ace
Content
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 1/7
Test Accredited Configuration Engineer (ACE) Exam PANOS 6.1 Version
ACE Exam
Question 1 of 50.
The following can be configured as a next hop in a static route:
A PolicyBased Forwarding Rule
Virtual Systems
Virtual Router
Virtual Switch
Mark for follow up
Question 2 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candida
hese changes may be undone by Device > Setup > Operations >
Configuration Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot
Mark for follow up
Question 3 of 50.
Which statement below is True?
PANOS uses BrightCloud for URL Filtering, replacing PANDB.
PANOS uses BrightCloud as its default URL Filtering database, but also supports PANDB.
PANOS uses PANDB as the default URL Filtering database, but also supports BrightCloud.
PANOS uses PANDB for URL Filtering, replacing BrightCloud.
Mark for follow up
Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the o
thin a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cach
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, All
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined cat
Mark for follow up
Question 5 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Pee
ice. In situations where the public IP address is
not static, the Peer ID can be a text value.
True False
Mark for follow up
Question 6 of 50.
The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse t
1, which of the following statements must be True about this
firewall’s configuration? (Select all correct answers.)
There must be a security policy from Internet zone to trust zone that allows ping.
There must be a security policy from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 2/7
Mark for follow up
Question 7 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Decryption Profile in PBF
Decryption Profile in Security Profile
Mark for follow up
Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True False
Mark for follow up
Question 9 of 50.
Which of the following would be a reason to use the PANOS XML API to communicate with a Palo
To permit syslogging of User Identification events.
To pull information from other network resources for UserID.
To allow the firewall to push UserID information to a Network Access Control (NAC) device.
Mark for follow up
Question 10 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Initial configuration may be accomplished thru the MGT interface or the Console port.
The default Admin account may be disabled or deleted.
By default the MGT Port s IP Address is 192.168.1.1/24.
System defaults may be restored by performing a factory reset in Maintenance Mode.
Mark for follow up
Question 11 of 50.
After the installation of a new version of PANOS, the firewall must be rebooted.
True False
Mark for follow up
Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct an
BrightCloud URL Filtering
Applications and Threats
Applications
Antivirus
Mark for follow up
Question 13 of 50.
Colorcoded tags can be used on all of the items listed below EXCEPT:
Address Objects
Service Groups
Zones
Vulnerability Profiles
Mark for follow up
Question 14 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order
True False
Mark for follow up
Question 15 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True False
Mark for follow up
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 3/7
Question 16 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you
Virtual Router
VLAN
Virtual Wire
Security Profile
Mark for follow up
Question 17 of 50.
An interface in tap mode can transmit packets on the wire.
True False
Mark for follow up
Question 18 of 50.
When Destination Network Address Translation is being performed, the destination in the corre
rity Policy Rule should use:
The PostNAT destination zone and PostNAT IP address.
The PreNAT destination zone and PreNAT IP address.
The PreNAT destination zone and PostNAT IP address.
The PostNAT destination zone and PreNAT IP address.
Mark for follow up
Question 19 of 50.
Taking into account only the information in the screenshot above, answer the following questi
tions will be allowed on their standard ports? (Select all correct
answers.)
BitTorrent
Gnutella
Skype
SSH
Mark for follow up
Question 20 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following
In order to create FQDNbased objects, you need to manually define a list of associated IP ad
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN agai
iles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN agai
Mark for follow up
Question 21 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
Multiple RADIUS servers sharing a VSA configuration.
A custom Administrator Profile.
An Authentication Profile.
Mark for follow up
Question 22 of 50.
Will an exported configuration contain Management Interface settings?
Yes No
Mark for follow up
Question 23 of 50.
When using Config Audit, the color yellow indicates which of the following?
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 4/7
A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.
Mark for follow up
Question 24 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must
o authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a
hentication typeand all users must use this method.
Mark for follow up
Question 25 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most info
Responding side, System Log
Initiating side, Traffic log
Initiating side, System log
Responding side, Traffic log
Mark for follow up
Question 26 of 50.
