PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Transcription

1 PASS4TEST \ We offer free update service for one year

2 Exam : JN0-633 Title : Security, Professional (JNCIP- SEC) Exam Vendor : Juniper Version : DEMO Get Latest & Valid JN0-633 Exam's Question and Answers 1 from Pass4test.com. 1

3 NO.1 Your company has added a connection to a new ISP and you have been asked to send specific traffic to the new ISP. You have decided to implement filter-based forwarding. You have configured new routing instances with type forwarding. You must direct traffic into each instance.which step would accomplish this goal? A. Add a firewall filter to the ingress interface that specifies the intended routing instance as the action. B. Create a routing policy to direct the traffic to the required forwarding instances. C. Configure the ingress and egress interfaces in each forwarding instance. D. Create a static default route for each ISP in inet.0, each pointing to a different forwarding instance. Explanation: Reference : NO.2 Click the Exhibit button. user@key-server> show security group-vpn server ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 97 UP bb cc5d 435b c2 Main UP 242c d15 ab ba8 Main user@key-server> show security group-vpn server ipsec security-associations Group: group-1, Group Id: 1 Total IPsec SAs: 1 IPsec SA Algorithm SPI Lifetime group-l-sa ESP:3des/shal c 2736 Group: group-2, Group id: 2 Total IPsec SAs: 1 IPsec SA Algorithm SPI Lifetime group-2-sa ESP:3des/shal 13be9e Group: group-3, Group Id: 3 Total IPsec SAs: 1 IPsec SA Algorithm SPI Lifetime group-3-sa ESP:3des/shal Group: group-4, Group Id: 4 Total IPsec SAs: 1 IPsec SA Algorithm SPI Lifetime group-4-sa ESP:3des/shal 5111c2e Which statement is correct regarding the outputs shown in the exhibit? A. Two established peers are in the group VPNs. B. One established peer is in the group VPNs. C. No established peer is in the group VPNs. D. Four established peers are in the group VPNs. NO.3 Which action will allow an administrator to connect in band to an SRX Series device in transparent mode over SSH? A. Use a VLAN interface. B. Use the loopback interface. C. Use a logical interface. D. Use an irb interface. Answer: D NO.4 Click the Exhibit button. user@host# show interfaces ge-0/0/0 { unit 1 { Get Latest & Valid JN0-633 Exam's Question and Answers 2 from Pass4test.com. 2

4 family bridge { interface-mode trunk; vlan-id-list 20; vlan-rewrite { translate 2 20; Referring to the exhibit, which two statements are correct regarding VLAN rewrite? (Choose two.) A. An incoming packet with VLAN tag 20 will be translated to VLAN tag 2. B. An outgoing packet with VLAN tag 2 will be translated to VLAN tag 20. C. An incoming packet with VLAN tag 2 will be translated to VLAN tag 20. D. An outgoing packet with VLAN tag 20 will be translated to VLAN tag 2. Answer: C NO.5 You are using the AppDoS feature to control against malicious bot client attacks. The bot clients are using file downloads to attack your server farm. You have configured a context value rate of 10,000 hits in 60 seconds.at which threshold will the bot clients no longer be classified as malicious? A hits in 60 seconds B hits in 60 seconds C hits in 60 seconds D hits in 60 seconds Answer: B Explanation: Reference : NO.6 Click the Exhibit button. -- Exhibit- Get Latest & Valid JN0-633 Exam's Question and Answers 3 from Pass4test.com. 3

5 -- Exhibit - In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. While troubleshooting, you change your filter to forward all traffic to ISP1. However, no traffic is sent to ISP1. What is causing this behavior? A. The filter is applied to the wrong interface. B. The filter should use the next-hop action instead of the routing-instance action. C. The filter term does not have a required from statement. D. The filter term does not have the accept statement. Reference: NO.7 You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be working properly. What are two reasons for the problem? (Choose two.) A. You are configured a remote address value of /0. B. You are trying to use traffic selectors with policy-based VPNs. C. You have configured 15 traffic selectors on each SRX Series device. D. You are trying to use traffic selectors with route-based VPNs.,B NO.8 Your company provides managed services for two customers. Each customer has been Get Latest & Valid JN0-633 Exam's Question and Answers 4 from Pass4test.com. 4

