425q
Number: JN0-332
Passing Score: 800
Time Limit: 120 min
File Version: 28.0
QUESTION 1
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Click the Exhibit button.
You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN tunnel. Which command causes traffic to be sent through an
IPsec VPN named remote-vpn?
A. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then tunnel remote-vpn
B. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn
C. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn
D. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Explanation/Reference:
QUESTION 4
You must configure a SCREEN option that would protect your router from a session table flood. Which configuration meets this requirement?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
Which security or functional zone name has special significance to the Junos OS?
A. self
B. trust
C. untrust
D. junos-global
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
Which command do you use to display the status of an antivirus database update?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
Which statement contains the correct parameters for a route-based IPsec VPN?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
Which zone is system-defined?
A. security
B. functional
C. junos-global
D. management
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the
HR zone. Under which configuration hierarchy must you permit OSPF traffic?
Explanation/Reference:
QUESTION 11
Which three statements are true regarding IDP? (Choose three.)
A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.
Explanation/Reference:
QUESTION 12
Click the Exhibit button.
Your IKE SAs are up, but the IPsec SAs are not up. Referring to the exhibit, what is the problem?
A. One or more of the phase 2 proposals such as authentication algorithm, encryption algorithm do not match.
B. The tunnel interface is down.
C. The proxy IDs do not match.
D. The IKE proposals do not match the IPsec proposals.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Which two statements regarding symmetric key encryption are true? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)
A. protocol list
B. MIME
C. block list
D. extension
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
Which two statements are true about hierarchical architecture? (Choose two.)
A. You can assign a logical interface to multiple zones.
B. You cannot assign a logical interface to multiple zones.
C. You can assign a logical interface to multiple routing instances.
D. You cannot assign a logical interface to multiple routing instances.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Click the Exhibit button.
In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still allowed.
Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated before your Allow policy?
A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow
C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow
D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
Which UTM feature requires a license to function?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
Click the Exhibit button.
System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device.
Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
A user wants to establish an HTTP session to a server behind an SRX device but is being pointed to a Web page on the SRX device for additional authentication.
Which type of user authentication is configured?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Web authentication is valid for all types of traffic. With Web authentication configured, users must first directly access the Junos security platform using HTTP. The
user enters the address or hostname of the device into a Web browser and then receives a prompt for a username and password. If authentication is successful,
the user can then access the restricted resource directly. Subsequent traffic from the same source IP address is automatically allowed access to the restricted
resource, as long as security policy allows for it.
QUESTION 21
Which two UTM features require a license to be activated? (Choose two.)
A. antispam
B. antivirus (full AV)
C. content filtering
D. Web-filtering redirect
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or rules that overlap? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
A network administrator has configured source NAT, translating to an address that is on a locally connected subnet. The administrator sees the translation working,
but traffic does not appear to come back. What is causing the problem?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
Which statement describes an ALG?
A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Which three components can be leveraged when defining a local whitelist or blacklist for antispam on a branch SRX Series device? (Choose three.)
Explanation/Reference:
QUESTION 26
What is the correct syntax for applying node-specific parameters to each node in a chassis cluster?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Which statement describes a security zone?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
A system administrator detects thousands of open idle connections from the same source. Which problem can arise from this type of attack?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
Under which Junos hierarchy level are security policies configured?
A. [edit security]
B. [edit protocols]
C. [edit firewall]
D. [edit policy-options]
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
Which three methods of source NAT does the Junos OS support? (Choose three.)
Explanation/Reference:
QUESTION 32
Which three firewall user authentication objects can be referenced in a security policy? (Choose three.)
A. access profile
B. client group
C. client
D. default profile
E. external
Explanation/Reference:
QUESTION 33
What is the default session timeout for TCP sessions?
A. 1 minute
B. 15 minutes
C. 30 minutes
D. 90 minutes
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
Which three advanced permit actions within security policies are valid? (Choose three.)
Explanation/Reference:
QUESTION 35
Which statement is true regarding the Junos OS for security platforms?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
SRX by default operates in FLOW-BASED mode.
However, it's possible to apply a filter on an interface, which will enforce PACKET-BASED mode.
QUESTION 36
Click the Exhibit button.
A. no NAT
B. destination NAT
C. source NAT
D. port address translation (PAT)
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
Which two parameters are configured in IPsec policy? (Choose two.)
A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 39
The SRX device receives a packet and determines that it does not match an existing session. After SCREEN options are evaluated, what is evaluated next?
A. source NAT
B. destination NAT
C. route lookup
D. zone lookup
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
Which zone type can be specified in a policy?
A. security
B. functional
C. user
D. system
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
Which two statements about Junos software packet handling are correct? (Choose two.)
A. The Junos OS applies service ALGs only for the first packet of a flow.
B. The Junos OS uses fast-path processing only for the first packet of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
Which Web-filtering technology can be used at the same time as integrated Web filtering on a single branch SRX Series device?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using DHCP. Which two statements are true? (Choose
two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
Click the Exhibit button.
