Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 8.0 Version

ACE 8.0

Question 1 of 40.

A Security policy rule displayed in italic font indicates which condition?

The rule is active.

The rule is a clone.
The rule has been overridden.
The rule is disabled.

Mark for follow up

Question 2 of 40.

An Antivirus Security Profile specifies Actions and WildFire Actions. Wildfire Actions enable you to configure the firewall
to perform which operation?

Delete packet data when a virus is suspected.

Download new antivirus signatures from WildFire.
Block traffic when a WildFire virus signature is detected.
Upload traffic to WildFire when a virus is suspected.

Mark for follow up

Question 3 of 40.

An Interface Management Profile can be attached to which two interface types? (Choose two.)
Tap
Layer 2
Virtual Wire
Loopback
Layer 3

Mark for follow up

Question 4 of 40.

Application block pages can be enabled for which applications?

any
web-based
MGT port-based
non-TCP/IP

1 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

Mark for follow up

Question 5 of 40.

Because a firewall examines every packet in a session, a firewall can detect application ________?

shifts
errors
groups
filters

Mark for follow up

Question 6 of 40.

Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate that you should take
which action?

Reboot the firewall.

Validate your Security policy rules.
Validate connectivity to the PAN-DB cloud.
Re-download the URL seed database.

Mark for follow up

Question 7 of 40.

For which firewall feature should you create forward trust and forward untrust certificates?

SSH decryption
SSL client-side certificate checking
SSL Inbound Inspection decryption
SSL forward proxy decryption

Mark for follow up

Question 8 of 40.

If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are recorded in which log type?

Traffic
WildFire Submissions
Data Filtering
Threat

Mark for follow up

Question 9 of 40.

2 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

If there is an HA configuration mismatch between firewalls during peer negotiation, which state will the passive firewall
enter?

INITIAL
NON-FUNCTIONAL
PASSIVE
ACTIVE

Mark for follow up

Question 10 of 40.

In a destination NAT configuration, which option accurately completes the following sentence? A Security policy rule
should be written to match the _______.

post-NAT source and destination addresses, but the pre-NAT destination zone
original pre-NAT source and destination addresses, but the post-NAT destination zone
original pre-NAT source and destination addresses, and the pre-NAT destination zone
post-NAT source and destination addresses, and the post-NAT destination zone

Mark for follow up

Question 11 of 40.

In a Security Profile, which action does a firewall take when the profiles action is configured as Reset Server? (Choose
two.)
The traffic responder is reset.
For UDP sessions, the connection is dropped.
For UDP sessions, the connection is reset.
The client is reset.

Mark for follow up

Question 12 of 40.

Which two user mapping methods are supported by the User-ID integrated agent? (Choose two.)
WMI probing
NetBIOS Probing
LDAP Filters
Client Probing

Mark for follow up

Question 13 of 40.

SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.)
client's public key
server's digital certificate This is Incorrect Answer to this should be Server's digital
certificate and server's Private key.

3 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

client's digital certificate

server's private key

Mark for follow up

Question 14 of 40.

The firewall acts as a proxy for which two types of traffic? (Choose two.)
SSH
Non-SSL
This is Incorrect
SSL Inbound Inspection
SSL outbound

Mark for follow up

Question 15 of 40.

The Threat log records events from which three Security Profiles? (Choose three.)
Vulnerability Protection
Antivirus
URL Filtering
Anti-Spyware
File Blocking
WildFire Analysis

Mark for follow up

Question 16 of 40.

The WildFire Portal website supports which three operations? (Choose three.)
view WildFire verdicts
report incorrect verdicts
upload files to WildFire for analysis
request firewall WildFire licenses

Mark for follow up

Question 17 of 40.

What are the two separate planes that make up the PAN-OS architecture? (Choose two.)
control/management plane
dataplane
routing plane
signature processing plane
HA plane

Mark for follow up

4 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

Question 18 of 40.

What are two benefits of attaching a Decryption Profile to a Decryption policy no-decrypt rule? (Choose two.)
expired certificate checking
URL category match checking
untrusted certificate checking
acceptable protocol checking

Mark for follow up

Question 19 of 40.

What is a characteristic of Dynamic Admin Roles?

They can be dynamically modified by external authorization systems.

They can be dynamically created or deleted by a firewall administrator.
Role privileges can be dynamically updated with newer software releases.
Role privileges can be dynamically updated by a firewall administrator.

Mark for follow up

Question 20 of 40.

