Realtests JN q


Number: JN0-633
Passing Score: 800
Time Limit: 120 min
File Version: 16.5

Juniper JN0-633 Security, Professional (JNCIP-SEC)

I have corrected many of the question answers. If there are any more, then update this vce and re-upload. It is a good certification for success in life.

Exam A

QUESTION 1
What are two network scanning methods? (Choose two.)
A. SYN flood
B. ping of death
C. ping sweep
D. UDP scan
Correct Answer: CD
The question is about network scanning, so the correct answers are ping sweep and UDP scan, as both are port scanning types.

QUESTION 2
What are two intrusion protection mechanisms available on SRX Series Services Gateways? (Choose two.)
A. routing update detection
B. traffic anomaly detection
C. NAT anomaly protection
D. DoS protection
Correct Answer: BD
The Juniper IPS system provides traffic anomaly detection and protects against DoS/DDoS attacks.

QUESTION 3
What is a benefit of using a group VPN?

A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.
B. It eliminates the need for point-to-point VPN tunnels.
C. It provides a way to grant VPN access on a per-user-group basis.
D. It simplifies IPsec access for remote clients.
Correct Answer: B
Reference: Page 4, manual_configuring_group_vpn_juniper_srx.pdf (www.thomaskrenn.com)

QUESTION 4
Which statement is true about Layer 2 zones when implementing transparent mode security?
A. All interfaces in the zone must be configured with the protocol family mpls.
B. All interfaces in the zone must be configured with the protocol family inet.
C. All interfaces in the zone must be configured with the protocol family bridge.
D. All interfaces in the zone must be configured with the protocol family inet6.
Correct Answer: C
Reference (page no 12): products/pathway-pages/security/security-layer2-bridging-transparentmode.pdf

QUESTION 5
You are working as a security administrator and must configure a solution to protect against distributed botnet attacks on your company's central SRX cluster. How would you accomplish this goal?
A. Configure AppTrack to inspect and drop traffic from the malicious hosts.
B. Configure AppQoS to block the malicious hosts.
C. Configure AppDoS to rate limit connections from the malicious hosts.
D. Configure AppID with a custom application to block traffic from the malicious hosts.
Correct Answer: C
Reference: Page No 2, Figure 1

QUESTION 6
You are asked to change the configuration of your company's SRX device so that you can block nested traffic from certain Web sites, but the main pages of these Web sites must remain available to users. Which two methods will accomplish this goal? (Choose two.)
A. Enable the HTTP ALG.
B. Implement a firewall filter for Web traffic.
C. Use an IDP policy to inspect the Web traffic.
D. Configure an application firewall rule set.

Correct Answer: BD
Reference: An application layer gateway (ALG) is a feature on ScreenOS gateways that enables the gateway to parse application layer payloads and take decisions on them. ALGs are typically employed to support applications that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections. IDP policy defines the rule for defining the type of traffic permitted on network (swconfig-security/enable-idp-security-policy-section.html).

QUESTION 7
You have just created a few hundred application firewall rules on an SRX device and applied them to the appropriate firewall policies. However, you are concerned that the SRX device might become overwhelmed with the increased processing required to process traffic through the application firewall rules. Which three actions will help reduce the amount of processing required by the application firewall rules? (Choose three.)
A. Use stateless firewall filtering to block the unwanted traffic.
B. Implement AppQoS to drop the unwanted traffic.
C. Implement screen options to block the unwanted traffic.
D. Implement IPS to drop the unwanted traffic.
E. Use security policies to block the unwanted traffic.
Correct Answer: ACE
IPS and AppDoS are the most powerful, and thus, the least efficient method of dropping traffic on the SRX, because IPS and AppDoS tend to take up the most processing cycles.
Reference: for-junos/

QUESTION 8
Referring to the following output, which command would you enter in the CLI to produce this result?

    Pic2/1
    Ruleset        Application   Client-to-server   Rate(bps)   Server-to-client   Rate(bps)
    http-app-qos   HTTP          ftp-c2s            200         ftp-c2s            200
    http-app-qos   HTTP          ftp-c2s            200         ftp-c2s            200
    ftp-app-qos    FTP           ftp-c2s            100         ftp-c2s            100

A. show class-of-service interface ge-2/1/0
B. show interface flow-statistics ge-2/1/0
C. show security flow statistics
D. show class-of-service applications-traffic-control statistics rate-limiter
Correct Answer: D
Reference: summary/show-class-of-service-application-traffic-control-statisticsrate-limiter.html

QUESTION 9
You are asked to apply individual upload and download bandwidth limits to YouTube traffic. Where in the configuration would you create the necessary bandwidth limits?
A. under the [edit security application-firewall] hierarchy
B. under the [edit security policies] hierarchy
C. under the [edit class-of-service] hierarchy
D. under the [edit firewall policer <policer-name>] hierarchy
Correct Answer: D

Reference: uploading-downloading-polcier/td-p/

QUESTION 10
You want to verify that all application traffic traversing your SRX device uses standard ports. For example, you need to verify that only DNS traffic runs through port 53, and no other protocols. How would you accomplish this goal?
A. Use an IDP policy to identify the application regardless of the port used.
B. Use a custom ALG to detect the application regardless of the port used.
C. Use AppTrack to detect the application regardless of the port used.
D. Use AppID to detect the application regardless of the port used.
Correct Answer: A
AppTrack for detailed visibility of application traffic. Also, AppTrack is aka AppID.
Reference: p/63029
An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols.
Reference: security-swconfig-security/id html

QUESTION 11
You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together. What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.

Correct Answer: AD
AppTrack is used for visibility for application usage and bandwidth.

QUESTION 12
You have been asked to configure traffic to flow between two virtual routers (VRs) residing on two unique logical systems (LSYSs) on the same SRX5800. How would you accomplish this task?
A. Configure a security policy that contains the context from VR1 to VR2 to permit the relevant traffic.
B. Configure a security policy that contains the context from LSYS1 to LSYS2 and relevant match conditions in the rule set to allow traffic between the IP networks in VR1 and VR2.
C. Configure logical tunnel interfaces between VR1 and VR2 and security policies that allow relevant traffic between VR1 and VR2 over that link.
D. Configure an interconnect LSYS to facilitate a connection between LSYS1 and LSYS2 and relevant policies to allow the traffic.
Correct Answer: C

QUESTION 13
You are using logical systems to segregate customers. You have a requirement to enable communication between the logical systems. What are two ways to accomplish this goal? (Choose two.)
A. Use a shared DMZ zone to connect the logical systems together.
B. Use a virtual tunnel (vt-) interface to connect the logical systems together.
C. Use an external cable to connect the ports from the two logical systems.
D. Use an interconnect LSYS to connect the logical systems together.

