
D. Application Block Pages will only be displayed when Captive Portal is configured.
Correct Answer: B
Section: (none)
Explanation
QUESTION 9
Security policies specify a source interface and a destination interface.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
QUESTION 10
Select the implicit rules that are applied to traffic that fails to match any administrator defined Security Policies.
A. Intrazone traffic is allowed

B. Interzone traffic is denied
C. Intrazone traffic is denied
D. Interzone traffic is allowed
Correct Answer: AB
Section: (none)
Explanation
QUESTION 11
Besides selecting the Heartbeat Backup option when creating an ActivePassive HA Pair, which of the following also prevents "SplitBrain"?
A. Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
B. Under “Packet Forwarding”, selecting the VR Sync checkbox.
C. Configuring an independent backup HA1 link.
D. Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Correct Answer: D
Section: (none)
Explanation
QUESTION 12
Which of the following statements is NOT True regarding a Decryption Mirror interface?
A. Requires superuser privilege

B. Supports SSL outbound
C. Can be a member of any VSYS
D. Supports SSL inbound
Correct Answer: C
Section: (none)
Explanation
QUESTION 13
Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?
A. URL Categories (BrightCloud or PANDB),

B. Custom Categories, Block List, Allow List.
C. Block List, Allow List, URL Categories (BrightCloud or PANDB), Custom Categories.
D. Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PANDB).
E. Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PANDB).
Correct Answer: B
Section: (none)
Explanation
QUESTION 14
An interface in tap mode can transmit packets on the wire.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
QUESTION 15
Which of the following is NOT a valid option for builtin CLI Admin roles?
A. deviceadmin
B. superuser
C. devicereader
D. read/write
Correct Answer: D
Section: (none)
Explanation
QUESTION 16
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Applications
B. BrightCloud URL Filtering
C. Applications and Threats
D. Antivirus
Correct Answer: BD
Section: (none)
Explanation
QUESTION 17
In PANOS 6.0 and later, which of these items may be used as match criterion in a PolicyBased Forwarding Rule? (Choose three.)
A. Source User
B. Source Zone
C. Destination Zone
D. Application
Correct Answer: ABD

Section: (none)
Explanation
QUESTION 18
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
A. Always 2 megabytes.
B. Always 10 megabytes.
C. Configurable up to 2 megabytes.
D. Configurable up to 10 megabytes.
Correct Answer: D
Section: (none)
Explanation
QUESTION 19
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
A. The next available address in the configured pool is used, and the source port number is changed.
B. A single IP address is used, and the source port number is unchanged.
C. A single IP address is used, and the source port number is changed.
D. The next available IP address in the configured pool is used, but the source port number is unchanged.
Correct Answer: A
Section: (none)
Explanation
QUESTION 20
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
QUESTION 21
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the
public IP address is not static, the Peer ID can be a text value.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
QUESTION 22
Which of the following facts about dynamic updates is correct?
A. Antivirus updates are released daily. Application and Threat updates are released weekly.
B. Application and Antivirus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.
C. Application and Threat updates are released daily. Antivirus and URL Filtering updates are released weekly.
D. Threat and URL Filtering updates are released daily. Application and Antivirus updates are released weekly.
Correct Answer: A
Section: (none)
Explanation
QUESTION 23
“What is the result of an Administrator submitting a WildFire report’s verdict back to Palo Alto Networks as “Incorrect”?
A. The signature will be updated for False positive and False negative files in the next AV signature update.
B. The signature will be updated for False positive and False negative files in the next Application signature update.
C. You will receive an email to disable the signature manually.
D. You will receive an update within 15 minutes.
Correct Answer: A
Section: (none)
Explanation
QUESTION 24
When configuring the firewall for UserID, what is the maximum number of Domain Controllers that can be configured?
A. 100
B. 50
C. 10
D. 150
Correct Answer: A
Section: (none)
Explanation
QUESTION 25
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
QUESTION 26
Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response.
What is the most likely reason for the lack of response?
A. The interface is down.

