

Palo Alto Networks PAN-OS 4.0 ACE Exam Question Bank

No. | Question | Answer

1. For non-Microsoft clients, what Captive Portal method is supported?

A. Local Database

B. User Agent

C. Web Form Captive Portal

D. NTLM Auth

C

2. Which statement accurately reflects the functionality of using regions as objects in Security policies?

A. The administrator can set up custom regions, including latitude and longitude, to specify the geographic

position of that particular region. Both predefined regions and custom regions can be used in the “Source

User” field.

B. Predefined regions are provided for countries, but not for cities. The administrator can set up custom

regions, including latitude and longitude, to specify the geographic position of that particular region.

C. Regions cannot be used in the “Source User” field of the Security Policies, unless the administrator has

set up custom regions.

D. The administrator can set up custom regions, including latitude and longitude, to specify the geographic

position of that particular region. These custom regions can be used in the “Source User” field of the

Security Policies.

B

3. When using 802.1Q with aggregate links, what TAG-ID must be configured on the virtual wire in order

for LACP on a Cisco switch to operate properly?

A. 0

B. 1

C. 2

D. 3

A

4. What happens on URL license expiration?

A. URL database no longer updated; category actions still effective

B. URL database no longer used; HTTP traffic is allowed or blocked by configuration per URL Filtering

Profile

C. URL database no longer used; applicable traffic is blocked

D. URL database no longer used; applicable traffic is allowed

B

5. For correct routing to SSL VPN clients to occur, the following must be configured:

A. A static route on the next-hop gateway of the SSL VPN client IP pool with a destination of the PAN device

B. No routing needs to be configured – the PAN device automatically responds to ARP requests for the SSL

VPN client IP pool

C. A dynamic routing protocol between the PAN device and the next-hop gateway to advertise the SSL VPN

client IP pool

D. Network Address Translation must be enabled for the SSL VPN client IP pool

B


6. You’d like to schedule a firewall policy to only allow a certain application during a particular time of day.

Where can this policy option be configured?

A. Policies / Application

B. Policies / Options column

C. Policies / Profile

D. Policies / Service

B

7. A customer would like to identify any TCP port scans or UDP port scans traversing their network links.

Where can this type of security policy be configured?

A. Policies / Profile / Zone Protection

B. Interfaces / Interface number / Zone Protection

C. Objects / Zone Protection

D. Network / Network Profiles / Zone Protection

D

8. With SSH decryption enabled, the SCP application will be identified as:

A. sftp

B. scp

C. ssh

D. ssh-tunnel

C

9. Which best describes the firewall rules to be applied to a session?

A. all matches applied

B. last match applied

C. first match applied

D. most specific match applied

C

10. The following can be configured as a next hop in a Static Route:

A. A Policy-Based Forwarding Rule

B. A Dynamic Routing Protocol

C. Virtual System

D. Virtual Router

D

11. Which of the following can be configured as a next hop in a Policy-Based Forwarding Rule:

A. Virtual Router

B. A Dynamic Routing Protocol

C. A Redistribution Profile

D. Virtual System

D

12. For a security policy to allow inbound NATed traffic to a web server with a private IP address in the trust

zone, the entry in the Destination Address column of the security rule should be based on the private IP

address of the web server.

A. True

B. False

B


13. The “Drive-By Download” protection feature, under File Blocking profiles in Content-ID, provides:

A. an administrator the ability to leverage Authentication Profiles in order to protect against unwanted

downloads.

B. Password-protected access to specific file downloads, for authorized users.

C. Increased speed on the downloads of the allowed file types.

D. Protection against unwanted downloads, by alerting the user with a response page indicating that a file is

going to be downloaded.

D

14. What is the correct policy to most effectively block Skype?

A. Block Skype-probe, block Skype

B. Allow Skype, block Skype-probe

C. Allow Skype-probe, block Skype

D. Block Skype

C

15. If a customer has a group of users that are evenly distributed between both LDAP and RADIUS, how

can you ensure that a Palo Alto networks firewall will always check both user databases when

identifying users?

A. Use two authentication profiles and two Captive Portal policies

B. Employ an Authentication Sequence which references two authentication profiles in the preferred order.

C. Use User-ID agent for LDAP and Captive Portal for RADIUS

D. Use two Captive Portal Policies, one which utilizes LDAP, one which utilizes RADIUS

B

16. HA path monitoring can be configured in Virtual Wire mode.

A. True

B. False

A

17. The best practice to advertise an interface IP via OSPF without it acting as an OSPF neighbor and

without it creating unnecessary Type 5 LSAs is:

A. Configure the interface as a passive OSPF interface

B. Configure a static route and configure a routing policy to import the static route into the OSPF area

C. Configure the interface as a Virtual Link

D. Configure a routing policy to import the connected subnet into the OSPF area

A

18. Botnet Detection, under the Monitor tab, will accomplish the following:

A. To block the installation of Botnets through an advanced deep-packet inspection algorithm.

B. Prevent Botnet-infected client computers from responding to Command and Control data.

C. Provide the administrator with packet captures that can be used later to create custom signatures for

preventing unknown botnets.

D. Present a report of known botnets, based upon conditions stipulated by the administrator, found over a

period of time.

D

19. What happens at the point of Threat Prevention license expiration?

A. Threat Prevention is no longer used; applicable traffic is allowed

B. Threat Prevention no longer used; applicable traffic is blocked

C. Threat prevention no longer updated; existing database still effective

D. Threat Prevention no longer used; traffic is allowed or blocked by configuration per Security Rule

C


20. Which local interface cannot be assigned to IKE gateway?

A. Tunnel

B. Loopback

C. L3

D. VLAN

A

21. In QoS, which of the following would be the highest priority traffic from the options listed below on a

saturated 100Mbps link?

A. Class 1 traffic, set to high and guaranteed 1 Mbps.

B. Class 8 traffic, set to real time.

C. Class 8 traffic, set to real time and guaranteed 1 Mbps

D. Class 1 traffic, set to high.

C

22. If a customer has 1 forest with 3 domains and wants a resilient PAN Agent deployment, what is the most

appropriate agent architecture?

A. Two agents deployed on virtual servers on a server within the forest

B. Agents deployed on two separate servers within the forest

C. Two agents deployed per domain, on separate servers

D. An agent deployed on a server within each domain

C

23. When setting up GlobalProtect, what is the job of the GlobalProtect Portal? Select the best answer

A. To maintain the list of GlobalProtect Gateways and list of categories for checking the client machine

B. To apply Global Server Load Balancing to GlobalProtect clients to other GlobalProtect Portals or

Gateways.

C. To maintain the list of remote GlobalProtect Portals and list of categories for checking the client machine

D. To load balance GlobalProtect client connections to GlobalProtect Gateways

A

24. It is possible to use different SSL forward proxy certificates for different vsys in a multi-vsys

environment.

A. True

B. False

A

25. Which of the following types of protection are available in DoS policy?

A. Session Limit, Port Scanning, Host Swapping, UDP Flood

B. Session Limit, SYN Flood, Host Swapping, UDP Flood

C. Session Limit, SYN Flood, Port Scanning, Host Swapping

D. Session Limit, SYN Flood, UDP Flood

D

26. To reduce the amount of URL logs generated you can configure:

A. The following CLI command: “set system url-log-length 256”

B. A URL Filtering Profile with “Log container page only” enabled

C. A URL Filtering Profile with “Dynamic URL Filtering” enabled

D. A URL Filtering Profile with the block list set to “Alert”

B


27. When creating a custom vulnerability profile and selecting “Block IP” as the action, how long will the IP

address be blocked?

A. Configurable from one second to one hour

B. Configurable from one second to two hours

C. Two Hours

D. One Hour

A

28. To properly configure DoS protection to limit the number of sessions individually from specific source

IPs you would configure a DoS Protection rule with the following characteristics:

A. Action: Deny, Aggregate Profile with “Resources Protection” configured

B. Action: Protect, Classified Profile with “Resources Protection” configured, and Classified Address with

“source-ip-only” configured

C. Action: Protect, Aggregate Profile with “Resources Protection” configured

D. Action: Deny, Classified Profile with “Resources Protection” configured, and Classified Address with

“source-ip-only” configured

B

29. A local/enterprise PKI system is required to deploy outbound forward proxy SSL decryption

capabilities.

A. True

B. False

B

30. When Network Address Translation has been performed on traffic, Destination Zones in Security rules

should be based on:

A. Post-NAT address

B. the same zones used in the NAT rules

C. Pre-NAT Address

D. None of the above

A
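Questions 9, 12 and 30 together describe how the firewall evaluates a security rule for destination-NATed traffic: rules are applied first match, the destination address in the rule is the pre-NAT (public) address, and the destination zone is the post-NAT zone found by routing the translated address. The following Python simulation is an added example, not code from the question bank or from Palo Alto Networks; the routing table, the NAT rule, the address objects and the end-of-rulebase deny are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed routing table, (prefix, zone): the firewall derives a packet's
# destination zone from the egress interface of a route lookup.
ROUTES = [
    ("10.1.1.0/24", "trust"),
    ("0.0.0.0/0", "untrust"),
]


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str           # NAT rules are written with PRE-NAT zones
    original_dst: str      # pre-NAT destination, e.g. the public IP
    translated_dst: str    # post-NAT destination, e.g. the server's private IP


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str           # matched against the POST-NAT destination zone
    dst: str               # matched against the PRE-NAT destination address
    apps: FrozenSet[str]   # "any" or a set of App-IDs
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_zone: str
    dst_ip: str
    app: str


def zone_for(ip: str, routes=ROUTES) -> str:
    """Longest-prefix-match route lookup; returns the zone of the egress route."""
    addr = ipaddress.ip_address(ip)
    best_len, best_zone = -1, None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_zone = net.prefixlen, zone
    if best_zone is None:
        raise ValueError(f"no route for {ip}")
    return best_zone


def in_object(ip: str, address_object: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(address_object, strict=False)


def apply_nat(pkt: Packet, nat_rules: List[NatRule]) -> Tuple[str, Optional[str]]:
    """NAT policy lookup, first match wins; both zones are pre-NAT zones."""
    pre_nat_dst_zone = zone_for(pkt.dst_ip)
    for rule in nat_rules:
        if (rule.from_zone == pkt.src_zone and rule.to_zone == pre_nat_dst_zone
                and in_object(pkt.dst_ip, rule.original_dst)):
            return rule.translated_dst, rule.name
    return pkt.dst_ip, None


def lookup_security(pkt: Packet, sec_rules: List[SecurityRule],
                    nat_rules: List[NatRule]) -> Tuple[str, Optional[str]]:
    """Security policy lookup as the questions describe it: the destination zone
    comes from a route lookup on the POST-NAT address, the destination address is
    the PRE-NAT address seen on the wire, and the first matching rule is applied."""
    post_nat_dst, _ = apply_nat(pkt, nat_rules)
    dst_zone = zone_for(post_nat_dst)
    for rule in sec_rules:
        if (rule.from_zone == pkt.src_zone and rule.to_zone == dst_zone
                and in_object(pkt.dst_ip, rule.dst)
                and ("any" in rule.apps or pkt.app in rule.apps)):
            return rule.action, rule.name
    return "deny", None   # constructed end-of-rulebase default for this example


# Constructed scenario: public 203.0.113.10 is destination-NATed to a web server
# at 10.1.1.10 in the trust zone; a client on the Internet connects to it.
NAT_RULES = [NatRule("web-dnat", "untrust", "untrust", "203.0.113.10/32", "10.1.1.10")]
INBOUND = Packet("198.51.100.7", "untrust", "203.0.113.10", "web-browsing")
WEB = frozenset({"web-browsing"})

RULE_CORRECT = SecurityRule("web-in", "untrust", "trust", "203.0.113.10/32", WEB, "allow")
RULE_PRIVATE_DST = SecurityRule("web-in-private", "untrust", "trust", "10.1.1.10/32", WEB, "allow")
RULE_PRENAT_ZONE = SecurityRule("web-in-prenat-zone", "untrust", "untrust", "203.0.113.10/32", WEB, "allow")
RULE_DENY_WEB = SecurityRule("deny-web", "untrust", "trust", "203.0.113.10/32", frozenset({"any"}), "deny")

if __name__ == "__main__":
    for label, rulebase in [("pre-NAT address, post-NAT zone", [RULE_CORRECT]),
                            ("private (post-NAT) address", [RULE_PRIVATE_DST]),
                            ("pre-NAT zone", [RULE_PRENAT_ZONE]),
                            ("deny rule listed first", [RULE_DENY_WEB, RULE_CORRECT])]:
        print(f"{label:32s} -> {lookup_security(INBOUND, rulebase, NAT_RULES)}")
```

Only the rule that names the public address and the trust zone matches; the rule written with the server's private address (question 12) and the rule written with the pre-NAT untrust zone (question 30) both fall through to the default deny, and placing a deny rule above the allow rule changes the verdict because the first match is applied (question 9).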

31. Which of the following fields is not available in DoS policy?

A. Application

B. Service

C. Destination Zone

D. Source Zone

A

32. When a user logs in via Captive Portal, their user information is checked against:

A. Radius

B. Kerberos

C. Local database

D. Active Directory

A

33. Which of the following is not defined or assigned as part of the security rules?

A. NAT rules

B. Applications

C. Security profiles

D. File Blocking profile

A


34. Which one of the options describes the sequence of the GlobalProtect agent connecting to a Gateway?

A. The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the

fastest SSL connection time

B. The agent connects to the portal and randomly establishes a connection to the first available Gateway

C. The agent connects to the portal, obtains a list of the Gateways, and connects to the Gateway with the

fastest PING response time

D. The agent connects to the closest Gateway and sends the HIP report to the portal

A

35. With SSH decryption enabled, X-Window forwarding will be identified as:

A. ssh-tunnel

B. rdp

C. xwindow

D. ssh

A

36. Users can be authenticated serially to multiple authentication servers by configuring:

A. A custom Administrator Profile

B. Authentication Profile

C. Authentication Sequence

D. Multiple RADIUS Servers sharing a VSA configuration

C

37. Which of the following are necessary components of a GlobalProtect solution?

A. GlobalProtect NetConnect, GlobalProtect Agent, GlobalProtect Portal, Globalprotect Server

B. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Server

C. GlobalProtect Gateway, GlobalProtect netConnect, GlobalProtect Agent, GlobalProtect Portal,

GlobalProtect Server

D. GlobalProtect Gateway, GlobalProtect Agent, GlobalProtect Portal

D

38. To allow the PAN device to resolve internal and external DNS host names for reporting and for security

policy, an administrator can do the following:

A. Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for

internal domain. Then, in the device settings, select the proxy object as the Primary DNS and create a

custom security rule which references that object for

B. In the device setting define internal hosts via a static list.

C. Create a DNS Proxy Object with a default DNS Server for external resolution and a DNS server for

internal domain. Then, in the device settings, point to this proxy object for DNS resolution.

D. In the device settings set the Primary DNS server to an external server and the secondary to an internal

server.

C

39. On a PA-4050 with tap interfaces configured on one copper port and one fiber port, how many virtual

wires can be configured using the remaining ports?

A. 12

B. 11

C. 10

D. 9

B


40. An Outbound SSL forward-proxy decryption rule cannot be created using which type of zone?

A. Virtual Wire

B. L3

C. L2

D. Tap

D

41. Which of the following represents potential HTTP traffic events that can be used to identify potential

Botnets?

A. Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains

that have been registered in the last 30 days, downloading executable files from unknown URLs

B. Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains

that have been registered in the last 60 days, downloading executable files from unknown URLs

C. Traffic from users that browse to IP addresses instead of fully-qualified domain names, traffic to domains

that have been registered in the last 60 days, downloading executable files from unknown URLs,

IRC-based Command and Control traffic

D. Traffic from users that browse to IP addresses instead of fully-qualified domain names, downloading

W32.Welchia.Worm from a Windows share, traffic to domains that have been registered in the last 30

days, downloading executable files from unknown URLs

A
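The answer to question 41 lists the three HTTP heuristics the botnet report is built from: browsing to IP literals instead of host names, visiting domains registered within the last 30 days, and downloading executables from unknown URLs. The following Python script is an added example, not code from the question bank or from Palo Alto Networks, that runs those heuristics over a handful of constructed URL log lines; the log format, the user names, the registration-date table (which stands in for a WHOIS lookup) and the list of executable suffixes are all assumptions made for the illustration.

```python
import ipaddress
from datetime import date, timedelta
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed URL log lines (not real firewall output):
# timestamp, source user, URL, URL category.
URL_LOG = """\
2012-03-01 09:15:02,alice,http://www.example.com/index.html,business-and-economy
2012-03-01 09:16:45,bob,http://192.0.2.44/update.exe,unknown
2012-03-01 09:17:10,carol,http://fresh-domain.example/login,unknown
2012-03-01 09:18:33,dave,http://cdn.example.org/tool.exe,unknown
2012-03-01 09:19:01,erin,http://old-domain.example/news,news
"""

# Constructed registration dates standing in for a WHOIS lookup.
REGISTRATION_DATES = {
    "www.example.com": date(1995, 8, 14),
    "fresh-domain.example": date(2012, 2, 20),
    "cdn.example.org": date(2003, 1, 1),
    "old-domain.example": date(2005, 6, 1),
}
REPORT_DATE = date(2012, 3, 1)            # "today" for the report window
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi")


def is_ip_literal(host: str) -> bool:
    """Browsing to an IP address instead of a fully qualified domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def newly_registered(host: str, days: int = 30, today: date = REPORT_DATE) -> bool:
    """Domain registered within the last `days` days (30 in the answer key)."""
    registered = REGISTRATION_DATES.get(host)
    return registered is not None and today - registered <= timedelta(days=days)


def unknown_executable(url: str, category: str) -> bool:
    """Executable downloaded from a URL the URL filtering database cannot categorise."""
    return category == "unknown" and urlsplit(url).path.lower().endswith(EXECUTABLE_SUFFIXES)


def botnet_indicators(log_text: str, days: int = 30) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (user, url, reasons) for every log line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        _ts, user, url, category = line.split(",", 3)
        host = urlsplit(url).hostname or ""
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal")
        if newly_registered(host, days):
            reasons.append("newly-registered")
        if unknown_executable(url, category):
            reasons.append("unknown-executable")
        if reasons:
            findings.append((user, url, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for user, url, reasons in botnet_indicators(URL_LOG):
        print(f"{user:8s} {', '.join(reasons):32s} {url}")
```

Three of the five constructed lines are flagged: bob's download trips both the IP-literal and unknown-executable checks, carol's visit to a ten-day-old domain trips the registration-age check, and dave's download trips only the unknown-executable check; tightening the window to 5 days drops carol's line, which is the kind of threshold the administrator stipulates in the report conditions (question 18).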

42. How many bytes of the URL are captured in the URL log?

A. 2047

B. 1023

C. 511

D. 255

B

43. In the event that the “show proxy setting” command displays a ready state of “no”, what is most likely

the cause?

A. SSL decryption rule is not created

B. SSL forward proxy certificate is not generated

C. Web interface certificate is not generated

D. Forward proxy license is not enabled on the box

B

44. Which of the following are accurate statements describing the HA3 link in an Active-Active HA

deployment?

A. HA3 is used to handle asymmetric routing, HA3 is the data link

B. HA3 is a Layer 2 link, HA3 is used to handle asymmetric routing

C. HA3 is used for session synchronization, HA3 is a Layer 2 link

D. HA3 is the control link, HA3 is a layer 2 link

B

45. The maximum number of interfaces that can be configured in a single Virtual Wire object is:

A. 8

B. 4

C. 2

D. 1

C


46. If you want to prevent client PCs using SSH port-forwarding to bypass firewall enforcement, what is the

best way of accomplishing this ?

A. Enable SSH decryption, block SSH traffic

B. Enable SSH decryption, block SSH tunnel traffic

C. Enable SSL decryption, block SSH tunnel traffic

D. Enable SSL decryption, block SSH traffic

B

47. Which mode will allow a user to choose how they wish to connect to the GlobalProtect Network as they

would like?

A. Always On Mode

B. Single Sign-On Mode

C. Optional Mode

D. On Demand Mode

D

48. Which two statements are true about the Session Owner device in an Active/Active HA pair?

A. The Session Owner performs all Layer 3 and Layer 4 packet processing, the Session owner is

responsible for generating traffic logs

B. The Session Owner is responsible for generating traffic logs, the Active Primary device is always the

Session Owner.

C. The Session owner performs Layer 3 and Layer 4 packet processing, the Active Primary device is always

the Session Owner

D. The Session Owner does all Layer 7 processing, The Active Primary device is always the Session Owner

A

49. A “Continue” action can be configured on the following Security Profiles:

A. URL Filtering and Antivirus

B. URL Filtering, File Blocking and Data Filtering

C. URL Filtering and File Blocking

D. URL Filtering

C

50. The “Disable Server Return Inspection” option on a security profile:

A. can only be configured in Tap Mode

B. performs higher-level inspection of traffic from the side that originated the TCP SYN packet

C. does not perform higher-level inspection of traffic from the side that originated the TCP SYN packet

D. performs higher-level inspection of traffic from the side that originated the TCP SYN-ACK packet

B

51. What needs to be done prior to committing a configuration in Panorama after making a change via the

CLI or web interface on a device?

A. No additional actions required

B. Re-import the configuration from the device into Panorama

C. Synchronize the configuration between the device and Panorama

D. Make the same change again via Panorama

A

52. Which of the following answers represents a group of address objects that can be used in a PANOS 4.0

Security rule?

A. IP netmask, FQDN, IP Range, VLAN

B. FQDN, IP range, VLAN

C. IP Netmask, IP range, VLAN

D. IP Netmask, IP range, FQDN

D


53. What is the default action against virus detection over SMTP protocol?

A. None

B. Alert

C. Reset

D. Drop

B

54. What rights to the domain does the Terminal Services Agent require in order to identify users on a

terminal server?

A. Domain Admin

B. Domain User

C. Does not need Domain permissions

D. Read access to the Security logs

C

55. In order to route between layer 3 interfaces on the PAN firewall you need:

A. Virtual Router

B. Security Profile

C. Vwire

D. VLAN

A

56. What is required to configure multiple Phase 2 IPSec VPN tunnels to the same Phase 1 gateway?

A. Multiple P2 tunnels with different Peer IDs on the same tunnel interfaces

B. Multiple P2 tunnels with different Proxy IDs on different tunnel interfaces

C. Multiple P2 tunnels with different Proxy IDs on the same tunnel interface

D. Multiple tunnel interfaces

C

57. Active/Active HA can be configured to provide:

A. Redundant Virtual routers

B. Support for asymmetric routing environments

C. Lower fail-over times

D. Higher session count

B

58. Where can you enable the “Dynamic URL Filtering” option?

A. Under Device / Licenses / URL Filtering

B. In the Zone Protection Profile settings

C. In the URL Filtering security profile object

D. In the zone configuration that includes the interface for the URL filtered traffic

C

59. Which of the following are valid HA states in an Active/Active High Availability deployment?

A. Active Tentative, Tentative, Non-functional

B. Active Primary, Tentative, Non-functional

C. Active Primary, Active Tentative, Tentative

D. Active Primary, Active Tentative, Non-functional

B

60. What option should be configured when using User Identification?

A. Enable User Identification per Zone

B. Enable User Identification per Security Rule

C. Enable User Identification per interface

D. None of the above

A


61. Which of the following licenses is necessary in order to provide more accurate Botnet reporting?

A. GlobalProtect Gateway License

B. Virtual System License

C. URL-Filtering License

D. Threat Prevention License

C

62. When using Panorama, how much storage capacity is available for logs? Select the best answer:

A. A 160GB virtual drive is attached by default to the Panorama VM; virtually unlimited storage can be

implemented via an NFS mount.

B. A 2TB virtual drive is attached by default to the Panorama VM; this drive must be mounted via NFS

C. VMware allows unlimited storage to the Panorama VM; an NFS mount can be added to offload the

storage to another server

D. VMware allows 2 TB of locally attached storage, but an NFS mount can be added for virtually unlimited

storage

D

63. When forwarding multicast packets in L2 mode, we can configure security policies to match on

multicast IP address.

A. True

B. False

B

64. With URL filtering, the order of checking within a profile is 1) allow list; 2) block list; 3) Custom

categories; 4) Pre-defined categories

A. True

B. False

B

65. Which of the following can be configured as a next hop in a Policy-Based Forwarding Rule:

A. A Redistribution Profile

B. Virtual System

C. A Dynamic Routing Protocol

D. Virtual Router

B

66. When configuring Security rules based on FQDN objects, which of the following statements is true?

A. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration. The

resolution of this FQDN stores up to 10 different IP addresses.

B. The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.

There is no limit on the number of IP addresses stored for each resolved FQDN.

C. The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security

rules are evaluated.

D. In order to create FQDN-based objects, you need to manually define a list of associated IP. Up to 10 IP

address can be configured for each FQDN entry.

B

67. You’ve installed and configured a User Identification Agent on a remote computer, but when the agent

user interface is launched the message “Connection Failed” is shown and no usernames are resolved.

What is the most likely cause of this problem?

A. The User Identification Agent timeout values are not configured correctly.

B. The User Identification Agent cannot communicate to the firewall

C. The User Identification Agent software did not install properly.

D. The User Identification Agent service does not have read permission to the Active Directory Security log

D


68. In Active/Active HA environments, redundancy for the HA3 interface can be achieved by

A. Configuring HA3 in a redundant group

B. Configuring multiple HA3 interfaces

C. Configuring a corresponding HA4 interface

D. Configuring HA3 as an Aggregate Ethernet bundle

D

69. What is the CLI command that will initiate all IPsec VPN tunnels on a device?

A. set vpn all up

B. test vpn ike-sa

C. request vpn IPsec-sa test

D. test vpn IPsec-sa

D

70. When creating an application filter, which of the following characteristics cannot be selected as a

“match”?

A. Excessive bandwidth

B. Used by malware

C. Transfers files

D. Excessive sessions

D

71. In PANOS 4.0 or greater, which of the following is an accurate statement in regard to support for IPv6?

A. PANOS supports Content ID in IPv6, but only in Layer 3 Mode.

B. Threat Prevention capabilities are not supported in IPv6.

C. User ID is only supported in IPv6 when the Palo Alto Networks firewall is deployed in Vwire mode.

D. PANOS supports dual-stack IP for IPv4 and IPv6. This includes Virtual Wire and Layer 3 deployments.

D

72. A traffic log entry with an Application of “incomplete” means:

A. The App-ID engine could not find a matching application

B. The TCP SYN-ACK response packet was not seen before the session timed out

C. An invalid SSL certificate is in use

D. Captive Portal has not been configured properly

B

73. The following routing protocols are supported on the Palo Alto Networks platform:

A. RIPv1

B. ISIS

C. BGP

D. RSTP

C

74. A tunnel interface can only support one IPSec tunnel.

A. True

B. False

B

75. A different SSL inbound certificate can be added for a different SSL inbound decryption rule.

A. True

B. False

A

76. When loading SSL inbound certificates via the web interface, the dataplane must be restarted before

they take effect.

A. True

B. False

B


77. In order to generate a scheduled report in panorama, you must forward logs from the device to

Panorama?

A. True

B. False

B

78. All management services must communicate through the MGT interface on a Palo Alto Networks

firewall.

A. True

B. False

B

79. Security Profiles can be configured in Application Override policies.

A. True

B. False

B

80. If an HTTP application is misclassified, the only option is to submit a new application request to Palo

Alto Networks.

A. True

B. False

B