
Realize Your Potential: paloaltonetworks Page 1 of 12

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 8.1 Version

ACE 8.1

Question 1 of 45.

A Security policy rule displayed in italic font indicates which condition?

The rule is a clone.


The rule is disabled.

The rule is active.


The rule has been overridden.


Question 2 of 45.

A Server Profile enables a firewall to locate which server type?

a server with firewall threat updates

a server with firewall software updates


a server with remote user accounts

a server with an available VPN connection


Question 3 of 45.

An Interface Management Profile can be attached to which two interface types? (Choose two.)
Layer 2
Virtual Wire
 Layer 3
Tap
 Loopback


Question 4 of 45.

Application block pages can be enabled for which applications?

web-based

https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=431337b0-bb1c-4c1... 5/12/2018

non-TCP/IP
any

MGT port-based


Question 5 of 45.

Because a firewall examines every packet in a session, a firewall can detect application ________?

groups
filters
errors

shifts


Question 6 of 45.

Finding URLs matched to the not-resolved URL category in the URL Filtering log file might indicate that you
should take which action?

Validate connectivity to the PAN-DB cloud.


Re-download the URL seed database.
Validate your Security policy rules.

Reboot the firewall.


Question 7 of 45.

For which firewall feature should you create forward trust and forward untrust certificates?

SSL client-side certificate checking


SSL Inbound Inspection decryption
SSL forward proxy decryption

SSH decryption


Question 8 of 45.


If there is an HA configuration mismatch between firewalls during peer negotiation, which state will the passive
firewall enter?

NON-FUNCTIONAL
PASSIVE
ACTIVE
INITIAL


Question 9 of 45.

In an HA configuration, which three components are synchronized between the pair of firewalls? (Choose three.)
 networks
 policies
 objects

logs


Question 10 of 45.

In an HA configuration, which three functions are associated with the HA1 Control Link? (Choose three.)
 synchronizing configuration
synchronizing sessions
 exchanging heartbeats
 exchanging hellos


Question 11 of 45.

In an HA configuration, which two failure detection methods rely on ICMP ping? (Choose two.)
hellos
 heartbeats
link groups
 path groups


Question 12 of 45.


On a firewall that has 32 Ethernet ports and is configured with a dynamic IP and port (DIPP) NAT oversubscription
rate of 2x, what is the maximum number of concurrent sessions supported by each available IP address?

32
64
64K
128K


Question 13 of 45.

Which two user mapping methods are supported by the User-ID integrated agent? (Choose two.)
 WMI probing
 Client Probing

LDAP Filters

NetBIOS Probing


Question 14 of 45.

SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.)
client's public key
 server's private key

client's digital certificate


 server's digital certificate


Question 15 of 45.

The firewall acts as a proxy for which two types of traffic? (Choose two.)
 SSH

Non-SSL
SSL outbound
 SSL Inbound Inspection


Question 16 of 45.

The Threat log records events from which three Security Profiles? (Choose three.)


 Antivirus

 Vulnerability Protection
 URL Filtering

WildFire Analysis
File Blocking
Anti-Spyware


Question 17 of 45.

The WildFire Portal website supports which three operations? (Choose three.)
request firewall WildFire licenses
 view WildFire verdicts
 upload files to WildFire for analysis
 report incorrect verdicts


Question 18 of 45.

What are two benefits of attaching a Decryption Profile to a Decryption policy no-decrypt rule? (Choose two.)
acceptable protocol checking
 expired certificate checking
 untrusted certificate checking

URL category match checking


Question 19 of 45.

What is a characteristic of Dynamic Admin Roles?

Role privileges can be dynamically updated by a firewall administrator.

They can be dynamically modified by external authorization systems.


Role privileges can be dynamically updated with newer software releases.
They can be dynamically created or deleted by a firewall administrator.


Question 20 of 45.


What is a use case for deploying Palo Alto Networks NGFW in the public cloud?

faster WildFire analysis response time


extending the corporate data center into the public cloud
centralizing your data storage on premise
cost savings through one-time purchase of Palo Alto Networks hardware and subscriptions


Question 21 of 45.

What is the result of performing a firewall Commit operation?

The loaded configuration becomes the candidate configuration.


The saved configuration becomes the loaded configuration.

The candidate configuration becomes the running configuration.

The candidate configuration becomes the saved configuration.


Question 22 of 45.

Where does a GlobalProtect client connect to first when trying to connect to the network?