B. There is a Security Policy that prevents ping.
C. There is no Management Profile.
D. There is no route back to the machine originating the ping.
Correct Answer: C
Section: (none)
Explanation
QUESTION 27
Which type of license is required to perform Decryption Port Mirroring?
A. A free PANPADecrypt license

B. A subscriptionbased
C. SSL Port license
D. A Client Decryption license
E. A subscriptionbased PANPADecrypt license
Correct Answer: A
Section: (none)
Explanation
QUESTION 28
In which of the following can UserID be used to provide a match condition?
A. Security Policies
B. NAT Policies
C. Zone Protection Policies
D. Threat Profiles
Correct Answer: A
Section: (none)
Explanation
QUESTION 29
Which of the following are necessary components of a GlobalProtect solution?
A. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal

B. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Server
C. GlobalProtect Gateway, GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect Server
D. GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, GlobalProtect Server
Correct Answer: A
Section: (none)
Explanation
QUESTION 30
Which feature can be configured to block sessions that the firewall cannot decrypt?
A. Decryption Profile in Decryption Policy

B. Decryption Profile in Security Profile
C. Decryption Profile in PBF
D. Decryption Profile in Security Policy
Correct Answer: A
Section: (none)
Explanation
QUESTION 31
How do you reduce the amount of information recorded in the URL Content Filtering Logs?
A. Enable "Log container page only".

B. Disable URL packet captures.
C. Enable URL log caching.
D. Enable DSRI.
Correct Answer: A
Section: (none)
Explanation
QUESTION 32
Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port
7777. Which statements are true?
A. The BitTorrent traffic will be allowed.

B. The SSH traffic will be allowed.
C. The SSH traffic will be denied.
D. The BitTorrent traffic will be denied.
Correct Answer: BD
Section: (none)
Explanation
QUESTION 33
Which of the following statements is NOT True about Palo Alto Networks firewalls?
A. The Admin account may be disabled.

B. System defaults may be restored by performing a factory reset in Maintenance Mode.
C. The Admin account may not be disabled.
D. Initial configuration may be accomplished thru the MGT interface or the Console port.
Correct Answer: A
Section: (none)
Explanation
QUESTION 34
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
A. Create an Authentication Sequence, dictating the order of authentication profiles.

B. Create multiple authentication profiles for the same user.
C. This cannot be done. A single user can only use one authentication type.
D. This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this
method.
Correct Answer: A
Section: (none)
Explanation
QUESTION 35
If the Forward Proxy Ready shows “no” when running the command show system setting ssl-decrypt setting, what is most likely the cause?
A. SSL forward proxy certificate is not generated

B. Web interface certificate is not generated
C. Forward proxy license is not enabled on the box n
D. SSL decryption rule is not created
Correct Answer: D
Section: (none)
Explanation
QUESTION 36
When adding an application in a Policy-based Forwarding rule, only a subset of the entire App-ID database is represented. Why would this be?
A. Policy-based forwarding can only indentify certain applications at this stage of the packet flow, as the majority of applications are only identified once the session
is created.
B. Policy-based forwarding rules require that a companion Security policy rule, allowing the needed Application traffic, must first be created.
C. The license for the Application ID database is no longer valid.
D. A custom application must first be defined before it can be added to a Policy-based forwarding rule.
Correct Answer: A
Section: (none)
Explanation
QUESTION 37
What option should be configured when using User Identification?
A. Enable User Identification per Zone

