
20/4/2019 Realize Your Potential: paloaltonetworks

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 8.1 Version

ACE 8.1

Question 1 of 45.

A Security policy rule displayed in italic font indicates which condition?

The rule has been overridden.


The rule is active.
The rule is disabled.
The rule is a clone.

Question 2 of 45.

A Server Profile enables a firewall to locate which server type?

a server with an available VPN connection


a server with remote user accounts
a server with firewall software updates
a server with firewall threat updates

Question 3 of 45.

An Antivirus Security Profile specifies Actions and WildFire Actions. WildFire Actions enable you to configure the firewall to
perform which operation?

Block traffic when a WildFire virus signature is detected.


Delete packet data when a virus is suspected.
Upload traffic to WildFire when a virus is suspected.
Download new antivirus signatures from WildFire.

Question 4 of 45.
An Interface Management Profile can be attached to which two interface types? (Choose two.)

Tap
Loopback
Layer 2
Virtual Wire
Layer 3

Question 5 of 45.
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=431337b0-bb1c-4c11-867e-f4e673545ac9&evalLvl=5&redirect_url=%2fphnx%… 1/10
App-ID running on a firewall identifies applications using which three methods? (Choose three.)

PAN-DB lookups
Application signatures
WildFire lookups
Known protocol decoders
Program heuristics

Question 6 of 45.
Application block pages can be enabled for which applications?

any
MGT port-based
web-based
non-TCP/IP

Question 7 of 45.

For which firewall feature should you create forward trust and forward untrust certificates?

SSH decryption
SSL client-side certificate checking
SSL forward proxy decryption
SSL Inbound Inspection decryption

Question 8 of 45.

If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are recorded in which log type?

Traffic
WildFire Submissions
Threat
Data Filtering

Question 9 of 45.
If there is an HA configuration mismatch between firewalls during peer negotiation, which state will the passive firewall enter?

INITIAL
NON-FUNCTIONAL
ACTIVE
PASSIVE

Question 10 of 45.
In a destination NAT configuration, which option accurately completes the following sentence? A Security policy rule should
be written to match the _______.


post-NAT source and destination addresses, but the pre-NAT destination zone
original pre-NAT source and destination addresses, but the post-NAT destination zone
post-NAT source and destination addresses, and the post-NAT destination zone
original pre-NAT source and destination addresses, and the pre-NAT destination zone

Question 11 of 45.
In an HA configuration, which three components are synchronized between the pair of firewalls? (Choose three.)

logs
networks
objects
policies

Question 12 of 45.

In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose three.)

exchanging hellos
synchronizing configuration
exchanging heartbeats
synchronizing sessions

Question 13 of 45.
In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.)

hellos
path monitoring
heartbeats
link groups

Question 14 of 45.
On a firewall that has 32 Ethernet ports and is configured with a dynamic IP and port (DIPP) NAT oversubscription rate of 2x,
what is the maximum number of concurrent sessions supported by each available IP address?

32
128K
64
64K

Question 15 of 45.
SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.)

client's public key


server's digital certificate


server's private key


client's digital certificate

Question 16 of 45.

The Threat log records events from which three Security Profiles? (Choose three.)

Vulnerability Protection
Antivirus
Anti-Spyware
URL Filtering
WildFire Analysis
File Blocking

Question 17 of 45.

The User-ID feature is enabled per __________?

firewall security zone


User-ID agent
firewall interface
firewall

Question 18 of 45.
What are three connection methods for the GlobalProtect agent? (Choose three.)

Captcha portal
Pre-Logon
User-Logon
On-demand

Question 19 of 45.
What is a characteristic of Dynamic Admin Roles?

Role privileges can be dynamically updated with newer software releases.


They can be dynamically created or deleted by a firewall administrator.
Role privileges can be dynamically updated by a firewall administrator.
They can be dynamically modified by external authorization systems.

Question 20 of 45.

What is a use case for deploying Palo Alto Networks NGFW in the public cloud?

centralizing your data storage on premise


cost savings through one-time purchase of Palo Alto Networks hardware and subscriptions
faster WildFire analysis response time


extending the corporate data center into the public cloud



Question 21 of 45.

What is the result of performing a firewall Commit operation?

The candidate configuration becomes the running configuration.


The candidate configuration becomes the saved configuration.
The loaded configuration becomes the candidate configuration.
The saved configuration becomes the loaded configuration.

Question 22 of 45.

