Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

Transcription:

ACE Exam

Question 1 of 50.
Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your server's private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?
- The firewall's MGT IP
- The firewall's gateway IP
- The server's public IP
- The server's private IP

Question 2 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging 4.4.4.4 and fails to receive a response. What is the most likely reason for the lack of response?
- There is a Security Policy that prevents ping
- There is no Management Profile
- The interface is down
- There is no route back to the machine originating the ping

Question 3 of 50.
Which of the Dynamic Updates listed below are issued on a daily basis?
- Global Protect
- URL Filtering
- Antivirus
- Applications and Threats

Question 4 of 50.
In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address object

Question 5 of 50.
Taking into account only the information in the screenshot above, answer the following question. An administrator is attempting to ping 2.2.2.1 and fails to receive a response. What is the most likely reason for the lack of response?
- The interface is down
- There is a security policy that prevents ping
- There is no management profile
- There is no route back to the machine originating the ping

Question 6 of 50.
Select the implicit rules enforced on traffic failing to match any user defined Security Policies:
- Intra-zone traffic is denied
- Inter-zone traffic is denied
- Intra-zone traffic is allowed
- Inter-zone traffic is allowed

Question 7 of 50.
Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles)

Question 8 of 50.
Which of the following interface types can have an IP address assigned to it?
- Layer 3
- Layer 2
- Vwire
- TAP

Question 9 of 50.
Subsequent to the installation of a new Application and Threat database, the firewall must be rebooted

Question 10 of 50.
Subsequent to the installation of a new PAN-OS version, the firewall must be rebooted

Question 11 of 50.
Which mode will allow a user to choose when they wish to connect to the Global Protect Network?
- On Demand mode
- Optional mode
- Single Sign-On mode
- Always On mode

Question 12 of 50.
In PAN-OS 6.0, rule numbers were introduced. Rule Numbers are:
- Dynamic numbers that refer to a security policy's order and are especially useful when filtering security policies by tags
- numbers referring to when the security policy was created and do not have a bearing on the order of policy enforcement
- Static numbers that must be manually re-numbered whenever a new security policy is added.

Question 13 of 50.
When configuring Security Policies based on FQDN objects, which of the following statements are true?
- The firewall resolves the FQDN first when the policy is committed, and is refreshed at TTL expiration.
- In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.
- Up to 10 IP addresses can be configured for each FQDN entry
- The firewall resolves the FQDN first when the policy is committed, and is refreshed each time Security profiles are evaluated

Question 14 of 50.
Which of the following is NOT a valid option for built-in CLI access roles?
- read/write
- superusers
- vsysadmin
- deviceadmin

Question 15 of 50.
When Network Address Translation has been performed on traffic, Destination Zones in Security Policies should be based on:
- Post-NAT addresses
- None of the above
- Pre-NAT addresses
- The same zones used in NAT rules

Question 16 of 50.
When troubleshooting Phase 1 of an IPSec VPN tunnel, which location will have the most informative logs?
- Responding side, System Log
- Initiating side, System log
- Responding side, Traffic log
- Initiating side, Traffic log

Question 17 of 50.
Which of the following options may be enabled to reduce system overhead when using Content-ID?
- DSRI
- RSTP
- VRRP
- STP

Question 18 of 50.
What is the benefit realized when the "Enable Passive DNS Monitoring" checkbox is enabled on the firewall? Select all that apply
- Improve PAN-DB malware detection
- Improve DNS-based C&C signature
- Improve malware detection in WildFire
- Improve BrightCloud malware detection

Question 19 of 50.
Which of the following objects cannot use User-ID as a match criteria?
- Security Policies
- QoS
- Policy Based Forwarding
- DoS Protection
- None of the above

Question 20 of 50.
Wildfire may be used for identifying which of the following types of traffic?
- Malware
- DNS
- DHCP
- URL Content

Question 21 of 50.
As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign in via LDAP. Which information source would allow for reliable User-ID mapping while requiring the least amount of configuration?
- Exchange CAS Security logs
- Active Directory Security Logs
- WMI Query
- Captive Portal

Question 22 of 50.
What are two sources of information for determining if the firewall has been successful in communicating with an external User-ID Agent?
- System Logs and the indicator light under the User-ID Agent settings in the firewall
- There's only one location - System Logs
- There's only one location - Traffic Logs
- System Logs and indicator light on the chassis

Question 23 of 50.
Which of the following statements about dynamic updates are correct?
- Application and Antivirus updates are released weekly and Threat and Threat and URL filtering updates are released weekly
- Application and Threat updates are released daily. Antivirus and URL filtering updates are released weekly.
- Antivirus and URL Filtering updates are released daily. Application and Threat updates are released weekly
- Threat and URL filtering updates are released daily and Application and Antivirus updates are released weekly

Question 24 of 50.
Subsequent to the installation of new licenses, the firewall must be rebooted

Question 25 of 50.
Which of the following most accurately describes Dynamic IP in a Source NAT configuration?
- The next available address in the address range is used, and the source port number is changed
- The same address is always used, and the port is unchanged
- The next available address in the configured pool is used, but the port number is unchanged
- None of the above

Question 26 of 50.
When an interface is in Tap mode and a policy action is set to block, the interface will send a TCP reset.