B. Enable User Identification per Security Rule
C. Enable User Identification per interface
D. None of the above
Correct Answer: A
Section: (none)
Explanation
QUESTION 38
A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption capabilities.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
QUESTION 39
To properly configure DOS protection to limit the number of sessions individually from specific source IPs you would configure a DOS Protection rule with the
following characteristics:
A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured
B. Action: Deny, Aggregate Profile with "Resources Protection" configured
C. Action: Protect, Aggregate Profile with "Resources Protection" configured
D. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured
Correct Answer: A
Section: (none)
Explanation
QUESTION 40
When setting up GlobalProtect, what is the job of the GlobalProtect Portal?
A. To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine
B. To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine
C. To load balance GlobalProtect client connections to GlobalProtect Gateways
Correct Answer: B
Section: (none)
Explanation
QUESTION 41
Which of the following fields is not available in DoS policy?
A. Destination Zone
B. Source Zone
C. Application
D. Service
Correct Answer: C
Section: (none)
Explanation
QUESTION 42
Which of the following are accurate statements describing the HA3 link in an Active-Active HA deployment?
A. HA3 is used for session synchronization
B. The HA3 link is used to transfer Layer 7 information
C. HA3 is used to handle asymmetric routing
D. HA3 is the control link
Correct Answer: A
Section: (none)
Explanation
QUESTION 43
What is the correct policy to most effectively block Skype?
A. Allow Skype, block Skype-probe

B. Allow Skype-probe, block Skype
C. Block Skype-probe, block Skype
D. Block Skype
Correct Answer: A
Section: (none)
Explanation
QUESTION 44
Which best describes how Palo Alto Networks firewall rules are applied to a session?
A. last match applied

B. first match applied
C. all matches applied
D. most specific match applied
Correct Answer: B
Section: (none)
Explanation
QUESTION 45
As the Palo Alto Networks administrator responsible for User Identification, you are looking for the simplest method of mapping network users that do not sign into
LDAP. Which information source would allow reliable User ID mapping for these users, requiring the least amount of configuration?
A. WMI Query
B. Exchange CAS Security Logs
C. Captive Portal
D. Active Directory Security Logs
Correct Answer: C
Section: (none)
Explanation
QUESTION 46
Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they would like?
A. Single Sign-On Mode

B. On Demand Mode
C. Always On Mode
D. Optional Mode
Correct Answer: B
Section: (none)
Explanation
QUESTION 47
Which of the following must be configured when deploying User-ID to obtain information from an 802.1x authenticator?
A. Terminal Server Agent

B. An Agentless deployment of User-ID, employing only the Palo Alto Networks Firewall
C. A User-ID agent, with the "Use for NTLM Authentication" option enabled.
D. XML API for User-ID Agent
Correct Answer: D
Section: (none)
Explanation
QUESTION 48
Which of the following options may be enabled to reduce system overhead when using Content ID?
A. STP
B. VRRP
C. RSTP
D. DSRI
Correct Answer: D
Section: (none)
Explanation
QUESTION 49
When creating an application filter, which of the following is true?
A. They are used by malware

B. Excessive bandwidth may be used as a filter match criteria
C. They are called dynamic because they automatically adapt to new IP addresses
D. They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in
the filter
Correct Answer: D
Section: (none)
Explanation
QUESTION 50
Which fields can be altered in the default Vulnerability profile?
A. Severity
B. Category
C. CVE
D. None
Correct Answer: D
Section: (none)
Explanation
QUESTION 51
When a user logs in via Captive Portal, their user information can be checked against:
A. Terminal Server Agent

B. Security Logs
C. XML API
D. Radius
Correct Answer: D
Section: (none)
Explanation
QUESTION 52
A "Continue" action can be configured on the following Security Profiles:
A. URL Filtering, File Blocking, and Data Filtering
B. URL Filtering
C. URL Filtering and Antivirus
D. URL Filtering and File Blocking
Correct Answer: D
Section: (none)
Explanation
QUESTION 53
As the Palo Alto Networks administrator, you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied
applications. Why would this be?
A. Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block pages enabled.
B. Application Block Pages will only be displayed when Captive Portal is configured
C. Some Application ID's are set with a Session Timeout value that is too low.
D. Application Block Pages will only be displayed when users attempt to access a denied web-based application.
Correct Answer: D
Section: (none)
Explanation
QUESTION 54
Wildfire may be used for identifying which of the following types of traffic?
A. URL content
B. DHCP
C. DNS
D. Viruses
Correct Answer: D
Section: (none)
Explanation
QUESTION 55
When Network Address Translation has been performed on traffic, Destination Zones in Security rules should be based on:
A. Post-NAT addresses
B. The same zones used in the NAT rules
C. Pre-NAT addresses
Correct Answer: A
Section: (none)
Explanation
QUESTION 56
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by:
A. Configuring a corresponding HA4 interface