Correct Answer: CD
Reference: collections/security/software-all/logical-systems-config/index.html?topic html

QUESTION 14
Your company is providing multi-tenant security services on an SRX5800 cluster. You have been asked to create a new logical system (LSYS) for a customer. The customer must be able to access and manage new resources within their LSYS. How do you accomplish this goal?
A. Create the new LSYS, allocate resources, and then create the user administrator role so that the customer can manage their allocated resources.
B. Create the new LSYS, and then create the user administrator role so that the customer can allocate and manage resources.
C. Create the new LSYS, and then create the master administrator role for the LSYS so that the customer can allocate and manage resources.
D. Create the new LSYS, then request the required resources from the customer, and create the required resources.
Correct Answer: A
Reference: system-security-user-lsys-overview-configuring.html

QUESTION 15
Your company has added a connection to a new ISP and you have been asked to send specific traffic to the new ISP. You have decided to implement filter-based forwarding. You have configured new routing instances with type forwarding. You must direct traffic into each instance. Which step would accomplish this goal?
A. Add a firewall filter to the ingress interface that specifies the intended routing instance as the action.
B. Create a routing policy to direct the traffic to the required forwarding instances.
C. Configure the ingress and egress interfaces in each forwarding instance.

D. Create a static default route for each ISP in inet.0, each pointing to a different forwarding instance.
Correct Answer: A

QUESTION 16
You want requests from the same internal transport address to be mapped to the same external transport address. Only internal hosts can initialize the session. Which Junos configuration setting supports the requirements?
A. any-remote-host
B. target-host
C. source-host
D. address-persistent
Correct Answer: D
Reference: security-swconfig-security/understand-persistent-nat-section.html

QUESTION 17
Which statement is true about NAT?

A. When you implement destination NAT, the router does not apply ALG services.
B. When you implement destination NAT, the router skips source NAT rules for the initiating traffic flow.
C. When you implement static NAT, each packet must go through a route lookup.
D. When you implement static NAT, the router skips destination NAT rules for the initiating traffic flow.
Correct Answer: D
The NAT type determines the order in which NAT rules are processed. During the first packet processing for a flow, NAT rules are applied in the following order:
Reference: security-swconfig-security/topic html

QUESTION 18
You want to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, without the internal resource having previously sent packets to the external hosts. Which configuration setting will accomplish this goal?
A. persistent-nat permit target-host
B. persistent-nat permit any-remote-host
C. persistent-nat permit target-host-port
D. address-persistent
Correct Answer: B

Reference: security-swconfig-security/understand-persistent-nat-section.html

QUESTION 19
Your SRX device is performing NAT to provide an internal resource with a public address. Your DNS server is on the same network segment as the server. You want your internal hosts to be able to reach the internal resource using the DNS name of the resource. How do you accomplish this goal?
A. Implement proxy ARP.
B. Implement NAT-Traversal.
C. Implement NAT hairpinning.
D. Implement persistent NAT.
Correct Answer: A
Reference: security-swconfig-security/prxy-arp-nat_srx.html

QUESTION 20
You are asked to provide access for an external VoIP server to VoIP phones in your network using private addresses. However, due to security concerns, the VoIP server should only be able to initiate connections to each phone once the phone has logged into the VoIP server. The VoIP server requires access to the phones using multiple ports. Which type of persistent NAT is required?
A. any-remote-host
B. target-host
C. target-host-port
D. remote-host
Correct Answer: B

Reference: security-swconfig-security/understand-persistent-nat-section.html

QUESTION 21
Given the following session output:

    Session ID., Policy name. default-policy-00/2, StatE. Active, Timeout: 1794, Valid
    In: 2001:660:1000:8c00::b/ > 2001:660:1000:9002::aafe/80;tcp, IF. reth0.0, Pkts: 4, Bytes:
    Out: /80 --> /24770;tcp, IF. reth1.0, Pkts: 3, Bytes:

Which statement is correct about the security flow session output?
A. This session is about to expire.
B. NAT64 is used.
C. Proxy NDP is used for this session.
D. The IPv4 Web server runs services on TCP port
Correct Answer: B

QUESTION 22
You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office is a chassis cluster formed from two SRX240s. Which two statements about this deployment are true? (Choose two.)
A. You must remove the SRX240s from the chassis cluster before enabling the dynamic VPNs.
B. The remote clients can run Windows XP, Windows Vista, Windows 7, or OS X operating systems.
C. If more than two dynamic VPN tunnels are required, you must purchase and install a new license.
D. The remote users can be authenticated by the SRX240s or a configured RADIUS server.
Correct Answer: CD

QUESTION 23
You are asked to implement IPsec tunnels between your SRX devices located at various locations. You will use the public key infrastructure (PKI) to verify the identification of the endpoints. What are two certificate enrollment options available for this deployment? (Choose two.)
A. Manually generating a PKCS10 request and submitting it to an authorized CA.
B. Dynamically generating and sending a certificate request to an authorized CA using OCSP.
C. Manually generating a CRL request and submitting that request to an authorized CA.
D. Dynamically generating and sending a certificate request to an authorized CA using SCEP.
Correct Answer: AD
Reference: Page 9, trouble/configuring-and-troubleshooting-public-keyinfrastructure.pdf

QUESTION 24
You are asked to design a solution to verify IPsec peer reachability with data path forwarding. Which feature would meet the design requirements?
A. DPD over Phase 1 SA
B. DPD over Phase 2 SA
C. VPN monitoring over Phase 1 SA
D. VPN monitoring over Phase 2 SA
Correct Answer: D

Reference: monitor-in-ipsec/td-p/

QUESTION 25
You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?
A. You can use SCEP to accomplish this behavior.
B. You can use OCSP to accomplish this behavior.
C. You can use CRL to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.
Correct Answer: A
Reference: Page 9, trouble/configuring-and-troubleshooting-public-keyinfrastructure.pdf

QUESTION 26
You are asked to implement an IPsec VPN between your main office and a new remote office. The remote office receives its IKE gateway address from their ISP dynamically. Regarding this scenario, which statement is correct?
A. Configure a fully qualified domain name (FQDN) as the IKE identity.
B. Configure the dynamic-host-address option as the IKE identity.
C. Configure the unnumbered option as the IKE identity.