UserID is enabled in the configuration of …
A Zone.
A Security Profile.
An Interface.
A Security Policy.
Mark for follow up
Question 27 of 50.
What will the user experience when attempting to access a blocked hacking website through a t
ch as Google Translate or Bing Translator?
A “Blocked” page response when the URL filtering policy to block is enforced.
A “Success” page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 Service unavailable" message.
Mark for follow up
Question 28 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block
c?
Nothing. You can depend on PANOS to block the webbrowsing traffic that is not needed for Fa
Ensure that the Service column is defined as "applicationdefault" for this Security policy.
atically include the implicit webbrowsing application dependency.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that webbrowsing is included in the same rule.
Mark for follow up
Question 29 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True False
Mark for follow up
Question 30 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Antivirus
Mark for follow up
Question 31 of 50.
Which of the following interface types can have an IP address assigned to it?
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 5/7
Layer 3
Layer 2
Tap
Virtual Wire
Mark for follow up
Question 32 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on t
l correct answers.)
Improved DNSbased C&C signatures.
Improved PANDB malware detection.
Improved BrightCloud malware detection.
Improved malware detection in WildFire.
Mark for follow up
Question 33 of 50.
Security policies specify a source interface and a destination interface.
True False
Mark for follow up
Question 34 of 50.
Taking into account only the information in the screenshot above, answer the following questi
tor is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be denied.
The BitTorrent traffic will be allowed.
The SSH traffic will be allowed.
The BitTorrent traffic will be denied.
Mark for follow up
Question 35 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
A single IP address is used, and the source port number is unchanged.
The next available IP address in the configured pool is used, but the source port number is u
A single IP address is used, and the source port number is changed.
The next available address in the configured pool is used, and the source port number is chan
Mark for follow up
Question 36 of 50.
What are two sources of information for determining whether the firewall has been successful
th an external UserID Agent?
System Logs and Authentication Logs.
System Logs and the indicator light under the UserID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.
Mark for follow up
Question 37 of 50.
Which predefined Admin Role has all rights except the rights to create administrative accoun
s?
Superuser
Device Administrator
A custom admin role must be created for this specific combination of rights.
vsysadmin
Mark for follow up
Question 38 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 6/7
True False
Mark for follow up
Question 39 of 50.
Taking into account only the information in the screenshot above, answer the following questi
ch is connected to e1/4, but there are no traffic logs. Which of
the following conditions most likely explains this behavior?
The interface is not up.
There is no zone assigned to the interface.
The interface is not assigned an IP address.
The interface is not assigned a virtual router.
Mark for follow up
Question 40 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A subscriptionbased SSL Port license
A free PANPADecrypt license
A Client Decryption license
A subscriptionbased PANPADecrypt license
Mark for follow up
Question 41 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes No
Mark for follow up
Question 42 of 50.
Which of the following CANNOT use the source user as a match criterion?
DoS Protection
Secuirty Policies
Antivirus Profile
Policy Based Forwarding
QoS
Mark for follow up
Question 43 of 50.
Which of the following must be enabled in order for UserID to function?
Captive Portal Policies must be enabled.
UserID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.
Security Policies must have the UserID option enabled.
Mark for follow up
Question 44 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either
ess Object.
True False
Mark for follow up
Question 45 of 50.
When configuring the firewall for UserID, what is the maximum number of Domain Controllers t
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 7/7
50
100
10
150
Mark for follow up
Question 46 of 50.
Besides selecting the Heartbeat Backup option when creating an ActivePassive HA Pair, which
revents "SplitBrain"?
Creating a custom interface under Service Route Configuration, and assigning this interface a
nk.
Configuring an independent backup HA1 link.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pai
Under “Packet Forwarding”, selecting the VR Sync checkbox.
Mark for follow up
Question 47 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (builtin user roles) and RoleB
es) for Administrator Accounts.