In the exhibit, you decided to change my Hosts addresses. What will happen to the new sessions matching the policy and in-progress sessions that had already
matched the policy?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
When using UTM features in an HA cluster, which statement is true for installing the licenses on the cluster members?
A. One UTM cluster license will activate UTM features on both members.
B. Each device will need a UTM license generated for its serial number.
C. Each device will need a UTM license generated for the cluster, but licenses can be applied to either member.
D. HA clustering automatically comes with UTM licensing, no additional actions are needed.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
Which statement is true regarding NAT?
A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The data plane on Junos security platforms, implemented on IOCs, NPCs, and SPCs for high-end devices and on CPU cores and PIMs for branch devices,
consists of Junos OS packet-handling modules compounded with a flow engine and session management like that of the ScreenOS software. Intelligent packet
processing ensures that one single thread exists for packet flow processing associated with a single flow. Real-time processes enable the Junos OS to perform
session-based packet forwarding.
QUESTION 49
Which two functions of the Junos OS are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
After applying the policy-rematch statement under the security policies stanza, what would happen to an existing flow if the policy source address or the destination
address is changed and committed?
A. The Junos OS drops any flow that does not match the source address or destination address.
B. All traffic is dropped.
C. All existing sessions continue.
D. The Junos OS does a policy re-evaluation.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 51
Which statement is correct about HTTP trickling?
A. It prevents the HTTP client or server from timing-out during an antivirus update.
B. It prevents the HTTP client or server from timing-out during antivirus scanning.
C. It is an attack.
D. It is used to bypass antivirus scanners.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 52
For which network anomaly does Junos provide a SCREEN?
A. a telnet to port 80
B. a TCP packet with the SYN and ACK flags set
C. an SNMP getnext request
D. an ICMP packet larger than 1024 bytes
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 53
What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 54
A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The administrator must also disable NAT for any traffic destined to the
202.2.10.0/24 network. Which configuration would accomplish this task?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 55
The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web filtering is being used?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 56
Which two statements are true with regard to policy ordering? (Choose two.)
A. The last policy is the default policy, which allows all traffic.
B. The order of policies is not important.
C. New policies are placed at the end of the policy list.
D. The insert command can be used to change the order.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 57
Regarding fast path processing, when does the system perform the policy check?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 58
Which URL database do branch SRX Series devices use when leveraging local Web filtering?
A. The SRX Series device will download the database from an online repository to locally inspect HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 59
How do you apply UTM enforcement to security policies on the branch SRX series?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 60
What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 61
Which configuration shows a pool-based source NAT without PAT?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 62
Which two statements are true regarding IDP? (Choose two.)
A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 63
What is the purpose of a chassis cluster?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The Junos OS achieves high availability on Junos security platforms using chassis clustering. Chassis clustering provides network node redundancy by grouping
two like devices into a cluster. The two nodes back each other up with one node acting as the primary and the other as the secondary node, ensuring the stateful
failover of processes and services in the event of system or hardware failure. A control link between services processing cards (SPCs) or revenue ports and an
Ethernet data link between revenue ports connect two like devices. Junos security platforms must be the same model, and all SPCs, network processing cards
(NPCs), and input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware revision. The chassis clustering feature in the
Junos OS is built on the high availability methodology of Juniper Networks M Series and T Series platforms and the TX Matrix platform, including multichassis
clustering, active-passive Routing Engines (REs), active-active Packet Forwarding Engines (PFEs), and graceful RE switchover capability.
QUESTION 64
Which three statements are true when working with high-availability clusters? (Choose three.)
Explanation/Reference:
QUESTION 65
A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in
a zone called TRUST. However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST
zone. Which configuration statement would correctly accomplish this task?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 66
Which command do you use to manually remove antivirus patterns?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 67
Which three parameters are configured in the IKE policy? (Choose three.)
A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings
Explanation/Reference:
QUESTION 68
Which two statements are true about the relationship between static NAT and proxy ARP? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 69
Which CLI command do you use to block MIME content at the [edit security utm feature-profile] hierarchy?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 70
If both nodes in a chassis cluster initialize at different times, which configuration example will allow you to ensure that the node with the higher priority will become
primary for your RGs other than RG0?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 71
By default, how is traffic evaluated when the antivirus database update is in progress?
Explanation/Reference:
QUESTION 72
Which statement is true regarding IPsec VPNs?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 73
Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID to 1 and node to 0?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 74
Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
Explanation/Reference:
QUESTION 75
How many IDP policies can be active at one time on an SRX Series device by means of the set security idp active-policy configuration statement?
A. 1
B. 2
C. 4
D. 8
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 76
Which two statements regarding firewall user authentication client groups are true? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 77
Your task is to provision the Junos security platform to permit transit packets from the Private zone to the External zone by using an IPsec VPN and log information
at the time of session close. Which configuration meets this requirement?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 78
A user wants to establish an FTP session to a server behind an SRX device but must authenticate to a Web page on the SRX device for additional authentication.