D. Configure a dynamic host configuration name (DHCN) as the IKE identity.
Correct Answer: A

QUESTION 27
You have recently deployed a dynamic VPN. Some remote users are complaining that they cannot authenticate through the SRX device at the corporate network. The SRX device serves as the tunnel endpoint for the dynamic VPN. What are two reasons for this problem? (Choose two.)
A. The supported number of users has been exceeded for the applied license.
B. The users are connecting to the portal using Windows Vista.
C. The SRX device does not have the required user account definitions.
D. The SRX device does not have the required access profile definitions.
Correct Answer: AD
Reference: collections/syslog-messages/index.html?jd0e28566.html
kb.juniper.net/infocenter/index?page=content&id=kb16477

QUESTION 28
Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce password expiration policies for all VPN users. Which authentication method meets the requirement?
A. local password database
B. TACACS+
C. RADIUS
D. LDAP

Correct Answer: D

QUESTION 29
You want to implement a hub-and-spoke VPN topology using a single logical interface on the hub. Which st0 interface configuration is correct for the hub device?
A. [edit interfaces]
    user@srx# show
    st0 {
        multipoint
        unit 0 {
            family inet {
                address /24;
            }
        }
    }
B. [edit interfaces]
    user@srx# show
    st0 {
        unit 0 {
            family inet {
                address /24;
            }
        }
    }
C. [edit interfaces]
    user@srx# show
    st0 {
        unit 0 {
            point-to-point;
            family inet {
                address /24;
            }
        }
    }
D. [edit interfaces]
    show
    st0 {
        unit 0 {
            multipoint;
            family inet {
                address /24;
            }
        }
    }
Correct Answer: D
Reference: configuring.html

QUESTION 30
At which two times does the IPS rulebase inspect traffic on an SRX device? (Choose two.)
A. When traffic matches the active IDP policy.
B. When traffic first matches an IDP rule with the terminal parameter.
C. When traffic uses the application layer gateway.
D. When traffic is established in the firewall session table.
Correct Answer: AB

QUESTION 31

Which problem is introduced by setting the terminal parameter on an IPS rule?
A. The SRX device will stop IDP processing for future sessions.
B. The SRX device might detect more false positives.
C. The SRX device will terminate the session in which the terminal rule detected the attack.
D. The SRX device might miss attacks.
Correct Answer: D
Reference: security-swconfig-security/topic html

QUESTION 32
You have installed a new IPS license on your SRX device and successfully downloaded the attack signature database. However, when you run the command to install the database, the database fails to install. What are two reasons for the failure? (Choose two.)
A. The file system on the SRX device has insufficient free space to install the database.
B. The downloaded signature database is corrupt.
C. The previous version of the database must be uninstalled first.
D. The SRX device does not have the high memory option installed.
Correct Answer: AB
We don't need to uninstall the previous version to install a new license, as we can update the same.
Reference: page=content&id=kb
Also, the high memory option is a licensed feature. The only reason for failure is that either there is no space left or the downloaded file is corrupted due to an incomplete download caused by an Internet interruption.

QUESTION 33

You are deploying a standalone SRX650 in transparent mode for evaluation purposes in a potential client's network. The client will need to access the device to modify security policies and perform other various configurations. Where would you configure a Layer 3 interface to meet this requirement?
A. fxp0.0
B. vlan.1
C. irb.1
D. ge-0/0/0.0
Correct Answer: C
Reference: products/topic-collections/security/software-all/layer-2/index.html?topic html

QUESTION 34
Which two configuration components are required for enabling transparent mode on an SRX device? (Choose two.)
A. IRB
B. bridge domain
C. interface family bridge
D. interface family ethernet-switching
Correct Answer: BC

QUESTION 35
What is the default action for an SRX device in transparent mode to determine the outgoing interface for an unknown destination MAC address?

A. Perform packet flooding.
B. Send an ARP query.
C. Send an ICMP packet with a TTL of 1.
D. Perform a traceroute request.
Correct Answer: A
Reference: security-swconfig-interfaces-and-routing/understand-l2-forwardingtables-section.html

QUESTION 36
Which QoS function is supported in transparent mode?
A p
B. DSCP
C. IP precedence
D. MPLS EXP
Correct Answer: A

QUESTION 37
A security administrator has configured an IPsec tunnel between two SRX devices. The devices are configured with OSPF on the st0 interface and an external interface destined to the IPsec endpoint. The administrator notes that the IPsec tunnel and OSPF adjacency keep going up and down. Which action would resolve this issue?
A. Create a firewall filter on the st0 interface to permit IP protocol 89.
B. Configure the IPsec tunnel to accept multicast traffic.
C. Create a /32 static route to the IPsec endpoint through the external interface.
D. Increase the OSPF metric of the external interface.

Correct Answer: C

QUESTION 38
HostA ( ) is sending TCP traffic to HostB ( ). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?
A. [edit security flow]
    user@srx# show
    traceoptions {
        file dump;
        flag basic-datapath;
    }
B. [edit security]
    user@srx# show
    application-tracking {
        enable;
    }
    flow {
        traceoptions {
            file dump;
            flag basic-datapath;
        }
    }
C. [edit firewall filter capture term one]
    user@srx# show
    from {
        source-address {
            ;
        }
        destination-address {
            ;
        }
        protocol tcp;
    }
    then {
        port-mirror;
        accept;
    }
D. [edit firewall filter capture term one]
    user@srx# show
    from {
        source-address {
            ;
        }
        destination-address {
            ;
        }
        protocol tcp;
    }
    then {
        sample;
        accept;
    }
Correct Answer: D

QUESTION 39
Somebody has inadvertently configured several security policies with application firewall rule sets on an SRX device. These security policies are now dropping traffic that should be allowed. You must find and remove the application firewall rule sets that are associated with these policies. Which two commands allow you to view these associations? (Choose two.)

A. show security policies
B. show services application-identification application-system-cache
C. show security application-firewall rule-set all
D. show security policies application-firewall
Correct Answer: AD
Reference: configuring.html

QUESTION 40
Click the Exhibit button.
-- Exhibit --


-- Exhibit --
You have been asked to block YouTube video streaming for internal users. You have implemented the configuration shown in the exhibit, however users are still able to stream videos. What must be modified to correct the problem?
A. The application firewall rule needs to be applied to an IDP policy.
B. You must create a custom application to block YouTube streaming.
C. The application firewall rule needs to be applied to the security policy.
D. You must apply the dynamic application to the security policy
Correct Answer: C

QUESTION 41
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, the session close log was generated by the application firewall rule set HTTP. Why did the session close?
A. The application identification engine was unable to determine which application was in use, which caused the SRX device to close the session.

B. The host with the IP address of received a TCP segment with the FIN flag set from the host with the IP address of
C. The SRX device was unable to determine the user and role in the allotted time, which caused the session to close.
D. The host with the IP address of sent a TCP segment with the FIN flag set to the host with the IP address of
Correct Answer: D
Reference: messages/download/rt.pdf

QUESTION 42
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
TCP traffic sourced from Host A destined for Host B is being redirected using filter-based forwarding to use the Red network. However, return traffic from Host B destined for Host A is using the Blue network and getting dropped by the SRX device. Which action will resolve the issue?
A. Enable asyncronous-routing under the Blue zone.
B. Configure ge-0/0/1 to belong to the Red zone.
C. Disable RPF checking.
D. Disable TCP sequence checking.

