Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

ACE Exam

Question 1 of 50. Which of the following statements is NOT True regarding a Decryption Mirror interface?
- Supports SSL outbound
- Supports SSL inbound
- Can be a member of any VSYS
- Requires superuser privilege

Question 2 of 50. How do you reduce the amount of information recorded in the URL Content Filtering Logs?
- Enable "Log container page only".
- Disable URL packet captures.
- Enable URL log caching.
- Enable DSRI.

Question 3 of 50. Which routing protocol is supported on the Palo Alto Networks platform?
- BGP
- RIPv1
- ISIS
- RSTP

Question 4 of 50. When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?
- Create multiple authentication profiles for the same user.
- This cannot be done. A single user can only use one authentication type.
- Create an Authentication Sequence, dictating the order of authentication profiles.
- This cannot be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type and all users must use this method.

https://paloaltonetworks.csod.com/evaluations/evallaunch.aspx?loid=7557e253 1f91 470f a91c a284f048d2c3&evallvl=5&redirect_url=%2fphnx%2fdriver.as

Question 5 of 50. In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.
- True
- False

Question 6 of 50. Which of the following CANNOT use the source user as a match criterion?
- DoS Protection
- Security Policies
- QoS
- Anti-virus Profile
- Policy Based Forwarding

Question 7 of 50. A Config Lock may be removed by which of the following users? (Select all correct answers.)
- Device administrators
- Any administrator
- The administrator who set it
- Superusers

Question 8 of 50. Taking into account only the information in the screenshot above, answer the following question. An administrator is using SSH on port 3333 and BitTorrent on port 7777. Which statements are True?
- The BitTorrent traffic will be denied.
- The SSH traffic will be allowed.
- The BitTorrent traffic will be allowed.
- The SSH traffic will be denied.

Question 9 of 50. With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.
- True
- False

Question 10 of 50. What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for the action setting?
- A Data Filtering profile with possible actions of Forward or Continue and Forward.
- A Vulnerability Protection profile with the possible action of Forward.
- A File Blocking profile with possible actions of Forward or Continue and Forward.
- A URL Filtering profile with the possible action of Forward.

Question 11 of 50. Both SSL decryption and SSH decryption are disabled by default.
- True
- False

Question 12 of 50. Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?
- To permit syslogging of User Identification events.
- To pull information from other network resources for User-ID.
- To allow the firewall to push User-ID information to a Network Access Control (NAC) device.

Question 13 of 50. Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?
- MS Office doc/docx, xls/xlsx, and ppt/pptx files only
- PE and Java Applet (jar and class) only
- PE files only
- PDF files only

Question 14 of 50. What is the function of the GlobalProtect Portal?
- To maintain the list of GlobalProtect Gateways and specify HIP data that the agent should report.
- To load balance GlobalProtect client connections to GlobalProtect Gateways.
- To maintain the list of remote GlobalProtect Portals and the list of categories for checking the client machine.
- To provide redundancy for tunneled connections through the GlobalProtect Gateways.

Question 15 of 50. Which of the following interface types can have an IP address assigned to it? (Select all correct answers.)
- Layer 3
- Layer 2
- Tap
- Virtual Wire

Question 16 of 50. Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
- The next available address in the configured pool is used, and the source port number is changed.
- A single IP address is used, and the source port number is unchanged.
- A single IP address is used, and the source port number is changed.
- The next available IP address in the configured pool is used, but the source port number is unchanged.

Question 17 of 50. WildFire may be used for identifying which of the following types of traffic?
- RIPv2
- DHCP
- OSPF
- Malware

Question 18 of 50. Which link is used by an Active/Passive cluster to synchronize session information?
- The Uplink
- The Control Link
- The Management Link
- The Data Link

Question 19 of 50. Users may be authenticated sequentially to multiple authentication servers by configuring:
- Multiple RADIUS servers sharing a VSA configuration.
- A custom Administrator Profile.
- An Authentication Sequence.
- An Authentication Profile.

Question 20 of 50. Which statement about config locks is True?
- A config lock can be removed only by a superuser.
- A config lock will expire after 24 hours, unless it was set by a superuser.
- A config lock can only be removed by the administrator who set it or by a superuser.
- A config lock can be removed only by the administrator who set it.

Question 21 of 50. Which feature can be configured to block sessions that the firewall cannot decrypt?
- Decryption Profile in Security Profile
- Decryption Profile in PBF
- Decryption Profile in Decryption Policy
- Decryption Profile in Security Policy

Question 22 of 50. All of the interfaces on a Palo Alto Networks device must be of the same interface type.
- True
- False

Question 23 of 50. As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?
- Some App-IDs are set with a Session Timeout value that is too low.
- Application Block Pages will only be displayed when Captive Portal is configured.
- The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to policy.
- The File Blocking Block Page was disabled.

Question 24 of 50. When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH tunnel App-ID?
- SSH Proxy
- SSL Forward Proxy
- SSL Inbound Inspection
- SSL Reverse Proxy

Question 25 of 50. What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?
- Any layer 3 interface address specified by the firewall administrator.
- The MGT interface address.
- The local loopback address.
- The default gateway of the firewall.

Question 26 of 50. Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?
- Block List, Allow List, URL Categories (BrightCloud or PAN-DB), Custom Categories.
- Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
- Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).
- URL Categories (BrightCloud or PAN-DB), Custom Categories, Block List, Allow List.

