ACE Exam - PAN-OS 6.1
Transcript of ACE Exam - PAN-OS 6.1
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 1/7
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.1 Version
ACE Exam

Question 1 of 50.
The following can be configured as a next hop in a static route:
A Policy-Based Forwarding Rule
Virtual Systems
Virtual Router
Virtual Switch

Question 2 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > .... and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot

Question 3 of 50.
Which statement below is True?
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.

Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.

Question 5 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
True
False

Question 6 of 50.
The screenshot above shows part of a firewall's configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall's configuration? (Select all correct answers.)
There must be a security policy from Internet zone to trust zone that allows ping.
There must be a security policy from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)

Question 7 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Decryption Profile in PBF
Decryption Profile in Security Profile

Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True
False

Question 9 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
To permit syslogging of User Identification events.
To pull information from other network resources for User-ID.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.

Question 10 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Initial configuration may be accomplished thru the MGT interface or the Console port.
The default Admin account may be disabled or deleted.
By default the MGT Port's IP Address is 192.168.1.1/24.
System defaults may be restored by performing a factory reset in Maintenance Mode.

Question 11 of 50.
After the installation of a new version of PAN-OS, the firewall must be rebooted.
True
False

Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)
BrightCloud URL Filtering
Applications and Threats
Applications
Antivirus

Question 13 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Address Objects
Service Groups
Zones
Vulnerability Profiles

Question 14 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
True
False

Question 15 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True
False

Question 16 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Virtual Router
VLAN
Virtual Wire
Security Profile

Question 17 of 50.
An interface in tap mode can transmit packets on the wire.
True
False

Question 18 of 50.
When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:
The Post-NAT destination zone and Post-NAT IP address.
The Pre-NAT destination zone and Pre-NAT IP address.
The Pre-NAT destination zone and Post-NAT IP address.
The Post-NAT destination zone and Pre-NAT IP address.

Question 19 of 50.
Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)
BitTorrent
Gnutella
Skype
SSH

Question 20 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?
In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.

Question 21 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
Multiple RADIUS servers sharing a VSA configuration.
A custom Administrator Profile.
An Authentication Profile.

Question 22 of 50.
Will an exported configuration contain Management Interface settings?
Yes
No

Question 23 of 50.
When using Config Audit, the color yellow indicates which of the following?
A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.

Question 24 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.

Question 25 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Responding side, System Log
Initiating side, Traffic log
Initiating side, System log
Responding side, Traffic log

Question 26 of 50.
User-ID is enabled in the configuration of
A Zone.
A Security Profile.
An Interface.
A Security Policy.

Question 27 of 50.
What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?
A Blocked page response when the URL filtering policy to block is enforced.
A Success page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 Service unavailable" message.

Question 28 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that web-browsing is included in the same rule.

Question 29 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True
False

Question 30 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Antivirus

Question 31 of 50.
Which of the following interface types can have an IP address assigned to it?
Layer 3
Layer 2
Tap
Virtual Wire

Question 32 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
Improved DNS-based C&C signatures.
Improved PAN-DB malware detection.
Improved BrightCloud malware detection.
Improved malware detection in WildFire.

Question 33 of 50.
Security policies specify a source interface and a destination interface.
True
False

Question 34 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
The SSH traffic will be denied.
The BitTorrent traffic will be allowed.
The SSH traffic will be allowed.
The BitTorrent traffic will be denied.

Question 35 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
A single IP address is used, and the source port number is unchanged.
The next available IP address in the configured pool is used, but the source port number is unchanged.
A single IP address is used, and the source port number is changed.
The next available address in the configured pool is used, and the source port number is changed.

Question 36 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?
System Logs and Authentication Logs.
System Logs and the indicator light under the User-ID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.

Question 37 of 50.
Which predefined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
Superuser
Device Administrator
A custom admin role must be created for this specific combination of rights.
vsysadmin

Question 38 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
True
False

Question 39 of 50.
Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?
The interface is not up.
There is no zone assigned to the interface.
The interface is not assigned an IP address.
The interface is not assigned a virtual router.

Question 40 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A subscription-based SSL Port license
A free PAN-PA-Decrypt license
A Client Decryption license
A subscription-based PAN-PA-Decrypt license

Question 41 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes
No

Question 42 of 50.
Which of the following CANNOT use the source user as a match criterion?
DoS Protection
Security Policies
Antivirus Profile
Policy-Based Forwarding
QoS

Question 43 of 50.
Which of the following must be enabled in order for User-ID to function?
Captive Portal Policies must be enabled.
User-ID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.
Security Policies must have the User-ID option enabled.

Question 44 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
True
False

Question 45 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?
50
100
10
150

Question 46 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split Brain"?
Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
Configuring an independent backup HA1 link.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
Under Packet Forwarding, selecting the VR Sync checkbox.

Question 47 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.
True
False

Question 48 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy

Question 49 of 50.
In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles

Question 50 of 50.
In PAN-OS 6.0, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall's policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.