True False
Mark for follow up
Question 48 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to co
ling in policies by specifying the SSHtunnel AppID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Mark for follow up
Question 49 of 50.
In which of the following can UserID be used to provide a match condition? (Select all corre
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles
Mark for follow up
Question 50 of 50.
In PANOS 6.0, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall’s policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of
Mark for follow up
Save / Return Later Summary
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 1/7
Test Accredited Configuration Engineer (ACE) Exam PANOS 6.1 Version
ACE Exam
Question 1 of 50.
The following can be configured as a next hop in a static route:
A PolicyBased Forwarding Rule
Virtual Systems
Virtual Router
Virtual Switch
Mark for follow up
Question 2 of 50.
As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candida
hese changes may be undone by Device > Setup > Operations >
Configuration Management>....and then what operation?
Revert to Running Configuration
Revert to last Saved Configuration
Load Configuration Version
Import Named Configuration Snapshot
Mark for follow up
Question 3 of 50.
Which statement below is True?
PANOS uses BrightCloud for URL Filtering, replacing PANDB.
PANOS uses BrightCloud as its default URL Filtering database, but also supports PANDB.
PANOS uses PANDB as the default URL Filtering database, but also supports BrightCloud.
PANOS uses PANDB for URL Filtering, replacing BrightCloud.
Mark for follow up
Question 4 of 50.
When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the o
thin a profile is:
Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cach
Block list, Allow list, Custom Categories, Cache files, Local URL DB file.
Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, All
Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined cat
Mark for follow up
Question 5 of 50.
With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Pee
ice. In situations where the public IP address is
not static, the Peer ID can be a text value.
True False
Mark for follow up
Question 6 of 50.
The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse t
1, which of the following statements must be True about this
firewall’s configuration? (Select all correct answers.)
There must be a security policy from Internet zone to trust zone that allows ping.
There must be a security policy from trust zone to Internet zone that allows ping.
There must be appropriate routes in the default virtual router.
There must be a Management Profile that allows ping. (Then assign that Management Profile to
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 2/7
Mark for follow up
Question 7 of 50.
Which feature can be configured to block sessions that the firewall cannot decrypt?
Decryption Profile in Security Policy
Decryption Profile in Decryption Policy
Decryption Profile in PBF
Decryption Profile in Security Profile
Mark for follow up
Question 8 of 50.
All of the interfaces on a Palo Alto Networks device must be of the same interface type.
True False
Mark for follow up
Question 9 of 50.
Which of the following would be a reason to use the PANOS XML API to communicate with a Palo
To permit syslogging of User Identification events.
To pull information from other network resources for UserID.
To allow the firewall to push UserID information to a Network Access Control (NAC) device.
Mark for follow up
Question 10 of 50.
Which of the following statements is NOT True about Palo Alto Networks firewalls?
Initial configuration may be accomplished thru the MGT interface or the Console port.
The default Admin account may be disabled or deleted.
By default the MGT Port s IP Address is 192.168.1.1/24.
System defaults may be restored by performing a factory reset in Maintenance Mode.
Mark for follow up
Question 11 of 50.
After the installation of a new version of PANOS, the firewall must be rebooted.
True False
Mark for follow up
Question 12 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis? (Select all correct an
BrightCloud URL Filtering
Applications and Threats
Applications
Antivirus
Mark for follow up
Question 13 of 50.
Colorcoded tags can be used on all of the items listed below EXCEPT:
Address Objects
Service Groups
Zones
Vulnerability Profiles
Mark for follow up
Question 14 of 50.
In a Palo Alto Networks firewall, every interface in use must be assigned to a zone in order
True False
Mark for follow up
Question 15 of 50.
You can assign an IP address to an interface in Virtual Wire mode.
True False
Mark for follow up
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 3/7
Question 16 of 50.
In order to route traffic between Layer 3 interfaces on the Palo Alto Networks firewall, you
Virtual Router
VLAN
Virtual Wire
Security Profile
Mark for follow up
Question 17 of 50.