Correct Answer: B

QUESTION 43
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which feature allows the hosts in the Trust and DMZ zones to route to either ISP, based on source address?
A. source NAT

B. static NAT
C. filter-based forwarding
D. source-based routing
Correct Answer: C
Reference: based-forwarding.html

QUESTION 44
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. While troubleshooting, you change your filter to forward all traffic to ISP1. However, no traffic is sent to ISP1. What is causing this behavior?
A. The filter is applied to the wrong interface.
B. The filter should use the next-hop action instead of the routing-instance action.
C. The filter term does not have a required from statement.
D. The filter term does not have the accept statement.
Correct Answer: A

QUESTION 45
-- Exhibit --

    [edit]
    run show route
    inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    /0 *[Static/5] 01:09:08
        > to via ge-0/0/
    /27 *[Direct/0] 8w6d 15:43:09
        > via ge-0/0/
    /32 *[Local/0] 11w0d 06:43:04
        Local via ge-0/0/
    /30 *[Direct/0] 8w6d 15:43:01
        > via ge-0/0/
    /32 *[Local/0] 11w0d 06:43:03
        Local via ge-0/0/
    /24 *[Direct/0] 03:46:56
        > via ge-0/0/
    /32 *[Local/0] 03:46:56
        Local via ge-0/0/
    /24 *[Direct/0] 03:46:56
        > via ge-0/0/
    /32 *[Local/0] 03:46:56
        Local via ge-0/0/
    /32 *[Direct/0] 4d 03:44:41
        > via lo0.0
    fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    /0 *[Static/5] 00:00:11
        > to via ge-0/0/
    /24 *[Direct/0] 00:00:11
        > via ge-0/0/1.0

    [edit]
    user@srx# show routing-instances
    fbf {
        routing-options {
            static {
                route /0 next-hop ;
            }
        }
    }

    [edit]
    show routing-options
    interface-routes {
        rib-group inet fbf-int;
    }
    static {
        route /0 next-hop ;
    }
    rib-groups {
        fbf-int {
            import-rib [ inet.0 fbf.inet.0 ];
            import-policy fbf-pol;
        }
    }

    [edit]
    user@srx# show policy-options
    policy-statement fbf-pol
    term 1 {
        from interface ge-0/0/1.0;
        to rib fbf.inet.0;
        then accept;
    }
    term 2 {
        then reject;
    }

-- Exhibit --
Referring to the exhibit, you notice that filter-based forwarding is not working. What is the reason for this behavior?
A. The RIB group is configured incorrectly.
B. The routing policy is configured incorrectly.
C. The routing instance is configured incorrectly.
D. The default static routes are configured incorrectly.
Correct Answer: C
By default, we have a static route in a routing instance sending the default route to . We want to hijack traffic matching a particular filter and send the traffic to a different next-hop. We should create your rib group by importing FIRST the table belonging to your virtual router and SECOND the table for the forwarding instance that has the next-hop specified.

QUESTION 46
Click the Exhibit button.

-- Exhibit --
-- Exhibit --
Host A cannot resolve the Web page when using its configured DNS server. As shown in the exhibit, Host A's configured DNS server and the Web server hosting the Web page are in the same subnet. You have verified bidirectional reachability between Host A and the Web server hosting the Web page. What would cause this behavior on the SRX device in Company B's network?
A. DNS replication is enabled.
B. DNS doctoring is enabled.
C. DNS replication is disabled.
D. DNS doctoring is disabled.
Correct Answer: D

Reference: nat-doctoring-overview.html

QUESTION 47
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
You must configure two SRX devices to enable bidirectional communications between the two networks shown in the exhibit. You have been allocated the /24 and /24 networks to use for this purpose. Which configuration will accomplish this task?
A. Use an IPsec VPN to connect the two networks and hide the addresses from the Internet.
B. Using destination NAT, translate traffic destined to /24 to Site1's addresses, and translate traffic destined to /24 to Site2's addresses.
C. Using source NAT, translate traffic from Site1's addresses to /24, and translate traffic from Site2's addresses to /24.
D. Using static NAT, translate traffic destined to /24 to Site1's addresses, and translate traffic destined to /24 to Site2's addresses.
Correct Answer: D
To examine bidirectional communication you need multiple packet filters, one for each direction.
Reference: junos/ /security- policy/troubleshooting_security_policy_and_traf

QUESTION 48
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Based on the output shown in the exhibit, what are two results? (Choose two.)
A. The output shows source NAT.
B. The output shows destination NAT.
C. The port information is changed.
D. The port information is unchanged.
Correct Answer: BD
Reference: reference/index.html?show-security-flow-session.html

QUESTION 49
Click the Exhibit button.
-- Exhibit --

    security {
        nat {
            destination {
                pool Web-Server {
                    address /32;
                }
                rule-set From-Internet {
                    from zone Untrust;
                    rule To-Web-Server {
                        match {
                            source-address /0;
                            destination-address /32;
                        }
                        then {
                            destination-nat pool Web-Server;
                        }
                    }
                }
            }
        }
        zones {
            security-zone Untrust {
                address-book {
                    address Web-Server-External /32;
                    address Web-Server-Internal /32;
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone DMZ {
                address-book {
                    address Web-Server-External /32;
                    address Web-Server-Internal /32;
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
        }
    }

-- Exhibit --
You are migrating from one external address block to a different external address block. You want to enable a smooth transition to the new address block. You temporarily want to allow external users to contact the Web server using both the existing external address as well as the new external address.

How do you accomplish this goal?
A. Add address /32 under [edit security nat destination pool Web-Server].
B. Change the address Web-Server-Ext objects to be address-set objects that include both addresses.
C. Change the destination address under [edit security nat destination rule-set From-Internet rule To-Web-Server match] to include both /32 and /32.
D. Create a new rule for the new address in the [edit security nat destination rule-set From-Internet] hierarchy.
Correct Answer: D
Reference: and-destination-nat-translation-configuring.html

QUESTION 50
Click the Exhibit button.
-- Exhibit --

    Feb 8 10:39:40 Unable to find phase-1 policy as remote peer: is not recognized.
    Feb 8 10:39:40 KMD_PM_P1_POLICY_LOOKUP_FAILURE. Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]= ) p1_remote=ipv4 (any:0,[0..3]= )
    Feb 8 10:39: :500 (Responder) <-> :500 { dbe1d0af - a4d6d829 f9ed3bba [-1] / 0x IP; Error = No proposal chosen (14)

42 -- Exhibit -- According to the log shown in the exhibit, you notice that the IPsec session is not establishing. What are two reasons for this behavior? (Choose two.) A. mismatched preshared key B. mismatched proxy ID C. incorrect peer address D. mismatched peer ID Correct Answer: CD If the peer was not matched with the peer ID, the line "Unable to find phase-1 policy as remote peer: is not recognized." should be shown Reference : QUESTION 51 Real 61 Click the Exhibit button. -- Exhibit