Question 27 of 50.
The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:
- Password-protected access to specific file downloads, for authorized users
- increased speed on the downloads of the allowed file types
- Protection against unwanted downloads, by alerting the user with a response page indicating that a file is going to be downloaded
- The Administrator the ability to leverage Authentication Profiles in order to protect against unwanted downloads

Question 28 of 50.
Which of the following would be a reason to use an XML API to communicate with a Palo Alto Networks firewall?
- So that information can be pulled from other network resources for User-ID
- To allow the firewall to push User-ID information to a NAC
- To permit syslogging of User Identification events

Question 29 of 50.
Which link is used by an Active-Passive cluster to synchronize session information?
- The Data Link
- The Control Link
- The Uplink
- The Management Link

Question 30 of 50.
An interface in tap mode can transmit packets on the wire.

Question 31 of 50.
Which of the following describes the sequence of the Global Protect agent connecting to a Gateway?
- The Agent connects to the Portal, obtains a list of Gateways, and connects to the Gateway with the fastest SSL response time
- The agent connects to the closest Gateway and sends the HIP report to the portal
- The agent connects to the portal, obtains a list of gateways, and connects to the gateway with the fastest PING response time
- The agent connects to the portal and randomly establishes a connection to the first available gateway

Question 32 of 50.
Taking into account only the information in the screenshot above, answer the following question. In order for ping traffic to traverse this device from e1/2 to e1/1, what else needs to be configured? Select all that apply.
- Security policy from trust zone to Internet zone that allows ping
- Create the appropriate routes in the default virtual router
- Security policy from Internet zone to trust zone that allows ping
- Create a Management profile that allows ping. Assign that management profile to e1/1 and e1/2

Question 33 of 50.
What is the default DNS Sinkhole address used by Palo Alto Networks Firewall to cut off communication?
- MGT interface address
- Loopback interface address
- Any one Layer 3 interface address
- Localhost address

Question 34 of 50.
When configuring Admin Roles for Web UI access, what are the available access levels?
- Enable and Disable only
- None, Superuser, Device Administrator
- Allow and Deny only
- Enable, Read-Only and Disable

Question 35 of 50.
Which fields can be altered in the default Vulnerability Protection Profile?
- Category
- Severity
- None

Question 36 of 50.
Which of the following interfaces types will have a MAC address?
- Layer 3
- Tap
- Vwire
- Layer 2

Question 37 of 50.
When creating an Application filter, which of the following is true?
- Excessive bandwidth may be used as a filter match criteria
- They are called dynamic because they automatically adapt to new IP addresses
- They are called dynamic because they will automatically include new applications from an application signature update if the new applications filter type is included in the filter
- They are used by malware

Question 38 of 50.
WildFire Analysis Reports are available for the following Operating Systems (select all that apply)
- Windows XP
- Windows 7
- Windows 8
- Mac OS-X

Question 39 of 50.
What will the user experience when browsing a Blocked hacking website such as www.2600.com via Google Translator?
- The URL filtering policy to Block is enforced
- It will be translated successfully
- It will be redirected to www.2600.com
- User will get "HTTP Error 503 - Service unavailable" message

Question 40 of 50.
What option should be configured when using User-ID?
- Enable User-ID per zone
- Enable User-ID per interface
- Enable User-ID per Security Policy
- None of the above

Question 41 of 50.
What is the default setting for 'Action' in a Decryption Policy's rule?
- no-decrypt
- decrypt
- any
- none

Question 42 of 50.
When using remote authentication for users (LDAP, Radius, AD, etc), what must be done to allow a user to authenticate through multiple methods?
- This can not be done. A single user can only use one authentication type
- Create multiple authentication profiles for the same user.
- Create an Authentication Sequence, dictating the order of authentication profiles
- This can not be done. Although multiple authentication methods exist, a firewall must choose a single, global authentication type, and all users must use this method

Question 43 of 50.
Which of the following platforms supports the Decryption Port Mirror function?
- PA-VM300
- PA-4000
- PA-3000
- PA-2000

Question 44 of 50.
As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterward, some users do not receive web-based feedback for all denied applications. What is the cause?
- Application Block Pages will only be displayed when users attempt to access a denied web-based application
- Application Block Pages will only be displayed when Captive Portal is configured
- Some users are accessing the Palo Alto Networks firewall through a virtual system that does not have Application Block Pages enabled
- Some Application ID's are set with a Session Timeout value that is too low

Question 45 of 50.
With IKE, each device is identified to the other by a Peer ID. In most cases, this is just the public IP address of the device. In situations where the public ID is not static, this value can be replaced with a domain name or other text value

Question 46 of 50.
In PAN-OS, how is Wildfire enabled?
- Via the "Forward" and "Continue and Forward" File-Blocking actions
- Via the URL-Filtering "Continue" action
- Wildfire is automatically enabled with a valid URL-Filtering license
- A custom file blocking action must be enabled for all PDF and PE type files

Question 47 of 50.
How do you limit the amount of information recorded in the URL Content Filtering Logs?
- Enable "Log container page only"
- Disable URL packet captures
- Enable URL log caching
- Enable DSRI

Question 48 of 50.
In which of the following objects can User-ID be used to provide a match condition?
- Security Policies
- NAT Policies
- Zone Protection Policies
- Threat Profiles

Question 49 of 50.
When configuring a Decryption Policy, which of the following are available as matching criteria in a policy? (Choose 3)
- Source Zone
- Source User
- Service
- URL-Category
- Application

Question 50 of 50.
Which of the following are methods HA clusters use to identify network outages?
- Path and Link Monitoring
- VR and VSys Monitors
- Heartbeat and Session Monitors
- Link and Session Monitors