ACE Exam - PAN-OS 6.1

ACE, PAN-OS 6.1, Accredited Configuration Engineer

Transcript of ACE Exam - PAN-OS 6.1

  • 4/7/2015 Empowering People: paloaltonetworks

    https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 1/7

    Test Accredited Configuration Engineer (ACE) Exam PAN-OS 6.1 Version

    ACE Exam

    Question 1 of 50.

    The following can be configured as a next hop in a static route:

      • A Policy-Based Forwarding Rule
      • Virtual Systems
      • Virtual Router
      • Virtual Switch

    Question 2 of 50.

    As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > .... and then what operation?

      • Revert to Running Configuration
      • Revert to last Saved Configuration
      • Load Configuration Version
      • Import Named Configuration Snapshot

    Question 3 of 50.

    Which statement below is True?

      • PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
      • PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
      • PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
      • PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.

    Question 4 of 50.

    When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:

      • Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.
      • Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
      • Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.
      • Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.

    Question 5 of 50.

    With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.

      • True
      • False

    Question 6 of 50.

    The screenshot above shows part of a firewall's configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall's configuration? (Select all correct answers.)

      • There must be a security policy from Internet zone to trust zone that allows ping.
      • There must be a security policy from trust zone to Internet zone that allows ping.
      • There must be appropriate routes in the default virtual router.
      • There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)

    Question 7 of 50.

    Which feature can be configured to block sessions that the firewall cannot decrypt?

      • Decryption Profile in Security Policy
      • Decryption Profile in Decryption Policy
      • Decryption Profile in PBF
      • Decryption Profile in Security Profile

    Question 8 of 50.

    All of the interfaces on a Palo Alto Networks device must be of the same interface type.

      • True
      • False

    Question 9 of 50.

    Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

      • To permit syslogging of User Identification events.
      • To pull information from other network resources for User-ID.
      • To allow the firewall to push User-ID information to a Network Access Control (NAC) device.

    Question 10 of 50.

    Which of the following statements is NOT True about Palo Alto Networks firewalls?

      • Initial configuration may be accomplished thru the MGT interface or the Console port.
      • The default Admin account may be disabled or deleted.
      • By default the MGT Port's IP Address is 192.168.1.1/24.
      • System defaults may be restored by performing a factory reset in Maintenance Mode.

    Question 11 of 50.

    After the installation of a new version of PAN-OS, the firewall must be rebooted.

      • True
      • False

    Question 12 of 50.

    Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct answers.)

      • BrightCloud URL Filtering
      • Applications and Threats
      • Applications
      • Antivirus

    Question 13 of 50.

    Color-coded tags can be used on all of the items listed below EXCEPT:

      • Address Objects
      • Service Groups
      • Zones
      • Vulnerability Profiles

    Question 14 of 50.

    In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.

      • True
      • False

    Question 15 of 50.

    You can assign an IP address to an interface in Virtual Wire mode.

      • True
      • False

    Question 16 of 50.

    In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:

      • Virtual Router
      • VLAN
      • Virtual Wire
      • Security Profile

    Question 17 of 50.

    An interface in tap mode can transmit packets on the wire.

      • True
      • False

    Question 18 of 50.

    When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:

      • The Post-NAT destination zone and Post-NAT IP address.
      • The Pre-NAT destination zone and Pre-NAT IP address.
      • The Pre-NAT destination zone and Post-NAT IP address.
      • The Post-NAT destination zone and Pre-NAT IP address.

    Question 19 of 50.

    Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)

      • BitTorrent
      • Gnutella
      • Skype
      • SSH

    Question 20 of 50.

    When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?

      • In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
      • The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
      • The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.

    Question 21 of 50.

    Users may be authenticated sequentially to multiple authentication servers by configuring:

      • An Authentication Sequence.
      • Multiple RADIUS servers sharing a VSA configuration.
      • A custom Administrator Profile.
      • An Authentication Profile.

    Question 22 of 50.

    Will an exported configuration contain Management Interface settings?

      • Yes
      • No

    Question 23 of 50.

    When using Config Audit, the color yellow indicates which of the following?

      • A setting has been changed between the two config files
      • A setting has been deleted from a config file.
      • A setting has been added to a config file
      • An invalid value has been used in a config file.

    Question 24 of 50.

    When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

      • Create an Authentication Sequence, dictating the order of authentication profiles.
      • Create multiple authentication profiles for the same user.
      • This cannot be done. A single user can only use one authentication type.
      • This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.

    Question 25 of 50.

    When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?

      • Responding side, System Log
      • Initiating side, Traffic log
      • Initiating side, System log
      • Responding side, Traffic log

    Question 26 of 50.

