Accredited Configuration Engineer (ACE) v7.0

Page:    1 / 9   
Total 122 questions

When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS?

  • A. Yes
  • B. No


Answer : A

As the Palo Alto Networks administrator, you have enabled Application Block pages.
Afterward, some users do not receive web-based feedback for all denied applications. Why would this be?

  • A. Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block pages enabled.
  • B. Application Block Pages will only be displayed when Captive Portal is configured.
  • C. Some Application IDs are set with a Session Timeout value that is too low.
  • D. Application Block Pages will only be displayed when users attempt to access a denied web-based application.


Answer : D

Will an exported configuration contain Management Interface settings?

  • A. Yes
  • B. No


Answer : A

The "Disable Server Return Inspection" option on a security profile:

  • A. Can only be configured in Tap Mode
  • B. Should only be enabled on security policies allowing traffic to a trusted server.
  • C. Does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet
  • D. Only performs inspection of traffic from the side that originated the TCP SYN-ACK packet


Answer : B

What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)

  • A. Improved DNS-based C&C signatures.
  • B. Improved PAN-DB malware detection.
  • C. Improved BrightCloud malware detection.
  • D. Improved malware detection in WildFire.


Answer : A,B,D

When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:

  • A. The Post-NAT destination zone and Post-NAT IP address.
  • B. The Pre-NAT destination zone and Pre-NAT IP address.
  • C. The Pre-NAT destination zone and Post-NAT IP address.
  • D. The Post-NAT destination zone and Pre-NAT IP address.


Answer : D

To properly configure DoS protection to limit the number of sessions individually from specific source IPs, you would configure a DoS Protection rule with the following characteristics:

  • A. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured
  • B. Action: Deny, Aggregate Profile with "Resources Protection" configured
  • C. Action: Protect, Aggregate Profile with "Resources Protection" configured
  • D. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured


Answer : A

To create a custom signature object for an Application Override Policy, which of the following fields are mandatory?

  • A. Category
  • B. Regular Expressions
  • C. Ports
  • D. Characteristics


Answer : D

The following can be configured as a next hop in a Static Route:

  • A. A Policy-Based Forwarding Rule
  • B. Virtual System
  • C. A Dynamic Routing Protocol
  • D. Virtual Router


Answer : D

Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?

  • A. So that information can be pulled from other network resources for User-ID
  • B. To allow the firewall to push User-ID information to a Network Access Control (NAC) device.
  • C. To permit syslogging of User Identification events


Answer : B

In an Anti-Virus profile, changing the action to Block for IMAP or POP decoders will result in the following:

  • A. The connection from the server will be reset
  • B. The Anti-virus profile will behave as if “Alert” had been specified for the action
  • C. The traffic will be dropped by the firewall
  • D. Error 541 being sent back to the server


Answer : B

WildFire may be used for identifying which of the following types of traffic?

  • A. URL content
  • B. DHCP
  • C. DNS
  • D. Viruses


Answer : D

In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:

  • A. Dynamic numbers that refer to a security policy's order and are especially useful when filtering security policies by tags
  • B. Numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement
  • C. Static numbers that must be manually re-numbered whenever a new security policy is added


Answer : A


Taking into account only the information in the screenshot above, answer the following question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply.

  • A. Security policy from trust zone to Internet zone that allows ping
  • B. Create the appropriate routes in the default virtual router
  • C. Security policy from Internet zone to trust zone that allows ping
  • D. Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2


Answer : A,D

Which of the following is a routing protocol supported in a Palo Alto Networks firewall?

  • A. RIPv2
  • B. IS-IS
  • C. IGRP
  • D. EIGRP


Answer : A
