Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

ACE by Palo Alto Networks - Page 1 | ExamCademy

Mode Selection

Sort:

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Page 1 of 7 • Questions 1-25 of 170

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.

A True
B False

Color-coded tags can be used on all of the items listed below EXCEPT:

A Address Objects
B Zones
C Service Groups
D Vulnerability Profiles

Which of the following can provide information to a Palo Alto Networks firewall for the purposes of UserID?

A Domain Controller
B SSL Certificates
C RIPv2
D Network Access Control (NAC) device

When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web browsing traffic?

A Create an additional rule that blocks all other traffic.
B When creating the policy, ensure that webbrowsing is included in the same rule.
C Ensure that the Service column is defined as "applicationdefault" for this Security policy. Doing this will automatically include the implicit webbrowsing application dependency.
D Nothing. You can depend on PANOS to block the webbrowsing traffic that is not needed for Facebook use.

As the Palo Alto Networks Administrator responsible for UserID, you need to enable mapping of network users that do not sign in using LDAP. Which information source would allow for reliable UserID mapping while requiring the least effort to configure?

A Active Directory Security Logs
B WMI Query
C Captive Portal
D Exchange CAS Security logs

Which of the following CANNOT use the source user as a match criterion?

A Policy Based Forwarding
B Secuirty Policies
C QoS
D DoS Protection
E Antivirus Profile

Which statement below is True?

A PANOS uses BrightCloud as its default URL Filtering database, but also supports PANDB.
B PANOS uses PANDB for URL Filtering, replacing BrightCloud.
C PANOS uses BrightCloud for URL Filtering, replacing PANDB.
D PANOS uses PANDB as the default URL Filtering database, but also supports BrightCloud.

When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSHtunnel AppID?

A SSH Proxy
B SSL Forward Proxy
C SSL Inbound Inspection
D SSL Reverse Proxy

What are two sources of information for determining whether the firewall has been successful in communicating with an external UserID Agent?

A System Logs and the indicator light under the UserID Agent settings in the firewall.
B Traffic Logs and Authentication Logs.
C System Logs and an indicator light on the chassis.
D System Logs and Authentication Logs.

What Security Profile type must be configured to send files to the WildFire cloud, and with what choices for the action setting?

A A File Blocking profile with possible actions of "Forward" or "Continue and Forward".
B A Data Filtering profile with possible actions of "Forward" or "Continue and Forward".
C A Vulnerability Protection profile with the possible action of "Forward".
D A URL Filtering profile with the possible action of "Forward".

When configuring UserID on a Palo Alto Networks firewall, what is the proper procedure to limit User mappings to a particular DHCP scope?

A In the zone in which User Identification is enabled, create a User Identification ACL Include List using the same IP ranges as those allocated in the DHCP scope.
B Under the User Identification settings, under the User Mapping tab, select the "Restrict Users to Allocated IP" checkbox.
C In the zone in which User Identification is enabled, select the "Restrict Allocated IP" checkbox.
D In the DHCP settings on the Palo Alto Networks firewall, point the DHCP Relay to the IP address of the UserID agent.

A Config Lock may be removed by which of the following users?

A The administrator who set it
B Device administrators
C Any administrator
D Superusers

After the installation of a new version of PANOS, the firewall must be rebooted.

A True
B False

When configuring a Decryption Policy Rule, which of the following are available as matching criteria in the rule? (Choose three.)

A Source Zone
B URL Category
C Application
D Service
E Source User

After the installation of the Threat Prevention license, the firewall must be rebooted.

A True
B False

What is the function of the GlobalProtect Portal?

A To maintain the list of Global Protect Gateways and specify HIP data that the agent should report.
B To loadbalance
C GlobalProtect client connections to GlobalProtect Gateways.
D To maintain the list of remote GlobalProtect Portals and the list of categories for checking the client machine.
E To provide redundancy for tunneled connections through the GlobalProtect Gateways.

Which mode will allow a user to choose when they wish to connect to the Global Protect Network?

A Always On mode
B Optional mode
C Single SignOn mode
D On Demand mode

After the installation of a new Application and Threat database, the firewall must be rebooted.

A True
B False

Question Image

Taking into account only the information in the screenshot above, answer the following question:
A span port or a switch is connected to e1/4, but there are no traffic logs.
Which of the following conditions most likely explains this behavior?

A The interface is not assigned a virtual router.
B The interface is not assigned an IP address.
C The interface is not up.
D There is no zone assigned to the interface.

Which of the following platforms supports the Decryption Port Mirror function?

A PA3000
B VMSeries 100
C PA2000
D PA4000

UserID is enabled in the configuration of:

A a Security Profile.
B an Interface.
C a Security Policy.
D a Zone.

Which of the following interface types can have an IP address assigned to it?

A Layer 3
B Layer 2
C Tap
D Virtual Wire

As the Palo Alto Networks Administrator you have enabled Application Block pages.
Afterwards, not knowing they are attempting to access a blocked web based application, users call the Help Desk to complain about network connectivity issues.
What is the cause of the increased number of help desk calls?

A The File Blocking Block Page was disabled.
B Some AppID's are set with a Session Timeout value that is too low.
C The firewall admin did not create a custom response page to notify potential users that their attempt to access the web based application is being blocked due to policy.
D Application Block Pages will only be displayed when Captive Portal is configured.

Security policies specify a source interface and a destination interface.

A True
B False

Select the implicit rules that are applied to traffic that fails to match any administrator defined Security Policies.

A Intrazone traffic is allowed
B Interzone traffic is denied
C Intrazone traffic is denied
D Interzone traffic is allowed

ACEPreview