B. Configuring HA3 as an Aggregate Ethernet bundle
C. Configuring multiple HA3 interfaces
D. Configuring HA3 in a redundant group
Correct Answer: B
Section: (none)
Explanation
QUESTION 57
An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?
A. Virtual Wire
B. Tap
C. L3
D. L2
Correct Answer: A
Section: (none)
Explanation
QUESTION 58
When a Palo Alto Networks firewall is forwarding traffic through interfaces configured for L2 mode, security policies can be set to match on multicast IP addresses.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
QUESTION 59
In an Anti-Virus profile, changing the action to “Block” for IMAP or POP decoders will result in the following:
A. The connection from the server will be reset

B. The Anti-virus profile will behave as if “Alert” had been specified for the action
C. The traffic will be dropped by the firewall
D. Error 541 being sent back to the server
Correct Answer: B
Section: (none)
Explanation
QUESTION 60
After configuring Captive Portal in Layer 3 mode, users in the Trust Zone are not receiving the Captive Portal authentication page when they launch their web
browsers. How can this be corrected?
A. Ensure that all users in the Trust Zone are using NTLM-capable browsers
B. Enable "Response Pages" in the Interface Management Profile that is applied to the L3 Interface in the Trust Zone.
C. Confirm that Captive Portal Timeout value is not set below 2 seconds
D. Enable "Redirect " as the Mode type in the Captive Portal Settings
Correct Answer: AB
Section: (none)
Explanation
QUESTION 61
The "Disable Server Return Inspection" option on a security profile:
A. Can only be configured in Tap Mode

B. Should only be enabled on security policies allowing traffic to a trusted server.
C. Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet
D. Only performs inspection of traffic from the side that originated the TCP SYN-ACK packet
Correct Answer: B
Section: (none)
Explanation
QUESTION 62
A user complains that they are no longer able to access a needed work application after you have implemented vulnerability and anti-spyware profiles. The user's
application uses a unique port. What is the most efficient way to allow the user access to this application?
A. Utilize an Application Override Rule, referencing the custom port utilized by this application. Application Override rules bypass all Layer 7 inspection, thereby
allowing access to this application.
B. In the Threat log, locate the event which is blocking access to the user's application and create a IP-based exemption for this user.
C. In the vulnerability and anti-spyware profiles, create an application exemption for the user's application.
D. Create a custom Security rule for this user to access the required application. Do not apply vulnerability and anti-spyware profiles to this rule.
Correct Answer: B
Section: (none)
Explanation
QUESTION 63
You’d like to schedule a firewall policy to only allow a certain application during a particular time of day. Where can this policy option be configured?
A. Policies > Security > Service

B. Policies > Security > Options
C. Policies > Security > Application
D. Policies > Security > Profile
Correct Answer: D
Section: (none)
Explanation
QUESTION 64
What is the size limitation of files manually uploaded to WildFire?
A. Configurable up to 10 megabytes
B. Hard-coded at 10 megabytes
C. Hard-coded at 2 megabytes
D. Configurable up to 20 megabytes
Correct Answer: A
Section: (none)
Explanation
QUESTION 65
Enabling "Highlight Unused Rules" in the Security policy window will:
A. Highlight all rules that did not immediately match traffic.

