Palo Alto ACE7 Knowledge Points Exam Review Question Bank

A "Continue" action can be configured on which of the following Security Profiles?

URL Filtering and File Blocking

URL Filtering only

URL Filtering and Anti-virus

A Config Lock may be removed by which of the following users? (Select all correct answers.)

The administrator who set it

Any administrator

Device administrators

Superusers

After the installation of a new Application and Threat database, the firewall must be rebooted.

True

False

As a Palo Alto Networks firewall administrator, you have made unwanted changes to the Candidate configuration. These changes may be undone by Device > Setup > Operations > Configuration Management > and then what operation?

Revert to Running Configuration

Revert to last Saved Configuration

Load Configuration Version

Import Named Configuration Snapshot

As the Palo Alto Networks Administrator you have enabled Application Block pages. Afterwards, not knowing they are attempting to access a blocked web-based application, users call the Help Desk to complain about network connectivity issues. What is the cause of the increased number of help desk calls?

The firewall admin did not create a custom response page to notify potential users that their attempt to access the web-based application is being blocked due to company policy.

Some App-IDs are set with a Session Timeout value that is too low.

The File Blocking Block Page was disabled.

Application Block Pages will only be displayed when Captive Portal is configured.

Both SSL decryption and SSH decryption are disabled by default.

True

False

In a Destination NAT configuration, the Translated Address field may be populated with either an IP address or an Address Object.

True

False

Palo Alto Networks firewalls support the use of both Dynamic (built-in user roles) and Role-Based (customized user roles) for Administrator Accounts.

True

False

Reconnaissance Protection is a feature used to protect the Palo Alto Networks firewall from port scans. To enable this feature within the GUI go to…

Network > Network Profiles > Zone Protection

Objects > Zone Protection

Interfaces > Interface Number > Zone Protection

Policies > Profile > Zone Protection

What are two sources of information for determining whether the firewall has been successful in communicating with an external User-ID Agent?

System Logs and the indicator light under the User-ID Agent settings in the firewall.

System Logs and an indicator light on the chassis.

Traffic Logs and Authentication Logs.

System Logs and Authentication Logs.

What is the maximum file size of .EXE files uploaded from the firewall to WildFire?

Always 2 megabytes.

Always 10 megabytes.

Configurable up to 2 megabytes.

Configurable up to 10 megabytes

What will the user experience when attempting to access a blocked hacking website through a translation service such as Google Translate or Bing Translator?

A “Blocked” page response when the URL filtering policy to block is enforced.

A “Success” page response when the site is successfully translated.

The browser will be redirected to the original website address.

An "HTTP Error 503 - Service unavailable" message.

When an interface is in Tap mode and a Policy’s action is set to “block”, the interface will send a TCP reset.

True

False

When using Config Audit, the color yellow indicates which of the following?

A setting has been changed between the two config files

A setting has been deleted from a config file.

A setting has been added to a config file

An invalid value has been used in a config file.

Which of the following most accurately describes Dynamic IP in a Source NAT configuration?

The next available IP address in the configured pool is used, but the source port number is unchanged.

A single IP address is used, and the source port number is changed.

The next available address in the configured pool is used, and the source port number is changed.

A single IP address is used, and the source port number is unchanged.

Which of the following services are enabled on the MGT interface by default? (Select all correct answers.)

HTTPS

SSH

Telnet

HTTP

WildFire may be used for identifying which of the following types of traffic?

DHCP

OSPF

RIPv2

Malware

Will an exported configuration contain Management Interface settings?

Yes

No

With IKE Phase 1, each device is identified to the other by a Peer ID. In most cases, the Peer ID is just the public IP address of the device. In situations where the public IP address is not static, the Peer ID can be a text value.

True

False

True or False: The PAN-DB URL Filtering Service is offered as both a Private Cloud solution and a Public Cloud solution.

True

False

True or False: The WildFire Analysis Profile can only be configured to send unknown files to the WildFire Public Cloud only.

True

False

PAN-OS 7.0 introduced a new Security Profile type. What is the name of this new security profile type?

Threat Analysis

Malware Analysis

WildFire Analysis

File Analysis

After the installation of a new version of PAN-OS, the firewall must be rebooted.

True

False

Considering the information in the screenshot above, what is the order of evaluation for this URL Filtering Profile?

Block List, Allow List, Custom Categories, URL Categories (BrightCloud or PAN-DB).

Allow List, Block List, Custom Categories, URL Categories (BrightCloud or PAN-DB).

Enabling "Highlight Unused Rules" in the Security Policy window will:

Display rules that caused a validation error to occur at the time a Commit was performed.

Highlight all rules that have not matched traffic since the rule was created or since the last reboot of the firewall.

Choose the best answer: In PAN-OS, the WildFire Subscription Service allows updates for malware signatures to be distributed as often as…

Once every 15 minutes

Taking into account only the information in the screenshot above, answer the following question: A span port or a switch is connected to e1/4, but there are no traffic logs. Which of the following conditions most likely explains this behavior?

There is no zone assigned to the interface.