43 -- Exhibit -- You have configured an IDP policy as shown in the exhibit. The configuration commits successfully. Which traffic will be examined for attacks? A. only originating traffic from source to destination in a session B. only reply traffic from destination to source in a session C. both originating and reply traffic between hosts in a session

44 D. recommended traffic between the source and destination hosts Correct Answer: C Reference: security-swconfig-security/config-idp-ips-rulebase-section.html#configidp-ips-rulebase-section Real 62 QUESTION 52 Click the Exhibit button. -- Exhibit -- [edit security idp] user@srx# show security-package { url automatic { start-time " :00: "; interval 120; enable; -- Exhibit -- You have configured your SRX device to download and install attack signature updates as shown in the exhibit. You discover that updates are not being

45 downloaded. What are two reasons for this behavior? (Choose two.) A. No security policy is configured to allow the SRX device to contact the update server. B. The SRX device does not have a DNS server configured. C. The management zone interface does not have an IP address configured. D. The SRX device has no Internet connectivity. Correct Answer: BD Configuration is correct. Only reason is that SRZ device is not able to connect to definition server. Real 64 Reference: QUESTION 53 Click the Exhibit button. -- Exhibit -- [edit security idp] user@srx# show no-more idp-policy basic { rulebase-ips { rule 1 { match { from-zone untrust; source-address any;

46 to-zone trust; destination-address any; application default; attacks { custom-attacks data-inject; then { action { recommended; notification { log-attacks; Real 65 active-policy basic; custom-attack data-inject {

47 recommended-action close; severity critical; attack-type { signature { context mssql-query; pattern "SELECT * FROM accounts"; direction client-to-server; -- Exhibit -- You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP. Which two commands should you use? (Choose two.) A. set custom attack data-inject recommended-action drop B. set custom-attack data-inject attack-type signature protocol-binding tcp C. set idp-policy basic rulebase-ips rule 1 match destination-address webserver D. set idp-policy basic rulebase-ips rule 1 match application any Correct Answer: BC Real 66

QUESTION 54
Click the Exhibit button.
-- Exhibit --
show security datapath-debug
capture-file pkt-cap-file format pcap size 5m;
action-profile {
    pkt-cap-profile {
        event np-ingress {
            packet-dump;
        }
    }
}
packet-filter pkt-filter {
    action-profile pkt-capture;
    source-prefix /32;
}
-- Exhibit --
You want to capture transit traffic passing through your SRX3600. You add the configuration shown in the exhibit but do not see entries added to the capture file. What is causing the problem?
A. You are missing the configuration set security datapath-debug maximum-capture-size
B. You are missing the configuration set security datapath-debug packet-filter pkt-filter destination-prefix /32.
C. You must start the capture from operational mode with the command request security datapath-debug capture start.
D. You must start the capture from operational mode with the command monitor start capture.
Correct Answer: C

QUESTION 55
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent issues with their connection.
Referring to the exhibit, what is the problem?
A. The tunnel is down due to a configuration change.
B. The do-not-fragment bit is copied to the tunnel header.
C. The MSS option on the SYN packet is set to
D. The TCP SYN check option is disabled for tunnel traffic.
Correct Answer: B

QUESTION 56
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which two statements are true? (Choose two.)
A. Packets may get fragmented.
B. The tunnel automatically fragments packets based on MTU discovery.
C. The Phase 2 association will never expire.
D. The Phase 2 association will expire without traffic.
Correct Answer: AD

QUESTION 57
Click the Exhibit button.
-- Exhibit --
show security flow session
Session ID. 7724, Policy name. default-permit/4, Timeout: 2
In: /17 --> /2326;icmp, IF. ge-0/0/3
Out: / > /17;icmp, IF. ge-0/0/2
Session ID , Policy name. default-permit/4, Timeout: 2
In: / > /512;icmp, IF. ge-0/0/2.0
Out: /512 --> /64513;icmp, IF. ge-0/0/
-- Exhibit --
A user has reported a traffic drop issue between a host with the internal IP address and a host with the IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue on the SRX240 using the output shown in the exhibit.
Regarding this scenario, which two statements are true? (Choose two.)
A. The sessions shown indicate interface-based NAT processing.
B. The sessions shown indicate static NAT processing.
C. ICMP traffic is passing in both directions.
D. ICMP traffic is passing in one direction.
Correct Answer: BC

QUESTION 58
Click the Exhibit button.
-- Exhibit --
[edit forwarding-options]
show
packet-capture {
    file filename my-packet-capture;
    maximum-capture-size 1500;
}
-- Exhibit --
Referring to the exhibit, you are attempting to perform a packet capture on an SRX240 to troubleshoot an SSH issue in your network. However, no information appears in the packet capture file. Which firewall filter must you apply to the necessary interface to collect data for the packet capture?

A.
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then packet-mode;
    }
    term allow-all {
        then accept;
    }
}
[edit firewall family inet]

B.
show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            count packet-capture;
        }
    }
    term allow-all {
        then accept;
    }
}
[edit firewall family inet]

C.
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            routing-instance packet-capture;
        }
    }
    term allow-all {
        then accept;
    }
}
[edit firewall family inet]

D.
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            sample;
            accept;
        }
    }
    term allow-all {
        then accept;
    }
}
[edit firewall family inet]

Correct Answer: D

Security, Professional (JNCIP-SEC)

Security, Professional (JNCIP-SEC) Security, Professional (JNCIP-SEC) Number: JN0-633 Passing Score: 800 Time Limit: 120 min File Version: 1.0 Sections 1. Application-Aware Security Services 2. Virtualization 3. Advanced NAT 4. Advanced

More information

Juniper JN Number: JN0-633 Passing Score: 800 Time Limit: 120 min File Version: 1.0. Juniper JN0-633 Exam

Juniper JN Number: JN0-633 Passing Score: 800 Time Limit: 120 min File Version: 1.0. Juniper JN0-633 Exam Juniper JN0-633 Number: JN0-633 Passing Score: 800 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Juniper JN0-633 Exam Security, Professional (JNCIP-SEC) Version: 6.0 Exam A QUESTION

More information

Exam Questions JN0-633

Exam Questions JN0-633 Exam Questions JN0-633 Security, Professional (JNCIP-SEC) https://www.2passeasy.com/dumps/jn0-633/ 1.What are two network scanning methods? (Choose two.) A. SYN flood B. ping of death C. ping sweep D.

