ACE Online Practice Questions and Answers

For correct routing to SSL VPN clients to occur, the following must be configured:

A. Network Address Translation must be enabled for the SSL VPN client IP pool

B. A dynamic routing protocol between the Palo Alto Networks device and the next-hop gateway to advertise the SSL VPN client IP pool

C. A static route on the next-hop gateway of the SSL VPN client IP pool with a destination of the Palo Alto Networks device

D. No routing needs to be configured - the PAN device automatically responds to ARP requests for the SSL VPN client IP pool

Which of the following is NOT a valid option for built-in CLI access roles?

A. read/write

B. superusers

C. vsysadmin

D. deviceadmin

WildFire Analysis Reports are available for the following Operating Systems (select all that apply)

A. Windows XP

B. Windows 7

C. Windows 8

D. Mac OS-X

Which of the Dynamic Updates listed below are issued on a daily basis?

A. Global Protect

B. URL Filtering

C. Antivirus

D. Applications and Threats

All of the interfaces on a Palo Alto Networks device must be of the same interface type.

A. True

B. False

Which of the following types of protection are available in DoS policy?

A. Session Limit, SYN Flood, UDP Flood

B. Session Limit, Port Scanning, Host Swapping, UDP Flood

C. Session Limit, SYN Flood, Host Swapping, UDP Flood

D. Session Limit, SYN Flood, Port Scanning, Host Swapping

Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server's private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?

A. The firewall's gateway IP

B. The server's public IP

C. The server's private IP

D. The firewall's MGT IP

Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)

A. Network Access Control (NAC) device

B. Domain Controller

C. RIPv2

D. SSL Certificates

Which routing protocol is supported on the Palo Alto Networks platform?

A. BGP

B. RSTP

C. ISIS

D. RIPv1

When you have created a Security Policy Rule that allows Facebook, what must you do to block all other webbrowsing traffic?

A. Create an additional rule that blocks all other traffic.

B. When creating the policy, ensure that webbrowsing is included in the same rule.

C. Ensure that the Service column is defined as "applicationdefault" for this Security policy. Doing this will automatically include the implicit webbrowsing application dependency.

D. Nothing. You can depend on PANOS to block the webbrowsing traffic that is not needed for Facebook use.

Where does a GlobalProtect client connect to first when trying to connect to the network?

A. AD agent

B. User-ID agent

C. GlobalProtect Gateway

D. GlobalProtect Portal

An Interface Management Profile can be attached to which two interface types? (Choose two.)

A. Loopback

B. Virtual Wire

C. Layer 2

D. Layer 3

E. Tap

What needs to be done prior to committing a configuration in Panorama after making a change via the CLI or web interface on a device?

A. No additional actions required

B. Synchronize the configuration between the device and Panorama

C. Make the same change again via Panorama

D. Re-import the configuration from the device into Panorama

When allowing an Application in a Security policy on a PAN-OS 5.0 device, would a dependency Application need to also be enabled if the application does not employ HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP, and NETBIOS-SS.

A. Yes

B. No

Which of the following statements is NOT True regarding a Decryption Mirror interface?

A. Requires superuser privilege

B. Supports SSL outbound

C. Can be a member of any VSYS

D. Supports SSL inbound