B. Highlight all rules that did not match traffic since the rule was created or since last reboot of the firewall.
C. Allows the administrator to troubleshoot rules when a validation error occurs at the time of commit.
D. Allow the administrator to temporarily disable rules that do not match traffic, for testing purposes.
Correct Answer: B
Section: (none)
Explanation
QUESTION 66
In PAN-OS 5.0, which of the following features is supported with regards to IPv6?
A. OSPF
B. NAT64
C. IPSec VPN tunnels
Correct Answer: B
Section: (none)
Explanation
QUESTION 67
Which statement accurately reflects the functionality of using regions as objects in Security policies?
A. Predefined regions are provided for countries, not but not for cities. The administrator can set up custom regions, including latitude and longitude, to specify the
geographic position of that particular region.
B. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. These custom regions
can be used in the "Source User" field of the Security Policies.
C. Regions cannot be used in the "Source User" field of the Security Policies, unless the administrator has set up custom regions.
D. The administrator can set up custom regions, including latitude and longitude, to specify the geographic position of that particular region. Both predefined regions
and custom regions can be used in the "Source User" field.
Correct Answer: A
Section: (none)
Explanation
QUESTION 68
When employing the Brightcloud URL filtering database on the Palo Alto Networks firewalls, the order of checking within a profile is:
A. Block List, Allow List, Custom Categories, Cache Files, Predefined Categories, Dynamic URL Filtering
B. Block List, Allow List, Cache Files, Custom Categories, Predefined Categories, Dynamic URL Filtering
C. Dynamic URL Filtering, Block List, Allow List, Cache Files, Custom Categories, Predefined Categories
Correct Answer: A
Section: (none)
Explanation
QUESTION 69
The following can be configured as a next hop in a Static Route:
A. A Policy-Based Forwarding Rule
B. Virtual System
C. A Dynamic Routing Protocol
D. Virtual Router
Correct Answer: D
Section: (none)
Explanation
QUESTION 70
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the "Forward" and "Continue and Forward" File-Blocking actions

B. A custom file blocking action must be enabled for all PDF and PE type files
C. Wildfire is automatically enabled with a valid URL-Filtering license
D. Via the URL-Filtering "Continue" Action.
Correct Answer: A
Section: (none)
Explanation
QUESTION 71
Traffic going to a public IP address is being translated by your PANW firewall to your web server's private IP. Which IP should the Security Policy use as the
"Destination IP" in order to allow traffic to the server.
A. The server’s public IP

B. The firewall’s gateway IP
C. The server’s private IP
D. The firewall’s MGT IP
Correct Answer: A
Section: (none)
Explanation
QUESTION 72
You have decided to implement a Virtual Wire Subinterface. Which options can be used to classify traffic?
A. Either VLAN tag or IP address, provided that each tag or ID is contained in the same zone.
B. Subinterface ID and VLAN tag only
C. By Zone and/or IP Classifier
D. VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet).
Correct Answer: D
Section: (none)
Explanation
QUESTION 73
How do you limit the amount of information recorded in the URL Content Filtering Logs?
A. Enable DSRI
B. Disable URL packet captures
C. Enable URL log caching
D. Enable Log container page only
Correct Answer: D
Section: (none)
Explanation
QUESTION 74
When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application need to also be enabled if the application does not
employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
QUESTION 75
Users can be authenticated serially to multiple authentication servers by configuring:
A. Multiple RADIUS Servers sharing a VSA configuration

B. Authentication Sequence
C. Authentication Profile
D. A custom Administrator Profile
Correct Answer: B
Section: (none)
Explanation
QUESTION 76
When creating a Security Policy to allow Facebook in PAN-OS 5.0, how can you be sure that no other web-browsing traffic is permitted?
A. Ensure that the Service column is defined as "application-default" for this security rule. This will automatically include the implicit web-browsing application
dependency.
B. Create a subsequent rule which blocks all other traffic
C. When creating the rule, ensure that web-browsing is added to the same rule. Both applications will be processed by the Security policy, allowing only Facebook to
be accessed. Any other applications can be permitted in subsequent rules.
D. No other configuration is required on the part of the administrator, since implicit application dependencies will be added automatically.
Correct Answer: D
Section: (none)
Explanation
QUESTION 77
In PAN-OS 5.0, how is Wildfire enabled?
A. Via the URL-Filtering "Continue" Action