What is a use case for deploying Palo Alto Networks NGFW in the public cloud?

extending the corporate data center into the public cloud

cost savings through one-time purchase of Palo Alto Networks hardware and subscriptions
centralizing your data storage on premise
faster WildFire analysis response time

Mark for follow up

Question 21 of 40.

What is the result of performing a firewall Commit operation?

The saved configuration becomes the loaded configuration.

The candidate configuration becomes the saved configuration.
The candidate configuration becomes the running configuration.
The loaded configuration becomes the candidate configuration.

Mark for follow up

Question 22 of 40.

Where does a GlobalProtect client connect to first when trying to connect to the network?

AD agent

5 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

GlobalProtect Portal
User-ID agent
GlobalProtect Gateway

Mark for follow up

Question 23 of 40.

Which action in a File Blocking Security Profile results in the user being prompted to verify a file transfer?

Block
Alert
Continue
Allow

Mark for follow up

Question 24 of 40.

Which feature is a dynamic grouping of applications used in Security policy rules?

implicit applications
application filter This is Incorrect
dependent applications
application group

Mark for follow up

Question 25 of 40.

Which four actions can be applied to traffic matching a URL Filtering Security Profile? (Choose four.)
Override
Alert
Reset Client
Reset Server
Continue
Block

Mark for follow up

Question 26 of 40.

Which interface type does NOT require any configuration changes to adjacent network devices?

Layer 3
Tap
Virtual Wire
Layer 2

6 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

Mark for follow up

Question 27 of 40.

Which interface type is NOT assigned to a security zone?

Layer 3
HA
Virtual Wire
VLAN

Mark for follow up

Question 28 of 40.

Which statement describes a function provided by an Interface Management Profile?

It determines the NetFlow and LLDP interface management settings.

It determines which administrators can manage which interfaces.
It determines which firewall services are accessible from external devices.
It determines which external services are accessible by the firewall.

Mark for follow up

Question 29 of 40.

Which statement describes the Export named configuration snapshot operation?

The candidate configuration is transferred from memory to the firewall's storage device.
The running configuration is transferred from memory to the firewall's storage device.
A saved configuration is transferred to an external hosts storage device.
A copy of the configuration is uploaded to the cloud as a backup.

Mark for follow up

Question 30 of 40.

Which statement is true about a URL Filtering Profile continue password?

There is a password per firewall administrator account.

There is a single, per-firewall password.
There is a password per session.
There is a password per website.

Mark for follow up

Question 31 of 40.

7 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

Which three components can be sent to WildFire for analysis? (Choose three.)
files traversing the firewall
URL links found in email
email attachments
MGT interface traffic

Mark for follow up

Question 32 of 40.

Which three interface types can control or shape network traffic? (Choose three.)
Virtual Wire
Layer 3
Tap
Layer 2

Mark for follow up

Question 33 of 40.

Which three MGT port configuration settings are required in order to access the WebUI? (Choose three.)
Default gateway
IP address
Netmask
Hostname

Mark for follow up

Question 34 of 40.

Which three network modes are supported by active/passive HA? (Choose three.)
Virtual Wire
Layer 3
Tap
Layer 2

Mark for follow up

Question 35 of 40.

Which three statements are true regarding sessions on the firewall? (Choose three.)
Sessions are always matched to a Security policy rule.
Network packets are always matched to a session.
Return traffic is allowed.
The only session information tracked in the session logs are the five-tuples.

Mark for follow up

8 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

Question 36 of 40.

Which two file types can be sent to WildFire for analysis if a firewall has only a standard subscription service? (Choose
two.)
.pdf
This is Incorrect
.exe
.dll
.jar

Mark for follow up

Question 37 of 40.

Which two User-ID methods are used to verify known IP address-to-user mappings? (Choose two.)
Captive Portal
Server Monitoring
Session Monitoring
Client Probing

Mark for follow up

Question 38 of 40.

Which type of content update does NOT have to be scheduled for download on the firewall?

WildFire antivirus signatures

dynamic update threat signatures
dynamic update antivirus signatures
PAN-DB updates

Mark for follow up

Question 39 of 40.

Which user mapping method is recommended for a highly mobile user base?

Client Probing
Server Monitoring
Session Monitoring
GlobalProtect

Mark for follow up

Question 40 of 40.

Which User-ID user mapping method is recommended for environments where users frequently change IP addresses?

Captive Portal

9 of 10 12/26/2017, 1:25 PM
Realize Your Potential: paloaltonetworks https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=6...

Server Monitoring
Session Monitoring
Client Probing

Mark for follow up

Save / Return Later Summary

10 of 10 12/26/2017, 1:25 PM