2024年5月5日发(作者:)
Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 Version
ACE Exam
Question 1 of 50.
As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an
available option as matching criteria in the rule?
*
URL
Category
Application
Source Zone
Source User
Service
Mark for follow up
Question 2 of 50.
PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile
type?
*
Threat Analysis
WildFire Analysis
File Analysis
Malware
Analysis
Mark for follow up
Question 3 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
*
A single IP address is used, and the source port number is changed.
The next available IP address in the configured pool is used, but the source port number is
unchanged.
A single IP address is used, and the source port number is unchanged.
The next available address in the configured pool is used, and the source port number is
changed.
Mark for follow up
Question 4 of 50.
Palo Alto Networks offers WildFire users three solution types. These solution types are the
WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is
the main reason and purpose for the WildFire Hybrid solution?
*
The WildFire Hybrid solution enables outside companies to share the same WF-500
Appliance while at the same time allowing them to send only their private files to the
private WF-500.
The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance
keeping them internal to their network, as well providing the option to send other, general
files to the WildFire Public Cloud for analysis.
The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall
appliances distributed throughout an enterprise's network receive WildFire verdicts with
minimal latency while retaining data privacy.
The WildFire Hybrid solution is only offered to companies that have sensitive files to
protect and does not require a WildFire subscription.
Mark for follow up
Question 5 of 50.
Which of the following interface types can have an IP address assigned to it?
*
Layer 3
Layer 2
Tap
Virtual
Wire
Mark for follow up
Question 6 of 50.
True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a
Public Cloud solution.
True
Mark for follow up
Question 7 of 50.
True or False: The WildFire Analysis Profile can only be configured to send unknown files to the
WildFire Public Cloud only.
True
Mark for follow up
Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True
Mark for follow up
Question 9 of 50.
What is the maximum file size of .EXE files uploaded from the firewall to WildFire?
False
False
False
*
Always 10 megabytes.
Configurable
megabytes.
up to 10
Configurable up to 2 megabytes.
Always 2 megabytes.
Mark for follow up
Question 10 of 50.
Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or
compress the file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four
levels. But if an attacker has encoded the file beyond four levels, what can you as an administer
do to protect your users?
*
Create a Decryption Profile for multi-level encoded files and apply it to a Decryption
Policy.
Create a File Blocking Profile for multi-level encoded files with the action set to block.
Create a File Blocking Profile for multi-level encoded files and apply it to a Decryption
Policy.
Create a Decryption Policy for multi-level encoded files and set the action to block.
Mark for follow up
Question 11 of 50.
What will be the user experience when the safe search option is NOT enabled for Google search
but the firewall has "Safe Search Enforcement" Enabled?
*
The user will be redirected to a different search site that is specified by the firewall
administrator.
A block page will be presented with instructions on how to set the strict Safe Search option
for the Google search.
The Firewall will enforce Safe Search if the URL filtering license is still valid.
A task bar pop-up message will be presented to enable Safe Search.
Mark for follow up
Question 12 of 50.
Which of the following is NOT a valid option for built-in CLI Admin roles?
*
deviceadmin
read/write
devicereader
superuser
Mark for follow up
Question 13 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based
(customized user roles) for Administrator Accounts.
True
Mark for follow up
Question 14 of 50.
Besides selecting the Heartbeat Backup option when creating an Active-Passive HA Pair, which of
the following also prevents "Split-Brain"?
*
Creating a custom interface under Service Route Configuration, and assigning this interface
as the backup HA2 link.
Configuring an independent backup HA1 link.
Under “Packet Forwarding”, selecting the VR Sync checkbox.
Configuring a backup HA2 link that points to the MGT interface of the other device in the
pair.
Mark for follow up
Question 15 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on
the firewall? (Select all correct answers.)
Improved malware detection in WildFire.
False
Improved PAN-DB malware detection.
Improved BrightCloud malware detection.
Improved DNS-based C&C signatures.
Mark for follow up
Question 16 of 50.
Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
*
EIGRP
RIPv2
IGRP
ISIS
Mark for follow up
Question 17 of 50.
What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off
communication?
*
Any layer 3 interface address specified by the firewall
administrator.
The default gateway of the firewall.
The local loopback address.
The MGT interface address.
Mark for follow up
Question 18 of 50.
Which of the following CANNOT use the source user as a match criterion?
*
QoS
Secuirty Policies
Anti-virus Profile
DoS Protection
Policy
Forwarding
Mark for follow up
Question 19 of 50.
When configuring the firewall for User-ID, what is the maximum number of Domain Controllers
that can be configured?
Based
*
150
50
100
10
Mark for follow up
Question 20 of 50.
Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the
firewall can now decode up to how many levels?
*
Six
Five
Four
Three
Mark for follow up
Question 21 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
*
Enable and Disable only
Allow and Deny only
Enable, Read-Only, and Disable
None, Superuser,
Administrator
Mark for follow up
Question 22 of 50.
User-ID is enabled in the configuration of …
*
An Interface.
A Security
Profile.
A Zone.
A Security Policy.
Mark for follow up
Question 23 of 50.
Considering the information in the screenshot above, what is the order of evaluation for this URL
Device
Filtering Profile?
*
Allow List, Block List, Custom Categories, URL Categories (BrightCloud or
PAN-DB).
Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom
Categories.
Block List, Allow List, Custom Categories, URL Categories (BrightCloud or
PAN-DB).
URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow
List.
Mark for follow up
Question 24 of 50.
Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for
malware signatures to be distributed as often as…
*
Once an hour
Once a week
Once every
minutes
Once a day
Mark for follow up
Question 25 of 50.
15
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the
Candidate configuration. These changes may be undone by Device > Setup > Operations >
Configuration Management>....and then what operation?
*
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named
Snapshot
Mark for follow up
Question 26 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
*
The ability to use Authentication Profiles, in order to protect against unwanted
downloads.
Password-protected access to specific file downloads for authorized users.
Protection against unwanted downloads by showing the user a response page indicating
that a file is going to be downloaded.
Increased speed on downloads of file types that are explicitly enabled.
Mark for follow up
Question 27 of 50.
Configuration
发布评论