Traffic going to a public IP address is being translated by a Palo Alto Networks firewall to an internal server’s private IP address. Which IP address should the Security Policy use as the "Destination IP" in order to allow traffic to the server?

The server’s public IP

The firewall’s MGT IP

The server’s private IP

Users may be authenticated sequentially to multiple authentication servers by configuring:

An Authentication Profile.

An Authentication Sequence.

What is the default DNS sinkhole address used by the Palo Alto Networks Firewall to cut off communication?

Any layer 3 interface address specified by the firewall administrator.

The default gateway of the firewall.

The local loopback address.

What will be the user experience when the safe search option is NOT enabled for Google search but the firewall has "Safe Search Enforcement" Enabled?

A block page will be presented with instructions on how to set the strict Safe Search option for the Google search.

A task bar pop-up message will be presented to enable Safe Search.

The Firewall will enforce Safe Search if the URL filtering license is still valid.

When configuring a Decryption Policy rule, which option allows a firewall administrator to control SSHv2 tunneling in policies by specifying the SSH-tunnel App-ID?

SSH Proxy

SSL Forward Proxy

SSL Reverse Proxy

When configuring a Security Policy Rule based on FQDN Address Objects, which of the following statements is True?

In order to create FQDN-based objects, you need to manually define a list of associated IP addresses.

The firewall resolves the FQDN first when the policy is committed, and resolves the FQDN again at DNS TTL expiration

When configuring the firewall for User-ID, what is the maximum number of Domain Controllers that can be configured?

50

10

100

When troubleshooting Phase 1 of an IPsec VPN tunnel, which location and log will be most informative?

Responding side, Traffic log

Responding side, System Log

When using remote authentication for users (LDAP, RADIUS, Active Directory, etc.), what must be done to allow a user to authenticate through multiple methods?

Create multiple authentication profiles for the same user.

Create an Authentication Sequence, dictating the order of authentication profiles.

Which feature can be configured to block sessions that the firewall cannot decrypt?

Decryption Profile in Decryption Policy

Which link is used by an Active/Passive cluster to synchronize session information?

The Data Link

The Uplink

The Management Link

Which of the following is NOT a valid option for built-in CLI Admin roles?

deviceadmin

read/write

Which of the following must be enabled in order for User-ID to function?

Captive Portal Policies must be enabled.

User-ID must be enabled for the source zone of the traffic that is to be identified

Which routing protocol is supported on the Palo Alto Networks platform?

BGP

RIPv1

RSTP

Which statement about config locks is True?

A config lock can be removed only by a superuser.

A config lock can be removed only by the administrator who set it.

A config lock can only be removed by the administrator who set it or by a superuser.

Which statement below is True?

PAN-OS uses PAN-DB as the default URL Filtering database, but also supports BrightCloud.

Without a WildFire subscription, which of the following files can be submitted by the Firewall to the hosted WildFire virtualized sandbox?

PE files only

Attackers will employ a number of tactics to hide malware. One such tactic is to encode and/or compress the file so as to hide the malware. With PAN-OS 7.0 the firewall can decode up to four levels. But if an attacker has encoded the file beyond four levels, what can you as an administrator do to protect your users?

Create a Decryption Policy for multi-level encoded files and set the action to block.

Create a File Blocking Profile for multi-level encoded files with the action set to block.

Create a Decryption Profile for multi-level encoded files and apply it to a Decryption Policy.

As of PAN-OS 7.0, when configuring a Decryption Policy Rule, which of the following is NOT an available option as matching criteria in the rule?

Application

Source User

Source Zone

After the installation of the Threat Prevention license, the firewall must be rebooted.

True

False

An interface in Virtual Wire mode must be assigned an IP address.

True

False

Can multiple administrator accounts be configured on a single firewall?

Yes

No

How do you reduce the amount of information recorded in the URL Content Filtering Logs?

Enable "Log container page only".

Disable URL packet captures.

Enable URL log caching.

Enable DSRI.

In PAN-OS 6.0 and later, rule numbers are:

Numbers that specify the order in which security policies are evaluated.

Numbers created to be unique identifiers in each firewall’s policy database.

Numbers created to make it easier for users to discuss a complicated or difficult sequence of rules.

Taking into account only the information in the screenshot above, answer the following question. An administrator is pinging and fails to receive a response. What is the most likely reason for the lack of response?

The interface is down.

There is no Management Profile.

There is no route back to the machine originating the ping.

Taking into account only the information in the screenshot above, answer the following question. Which applications will be allowed on their standard ports? (Select all correct answers.)

Gnutella

BitTorrent

SSH

Skype

The following can be configured as a next hop in a static route:

A Policy-Based Forwarding Rule

Virtual Systems

Virtual Switch

Virtual Router

The screenshot above shows part of a firewall’s configuration. If ping traffic can traverse this device from e1/2 to e1/1, which of the following statements must be True about this firewall’s configuration? (Select all correct answers.)

There must be a security policy rule from Internet zone to trust zone that allows ping.

There must be appropriate routes in the default virtual router.

There must be a security policy rule from trust zone to Internet zone that allows ping.