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : JN0-633 Title : Security, Professional (JNCIP- SEC) Exam Vendor : Juniper Version : DEMO Get Latest & Valid JN0-633

More information

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved.  Worldwide Education Services Junos Security Chapter 4: Security Policies 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter,

More information

Juniper Exam JN0-696 Security Support, Professional (JNCSP-SEC) Version: 9.0 [ Total Questions: 71 ]

Juniper Exam JN0-696 Security Support, Professional (JNCSP-SEC) Version: 9.0 [ Total Questions: 71 ] s@lm@n Juniper Exam JN0-696 Security Support, Professional (JNCSP-SEC) Version: 9.0 [ Total Questions: 71 ] Question No : 1 Click the Exhibit button. 2 A customer has a problem connecting to an SRX Series

More information

User Role Firewall Policy

User Role Firewall Policy User Role Firewall Policy An SRX Series device can act as an Infranet Enforcer in a UAC network where it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from

More information

A. Verify that the IKE gateway proposals on the initiator and responder are the same.

A. Verify that the IKE gateway proposals on the initiator and responder are the same. Volume: 64 Questions Question: 1 You need to configure an IPsec tunnel between a remote site and a hub site. The SRX Series device at the remote site receives a dynamic IP address on the external interface

More information

Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, O'REILLY. Tim Eberhard, andjames Quinn INFORMATIQNSBIBLIOTHEK UNIVERSITATSBIBLIOTHEK

Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, O'REILLY. Tim Eberhard, andjames Quinn INFORMATIQNSBIBLIOTHEK UNIVERSITATSBIBLIOTHEK Junos Security Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, andjames Quinn TECHNISCHE INFORMATIQNSBIBLIOTHEK UNIVERSITATSBIBLIOTHEK HANNOVER O'REILLY Beijing Cambridge Farnham Kiiln Sebastopol

More information

Junos OS Release 12.1X47 Feature Guide

Junos OS Release 12.1X47 Feature Guide Junos OS Release 12.1X47 Feature Guide Junos OS Release 12.1X47-D15 19 November 2014 Revision 1 This feature guide accompanies Junos OS Release 12.1X47-D15. This guide contains detailed information about

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

Junos Security. Chapter 3: Zones Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 3: Zones Juniper Networks, Inc. All rights reserved.   Worldwide Education Services Junos Security Chapter 3: Zones 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter, you will be

More information

Juniper JN Security, Specialist (JNCIS-SEC)

Juniper JN Security, Specialist (JNCIS-SEC) Juniper JN0-333 Security, Specialist (JNCIS-SEC) http://killexams.com/pass4sure/exam-detail/jn0-333 QUESTION: 231 Which statement is true about a logical interface? A. A logical interface can belong to

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring a Single SRX Series Device in a Branch Office Modified: 2017-01-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Juniper Networks Certified Professional Security Bootcamp, AJSEC and JIPS (JNCIP-SEC BC)

Juniper Networks Certified Professional Security Bootcamp, AJSEC and JIPS (JNCIP-SEC BC) Juniper Networks Certified Professional Security Bootcamp, AJSEC and JIPS (JNCIP-SEC BC) This course combines both Advanced Junos Security (AJSEC) and Junos Intrusion Prevention Systems (JIPS) into five

More information

Juniper JN0-101 Questions & Answers

Juniper JN0-101 Questions & Answers Juniper JN0-101 Questions & Answers Number: JN0-101 Passing Score: 800 Time Limit: 120 min File Version: 25.4 ht t p:/ / w w w.gratisexam.com/ Juniper JN0-101 Questions & Answers Exam: JN0-101 - Juniper

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 39.6 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco

More information

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version ACE Exam Question 1 of 50. Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : JN0-643 Title : Enterprise Routing and Switching, Professional (JNCIP- ENT) Vendor : Juniper Version : DEMO Get Latest

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring SRX Chassis Clusters for High Availability Modified: 2018-09-26 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN.

This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN. This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN. Requirements: When configuring NSRP-Lite for the NS-50, confirm the following necessary requirements: The NS-25 or

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Dual-Stack Lite for IPv6 Access Release NCE0025 Modified: 2016-10-12 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Juniper Security Update. Karel Hendrych Juniper Networks

Juniper Security Update. Karel Hendrych Juniper Networks Juniper Security Update Karel Hendrych Juniper Networks khe@juniper.net Agenda High End SRX security gateways Overview, SRX1400 JunOS update AppSecure Competitive 2 Copyright 2009 Juniper Networks, Inc.

More information

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved.  Worldwide Education Services Junos Security Chapter 8: IPsec VPNs 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter, you will

More information

Integrating WX WAN Optimization with Netscreen Firewall/VPN

Integrating WX WAN Optimization with Netscreen Firewall/VPN Application Note Integrating WX WAN Optimization with Netscreen Firewall/VPN Joint Solution for Firewall/VPN and WX Platforms Alan Sardella Portfolio Marketing Choh Mun Kok and Jaymin Patel Lab Configuration

More information

SRX als NGFW. Michel Tepper Consultant

SRX als NGFW. Michel Tepper Consultant SRX als NGFW Michel Tepper Consultant Firewall Security Challenges Organizations are looking for ways to protect their assets amidst today s ever-increasing threat landscape. The latest generation of web-based

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

es T tpassport Q&A * K I J G T 3 W C N K V [ $ G V V G T 5 G T X K E G =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX *VVR YYY VGUVRCUURQTV EQO

es T tpassport Q&A * K I J G T 3 W C N K V [ $ G V V G T 5 G T X K E G =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX *VVR YYY VGUVRCUURQTV EQO Testpassport Q&A Exam : JN0-522 Title : FXV,Associate (JNCIA-FWV) Version : Demo 1 / 7 1.Address book entries identify hosts and networks by their location in relation to what? A. Network entries in the

More information

Juniper.Selftestengine.jn0-694.v by.KIM-HL.52q

Juniper.Selftestengine.jn0-694.v by.KIM-HL.52q Juniper.Selftestengine.jn0-694.v2013-10-24.by.KIM-HL.52q Number: jn0-694 Passing Score: 800 Time Limit: 120 min File Version: 18.5 http://www.gratisexam.com/ Exam Code: JN0-694 Exam Name: Enterprise Routing

More information

Configuring Dynamic VPN

Configuring Dynamic VPN Configuring Dynamic VPN Version 1.0 October 2009 JUNIPER NETWORKS Page 1 of 15 Table of Contents Introduction...3 Feature License...3 Platform support...3 Limitations...3 Dynamic VPN Example...3 Topology...4

More information

Configuring Dynamic VPN v2.0 Junos 10.4 and above

Configuring Dynamic VPN v2.0 Junos 10.4 and above Configuring Dynamic VPN v2.0 Junos 10.4 and above Configuring and deploying Dynamic VPNs (remote access VPNs) using SRX service gateways Juniper Networks, Inc. 1 Introduction Remote access VPNs, sometimes

More information

JN0-343 Q&As. Juniper Networks Certified Internet Specialist (JNCIS-ENT) Pass Juniper JN0-343 Exam with 100% Guarantee