Which condition must exist before a firewall's in-band interface can process traffic?

The firewall must be assigned to a security zone.


The firewall must be assigned an IP address.
The firewall must not be a loopback interface.
The firewall must be enabled.

Question 23 of 45.

Which four actions can be applied to traffic matching a URL Filtering Security Profile? (Choose four.)

Continue
Reset Client
Block
Reset Server
Override
Alert

Question 24 of 45.
Which statement describes a function provided by an Interface Management Profile?

It determines which firewall services are accessible from external devices.


It determines which external services are accessible by the firewall.
It determines the NetFlow and LLDP interface management settings.
It determines which administrators can manage which interfaces.

Question 25 of 45.
Which statement describes the Export named configuration snapshot operation?

The candidate configuration is transferred from memory to the firewall's storage device.
A copy of the configuration is uploaded to the cloud as a backup.
The running configuration is transferred from memory to the firewall's storage device.
A saved configuration is transferred to an external host's storage device.


Question 26 of 45.
Which statement is true about a URL Filtering Profile override password?

There is a password per firewall administrator account.


There is a password per website.
There is a single, per-firewall password.
There is a password per session.

Question 27 of 45.
Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)

maximum file size


file types
application
direction

Question 28 of 45.

Which three components can be sent to WildFire for analysis? (Choose three.)

files traversing the firewall


MGT interface traffic
URL links found in email
email attachments

Question 29 of 45.

Which three interface types can control or shape network traffic? (Choose three.)

Virtual Wire
Layer 2
Layer 3
Tap

Question 30 of 45.

Which three MGT port configuration settings are required in order to access the WebUI from a remote subnet? (Choose three.)

Default gateway
IP address
Hostname
Netmask


Question 31 of 45.

Which three statements are true regarding sessions on the firewall? (Choose three.)

Sessions are always matched to a Security policy rule.


Network packets are always matched to a session.
The only session information tracked in the session logs are the five-tuples.
Return traffic is allowed.

Question 32 of 45.
Which two file types can be sent to WildFire for analysis if a firewall has only a standard subscription service? (Choose two.)

.dll
.exe
.pdf
.jar

Question 33 of 45.
Which two User-ID methods are used to verify known IP address-to-user mappings? (Choose two.)

Session Monitoring
Server Monitoring
Captive Portal
Client Probing

Question 34 of 45.
Which type of content update does NOT have to be scheduled for download on the firewall?

dynamic update antivirus signatures


dynamic update threat signatures
WildFire antivirus signatures
PAN-DB updates

Question 35 of 45.

Which user mapping method is recommended for a highly mobile user base?

Session Monitoring
Server Monitoring
Client Probing
GlobalProtect

Question 36 of 45.

Which User-ID user mapping method is recommended for environments where users frequently change IP addresses?


Session Monitoring
Server Monitoring
Captive Portal
Client Probing

Question 37 of 45.

Which file must be downloaded from the firewall to create a Heatmap and Best Practices Assessment report?

firewall config file


Tech Support File
stats dump file
XML file

Question 38 of 45.

GlobalProtect clientless VPN provides secure remote access to web applications that use which three technologies? (Choose three.)

HTML5
JavaScript
HTML
Python
Ruby
Java

Question 39 of 45.

What is the maximum number of WildFire® appliances that can be grouped into a WildFire® appliance cluster?

32
24
20
12

Question 40 of 45.

The decryption broker feature is supported by which three Palo Alto Networks firewall series? (Choose three.)

PA-5200
PA-3200
PA-5000
PA-7000
PA-3000
PA-220

Question 41 of 45.

Which three HTTP header insertion types are predefined? (Choose three.)

WebEx
YouTube
Google
Dropbox
Slack
Box

Question 42 of 45.

Which VM-Series model was introduced with the release of PAN-OS® 8.1?

VM-300 Lite
VM-200 Lite
VM-100 Lite
VM-50 Lite

Question 43 of 45.
Which cloud computing platform provides shared resources, servers, and storage in a pay-as-you-go model?

public
hybrid
private
community

Question 44 of 45.
Cloud security is a shared responsibility between the cloud provider and the customer. Which security platform is the cloud
provider responsible for?

foundation services
encryption management
firewall and network traffic
identity and access management

Question 45 of 45.

Which essential cloud characteristic is designed for applications that will be required to run on all platforms including
smartphones, tablets, and laptops?

rapid elasticity
measured services
broad network access
on-demand self service