An interface in tap mode can transmit packets on the wire.
True False
Mark for follow up
Question 18 of 50.
When Destination Network Address Translation is being performed, the destination in the corre
rity Policy Rule should use:
The PostNAT destination zone and PostNAT IP address.
The PreNAT destination zone and PreNAT IP address.
The PreNAT destination zone and PostNAT IP address.
The PostNAT destination zone and PreNAT IP address.
Mark for follow up
Question 19 of 50.
Taking into account only the information in the screenshot above, answer the following questi
tions will be allowed on their standard ports? (Select all correct
answers.)
BitTorrent
Gnutella
Skype
SSH
Mark for follow up
Question 20 of 50.
When configuring a Security Policy Rule based on FQDN Address Objects, which of the following
In order to create FQDNbased objects, you need to manually define a list of associated IP ad
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN agai
iles are evaluated.
The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN agai
Mark for follow up
Question 21 of 50.
Users may be authenticated sequentially to multiple authentication servers by configuring:
An Authentication Sequence.
Multiple RADIUS servers sharing a VSA configuration.
A custom Administrator Profile.
An Authentication Profile.
Mark for follow up
Question 22 of 50.
Will an exported configuration contain Management Interface settings?
Yes No
Mark for follow up
Question 23 of 50.
When using Config Audit, the color yellow indicates which of the following?
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 4/7
A setting has been changed between the two config files
A setting has been deleted from a config file.
A setting has been added to a config file
An invalid value has been used in a config file.
Mark for follow up
Question 24 of 50.
When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must
o authenticate through multiple methods?
Create an Authentication Sequence, dictating the order of authentication profiles.
Create multiple authentication profiles for the same user.
This cannot be done. A single user can only use one authentication type.
This cannot be done. Although multiple authentication methods exist, a firewall must choose a
hentication typeand all users must use this method.
Mark for follow up
Question 25 of 50.
When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most info
Responding side, System Log
Initiating side, Traffic log
Initiating side, System log
Responding side, Traffic log
Mark for follow up
Question 26 of 50.
UserID is enabled in the configuration of …
A Zone.
A Security Profile.
An Interface.
A Security Policy.
Mark for follow up
Question 27 of 50.
What will the user experience when attempting to access a blocked hacking website through a t
ch as Google Translate or Bing Translator?
A “Blocked” page response when the URL filtering policy to block is enforced.
A “Success” page response when the site is successfully translated.
The browser will be redirected to the original website address.
An "HTTP Error 503 Service unavailable" message.
Mark for follow up
Question 28 of 50.
When you have created a Security Policy Rule that allows Facebook, what must you do to block
c?
Nothing. You can depend on PANOS to block the webbrowsing traffic that is not needed for Fa
Ensure that the Service column is defined as "applicationdefault" for this Security policy.
atically include the implicit webbrowsing application dependency.
Create an additional rule that blocks all other traffic.
When creating the policy, ensure that webbrowsing is included in the same rule.
Mark for follow up
Question 29 of 50.
Both SSL decryption and SSH decryption are disabled by default.
True False
Mark for follow up
Question 30 of 50.
A "Continue" action can be configured on which of the following Security Profiles?
URL Filtering and File Blocking
URL Filtering only
URL Filtering, File Blocking, and Data Filtering
URL Filtering and Antivirus
Mark for follow up
Question 31 of 50.
Which of the following interface types can have an IP address assigned to it?
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 5/7
Layer 3
Layer 2
Tap
Virtual Wire
Mark for follow up
Question 32 of 50.
What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on t
l correct answers.)
Improved DNSbased C&C signatures.
Improved PANDB malware detection.
Improved BrightCloud malware detection.
Improved malware detection in WildFire.
Mark for follow up
Question 33 of 50.
Security policies specify a source interface and a destination interface.
True False
Mark for follow up
Question 34 of 50.
Taking into account only the information in the screenshot above, answer the following questi
tor is using SSH on port 3333 and BitTorrent on port 7777. Which
statements are True?
