4/7/2015 Empowering People: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 1/7
TestAccreditedConfigurationEngineer(ACE)ExamPANOS6.1Version
ACEExam
Question1of50.
Thefollowingcanbeconfiguredasanexthopinastaticroute:

APolicyBasedForwardingRule
VirtualSystems
VirtualRouter
VirtualSwitch

Markforfollowup
Question2of50.
AsaPaloAltoNetworksfirewalladministrator,youhavemadeunwantedchangestotheCandida
hesechangesmaybeundonebyDevice>Setup>Operations>
ConfigurationManagement>....andthenwhatoperation?

ReverttoRunningConfiguration
ReverttolastSavedConfiguration
LoadConfigurationVersion
ImportNamedConfigurationSnapshot

Markforfollowup
Question3of50.
WhichstatementbelowisTrue?

PANOSusesBrightCloudforURLFiltering,replacingPANDB.
PANOSusesBrightCloudasitsdefaultURLFilteringdatabase,butalsosupportsPANDB.
PANOSusesPANDBasthedefaultURLFilteringdatabase,butalsosupportsBrightCloud.
PANOSusesPANDBforURLFiltering,replacingBrightCloud.

Markforfollowup
Question4of50.
WhenemployingtheBrightCloudURLfilteringdatabaseinaPaloAltoNetworksfirewall,theo
thinaprofileis:

Blocklist,CustomCategories,Predefinedcategories,DynamicURLfiltering,Allowlist,Cach
Blocklist,Allowlist,CustomCategories,Cachefiles,LocalURLDBfile.
Blocklist,CustomCategories,Cachefiles,Predefinedcategories,DynamicURLfiltering,All
DynamicURLfiltering,Blocklist,Allowlist,Cachefiles,Customcategories,Predefinedcat

Markforfollowup
Question5of50.
WithIKEPhase1,eachdeviceisidentifiedtotheotherbyaPeerID.Inmostcases,thePee
ice.InsituationswherethepublicIPaddressis
notstatic,thePeerIDcanbeatextvalue.
True False

Markforfollowup
Question6of50.
Thescreenshotaboveshowspartofafirewallsconfiguration.Ifpingtrafficcantraverset
1,whichofthefollowingstatementsmustbeTrueaboutthis
firewallsconfiguration?(Selectallcorrectanswers.)
TheremustbeasecuritypolicyfromInternetzonetotrustzonethatallowsping.
TheremustbeasecuritypolicyfromtrustzonetoInternetzonethatallowsping.
Theremustbeappropriateroutesinthedefaultvirtualrouter.
TheremustbeaManagementProfilethatallowsping.(ThenassignthatManagementProfileto

4/7/2015 Empowering People: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 2/7

Markforfollowup
Question7of50.
Whichfeaturecanbeconfiguredtoblocksessionsthatthefirewallcannotdecrypt?

DecryptionProfileinSecurityPolicy
DecryptionProfileinDecryptionPolicy
DecryptionProfileinPBF
DecryptionProfileinSecurityProfile

Markforfollowup
Question8of50.
AlloftheinterfacesonaPaloAltoNetworksdevicemustbeofthesameinterfacetype.
True False

Markforfollowup
Question9of50.
WhichofthefollowingwouldbeareasontousethePANOSXMLAPItocommunicatewithaPalo

TopermitsysloggingofUserIdentificationevents.
TopullinformationfromothernetworkresourcesforUserID.
ToallowthefirewalltopushUserIDinformationtoaNetworkAccessControl(NAC)device.

Markforfollowup
Question10of50.
WhichofthefollowingstatementsisNOTTrueaboutPaloAltoNetworksfirewalls?

InitialconfigurationmaybeaccomplishedthrutheMGTinterfaceortheConsoleport.
ThedefaultAdminaccountmaybedisabledordeleted.
BydefaulttheMGTPort sIPAddressis192.168.1.1/24.
SystemdefaultsmayberestoredbyperformingafactoryresetinMaintenanceMode.

Markforfollowup
Question11of50.
AftertheinstallationofanewversionofPANOS,thefirewallmustberebooted.
True False

Markforfollowup
Question12of50.
WhichoftheDynamicUpdateslistedbelowareissuedonadailybasis?(Selectallcorrectan
BrightCloudURLFiltering
ApplicationsandThreats
Applications
Antivirus

Markforfollowup
Question13of50.
ColorcodedtagscanbeusedonalloftheitemslistedbelowEXCEPT:

AddressObjects
ServiceGroups
Zones
VulnerabilityProfiles

Markforfollowup
Question14of50.
InaPaloAltoNetworksfirewall,everyinterfaceinusemustbeassignedtoazoneinorder

True False

Markforfollowup
Question15of50.
YoucanassignanIPaddresstoaninterfaceinVirtualWiremode.
True False

Markforfollowup
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 3/7
Question16of50.
InordertoroutetrafficbetweenLayer3interfacesonthePaloAltoNetworksfirewall,you

VirtualRouter
VLAN
VirtualWire
SecurityProfile

Markforfollowup
Question17of50.
Aninterfaceintapmodecantransmitpacketsonthewire.
True False

Markforfollowup
Question18of50.
WhenDestinationNetworkAddressTranslationisbeingperformed,thedestinationinthecorre
rityPolicyRuleshoulduse:

ThePostNATdestinationzoneandPostNATIPaddress.
ThePreNATdestinationzoneandPreNATIPaddress.
ThePreNATdestinationzoneandPostNATIPaddress.
ThePostNATdestinationzoneandPreNATIPaddress.

