Accredited Configuration Engineer (ACE) Exam – PAN-OS 8.1 Version



Question 1. A Security policy rule displayed in italic font indicates which condition?
A. The rule has been overridden.
B. The rule is active.
C. The rule is a clone.
D. The rule is disabled
Answer: D

Question 2. A Server Profile enables a firewall to locate which server type?
A. a server with remote user accounts
B. a server with firewall software updates
C. a server with firewall threat updates
D. a server with an available VPN connection
Answer: A

Question 3. An Interface Management Profile can be attached to which two interface types? (Choose two.)
A. Tap
B. Layer 2
C. Loopback
D. Layer 3
E. Virtual Wire
Answer: C,D

Question 4. App-ID running on a firewall identifies applications using which three methods? (Choose three.)
A. PAN-DB lookups
B. WildFire lookups
C. Application signatures
D. Program heuristics
E. Known protocol decoders
Answer: C,D,E

Question 5. Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate that you should take which action?
A. Reboot the firewall.
B. Validate your Security policy rules.
C. Validate connectivity to the PAN-DB cloud.
D. Re-download the URL seed database.
Answer: C

Question 6. If a DNS sinkhole is configured, any sinkhole actions indicating a potentially infected host are recorded in which log type?
A. Traffic
B. Threat
C. WildFire Submissions
D. Data Filtering
Answer: B

Question 7. If there is an HA configuration mismatch between firewalls during peer negotiation, which state will the passive firewall enter?
Answer: C

Question 9. In a destination NAT configuration, which option accurately completes the following sentence? A Security policy rule should be written to match the _______.
A. post-NAT source and destination addresses, but the pre-NAT destination zone
B. post-NAT source and destination addresses, and the post-NAT destination zone
C. original pre-NAT source and destination addresses, but the post-NAT destination zone
D. original pre-NAT source and destination addresses, and the pre-NAT destination zone
Answer: C

Question 10. In an HA configuration, which three components are synchronized between the pair of firewalls? (Choose three.)
A. logs
B. objects
C. networks
D. policies
Answer: B,C,D

Question 11. In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose three.)
A. exchanging hellos
B. exchanging heartbeats
C. synchronizing configuration
D. synchronizing sessions
Answer: A,B,C

Question 12. In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.)
A. path monitoring
B. link groups
C. heartbeats
D. hellos
Answer: A,C

Question 13. On a firewall that has 32 Ethernet ports and is configured with a dynamic IP and port (DIPP) NAT oversubscription rate of 2x, what is the maximum number of concurrent sessions supported by each available IP address?
A. 128K
B. 64K
C. 64
D. 32
Answer: A

Question 14. Which two user mapping methods are supported by the User-ID integrated agent? (Choose two.)
A. NetBIOS Probing
B. LDAP Filters
C. Client Probing
D. WMI probing
Answer: C,D

Question 15. SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.)
A. server’s digital certificate
B. client’s digital certificate
C. server’s private key
D. client’s public key
Answer: A,C

Question 16. The WildFire Portal website supports which three operations? (Choose three.)
A. upload files to WildFire for analysis
B. request firewall WildFire licenses
C. report incorrect verdicts
D. view WildFire verdicts
Answer: A,C,D

Question 17. What are the two separate planes that make up the PAN-OS architecture? (Choose two.)
A. routing plane
B. signature processing plane
C. HA plane
D. dataplane
E. control/management plane
Answer: D,E

Question 18. What are three connection methods for the GlobalProtect agent? (Choose three.)
A. Captcha portal
B. User-Logon
C. Pre-Logon
D. On-demand
Answer: B,C,D

Question 19. What are two benefits of attaching a Decryption Profile to a Decryption policy no-decrypt rule? (Choose two.)
A. untrusted certificate checking
B. acceptable protocol checking
C. URL category match checking
D. expired certificate checking
Answer: A,D

Question 20. What is a use case for deploying Palo Alto Networks NGFW in the public cloud?
A. centralizing your data storage on premise
B. faster WildFire analysis response time
C. cost savings through one-time purchase of Palo Alto Networks hardware and subscriptions
D. extending the corporate data center into the public cloud
Answer: D

Question 21. What is the result of performing a firewall Commit operation?
A. The loaded configuration becomes the candidate configuration.
B. The candidate configuration becomes the running configuration.
C. The saved configuration becomes the loaded configuration.
D. The candidate configuration becomes the saved configuration.
Answer: B