The SSH traffic will be denied.
The BitTorrent traffic will be allowed.
The SSH traffic will be allowed.
The BitTorrent traffic will be denied.
Mark for follow up
Question 35 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
A single IP address is used, and the source port number is unchanged.
The next available IP address in the configured pool is used, but the source port number is u
A single IP address is used, and the source port number is changed.
The next available address in the configured pool is used, and the source port number is chan
Mark for follow up
Question 36 of 50.
What are two sources of information for determining whether the firewall has been successful
th an external UserID Agent?
System Logs and Authentication Logs.
System Logs and the indicator light under the UserID Agent settings in the firewall.
System Logs and an indicator light on the chassis.
Traffic Logs and Authentication Logs.
Mark for follow up
Question 37 of 50.
Which predefined Admin Role has all rights except the rights to create administrative accoun
s?
Superuser
Device Administrator
A custom admin role must be created for this specific combination of rights.
vsysadmin
Mark for follow up
Question 38 of 50.
An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 6/7
True False
Mark for follow up
Question 39 of 50.
Taking into account only the information in the screenshot above, answer the following questi
ch is connected to e1/4, but there are no traffic logs. Which of
the following conditions most likely explains this behavior?
The interface is not up.
There is no zone assigned to the interface.
The interface is not assigned an IP address.
The interface is not assigned a virtual router.
Mark for follow up
Question 40 of 50.
Which type of license is required to perform Decryption Port Mirroring?
A subscriptionbased SSL Port license
A free PANPADecrypt license
A Client Decryption license
A subscriptionbased PANPADecrypt license
Mark for follow up
Question 41 of 50.
Can multiple administrator accounts be configured on a single firewall?
Yes No
Mark for follow up
Question 42 of 50.
Which of the following CANNOT use the source user as a match criterion?
DoS Protection
Secuirty Policies
Antivirus Profile
Policy Based Forwarding
QoS
Mark for follow up
Question 43 of 50.
Which of the following must be enabled in order for UserID to function?
Captive Portal Policies must be enabled.
UserID must be enabled for the source zone of the traffic that is to be identified.
Captive Portal must be enabled.
Security Policies must have the UserID option enabled.
Mark for follow up
Question 44 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either
ess Object.
True False
Mark for follow up
Question 45 of 50.
When configuring the firewall for UserID, what is the maximum number of Domain Controllers t
4/7/2015 Empowering People: paloaltonetworks
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=1d91785b-4c5f
-4aad-8994-b323d6d076a1&evalLvl=5&redirect_url=%2fphnx%2fdriver.… 7/7
50
100
10
150
Mark for follow up
Question 46 of 50.
Besides selecting the Heartbeat Backup option when creating an ActivePassive HA Pair, which
revents "SplitBrain"?
Creating a custom interface under Service Route Configuration, and assigning this interface a
nk.
Configuring an independent backup HA1 link.
Configuring a backup HA2 link that points to the MGT interface of the other device in the pai
Under “Packet Forwarding”, selecting the VR Sync checkbox.
Mark for follow up
Question 47 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (builtin user roles) and RoleB
es) for Administrator Accounts.
True False
Mark for follow up
Question 48 of 50.
When configuring a Decryption Policy rule, which option allows a firewall administrator to co
ling in policies by specifying the SSHtunnel AppID?
SSH Proxy
SSL Forward Proxy
SSL Inbound Inspection
SSL Reverse Proxy
Mark for follow up
Question 49 of 50.
In which of the following can UserID be used to provide a match condition? (Select all corre
Security Policies
NAT Policies
Zone Protection Policies
Threat Profiles
Mark for follow up
Question 50 of 50.
In PANOS 6.0, rule numbers are:
Numbers that specify the order in which security policies are evaluated.
Numbers created to be unique identifiers in each firewall’s policy database.
Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
Numbers created to make it easier for users to discuss a complicated or difficult sequence of
Mark for follow up
Save / Return Later Summary
