Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
Question 1 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?
Question 2 of 50.
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels?
Before PAN-OS 7.0, the Palo Alto Networks firewall was able to decode up to two levels of encoding. Files exceeding this level would be allowed to bypass file blocking. Since PAN-OS 7.0, the maximum level of decoding has been increased to 4.
Examples of encoding levels:
Word document (docx) in a zip file sent by email defines three levels of encoding
Word document (docx) zipped and sent through HTTP chunk encoding and gzip compression defines four levels of encoding
Question 3 of 50.
What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?
System Logs and the indicator light under the User-ID Agent settings in the firewall.
Traffic Logs and Authentication Logs.
System Logs and Authentication Logs.
System Logs and an indicator light on the chassis.
From the manual:
“Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings:
1. Select Device > User Identification > User-ID Agents and click Add…
7. Verify that the Connected status displays as connected (a green light).”
Question 4 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot
Restore the current running configuration.
This operation undoes all the changes you made to the candidate configuration since the last commit.
Select Device > Setup > Operations and Revert to running configuration.
Click Yes to confirm the operation.
Question 5 of 50.
An interface in tap mode can transmit packets on the wire.
TAP Mode deployment allows only passive monitoring of the traffic flow across a network by using the SPAN feature. No traffic is coming through.
The V-Wire deployment options overcome the limitations of TAP mode deployment, as engineers are able to monitor and control traffic traversing the link. A Virtual Wire interface supports App-ID, User-ID, Content-ID, NAT and decryption.
Question 6 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
The Decryption Port mirror feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures–such as NetWitness or Solera–for archiving and analysis. Decryption port mirroring is available on PA-7050, PA-5000 Series and PA-3000 Series platforms only.
Question 7 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
Always 10 megabytes.
Configurable up to 10 megabytes.
Configurable up to 2 megabytes.
Always 2 megabytes.
On PAN-OS 6.0, WildFire supports multiple file types:
JAR (max. 10 MB)
Executables (max. 10 MB)
PDF (max. 1000 KB)
MS Office Docs (max. 10000 KB)
Android APK (max. 50 MB)
Question 8 of 50.
After the installation of a new Application and Threat database, the firewall must be rebooted.
To install a new update:
Click Download next to the update to be installed. When the download is complete, a checkmark is displayed in the Downloaded column.
To install a downloaded content update, click Install next to the update.
Question 9 of 50.
The following can be configured as a next hop in a static route:
A Policy-Based Forwarding Rule
Question 10 of 50.
WildFire analyzes files to determine whether or not they are malicious. When doing so, WildFire will classify the file with an official verdict. This verdict is known as the WildFire Analysis verdict. Choose the three correct classifications as a result of this analysis and classification?
Question 11 of 50.
Which of the following CANNOT use the source user as a match criterion?
Policy Based Forwarding
QoS, Policy Based Forwarding, DoS Protection, Secuirty Policies have Source User as a match criterion.
Question 12 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order to process traffic.
Security Zone Overview
Security zones are a logical way to group physical and virtual interfaces on the firewall in order to control and log the traffic that traverses (through these interface on) your network. An interface on the firewall must be assigned to a security zone before the interface can process traffic.
Question 13 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Link and Session Monitors
VR and VSYS Monitors
Heartbeat and Session Monitors
Path and Link Monitoring
Question 13 of 50.
Which of the following are methods that HA clusters use to identify network outages?
Link and Session Monitors
VR and VSYS Monitors
Heartbeat and Session Monitors
Path and Link Monitoring
When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:
Heartbeat Polling and Hello messages
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. For details on the HA timers that trigger a failover, see HA Timers.
The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is failure of any one link in the link group will cause the firewall to change the HA state to non-functional to indicate a failure of a monitored object.
Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional to indicate a failure of a monitored object.
In addition to the failover triggers listed above, a failover also occurs when the administrator places the firewall is a suspended state or if preemption occurs.
On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to verify the operational status for all the components within the firewall.
Question 14 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
Allow and Deny only
Enable and Disable only
None, Superuser, Device Administrator
Enable, Read-Only, and Disable
Question 15 of 50.
In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)
Question 16 of 50.
Color-coded tags can be used on all of the items listed below EXCEPT:
Question 17 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in using LDAP. Which information source would allow for reliable User-ID mapping while requiring the least effort to configure?