AD agent
GlobalProtect Portal

User-ID agent
GlobalProtect Gateway


Question 23 of 45.

Which action in a File Blocking Security Profile results in the user being prompted to verify a file transfer?

Block
Alert
Continue
Allow


Question 24 of 45.


Which condition must exist before a firewall's in-band interface can process traffic?

The firewall must be assigned to a security zone.

The firewall must not be a loopback interface.


The firewall must be enabled.
The firewall must be assigned an IP address.


Question 25 of 45.

Which feature is a dynamic grouping of applications used in Security policy rules?

dependent applications
implicit applications

application filter
application group


Question 26 of 45.

Which interface type does NOT require any configuration changes to adjacent network devices?

Virtual Wire

Layer 3
Tap

Layer 2


Question 27 of 45.

Which interface type is NOT assigned to a security zone?

Virtual Wire
Layer 3
HA
VLAN


Question 28 of 45.

Which statement describes a function provided by an Interface Management Profile?

It determines which firewall services are accessible from external devices.


It determines the NetFlow and LLDP interface management settings.
It determines which administrators can manage which interfaces.

It determines which external services are accessible by the firewall.


Question 29 of 45.

Which statement describes the Export named configuration snapshot operation?

The candidate configuration is transferred from memory to the firewall's storage device.

The running configuration is transferred from memory to the firewall's storage device.
A saved configuration is transferred to an external host's storage device.

A copy of the configuration is uploaded to the cloud as a backup.


Question 30 of 45.

Which statement is true about a URL Filtering Profile continue password?

There is a password per website.


There is a password per session.

There is a password per firewall administrator account.


There is a single, per-firewall password.


Question 31 of 45.

Which three are valid configuration options in a WildFire Analysis Profile? (Choose three.)
 file types
 direction

maximum file size


 application


Question 32 of 45.

Which three components can be sent to WildFire for analysis? (Choose three.)
MGT interface traffic
 email attachments
 files traversing the firewall
 URL links found in email


Question 33 of 45.

Which three interface types can control or shape network traffic? (Choose three.)
 Layer 2
Tap
 Virtual Wire
 Layer 3


Question 34 of 45.

Which three MGT port configuration settings are required in order to access the WebUI? (Choose three.)
Hostname
 Netmask
 Default gateway
 IP address


Question 35 of 45.

Which three network modes are supported by active/passive HA? (Choose three.)
 Layer 2
 Tap
Virtual Wire
 Layer 3


Question 36 of 45.


Which three statements are true regarding sessions on the firewall? (Choose three.)
The only session information tracked in the session logs are the five-tuples.
 Return traffic is allowed.
 Sessions are always matched to a Security policy rule.
 Network packets are always matched to a session.


Question 37 of 45.

Which two file types can be sent to WildFire for analysis if a firewall has only a standard subscription service?
(Choose two.)
.pdf
.jar
 .dll

 .exe


Question 38 of 45.

Which two User-ID methods are used to verify known IP address-to-user mappings? (Choose two.)
Captive Portal
Client Probing
 Session Monitoring
 Server Monitoring


Question 39 of 45.

Which User-ID user mapping method is recommended for environments where users frequently change IP
addresses?

Captive Portal
Client Probing

Session Monitoring
Server Monitoring


Question 40 of 45.


Which file must be downloaded from the firewall to create a Heatmap and Best Practices Assessment report?

stats dump file


XML file
firewall config file
Tech Support File


Question 41 of 45.

Which three subscription services are included as part of the GlobalProtect cloud service? (Choose three.)
 URL Filtering
 Threat Prevention
Aperture

 WildFire®
AutoFocus

Panorama


Question 42 of 45.

The decryption broker feature is supported by which three Palo Alto Networks firewall series? (Choose three.)
PA-3000
PA-5000

 PA-5200
 PA-3200
VM-Series
 PA-7000


Question 43 of 45.

Which VM-Series model was introduced with the release of PAN-OS® 8.1?

VM-50 Lite
VM-200 Lite
VM-300 Lite
VM-100 Lite


Question 44 of 45.

Which cloud computing service model will enable an application developer to develop, manage, and test their
applications without the expense of purchasing equipment?

code as a service
software as a service
infrastructure as a service

platform as a service


Question 45 of 45.

Which essential cloud characteristic is designed for applications that will be required to run on all platforms
including smartphones, tablets, and laptops?

rapid elasticity
broad network access

on-demand self service


measured services