JN0-343 Q&As. Juniper Networks Certified Internet Specialist (JNCIS-ENT) Pass Juniper JN0-343 Exam with 100% Guarantee JN0-343 Q&As Juniper Networks Certified Internet Specialist (JNCIS-ENT) Pass Juniper JN0-343 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Junos Security Bundle, JSEC & AJSEC

Junos Security Bundle, JSEC & AJSEC Junos Security Bundle, JSEC & AJSEC COURSE OVERVIEW: This bundle combines JSEC & AJSEC at a discounted rate. Please Contact SLI to purchase this bundle. This five-day course covers the configuration, operation,

More information

CompTIA Network+ Study Guide Table of Contents

CompTIA Network+ Study Guide Table of Contents CompTIA Network+ Study Guide Table of Contents Course Introduction Table of Contents Getting Started About This Course About CompTIA Certifications Module 1 / Local Area Networks Module 1 / Unit 1 Topologies

More information

Vendor: Juniper. Exam Code: JN Exam Name: JNCIA-JUNOS EXAM OBJECTIVES. Version: Demo

Vendor: Juniper. Exam Code: JN Exam Name: JNCIA-JUNOS EXAM OBJECTIVES. Version: Demo Vendor: Juniper Exam Code: JN0-101 Exam Name: JNCIA-JUNOS EXAM OBJECTIVES Version: Demo QUESTION 1 Which command is used to enable access to J-Web using HTTPS? A. set system remote-access profile https

More information

JUNIPER JN0-102 EXAM QUESTIONS & ANSWERS

JUNIPER JN0-102 EXAM QUESTIONS & ANSWERS JUNIPER JN0-102 EXAM QUESTIONS & ANSWERS Number: JN0-102 Passing Score: 800 Time Limit: 120 min File Version: 48.5 ht t p:/ / w w w.gratisexam.com/ JUNIPER JN0-102 EXAM QUESTIONS & ANSWERS Exam Name: Junos,

More information

Juniper Networks JN0-632 Security, Professional (JNCIP-SEC)

Juniper Networks JN0-632 Security, Professional (JNCIP-SEC) Juniper Networks JN0-632 Security, Professional (JNCIP-SEC) Number: JN0-632 Passing Score: 800 Time Limit: 120 min File Version: 6.1 http://www.gratisexam.com/ Juniper JN0-632 Security Professional (JNCIP-SEC)

More information

Implementing Firewall Technologies

Implementing Firewall Technologies Implementing Firewall Technologies Network firewalls separate protected from non-protected areas preventing unauthorized users from accessing protected network resources. Technologies used: ACLs Standard,

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Policy-Based VPNs Using J Series Routers and SRX Series Devices Modified: 2017-01-17 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA

More information

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration [ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 300-206 EXAM QUESTIONS & ANSWERS Number: 300-206 Passing Score: 800 Time Limit: 120 min File Version: 35.2 http://www.gratisexam.com/ Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network

More information

Example: Configuring a Hub-and-Spoke VPN between 3 SRXs using J-Web

Example: Configuring a Hub-and-Spoke VPN between 3 SRXs using J-Web Example: Configuring a Hub-and-Spoke VPN between 3 SRXs using J-Web Last updated: 7/2013 This configuration example shows how to configure a route-based multi-point VPN, with a next-hop tunnel binding,

More information

Cisco CCIE Security Written.

Cisco CCIE Security Written. Cisco 400-251 CCIE Security Written http://killexams.com/pass4sure/exam-detail/400-251 QUESTION: 193 Which two of the following ICMP types and code should be allowed in a firewall to enable traceroute?

More information

ASACAMP - ASA Lab Camp (5316)

ASACAMP - ASA Lab Camp (5316) ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Deploying Scalable Services on an MX Series Router Acting as a Broadband Network Gateway Release NCE0062 Modified: 2017-01-24 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale,

More information

version 10.2R3.10; Configuring Basic System Information system { domain-name foo.bar; time-zone America/New_York;

version 10.2R3.10; Configuring Basic System Information system { domain-name foo.bar; time-zone America/New_York; version 10.2R3.10; Configuring Cluster Groups groups { node0 { system { host-name hh-node0; interfaces { fxp0 { unit 0 { family inet { address 1.1.1.1/24; node1 { system { host-name th-node1; interfaces

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Route-Based VPNs Using J Series and SRX Series Devices Modified: 2017-01-17 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000

More information

Configuring FlexVPN Spoke to Spoke

Configuring FlexVPN Spoke to Spoke Last Published Date: March 28, 2014 The FlexVPN Spoke to Spoke feature enables a FlexVPN client to establish a direct crypto tunnel with another FlexVPN client leveraging virtual tunnel interfaces (VTI),

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP The feature categorizes Internet Control Management Protocol Version 4 (ICMPv4) messages as either malicious or benign. The firewall uses stateful inspection to trust benign ICMPv4 messages that are generated

More information

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

PrepAwayExam.   High-efficient Exam Materials are the best high pass-rate Exam Dumps PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 642-618 Title : Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0) Vendors : Cisco

More information

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product.

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product. Juniper EXAM - JN0-740 ACX, Specialist (JNCIS-ACX) Buy Full Product http://www.examskey.com/jn0-740.html Examskey Juniper JN0-740 exam demo product is here for you to test the quality of the product. This

More information

Juniper Examsheets JNO-101 Questions and Answers

Juniper Examsheets JNO-101 Questions and Answers Juniper Examsheets JNO-101 Questions and Answers Number: JN0-101 Passing Score: 850 Time Limit: 120 min File Version: 25.6 ht t p:/ / w w w.gratisexam.com/ Juniper JNO-101 Questions and Answers Exam Name

More information

Vendor: Juniper. Exam Code: JN Exam Name: Service Provider Routing and Switching Support, Professional. Version: Demo

Vendor: Juniper. Exam Code: JN Exam Name: Service Provider Routing and Switching Support, Professional. Version: Demo Vendor: Juniper Exam Code: JN0-692 Exam Name: Service Provider Routing and Switching Support, Professional Version: Demo QUESTION 1 You have applied a customized EXP rewrite rule on router R1 on the egress

More information

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version ACE Exam Question 1 of 50. Which of the following statements is NOT True regarding a Decryption Mirror interface? Supports SSL outbound

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get

More information

Junos Security (JSEC)

Junos Security (JSEC) Junos Security (JSEC) Course No: EDU-JUN-JSEC Length: 5 days Schedule and Registration Course Overview This five-day course covers the configuration, operation, and implementation of SRX Series Services

More information

Juniper JN Enterprise Routing and Switching Support Professional (JNCSP-ENT)

Juniper JN Enterprise Routing and Switching Support Professional (JNCSP-ENT) Juniper JN0-694 Enterprise Routing and Switching Support Professional (JNCSP-ENT) http://killexams.com/exam-detail/jn0-694 D. An OSPF adjacency is flapping. Answer: C, D QUESTION: 44 You use static routes

More information

Transparent or Routed Firewall Mode

Transparent or Routed Firewall Mode This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. You can set the firewall mode independently for each context in multiple

More information

High Availability Synchronization PAN-OS 5.0.3

High Availability Synchronization PAN-OS 5.0.3 High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...