Question 27 of 50. Security policies specify a source interface and a destination interface.
- True
- False

Question 28 of 50. Enabling "Highlight Unused Rules" in the Security Policy window will:
- Highlight all rules that did not match traffic within an administrator-specified time period.
- Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.
- Display rules that caused a validation error to occur at the time a Commit was performed.
- Temporarily disable rules that have not matched traffic since the rule was created or since the last reboot of the firewall.

Question 29 of 50. When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?
- Responding side, Traffic log
- Responding side, System Log
- Initiating side, Traffic log
- Initiating side, System log

Question 30 of 50. In PAN-OS 6.0, rule numbers are:
- Numbers that specify the order in which security policies are evaluated.
- Numbers created to be unique identifiers in each firewall's policy database.
- Numbers on a scale of 0 to 99 that specify priorities when two or more rules are in conflict.
- Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.

Question 31 of 50. When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?
- When creating the policy, ensure that web-browsing is included in the same rule.
- Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.
- Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.
- Create an additional rule that blocks all other traffic.

Question 32 of 50. When using Config Audit, the color yellow indicates which of the following?
- A setting has been changed between the two config files.
- A setting has been deleted from a config file.
- A setting has been added to a config file.
- An invalid value has been used in a config file.

Question 33 of 50. Will an exported configuration contain Management Interface settings?
- Yes
- No

Question 34 of 50. An interface in tap mode can transmit packets on the wire.
- True
- False

Question 35 of 50. Which of the following is a routing protocol supported in a Palo Alto Networks firewall?
- EIGRP
- RIPv2
- IGRP
- ISIS

Question 36 of 50. In Palo Alto Networks terms, an application is:
- A specific program detected within an identified stream that can be detected, monitored, and/or blocked.
- A combination of port and protocol that can be detected, monitored, and/or blocked.
- A file installed on a local machine that can be detected, monitored, and/or blocked.
- Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Question 37 of 50. Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To enable this feature within the GUI go to
- Network > Network Profiles > Zone Protection
- Objects > Zone Protection
- Interfaces > Interface Number > Zone Protection
- Policies > Profile > Zone Protection

Question 38 of 50. Which of the following is NOT a valid option for built-in CLI Admin roles?
- deviceadmin
- superuser
- read/write
- devicereader

Question 39 of 50. In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)
- Security Policies
- NAT Policies
- Zone Protection Policies
- Threat Profiles

Question 40 of 50. A user complains that she is no longer able to access a needed work application after the administrator implemented vulnerability and anti-spyware profiles. How best can the administrator resolve this issue so the user will once again have access to the needed application?
- In the vulnerability and anti-spyware Profiles, create an application exemption for the group's application.
- Check the Threat Log and locate an event showing the user's application being blocked. Using the source IP address displayed in that event, create an IP address-based exemption for the group that the user is a member of.
- Create a custom Security Policy for this user so that she will be able to access the required application. Be sure not to apply the vulnerability and anti-spyware profiles to this policy.
- Create and enable an Application Override Policy, specifying the port used by this application.

Question 41 of 50. An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.
- True
- False

Question 42 of 50. User-ID is enabled in the configuration of
- A Security Policy.
- An Interface.
- A Zone.
- A Security Profile.

Question 43 of 50. What are the benefits gained when the "Enable Passive DNS Monitoring" checkbox is chosen on the firewall? (Select all correct answers.)
- Improved malware detection in WildFire.
- Improved DNS-based C&C signatures.
- Improved PAN-DB malware detection.
- Improved BrightCloud malware detection.

Question 44 of 50. Which of the following platforms supports the Decryption Port Mirror function?
- PA-3000
- VM-Series 100
- PA-2000
- PA-4000

Question 45 of 50. What is the result of an Administrator submitting a WildFire report's verdict back to Palo Alto Networks as Incorrect?
- You will receive an update within 15 minutes.
- The signature will be updated for False positive and False negative files in the next AV signature update.
- The signature will be updated for False positive and False negative files in the next Application signature update.
- You will receive an email to disable the signature manually.

Question 46 of 50. Which of the following facts about dynamic updates is correct?
- Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.
- Anti-virus updates are released daily. Application and Threat updates are released weekly.
- Application and Anti-virus updates are released weekly. Threat and Threat and URL Filtering updates are released weekly.
- Application and Threat updates are released daily. Anti-virus and URL Filtering updates are released weekly.

Question 47 of 50. When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?
- The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration.
- The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again each time Security Profiles are evaluated.
- In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.

Question 48 of 50. What general practice best describes how Palo Alto Networks firewall policies are applied to a session?
- The rule with the highest rule number is applied.
- First match applied.
- Last match applied.
- Most specific match applied.

Question 49 of 50. Which of the following statements is NOT True about Palo Alto Networks firewalls?
- System defaults may be restored by performing a factory reset in Maintenance Mode.
- The Admin account may be disabled.
- Initial configuration may be accomplished thru the MGT interface or the Console port.
- The Admin account may not be disabled.

Question 50 of 50. When configuring User-ID on a Palo Alto Networks firewall, what is the proper procedure to limit User mappings to a particular DHCP scope?
- In the zone in which User Identification is enabled, select the "Restrict Allocated IP" checkbox.
- In the zone in which User Identification is enabled, create a User Identification ACL Include List using the same IP ranges as those allocated in the DHCP scope.
- Under the User Identification settings, under the User Mapping tab, select the "Restrict Users to Allocated IP" checkbox.
- In the DHCP settings on the Palo Alto Networks firewall, point the DHCP Relay to the IP address of the User-ID agent.