Markforfollowup
Question19of50.
Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquesti
tionswillbeallowedontheirstandardports?(Selectallcorrect
answers.)
BitTorrent
Gnutella
Skype
SSH

Markforfollowup
Question20of50.
WhenconfiguringaSecurityPolicyRulebasedonFQDNAddressObjects,whichofthefollowing

InordertocreateFQDNbasedobjects,youneedtomanuallydefinealistofassociatedIPad
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagai
ilesareevaluated.
ThefirewallresolvestheFQDNfirstwhenthepolicyiscommitted,andresolvestheFQDNagai

Markforfollowup
Question21of50.
Usersmaybeauthenticatedsequentiallytomultipleauthenticationserversbyconfiguring:

AnAuthenticationSequence.
MultipleRADIUSserverssharingaVSAconfiguration.
AcustomAdministratorProfile.

AnAuthenticationProfile.

Markforfollowup
Question22of50.
WillanexportedconfigurationcontainManagementInterfacesettings?
Yes No

Markforfollowup
Question23of50.
WhenusingConfigAudit,thecoloryellowindicateswhichofthefollowing?

4/7/2015 Empowering People: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 4/7
Asettinghasbeenchangedbetweenthetwoconfigfiles
Asettinghasbeendeletedfromaconfigfile.
Asettinghasbeenaddedtoaconfigfile
Aninvalidvaluehasbeenusedinaconfigfile.

Markforfollowup
Question24of50.
Whenusingremoteauthenticationforusers(LDAP,RADIUS,ActiveDirectory,etc.),whatmust
oauthenticatethroughmultiplemethods?

CreateanAuthenticationSequence,dictatingtheorderofauthenticationprofiles.
Createmultipleauthenticationprofilesforthesameuser.
Thiscannotbedone.Asingleusercanonlyuseoneauthenticationtype.
Thiscannotbedone.Althoughmultipleauthenticationmethodsexist,afirewallmustchoosea
henticationtypeandallusersmustusethismethod.

Markforfollowup
Question25of50.
WhentroubleshootingPhase1ofanIPsecVPNtunnel,whichlocationandlogwillbemostinfo

Respondingside,SystemLog
Initiatingside,Trafficlog
Initiatingside,Systemlog
Respondingside,Trafficlog

Markforfollowup
Question26of50.
UserIDisenabledintheconfigurationof

AZone.
ASecurityProfile.
AnInterface.
ASecurityPolicy.

Markforfollowup
Question27of50.
Whatwilltheuserexperiencewhenattemptingtoaccessablockedhackingwebsitethroughat
chasGoogleTranslateorBingTranslator?

ABlockedpageresponsewhentheURLfilteringpolicytoblockisenforced.
ASuccesspageresponsewhenthesiteissuccessfullytranslated.
Thebrowserwillberedirectedtotheoriginalwebsiteaddress.
An"HTTPError503Serviceunavailable"message.

Markforfollowup
Question28of50.

WhenyouhavecreatedaSecurityPolicyRulethatallowsFacebook,whatmustyoudotoblock
c?

Nothing.YoucandependonPANOStoblockthewebbrowsingtrafficthatisnotneededforFa
EnsurethattheServicecolumnisdefinedas"applicationdefault"forthisSecuritypolicy.
aticallyincludetheimplicitwebbrowsingapplicationdependency.
Createanadditionalrulethatblocksallothertraffic.
Whencreatingthepolicy,ensurethatwebbrowsingisincludedinthesamerule.

Markforfollowup
Question29of50.
BothSSLdecryptionandSSHdecryptionaredisabledbydefault.
True False

Markforfollowup
Question30of50.
A"Continue"actioncanbeconfiguredonwhichofthefollowingSecurityProfiles?

URLFilteringandFileBlocking
URLFilteringonly
URLFiltering,FileBlocking,andDataFiltering
URLFilteringandAntivirus

Markforfollowup
Question31of50.
WhichofthefollowinginterfacetypescanhaveanIPaddressassignedtoit?
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 5/7

Layer3
Layer2
Tap
VirtualWire

Markforfollowup
Question32of50.
Whatarethebenefitsgainedwhenthe"EnablePassiveDNSMonitoring"checkboxischosenont
lcorrectanswers.)
ImprovedDNSbasedC&Csignatures.
ImprovedPANDBmalwaredetection.
ImprovedBrightCloudmalwaredetection.
ImprovedmalwaredetectioninWildFire.