Question 22. When SSL traffic passes through the firewall, which component is evaluated first?
A. Decryption policy
B. Decryption exclusions list
C. Security policy
D. Decryption Profile
Answer: C

Question 23. Where does a GlobalProtect client connect to first when trying to connect to the network?
A. AD agent
B. User-ID agent
C. GlobalProtect Portal
D. GlobalProtect Gateway
Answer: C

Question 24. Which four actions can be applied to traffic matching a URL Filtering Security Profile? (Choose four.)
A. Reset Client
B. Override
C. Continue
D. Alert
E. Block
F. Reset Server
Answer: B,C,D,E

Question 25. Which interface type does NOT require any configuration changes to adjacent network devices?
A. Layer 3
B. Virtual Wire
C. Tap
D. Layer 2
Answer: B

Question 26. Which statement describes a function provided by an Interface Management Profile?
A. It determines the NetFlow and LLDP interface management settings.
B. It determines which firewall services are accessible from external devices.
C. It determines which administrators can manage which interfaces.
D. It determines which external services are accessible by the firewall.
Answer: B

Question 27. Which statement describes the Export named configuration snapshot operation?
A. The running configuration is transferred from memory to the firewall’s storage device.
B. The candidate configuration is transferred from memory to the firewall’s storage device.
C. A saved configuration is transferred to an external hosts storage device.
D. A copy of the configuration is uploaded to the cloud as a backup.
Answer: C

Question 28. Which statement is true about a URL Filtering Profile override password?
A. There is a single, per-firewall password.
B. There is a password per firewall administrator account.
C. There is a password per session.
D. There is a password per website.
Answer: A

Question 29. Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)
A. file types
B. maximum file size
C. direction
D. application
Answer: A,C,D

Question 30. Which three MGT port configuration settings are required in order to access the WebUI from a remote subnet? (Choose three.)
A. Hostname
B. Default gateway
C. Netmask
D. IP address
Answer: B,C,D

Question 31. Which three statements are true regarding sessions on the firewall? (Choose three.)
A. The only session information tracked in the session logs are the five-tuples.
B. Sessions are always matched to a Security policy rule.
C. Return traffic is allowed.
D. Network packets are always matched to a session.
Answer: B,C,D

Question 32. Which two file types can be sent to WildFire for analysis if a firewall has only a standard subscription service? (Choose two.)
A. .pdf
B. .dll
C. .jar
D. .exe
Answer: B,D

Question 33. Which user mapping method is recommended for a highly mobile user base?
A. Client Probing
B. Session Monitoring
C. GlobalProtect
D. Server Monitoring
Answer: C

Question 34. Which User-ID user mapping method is recommended for environments where users frequently change IP addresses?
A. Captive Portal
B. Session Monitoring
C. Client Probing
D. Server Monitoring
Answer: C

Question 35. GlobalProtect clientless VPN provides secure remote access to web applications that use which three technologies? (Choose three.)
A. JavaScript
B. Ruby
C. Python
E. Java
Answer: A,D,F

Question 36. Which three subscription services are included as part of the GlobalProtect cloud service? (Choose three.)
A. Threat Prevention
B. Aperture
C. URL Filtering
D. AutoFocus
E. WildFire®
F. Panorama
Answer: A,C,E

Question 37. The decryption broker feature is supported by which three Palo Alto Networks firewall series? (Choose three.)
A. PA-3200
B. PA-3000
C. PA-7000
D. PA-5200
E. PA-220
F. PA-5000
Answer: A,C,D

Question 38. Which three HTTP header insertion types are predefined? (Choose three.)
A. YouTube
B. WebEx
C. Dropbox
D. Box
E. Google
F. Slack
Answer: A,C,E

Question 39. Which VM-Series model was introduced with the release of PAN-OS® 8.1?
A. VM-300 Lite
B. VM-50 Lite
C. VM-200 Lite
D. VM-100 Lite
Answer: B

Question 40. Which cloud computing platform provides shared resources, servers, and storage in a pay-as-you-go model?
A. community
B. public
C. private
D. hybrid
Answer: B

Question 41. Which essential cloud characteristic is designed for applications that will be required to run on all platforms including smartphones, tablets, and laptops?
A. on-demand self service
B. rapid elasticity
C. broad network access
D. measured services
Answer: C

