PaloAlto_ACE认证考试题库及答案2015_4.docx

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 7.0 VersionACE ExamQuestion 1 of 50.Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?There is no zone assigned to the interface.The interface is not assigned an IP address.The interface is not assigned a virtual router.The interface is not up.Mark for follow upQuestion 2 of 50.Which of the following must be enabled in order for User-ID to function?User-ID must be enabled for the source zone of the traffic that is to be identified.Captive Portal must be enabled.Security Policies must have the User-ID option enabled.Captive Portal Policies must be enabled.Mark for follow upQuestion 3 of 50.In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.TrueFalseMark for follow upQuestion 4 of 50.When an interface is in Tap mode and a Policys action is set to “block”, the interface will send a TCP reset.TrueFalseMark for follow upQuestion 5 of 50.Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of response?There is a Security Policy that prevents ping.There is no route back to the machine originating the ping.There is no Management Profile.The interface is down.Mark for follow upQuestion 6 of 50.When employing the BrightCloud URL filtering database in a Palo Alto Networks firewall, the order of evaluation within a profile is:Block list, Custom Categories, Predefined categories, Dynamic URL filtering, Allow list, Cache files.Dynamic URL filtering, Block list, Allow list, Cache files, Custom categories, Predefined categories.Block list, Custom Categories, Cache files, Predefined categories, Dynamic URL filtering, Allow list.Block list, Allow list, Custom Categories, Cache files, Local URL DB file.Mark for follow upQuestion 7 of 50.In PAN-OS 6.0 and later, which of these items may be used as match criterion in a Policy-Based Forwarding Rule? (Choose 3.)Source UserDestination ZoneSource ZoneDestination Application Mark for follow upQuestion 8 of 50.Which of the following is NOT a valid option for built-in CLI Admin roles?deviceadmindevicereadersuperuserread/writeMark for follow upQuestion 9 of 50.An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.TrueFalseMark for follow upQuestion 10 of 50.After the installation of the Threat Prevention license, the firewall must be rebooted.TrueFalseMark for follow upQuestion 11 of 50.You can assign an IP address to an interface in Virtual Wire mode.TrueFalseMark for follow upQuestion 12 of 50.When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?Initiating side, Traffic logResponding side, Traffic logResponding side, System LogInitiating side, System logMark for follow upQuestion 13 of 50.Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?50050100010Mark for follow upQuestion 14 of 50.Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.TrueFalseMark for follow upQuestion 15 of 50.In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?App-ID SignaturesCommand & Control SignaturesCustom SignaturesCorrelation ObjectsCorrelation EventsMark for follow upQuestion 16 of 50.Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?The SSH traffic will be denied.The BitTorrent traffic will be denied.The SSH traffic will be allowed.The BitTorrent traffic will be allowed. Mark for follow upQuestion 17 of 50.What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?The MGT interface address.The default gateway of the firewall.Any layer 3 interface address specified by the firewall administrator.The local loopback address.Mark for follow upQuestion 18 of 50.The screenshot above shows part of a firewalls configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewalls configuration? (Select all correct answers.)There must be appropriate routes in the default virtual router.There must be a security policy rule from Internet zone to trust zone that allows ping.There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)There must be a security policy rule from trust zone to Internet zone that allows ping. Mark for follow upQuestion 19 of 50.What general practice best describes how Palo Alto Networks firewall policies are applied to a session?Most specific match applied.Last match applied.The rule with the highest rule number is applied.First match applied.Mark for follow upQuestion 20 of 50.A Continue action can be configured on which of the following Security Profiles?URL Filtering and File BlockingURL Filtering onlyURL Filtering, File Blocking, and Data FilteringURL Filtering and Anti-virusMark for follow upQuestion 21 of 50.Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?To allow the firewall to push User-ID information to a Network Access Control (NAC) device.To permit syslogging of User Identification events.To pull information from other network resources for User-ID.Mark for follow upQuestion 22 of 50.Which statement below is True?PAN-OS uses BrightCloud as its default URL Filtering database, but also supports PAN-DB.PAN-OS uses PAN-DB for URL Filtering, replacing BrightCloud.PAN-OS uses BrightCloud for URL Filtering, replacing PAN-DB.PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.Mark for follow upQuestion 23 of 50.Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often asOnce an hourOnce every 15 minutesOnce a weekOnce a dayMark for follow upQuestion 24 of 50.What is the maximum file size of .EXE files uploaded from the firewall to WildFire?Always 10 megabytes.Configurable up to 10 megabytes.Configurable up to 2 megabytes.Always 2 megabytes.Mark for follow upQuestion 25 of 50.Enabling Highlight Unused Rules in the Security Policy window will:Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.Display rules that caused a validation error to occur at the time a Commit was performed.Highlight all rules that did not match traffic within an administrator-specified time period.Mark for follow upQuestion 26 of 50.Security policy rules specify a source interface and a destination interface.TrueFalseMark for follow upQuestion 27 of 50.When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.Mark for follow upQuestion 28 of 50.Which of the following facts about dynamic updates is correct?Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.Anti-virus updates are released daily. Application and Threat updates are released weekly.Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.Application and Anti-virus updates are released weekly. Threat and “Threat and URL Filtering” updates are released weekly.Mark for follow upQuestion 29 of 50.Which of the following most accurately describes Dynamic IP in a Source NAT configuration?The next available IP address in the configured pool is used, but the source port number is unchanged.The next available address in the configured pool is used, and the source port number is changed.A single IP address is used, and the source port number is changed.A single IP address is used, and the source port number is unchanged.Mark for follow upQuestion 30 of 50.When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?Create an Authentication Sequence, dictating the order of authentication profiles.This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type-and all users must use this method.Create multiple authentication profiles for the same user.This cannot be done. A single user can only use one authentication type.Mark for follow upQuestion 31 of 50.An interface in tap mode can transmit packets on the wire.TrueFalseMark for follow upQuestion 32 of 50.When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?1005015010Mark for follow upQuestion 33 of 50.The Drive-By Download protection feature, under File Blocking profiles in Content-ID, provides:Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.Password-protected access to specific file downloads for authorized users.The ability to use Authentication Profiles, in order to protect against unwanted downloads.Increased speed on downloads of file types that are explicitly enabled.Mark for follow upQuestion 34 of 50.In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)Security PoliciesNAT PoliciesZone Protection PoliciesThreat ProfilesMark for follow upQuestion 35 of 50.With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.TrueFalseMark for follow upQuestion 36 of 50.Which of the following platforms supports the Decryption Port Mirror function?PA-3000VM-Series 100PA-2000PA-4000Mark for follow upQuestion 37 of 50.As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?Application Block Pages will only be displayed when Captive Portal is configured.The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.The File Blocking Block Page was disabled.Some App-IDs are set with a Session Timeout value that is too low.Mark for follow upQuestion 38 of 50.PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile type?File AnalysisWildFire AnalysisMalware AnalysisThreat AnalysisMark for follow upQuestion 39 of 50.Which feature can be configured to block sessions that the firewall cannot decrypt?Decryption Profile in PBFDecryption Profile in Decryption PolicyDecryption Profile in Security PolicyDecryption Profile in Security ProfileMark for follow upQuestion 40 of 50.Select the implicit rules that are applied to traffic that fails to match any administrator-defined Security Policies. (Choose all rules that are correct.)Intra-zone traffic is allowedInter-zone traffic is deniedIntra-zone traffic is deniedInter-zone traffic is allowed Mark for follow upQuestion 41 of 50.Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.Mark for follow upQuestion 42 of 50.Which of the following are methods that HA clusters use to identify network outages?Heartbeat and Session MonitorsLink and Session MonitorsPath and Link MonitoringVR and VSYS MonitorsMark for follow upQuestion 43 of 50.Can multiple administrator accounts be configured on a single firewall?YesNoMark for follow upQuestion 44 of 50.Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason and purpose for the WildFire Hybrid solution?The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription.The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well providing the option to send other, general files to the WildFire Public Cloud for analy