B. Wildfire is automatically enabled with a valid URL-Filtering license
C. A custom file blocking action must be enabled for all PDF and PE type files
D. Via the "Forward" and "Continue and Forward" File-Blocking actions
Correct Answer: A
Section: (none)
Explanation
QUESTION 78
When configuring Security rules based on FQDN objects, which of the following statements are true?
A. The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security rules are evaluated.
B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. There is no limit on the number of IP addresses stored for
each resolved FQDN.
C. In order to create FQDN-based objects, you need to manually define a list of associated IP. Up to 10 IP addresses can be configured for each FQDN entry.
D. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The resolution of this FQDN stores up to 10 different IP
addresses.
Correct Answer: C
Section: (none)
Explanation
QUESTION 79
When troubleshooting Phase 1 of an IPSec VPN tunnel, what location will have the most informative logs?
A. Responding side, Traffic Logs

B. Initiating side, Traffic Logs
C. Responding side, System Logs
D. Initiating side, System Logs
Correct Answer: C
Section: (none)
Explanation
QUESTION 80
Configuring a pair of devices into an Active/Active HA pair provides support for:
A. Higher session count

B. Redundant Virtual Routers
C. Asymmetric routing environments
D. Lower fail-over times
Correct Answer: B
Section: (none)
Explanation
QUESTION 81
Which of the Dynamic Updates listed below are issued on a daily basis?
A. Global Protect
B. URL Filtering
C. Antivirus
D. Applications and Threats
Correct Answer: BC
Section: (none)
Explanation
QUESTION 82
Select the implicit rules enforced on traffic failing to match any user defined Security Policies:
A. Intra-zone traffic is denied

B. Inter-zone traffic is denied
C. Intra-zone traffic is allowed
D. Inter-zone traffic is allowed
Correct Answer: BC
Section: (none)
Explanation
QUESTION 83
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles).
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
QUESTION 84
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
A. Dynamic numbers that refer to a security policy’s order and are especially useful when filtering security policies by tags
B. Numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement
C. Static numbers that must be manually re-numbered whenever a new security policy is added
Correct Answer: A
Section: (none)
Explanation
QUESTION 85
Which of the following is NOT a valid option for built-in CLI access roles?
A. read/write
B. superusers
C. vsysadmin
D. deviceadmin
Correct Answer: A
Section: (none)
Explanation

Palo-Alto-Networks Certkiller ACE v2017-06-09 by Bill 85q PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Palo-Alto-Networks Certkiller ACE v2017-06-09 by Bill 85q PDF

Загружено:

Авторское право:

Доступные форматы

ACE.

Palo Alto Networks

Accredited Configuration Engineer

A. The interface is not assigned a virtual router.

A. The File Blocking Block Page was disabled.

A. Intrazone traffic is allowed

A. Requires superuser privilege

A. URL Categories (BrightCloud or PANDB),

Correct Answer: ABD

A. The interface is down.

A. A free PANPADecrypt license

A. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal

A. Decryption Profile in Decryption Policy

A. Enable "Log container page only".

A. The BitTorrent traffic will be allowed.

A. The Admin account may be disabled.

A. Create an Authentication Sequence, dictating the order of authentication profiles.

A. SSL forward proxy certificate is not generated

A. Enable User Identification per Zone

A. HA3 is used for session synchronization

A. Allow Skype, block Skype-probe

A. last match applied

A. Single Sign-On Mode

A. Terminal Server Agent

A. They are used by malware

A. Terminal Server Agent

A. Configuring a corresponding HA4 interface

A. The connection from the server will be reset

A. Can only be configured in Tap Mode

A. Policies > Security > Service

A. Highlight all rules that did not immediately match traffic.

A. Via the "Forward" and "Continue and Forward" File-Blocking actions

A. The server’s public IP

A. Multiple RADIUS Servers sharing a VSA configuration

A. Via the URL-Filtering "Continue" Action

A. Responding side, Traffic Logs

A. Higher session count

A. Intra-zone traffic is denied

Вам также может понравиться