There must be a Management Profile that allows ping. (Then assign that Management Profile to e1/1 and e1/2.)

When Destination Network Address Translation is being performed, the destination in the corresponding Security Policy Rule should use:

The Pre-NAT destination zone and Pre-NAT IP addresses.

The Post-NAT destination zone and Post-NAT IP addresses.

The Post-NAT destination zone and Pre-NAT IP addresses.

The Pre-NAT destination zone and Post-NAT IP addresses.

Which of the following can provide information to a Palo Alto Networks firewall for the purposes of User-ID? (Select all correct answers.)

Network Access Control (NAC) device

Domain Controller

RIPv2

SSL Certificates

Palo Alto Networks offers WildFire users three solution types. These solution types are the WildFire Public Cloud, The WF-500 Private Appliance, and the WildFire Hybrid solution. What is the main reason and purpose for the WildFire Hybrid solution?

The WildFire Hybrid solution enables companies to send to the WF-500 Private Appliance keeping them internal to their network, as well as providing the option to send other, general files to the WildFire Public Cloud for analysis.

The WildFire Hybrid solution places WF-500s at multiple places in the cloud, so that firewall appliances distributed throughout an enterprise's network receive WildFire verdicts with minimal latency while retaining data privacy.

The WildFire Hybrid solution enables outside companies to share the same WF-500 Appliance while at the same time allowing them to send only their private files to the private WF-500.

The WildFire Hybrid solution is only offered to companies that have sensitive files to protect and does not require a WildFire subscription.

In which of the following can User-ID be used to provide a match condition? (Select all correct answers.)

Security Policies

NAT Policies

Zone Protection Policies

Threat Profiles

An enterprise PKI system is required to deploy SSL Forward Proxy decryption capabilities.

True

False

An interface in tap mode can transmit packets on the wire.

True

False

Which of the following CANNOT use the source user as a match criterion?

Anti-virus Profile

Security policy rules specify a source interface and a destination interface.

True

False

The "Drive-By Download" protection feature, under File Blocking profiles in Content-ID, provides:

Protection against unwanted downloads by showing the user a response page indicating that a file is going to be downloaded.

User-ID is enabled in the configuration of…

An Interface.

A Zone.

A Security Policy.

Which of the following facts about dynamic updates is correct?

Threat and URL Filtering updates are released daily. Application and Anti-virus updates are released weekly.

Anti-virus updates are released daily. Application and Threat updates are released weekly.

Which of the following interface types can have an IP address assigned to it?

Layer 3

Layer 2

Tap

Which of the following would be a reason to use the PAN-OS XML API to communicate with a Palo Alto Networks firewall?

To pull information from other network resources for User-ID.

You can assign an IP address to an interface in Virtual Wire mode.

True

False

In PAN-OS 7.0 which of the available choices serves as an alert warning by defining patterns of suspicious traffic and network anomalies that may indicate a host has been compromised?

Correlation Objects

Correlation Events

Custom Signatures

Previous to PAN-OS 7.0 the firewall was able to decode up to two levels. With PAN-OS 7.0 the firewall can now decode up to how many levels?

Four

Three

Color-coded tags can be used on all of the items listed below EXCEPT:

Vulnerability Profiles

Service Groups

Address Objects

In Palo Alto Networks terms, an application is:

A specific program detected within an identified stream that can be detected, monitored, and/or blocked.

A combination of port and protocol that can be detected, monitored, and/or blocked.

A file installed on a local machine that can be detected, monitored, and/or blocked.

Web-based traffic from a specific IP address that can be detected, monitored, and/or blocked.

Which of the following platforms supports the Decryption Port Mirror function?

PA-3000

VM-Series 100

PA-2000

PA-4000

Using the API in PAN-OS 6.1, WildFire subscribers can upload up to how many samples per day?

10

500

1000

50

All of the interfaces on a Palo Alto Networks device must be of the same interface type.

True

False

What is the default setting for 'Action' in a Decryption Policy's rule?

No-Decrypt

None

Decrypt

When configuring Admin Roles for Web UI access, what are the available access levels?

Allow and Deny only

Enable, Read-Only, and Disable

Enable and Disable only

Which of the following are methods that HA clusters use to identify network outages?

Path and Link Monitoring

Link and Session Monitors

Which of the following is True of an application filter?

An application filter automatically includes a new application when one of the new application’s characteristics are included in the filter.

An application filter automatically adapts when an application moves from one IP address to another.

An application filter specifies the users allowed to access an application.

Which pre-defined Admin Role has all rights except the rights to create administrative accounts and virtual systems?

Device Administrator

vsysadmin

When you have created a Security Policy Rule that allows Facebook, what must you do to block all other web-browsing traffic?

Ensure that the Service column is defined as "application-default" for this Security policy. Doing this will automatically include the implicit web-browsing application dependency.

Nothing. You can depend on PAN-OS to block the web-browsing traffic that is not needed for Facebook use.

When creating the policy, ensure that web-browsing is included in the same rule.

As the Palo Alto Networks Administrator responsible for User-ID, you need to enable mapping of network users that do not sign-in usin