Exchange CAS Security logs
Active Directory Security Logs
User mappings can be done via Exchange CAS Security logs, Active Directory Security Logs, Captive Portal. WMI Query is used to ensure that already existing mapping is still valid by probing the end-host. Captive Portal is not reliable. If users don’t use LDAP to login then Active Directory is of no use either. One option left.
Question 18 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
Question 19 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
Responding side, Traffic log
Responding side, System Log
Initiating side, System log
Initiating side, Traffic log
Question 20 of 50.
When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:
The Pre-NAT destination zone and Post-NAT IP addresses.
The Post-NAT destination zone and Post-NAT IP addresses.
The Pre-NAT destination zone and Pre-NAT IP addresses.
The Post-NAT destination zone and Pre-NAT IP addresses.
Destination NAT Example—One-to-One Mapping
The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
Question 21 of 50.
Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)
By default, HTTP and telnet are disabled on the MGT interface but HTTPS, SSH, Ping , and SNMP are allowed.
Question 22 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type—and all users must use this method.
This cannot be done. A single user can only use one authentication type.
Create multiple authentication profiles for the same user.
Create an Authentication Sequence, dictating the order of authentication profiles.
An authentication profile defines the authentication service that validates the login credentials of firewall or Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups (for example, TACACS+ and LDAP). To authenticate users in such cases, configure an authentication sequence, which is a ranked order of authentication profiles that the firewall or Panorama matches a user against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the user (the firewall always checks the local database first if the sequence includes one). A user is denied access only if authentication fails for all the profiles in the authentication sequence.
Question 23 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Initial configuration may be accomplished thru the MGT interface or the Console port.
By default the MGT Port’s IP Address is 192.168.1.1/24.
System defaults may be restored by performing a factory reset in Maintenance Mode.
The default Admin account may be disabled or deleted.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
Question 25 of 50.
The “Drive-By Download” protection feature, under File Blocking profiles in Content-ID, provides:
The ability to use Authentication Profiles, in order to protect against unwanted downloads.
Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Password-protected access to specific file downloads for authorized users.
Known as a phishing attack. Once the user visits such a website, the website would start downloading exploits to user’s computer without user’s intervention. Such downloads are also referred to as drive-by-downloads in the sense that the user didn’t have to explicitly download the exploits; just by the virtue of visiting the website would cause the download to happen.
Such attacks can be usually nipped in the bud by a URL filtering solution that would detect user’s traffic going to a pre-categorized malware website. Our next-generation firewalls provide URL filtering solution that can help in detecting such traffic and thereby preventing the attack.
To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download a .exe file from a website in the untrust zone. A response page should display. Click Continue to download the file. You can also set other actions, such as alert only, forward (which will forward to WildFire), or block, which will not provide a continue page to the user. The following shows the default response page for File Blocking:
Question 26 of 50.
In which of the following can User-ID be used to provide a match condition?
Zone Protection Policies
Question 27 of 50.
Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?
A custom admin role must be created for this specific combination of rights.
Question 28 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
Some App-ID’s are set with a Session Timeout value that is too low.
The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.
Application Block Pages will only be displayed when Captive Portal is configured.
The File Blocking Block Page was disabled.
You can perform any of the following functions for Response Pages.
To import a custom HTML response page, click the link of the page type you would like to change and then click import/export. Browse to locate the page. A message is displayed to indicate whether the import succeeded. For the import to be successful, the file must be in HTML format.
To export a custom HTML response page, click Export for the type of page. Select whether to open the file or save it to disk and, if appropriate, select Always use the same option.
To enable or disable the Application Block page or SSL Decryption Opt-out pages, click Enable for the type of page. Select or deselect Enable, as appropriate.
To use the default response page instead of a previously uploaded custom page, delete the custom block page and commit. This will set the default block page as the new active page.
Question 29 of 50.
PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile type?
A new WildFire Analysis profile is introduced with PAN-OS 7.0 in order to forward files and email links for WildFire analysis, replacing the need to use File Blocking profile rules to forward files for WildFire analysis.
Question 30 of 50.
Which of the following facts about dynamic updates is correct?
Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.
Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.
Anti-virus updates are released daily. Application and Threat updates are released weekly.
