ACE Exam
Question 1 of 72.
Which of the following is not defined or assigned as part of the security rules?
Answer: A
NAT rules
File blocking profile
Security profiles
Applications
Question 2 of 72.
It is possible to use different SSL forward proxy certificates for different vsys in a multi-vsys environment.
Answer: A
True
False
Question 3 of 72.
In Active/Active HA environments, redundancy for the HA3 interface can be achieved by
Answer: C
Configuring HA3 in a redundant group
Configuring a corresponding HA4 interface
Configuring HA3 as an Aggregate Ethernet bundle
Configuring multiple HA3 interfaces
Question 4 of 72.
In PANOS 4.0 or greater, which of the following is an accurate statement in regard to support for IPv6?
Answer: C
PANOS supports Content ID in IPv6, but only in Layer 3 Mode.
User ID is only supported in IPv6 when the Palo Alto Networks firewall is deployed in Vwire mode.
PANOS supports dual-stack IP, for IPv4 and IPv6. This includes Virtual Wire and Layer 3 deployments.
Threat Prevention capabilities are not supported in IPv6.
None of the above
Question 5 of 72.
What needs to be done prior to committing a configuration in Panorama after making a change via the CLI or web interface on a device?
Answer: D
Re-import the configuration from the device into Panorama
Make the same change again via Panorama
Synchronize the configuration between the device and Panorama
No additional actions required
None of the above
Question 6 of 72.
If a customer has 1 forest with 3 domains and wants a resilient PAN Agent deployment, what is the most appropriate agent architecture?
Answer: B
Agents deployed on two separate servers within the forest
Two Agents deployed per domain, on separate servers
Two agents deployed on virtual servers on a server within the forest
An agent deployed on a server within each domain
Question 7 of 72.
Which mode will allow a user to choose how they wish to connect to the GlobalProtect network?
Answer: C
Optional Mode
Always On Mode
On Demand Mode
Single Sign-On Mode
Question 8 of 72.
Active/Active HA can be configured to provide:
Answer: C
Higher session count
Redundant Virtual Routers
Support for asymmetric routing environments
Lower fail-over times
Question 9 of 72.
When forwarding multicast packets in L2 mode, we can configure security policies to match on multicast IP addresses.
Answer: B
True
False
Question 10 of 72.
To properly configure DOS protection to limit the number of sessions individually from specific source IPs you would configure a DOS Protection rule with the following characteristics:
Answer: B
Action: Protect, Aggregate Profile with \
Action: Protect, Classified Profile with \ \
Action: Deny, Aggregate Profile with \
Action: Deny, Classified Profile with \ \
None of the above
Question 11 of 72.
For correct routing to SSL VPN clients to occur, the following must be configured:
Answer: B
A static route on the next-hop gateway of the SSL VPN client IP pool with a destination of the PAN device
No routing needs to be configured - the PAN device automatically responds to ARP requests for the SSL VPN client IP pool
Network Address Translation must be enabled for the SSL VPN client IP pool
A dynamic routing protocol between the PAN device and the next-hop gateway to advertise the SSL VPN client IP pool
Question 12 of 72.
When Network Address Translation has been performed on traffic, Destination Zones in Security rules should be based on:
Answer: A
Post-NAT addresses
Pre-NAT addresses
the same zones used in the NAT rules
None of the above