Markforfollowup
Question33of50.
Securitypoliciesspecifyasourceinterfaceandadestinationinterface.
True False

Markforfollowup
Question34of50.
Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquesti
torisusingSSHonport3333andBitTorrentonport7777.Which
statementsareTrue?
TheSSHtrafficwillbedenied.
TheBitTorrenttrafficwillbeallowed.
TheSSHtrafficwillbeallowed.
TheBitTorrenttrafficwillbedenied.

Markforfollowup

Question35of50.
WhichofthefollowingmostaccuratelydescribesDynamicIPinaSourceNATconfiguration?

AsingleIPaddressisused,andthesourceportnumberisunchanged.
ThenextavailableIPaddressintheconfiguredpoolisused,butthesourceportnumberisu
AsingleIPaddressisused,andthesourceportnumberischanged.
Thenextavailableaddressintheconfiguredpoolisused,andthesourceportnumberischan

Markforfollowup
Question36of50.
Whataretwosourcesofinformationfordeterminingwhetherthefirewallhasbeensuccessful
thanexternalUserIDAgent?

SystemLogsandAuthenticationLogs.
SystemLogsandtheindicatorlightundertheUserIDAgentsettingsinthefirewall.
SystemLogsandanindicatorlightonthechassis.
TrafficLogsandAuthenticationLogs.

Markforfollowup
Question37of50.
WhichpredefinedAdminRolehasallrightsexcepttherightstocreateadministrativeaccoun
s?

Superuser
DeviceAdministrator
Acustomadminrolemustbecreatedforthisspecificcombinationofrights.
vsysadmin

Markforfollowup
Question38of50.
AnenterprisePKIsystemisrequiredtodeploySSLForwardProxydecryptioncapabilities.
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 6/7
True False

Markforfollowup
Question39of50.
Takingintoaccountonlytheinformationinthescreenshotabove,answerthefollowingquesti
chisconnectedtoe1/4,buttherearenotrafficlogs.Whichof
thefollowingconditionsmostlikelyexplainsthisbehavior?

Theinterfaceisnotup.
Thereisnozoneassignedtotheinterface.
TheinterfaceisnotassignedanIPaddress.
Theinterfaceisnotassignedavirtualrouter.

Markforfollowup
Question40of50.
WhichtypeoflicenseisrequiredtoperformDecryptionPortMirroring?

AsubscriptionbasedSSLPortlicense
AfreePANPADecryptlicense
AClientDecryptionlicense
AsubscriptionbasedPANPADecryptlicense

Markforfollowup
Question41of50.
Canmultipleadministratoraccountsbeconfiguredonasinglefirewall?
Yes No


Markforfollowup
Question42of50.
WhichofthefollowingCANNOTusethesourceuserasamatchcriterion?

DoSProtection
SecuirtyPolicies
AntivirusProfile
PolicyBasedForwarding
QoS

Markforfollowup
Question43of50.
WhichofthefollowingmustbeenabledinorderforUserIDtofunction?

CaptivePortalPoliciesmustbeenabled.
UserIDmustbeenabledforthesourcezoneofthetrafficthatistobeidentified.
CaptivePortalmustbeenabled.
SecurityPoliciesmusthavetheUserIDoptionenabled.

Markforfollowup
Question44of50.
InaDestinationNATconfiguration,theTranslatedAddressfieldmaybepopulatedwitheither
essObject.
True False

Markforfollowup
Question45of50.
WhenconfiguringthefirewallforUserID,whatisthemaximumnumberofDomainControllerst

4/7/2015 Empowering People: paloaltonetworks

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver. 7/7
50
100
10
150

Markforfollowup
Question46of50.
BesidesselectingtheHeartbeatBackupoptionwhencreatinganActivePassiveHAPair,which
revents"SplitBrain"?

CreatingacustominterfaceunderServiceRouteConfiguration,andassigningthisinterfacea
nk.
ConfiguringanindependentbackupHA1link.
ConfiguringabackupHA2linkthatpointstotheMGTinterfaceoftheotherdeviceinthepai
UnderPacketForwarding,selectingtheVRSynccheckbox.

Markforfollowup
Question47of50.
PaloAltoNetworksfirewallssupporttheuseofbothDynamic(builtinuserroles)andRoleB
es)forAdministratorAccounts.
True False

Markforfollowup
Question48of50.
WhenconfiguringaDecryptionPolicyrule,whichoptionallowsafirewalladministratortoco
linginpoliciesbyspecifyingtheSSHtunnelAppID?

SSHProxy
SSLForwardProxy
SSLInboundInspection
SSLReverseProxy

Markforfollowup
Question49of50.
InwhichofthefollowingcanUserIDbeusedtoprovideamatchcondition?(Selectallcorre

SecurityPolicies
NATPolicies
ZoneProtectionPolicies
ThreatProfiles

Markforfollowup
Question50of50.
InPANOS6.0,rulenumbersare:

Numbersthatspecifytheorderinwhichsecuritypoliciesareevaluated.
Numberscreatedtobeuniqueidentifiersineachfirewallspolicydatabase.
Numbersonascaleof0to99thatspecifyprioritieswhentwoormorerulesareinconflict.
Numberscreatedtomakeiteasierforuserstodiscussacomplicatedordifficultsequenceof

Markforfollowup
Save/ReturnLater Summary