More information

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND) 100-105.exam Number: 100-105 Passing Score: 800 Time Limit: 120 min CISCO 100-105 Interconnecting Cisco Networking Devices Part 1 (ICND) Exam A QUESTION 1 Which route source code represents the routing

More information

H

H H12-223 Number: H12-223 Passing Score: 600 Time Limit: 120 min Exam A QUESTION 1 The network administrator wants to improve the performance of network transmission, what steps can the administrator take?

More information

Sample excerpt. Virtual Private Networks. Contents

Sample excerpt. Virtual Private Networks. Contents Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

ScreenOS Cookbook. Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa

ScreenOS Cookbook. Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa ScreenOS Cookbook Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa O'REILLY 8 Beijing Cambridge Farnham Kbln Paris Sebastopol Taipei Tokyo Credits Preface xiii xv 1. ScreenOS

More information

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N CompTIA Network+ (Exam N10-007) Course Description: CompTIA Network+ is the first certification IT professionals specializing in network administration and support should earn. Network+ is aimed at IT

More information

History Page. Barracuda NextGen Firewall F

History Page. Barracuda NextGen Firewall F The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring a Two-Tiered Virtualized Data Center for Large Enterprise Networks Release NCE 33 Modified: 2016-08-01 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California

More information

ICS 451: Today's plan

ICS 451: Today's plan ICS 451: Today's plan ICMP ping traceroute ARP DHCP summary of IP processing ICMP Internet Control Message Protocol, 2 functions: error reporting (never sent in response to ICMP error packets) network

QUICKSTART GUIDE FOR BRANCH SRX SERIES SERVICES GATEWAYS APPLICATION NOTE QUICKSTART GUIDE FOR BRANCH SRX SERIES SERVICES GATEWAYS Configuring Basic Security and Connectivity on Branch SRX Series Services Gateways Copyright 2009, Juniper Networks, Inc. Table

New Features for ASA Version 9.0(2) FIREWALL Features New Features for ASA Version 9.0(2) Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core

JUNIPER JN0-643 EXAM QUESTIONS & ANSWERS JUNIPER JN0-643 EXAM QUESTIONS & ANSWERS Number: JN0-643 Passing Score: 800 Time Limit: 120 min File Version: 48.5 http://www.gratisexam.com/ JUNIPER JN0-643 EXAM QUESTIONS & ANSWERS Exam Name: Enterprise

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

Network Configuration Example Network Configuration Example Configuring Stateful NAT64 for Handling IPv4 Address Depletion Release NCE0030 Modified: 2017-01-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089

Juniper JN0-634 EXAM Security, Professional (JNCIP-SEC). Product: Demo. For More Information: https://www.dumpsplanet.com Question: 1 Which Junos security feature is

H H12-711 Number: H12-711 Passing Score: 600 Time Limit: 120 min File Version: 1.0 Exam A QUESTION 1 The network administrator wants to improve the performance of network transmission, what steps can the

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 642-504 Title : Securing Networks with Cisco Routers and Switches Vendors

APPLICATION NOTE: CONFIGURING AND DEPLOYING THE AX411 WIRELESS ACCESS POINT. Copyright 2009, Juniper Networks, Inc. Table of Contents: Introduction

CompTIA Exam JK0-023 CompTIA Network+ certification Version: 5.0 [ Total Questions: 1112 ] s@lm@n CompTIA Exam JK0-023 CompTIA Network+ certification Version: 5.0 [ Total Questions: 1112 ] Topic break down Topic No. of Questions Topic 1: Network Architecture 183 Topic 3: Troubleshooting 140

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : JN0-102 Title : Juniper Networks Certified Internet Associate, Junos (JNCIA-Junos) Vendor : Juniper

Implementing Cisco IP Routing 300-101 Implementing Cisco IP Routing NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 300-101 Exam on Implementing Cisco IP Routing...

Palo Alto Networks PCNSE7 Exam Volume: 96 Questions Question: 1 Which three function are found on the dataplane of a PA-5050? (Choose three) A. Protocol Decoder B. Dynamic routing C. Management D. Network Processing E. Signature Match

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

Network Configuration Example Network Configuration Example Configuring Authentication and Enforcement Using SRX Series Services Gateways and Aruba ClearPass Policy Manager Modified: 2016-08-01 Juniper Networks, Inc. 1133 Innovation

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) Volume: 217 Questions Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) A. the process ID B. the hello interval C. the subnet mask D. authentication E.

MTA_98-366_Vindicator930 MTA_98-366_Vindicator930 Number: 98-366 Passing Score: 700 Time Limit: 45 min File Version: 1.0 http://www.gratisexam.com/ Microsoft Technology Associate Networking Fundamentals MTA 98-366 Exam A QUESTION

Network Configuration Example Network Configuration Example Interconnecting a Layer 2 Circuit with a Layer 3 VPN Modified: 2017-01-19 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

J Series / SRX Series Multipoint VPN Configuration with Next-Hop Tunnel Binding Application Note J Series / SRX Series Multipoint VPN Configuration with Next-Hop Tunnel Binding Version 1.2 Richard Kim Technical Support Engineer Advanced JTAC June 2009 Juniper Networks, Inc. 1194 North

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any

Certkiller JN q Certkiller JN0-102 242q Number: JN0-102 Passing Score: 800 Time Limit: 120 min File Version: 26.5 http://www.gratisexam.com/ Juniper JN0-102 Juniper Networks Certified Internet Associate, Junos 100% Valid

Lab 4. Firewall Filters and Class of Service. Overview. Introduction to JUNOS Software & Routing Essentials Lab 4 Firewall Filters and Class of Service Overview This lab demonstrates configuration and monitoring of Firewall Filters and Class of Service on JUNOS devices. In this lab, you use the Command Line

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee HC-711 Q&As HCNA-CBSN (Constructing Basic Security Network) - CHS Pass Huawei HC-711 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

Contents. Configuring EVI 1 Contents Configuring EVI 1 Overview 1 Layer 2 connectivity extension issues 1 Network topologies 2 Terminology 3 Working mechanism 4 Placement of Layer 3 gateways 6 ARP flood suppression 7 Selective flood

Question: 3 Which LSA type describes the router ID of ASBR routers located in remote areas? Volume: 65 Questions Question: 1 Which two statements describe aggregate routes? (Choose two.) A. Invalid routing prefixes are not advertised to external peers. B. Internal routing instabilities can be

Cisco - ASA Lab Camp v9.0 Code: 0007 Length: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

Network Configuration Example Network Configuration Example Validated Reference - Business Edge Solution - Device R-10 Release 1.0 Published: 2014-03-31 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089