Antivirus—Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
Applications—Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly.
Applications and Threats —Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly.
GlobalProtect Data File —Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect portal and GlobalProtect gateway license in order to receive these updates. In addition, you must create a schedule for these updates before GlobalProtect will function.
BrightCloud URL Filtering —Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as devices remain in-sync with the servers automatically.
WildFire—Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threat update.
Question 31 of 50.
Both SSL decryption and SSH decryption are disabled by default.
Question 32 of 50.
Which statement below is True?
PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.
PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.
PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.
PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.
URL Filtering Vendors
Palo Alto Networks firewalls support two vendors for URL filtering purposes:
PAN-DB—A Palo Alto Networks developed URL filtering database that is tightly integrated into PAN-OS by utilizing high-performance local caching to perform maximum inline performance for URL lookups while a distributed cloud architecture provides coverage for the latest websites. In addition, PAN-DB is tightly integrated with WildFire such that whenever WildFire deems a site malicious, it updates the corresponding PAN-DB URL category to malware, immediately blocking any future access to the site as long as you have a URL Filtering profile attached to the security policy rule. To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
BrightCloud—A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.
Question 33 of 50.
WildFire may be used for identifying which of the following types of traffic?
Question 34 of 50.
When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will send a TCP reset.
Question 35 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you need a:
Question 36 of 50.
In Palo Alto Networks terms, an application is:
A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
A combination of port and protocol that can be detected, monitored, and/or blocked.
A file installed on a local machine that can be detected, monitored, and/or blocked.
Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.
Question 37 of 50.
Which of the following is True of an application filter?
An application filter automatically includes a new application when one of the new application’s characteristics are included in the filter.
An application filter is used by malware to evade detection by firewalls and anti-virus software.
An application filter automatically adapts when an application moves from one IP address to another.
An application filter specifies the users allowed to access an application.
An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access…As new applications office programs emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.
Question 38 of 50.
Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?
WildFire API —The WildFire subscription provides access to the WildFire API, which enables direct programmatic access to the WildFire service on the Palo Alto Networks WildFire cloud or a WildFire appliance. You can use the WildFire API to submit files and to retrieve reports for the submitted files. The WildFire API supports up to 1,000 file submissions per day and up to 10,000 queries per day.
Question 39 of 50.
The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall’s configuration? (Select all correct answers.)
There must be a security policy rule from Internet zone to trust zone that allows ping.
There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)
There must be a security policy rule from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.
Question 40 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
When creating the policy, ensure that web-browsing is included in the same rule.
Ensure that the Service column is defined as “application-default” for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
Create an additional rule that blocks all other traffic.
Question 41 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Profile.
Multiple RADIUS servers sharing a VSA configuration.
An Authentication Sequence.
A custom Administrator Profile.
Configure an authentication sequence.
Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user. Select Device > Authentication Sequence and click Add….
Question 42 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
Question 43 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Policy
Decryption Profile in Security Profile
Decryption Profile in Decryption Policy
Decryption Profile in PBF
A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
Block sessions using unsupported protocols, cipher suits, or sessions that require client authentication.
Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can’t be retrieved during a configured timeout period.
Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
Question 44 of 50.
Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)
Network Access Control (NAC) device
Question 45 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
The Role scope controls the available options:
Device role— superuser, superreader, deviceadmin, devicereader, or None
Virtual System role— vsysadmin, vsysreader, or None
Question 46 of 50.
User-ID is enabled in the configuration of …
A Security Policy.
A Security Profile.
Question 47 of 50.
Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server’s private IP address. Which IP address should the Security Policy use as the “Destination IP” in order to allow traffic to the server?
The server’s public IP
The firewall’s gateway IP
The firewall’s MGT IP
The server’s private IP
Question 48 of 50.
What is the default setting for ‘Action’ in a Decryption Policy’s rule?
Question 49 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
Question 50 of 50.
Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
To permit syslogging of User Identification events.
To pull information from other network resources for User-ID.
To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
Although the User-ID functionality provides many out-of-the box methods for obtaining user mapping information, you may have some applications or devices that capture user information that cannot be natively integrated with User-ID. In this case you can use the User-ID XML API to create custom scripts that allow you to leverage existing user data and send it to the User-ID agent or directly to the firewall.By privilege15