    User-ID is enabled in the configuration of

      • A Zone.
      • A Security Profile.
      • An Interface.
      • A Security Policy.

    Question 27 of 50.

    What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?

      • A Blocked page response when the URL filtering policy to block is enforced.
      • A Success page response when the site is successfully translated.
      • The browser will be redirected to the original website address.
      • An "HTTP Error 503 Service unavailable" message.

    Question 28 of 50.

    When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?

      • Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
      • Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
      • Create an additional rule that blocks all other traffic.
      • When creating the policy, ensure that web-browsing is included in the same rule.

    Question 29 of 50.

    Both SSL decryption and SSH decryption are disabled by default.

      • True
      • False

    Question 30 of 50.

    A "Continue" action can be configured on which of the following Security Profiles?

      • URL Filtering and File Blocking
      • URL Filtering only
      • URL Filtering, File Blocking, and Data Filtering
      • URL Filtering and Antivirus

    Question 31 of 50.

    Which of the following interface types can have an IP address assigned to it?

      • Layer 3
      • Layer 2
      • Tap
      • Virtual Wire

    Question 32 of 50.

    What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)

      • Improved DNS-based C&C signatures.
      • Improved PAN-DB malware detection.
      • Improved BrightCloud malware detection.
      • Improved malware detection in WildFire.

    Question 33 of 50.

    Security policies specify a source interface and a destination interface.

      • True
      • False

    Question 34 of 50.

    Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?

      • The SSH traffic will be denied.
      • The BitTorrent traffic will be allowed.
      • The SSH traffic will be allowed.
      • The BitTorrent traffic will be denied.

    Question 35 of 50.

    Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

      • A single IP address is used, and the source port number is unchanged.
      • The next available IP address in the configured pool is used, but the source port number is unchanged.
      • A single IP address is used, and the source port number is changed.
      • The next available address in the configured pool is used, and the source port number is changed.

    Question 36 of 50.

    What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?

      • System Logs and Authentication Logs.
      • System Logs and the indicator light under the User-ID Agent settings in the firewall.
      • System Logs and an indicator light on the chassis.
      • Traffic Logs and Authentication Logs.

    Question 37 of 50.

    Which predefined Admin Role has all rights except the rights to create administrative accounts and virtual systems?

      • Superuser
      • Device Administrator
      • A custom admin role must be created for this specific combination of rights.
      • vsysadmin

    Question 38 of 50.

    An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.

      • True
      • False

    Question 39 of 50.

    Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?

      • The interface is not up.
      • There is no zone assigned to the interface.
      • The interface is not assigned an IP address.
      • The interface is not assigned a virtual router.

    Question 40 of 50.

    Which type of license is required to perform Decryption Port Mirroring?

      • A subscription-based SSL Port license
      • A free PAN-PA-Decrypt license
      • A Client Decryption license
      • A subscription-based PAN-PA-Decrypt license

    Question 41 of 50.

    Can multiple administrator accounts be configured on a single firewall?

      • Yes
      • No

    Question 42 of 50.

    Which of the following CANNOT use the source user as a match criterion?

      • DoS Protection
      • Security Policies
      • Antivirus Profile
      • Policy-Based Forwarding
      • QoS

    Question 43 of 50.

    Which of the following must be enabled in order for User-ID to function?

      • Captive Portal Policies must be enabled.
      • User-ID must be enabled for the source zone of the traffic that is to be identified.
      • Captive Portal must be enabled.
      • Security Policies must have the User-ID option enabled.

    Question 44 of 50.

    In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.

      • True
      • False

    Question 45 of 50.

    When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?

      • 50
      • 100
      • 10
      • 150

    Question 46 of 50.

    Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of the following also prevents "Split-Brain"?

      • Creating a custom interface under Service Route Configuration, and assigning this interface as the backup HA2 link.
      • Configuring an independent backup HA1 link.
      • Configuring a backup HA2 link that points to the MGT interface of the other device in the pair.
      • Under Packet Forwarding, selecting the VR Sync checkbox.

    Question 47 of 50.

    Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.

      • True
      • False

    Question 48 of 50.

    When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

      • SSH Proxy
      • SSL Forward Proxy
      • SSL Inbound Inspection
      • SSL Reverse Proxy

    Question 49 of 50.

    In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)

      • Security Policies
      • NAT Policies
      • Zone Protection Policies
      • Threat Profiles

    Question 50 of 50.

    In PAN-OS 6.0, rule numbers are:

      • Numbers that specify the order in which security policies are evaluated.
      • Numbers created to be unique identifiers in each firewall's policy database.
      • Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
      • Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.