6 segregated within its own routing instance on your SRX device. Customer A and customer B inform you that they need to be able to reach certain hosts on each other's network. Which two configuration settings would be used to share routes between these routing instances? (Choose two.) A. routing-group B. instance-import C. import-rib D. next-table Answer: B,D Explanation: Reference : NO.9 A branch SRX Series device in flow mode is forwarding between two virtual routers using a paired set of logical tunnel interfaces. You have a server connected to one virtual router and the client is on the other virtual router. How many security policies are needed to connect from the client to the server across the logical tunnel link? A. 0 B. 2 C. 3 D. 1 Answer: D NO.10 Click the Exhibit button. [edit] user@host# run show log debug Feb3 22:04:31 22:04: :CID-0:RT:flow_first_policy_search: policy search from zone host-> zone attacker (Ox0,0xe ,0x17) Feb3 22:04:31 22:04: :CID-0:RT:Policy lkup: vsys 0 zone(9:host) -> zone(10:attacker) scope: 0 Feb3 22:04:31 22:04: :CID-0:RT: / > /23 proto 6 Feb3 22:04:31 22:04: :CID-0:RT:Policy lkup: vsys 0 zone(5:umkmowm) -> zone(5:umkmowm) scope: 0 Feb3 22:04:31 22:04: :CID-0:RT: / > /23 proto 6 Feb3 22:04:31 22:04: :CID-0:RT: app 10, timeout 1800s, curr ageout 20s Feb3 22:04:31 22:04: :CID-0:RT: permitted by policy default-policy-00(2) Feb3 22:04:31 22:04: :CID-0:RT: packet passed, Permitted by policy. Feb3 22:04:31 22:04: :CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed; False Feb3 22:04:31 22:04: :CID-0:RT:flow_first_src_xlate: incoming src port is: Which two statements are true regarding the output shown in the exhibit? (Choose two.) A. The packet does not match any user-configured security policies. B. The user has configured a security policy to allow the packet. C. The log is showing the first path packet flow. D. The log shows the reverse flow of the session. Answer: C Get Latest & Valid JN0-633 Exam's Question and Answers 5 from Pass4test.com. 5

7 NO.11 Your SRX device is performing NAT to provide an internal resource with a public address. Your DNS server is on the same network segment as the server. You want your internal hosts to be able to reach the internal resource using the DNS name of the resource. How do you accomplish this goal? A. Implement proxy ARP. B. Implement NAT-Traversal. C. Implement NAT hairpinning. D. Implement persistent NAT. Explanation: Reference : NO.12 Which AppSecure module provides Quality of Service? A. AppTrack B. AppFW C. AppID D. AppQoS Answer: D NO.13 What are three techniques to mark DSCP values on an SRX Series device? (Choose three.) A. IDP attack action-based DSCP rewriters B Q C. VLAN rewrite D. ALG-based DSCP rewriters E. Layer 7 application-based DSCP rewriters.,d,e NO.14 Click the Exhibit button. {primarynode0[edit security idp idp-policy test-ips-policy] user@host# show rulebase-ips { rule r1 { match { source-address any; attacks { predefined-attack-groups "HTTP - All"; then { action { drop-packet; Get Latest & Valid JN0-633 Exam's Question and Answers 6 from Pass4test.com. 6

8 terminal; rule r2 { match { source-address /12; attacks { predefined-attack-groups "FTP - All"; then { action { no-action; rule r3 { match { source-address /12; attacks { predefined-attack-groups "TELNET - All"; then { action { no-action; rule r4 { match { source-address any; attacks { predefined-attack-groups "FTP - All"; then { action { drop-packet; A user with IP address initiates an FTP session to a host with IP address through an SRX Series device and is subject to the IPS policy shown in the exhibit. If the user tries to execute thecd ~rootcommand, which statement is correct? A. The FTP command will be denied with the offending packet dropped and the session will be closed by the SRX device. B. The FTP command will be denied with the offending packet dropped and the rest of the FTP session will be inspected by the IPS policy. C. The FTP command will be allowed to execute and the rest of the FTP session will be ignored by the IPS policy. D. The FTP command will be allowed to execute but any other attacks executed during the session will be inspected. Answer: D NO.15 You configured a custom signature attack object to match specific components of an attack: Get Latest & Valid JN0-633 Exam's Question and Answers 7 from Pass4test.com. 7

9 HTTP-request Pattern.*\x Direction: client-to-server Which client traffic would be identified as an attack? A. HTTP GET.*\x B. HTTP POST.*\x C. HTTP GET.*x D. HTTP POST.*x Reference: Get Latest & Valid JN0-633 Exam's Question and Answers 8 from Pass4test.com. 8