Question 42. Because a firewall examines every packet in a session, a firewall can detect application ________?
A. groups
B. shifts
C. errors
D. filters
Answer: B

Question 43. For which firewall feature should you create forward trust and forward untrust certificates?
A. SSL Inbound Inspection decryption
B. SSL forward proxy decryption
C. SSL client-side certificate checking
D. SSH decryption
Answer: B

Question 44. The User-ID feature is enabled per __________?
A. firewall interface
B. User-ID agent
C. firewall security zone
D. firewall
Answer: C

Question 45. What is a characteristic of Dynamic Admin Roles?
A. Role privileges can be dynamically updated by a firewall administrator.
B. Role privileges can be dynamically updated with newer software releases.
C. They can be dynamically modified by external authorization systems.
D. They can be dynamically created or deleted by a firewall administrator.
Answer: B

Question 46. Which action in a File Blocking Security Profile results in the user being prompted to verify a file transfer?
A. Block
B. Continue
C. Alert
D. Allow
Answer: B

Question 47. Which feature is a dynamic grouping of applications used in Security policy rules?
A. dependent applications
B. application group
C. application filter
D. implicit applications
Answer: C

Question 48. Which three components can be sent to WildFire for analysis? (Choose three.)
A. files traversing the firewall
B. MGT interface traffic
C. email attachments
D. URL links found in email
Answer: A,C,D

Question 49. Which three interface types can control or shape network traffic? (Choose three.)
A. Virtual Wire
B. Layer 2
C. Tap
D. Layer 3
Answer: A,B,D

Question 50. An Antivirus Security Profile specifies Actions and WildFire Actions. Wildfire Actions enable you to configure the firewall to perform which operation?
A. Download new antivirus signatures from WildFire.
B. Block traffic when a WildFire virus signature is detected.
C. Delete packet data when a virus is suspected.
D. Upload traffic to WildFire when a virus is suspected.
Answer: B

Question 51. Application block pages can be enabled for which applications?
A. non-TCP/IP
B. MGT port-based
C. web-based
D. any
Answer: C

Question 52. Which interface type is NOT assigned to a security zone?
C. Layer 3
D. Virtual Wire
Answer: B

Question 53. Which type of content update does NOT have to be scheduled for download on the firewall?
A. dynamic update threat signatures
B. PAN-DB updates
C. dynamic update antivirus signatures
D. WildFire antivirus signatures
Answer: B

Question 54. Which file must be downloaded from the firewall to create a Heatmap and Best Practices Assessment report?
A. Tech Support File
B. XML file
C. firewall config file
D. stats dump file
Answer: A

Question 55. What is the maximum number of WildFire® appliances that can be grouped in to a WildFire® appliance cluster?
A. 24
B. 12
C. 32
D. 20
Answer: D

Question 56. Which cloud computing service model will enable an application developer to develop, manage, and test their applications without the expense of purchasing equipment?
A. platform as a service
B. infrastructure as a service
C. software as a service
D. code as a service
Answer: A

Question 57. Cloud security is a shared responsibility between the cloud provider and the customer. Which security platform is the cloud provider responsible for?
A. encryption management
B. identity and access management
C. firewall and network traffic
D. foundation services
Answer: D

Question 58. The firewall acts as a proxy for which two types of traffic? (Choose two.)
A. SSL outbound
B. Non-SSL
C. SSL Inbound Inspection
Answer: A,D

Question 59. In a Security Profile, which action does a firewall take when the profile’s action is configured as Reset Server? (Choose two.)
A. For UDP sessions, the connection is dropped.
B. The traffic responder is reset.
C. The client is reset.
D. UDP sessions, the connection is reset.
Answer: A,B

Question 60. The Threat log records events from which three Security Profiles? (Choose three.)
A. Vulnerability Protection
B. Anti-Spyware
C. Antivirus
D. WildFire Analysis
E. URL Filtering
F. File Blocking
Answer: A,B,C

Question 61. Which condition must exist before a firewall’s in-band interface can process traffic?
A. The firewall must be assigned an IP address.
B. The firewall must not be a loopback interface.
C. The firewall must be enabled.
D. The firewall must be assigned to a security zone.

Question 62. Which two User-ID methods are used to verify known IP address-to-user mappings? (Choose two.)
A. Captive Portal
B. Session Monitoring
C. Server Monitoring
D. Client Probing
Answer: B,D



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.