Which type of user authentication is configured?
A. pass-through
B. WebAuth
C. WebAuth with Web redirect
D. pass-through with Web redirect
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Web authentication is valid for all types of traffic. With Web authentication configured, users must first directly access the Junos security platform using HTTP. The
user enters the address or hostname of the device into a Web browser and then receives a prompt for a username and password. If authentication is successful,
the user can then access the restricted resource directly. Subsequent traffic from the same source IP address is automatically allowed access to the restricted
resource, as long as security policy allows for it.
QUESTION 79
What is the functionality of redundant interfaces (reth) in a chassis cluster?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 80
A network administrator receives complaints from the engineering group that an application on one server is not working properly. After further investigation, the
administrator determines that source NAT translation is using a different source address after a random number of flows. Which two actions can the administrator
take to force the server to use one address? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 81
What is the default session timeout for UDP sessions?
A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 82
Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose two.)
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related, ensuring higher security.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 83
You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 84
What are three configuration objects used to build Junos IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects
Explanation/Reference:
QUESTION 85
Click the Exhibit button.
Assume the default-policy has not been configured. Given the configuration shown in the exhibit, which two statements about traffic from host_a in the HR zone to
host_b in the trust zone are true? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 86
When an SRX series device receives an ESP packet, what happens?
A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the
packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of
inner header, it will decrypt the packet.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 87
Click the Exhibit button.
[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to 2.1.1.1. On which port is the IKE SA established?
A. TCP 500
B. UDP 500
C. TCP 4500
D. UDP 4500
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 88
Click the Exhibit button.
What are two valid reasons for the output shown in the exhibit? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 89
What is the maximum number of layers of decompression that juniper-express-engine (express AV) can decompress for the HTTP protocol?
A. 0
B. 1
C. 4
D. 8
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 90
Which three features are part of the branch SRX series UTM suite? (Choose three.)
A. antispam
B. antivirus
C. IPS
D. application firewalling
E. Web filtering
Explanation/Reference:
QUESTION 91
What are two TCP flag settings that are considered suspicious? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 92
The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web filtering is being used?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 93
Which two statements are true regarding redundancy groups? (Choose two.)
A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned
to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 94
What are two components of the Junos software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 95
Which IDP policy action closes the connection and sends an RST packet to both the client and the server?
A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 96
Which statement describes the UTM licensing model?
A. Install the license key and all UTM features will be enabled for the life of the product.
B. Install one license key per feature and the license key will be enabled for the life of the product.
C. Install one UTM license key, which will activate all UTM features; the license will need to be renewed when it expires.
D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they expire.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 97
You have configured a UTM profile called Block-Spam, which has the appropriate antispam configuration to block undesired spam e-mails. Which configuration
would protect an SMTP server in the dmz zone from spam originating in the untrust zone?
A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-services utm-policy Block-Spam
B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services utm-policy Block-Spam
C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services anti-spam-policy Block-Spam
D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services Block-Spam
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 98
Which two statements about the use of SCREEN options are correct? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 99
Click the Exhibit button.
Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with the device on ge-0/0/0.0?
A. RIP
B. OSPF
C. BGP and RIP
D. RIP and PIM
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 100
Which two statements about static NAT are true? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 101
Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device has been properly configured with antispam inspection enabled for
the appropriate security policy? (Choose three.)
A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.
B. The server sending the e-mail to the SRX Series device is running unknown SMTP server software.
C. The server sending the e-mail to the SRX Series device is on an IP address range that is known to be dynamically assigned.
D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.
QUESTION 102
Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 103
Which zone type will allow transit-traffic?
A. system
B. security
C. default
D. functional
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 104
Which two statements are true for a security policy? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 105
Which CLI command provides a summary of what the content-filtering engine has blocked?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 106
Click the Exhibit button.
You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit.
What is the problem?
A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm, or pre-shared key does not match.
B. There is no route for 2.2.2.2.
C. There is no IKE definition in the configuration for peer 2.2.2.2.
D. system services ike is not enabled on the interface with IP 1.1.1.2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 107
Which URL will match the URL pattern www.news.com/asia?
A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 108
Click the Exhibit button.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 109
A network administrator repeatedly receives support calls about network issues. After investigating the issues, the administrator finds that the source NAT pool is
running out of addresses. To be notified that the pool is close to exhaustion, what should the administrator configure?
A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.
B. Use a trap-group with a category of services under the SNMP stanza.
C. Use an external script that will run a show command on the SRX Series device to see when the pool is close to exhaustion.
D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 110
Which two statements are true when describing the capabilities of integrated Web filtering on branch SRX Series devices? (Choose two.)
A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.
B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow different policies to be enforced for different users.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 111
Which statement is true when express AV detects a virus in a TCP session?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 112
Click the Exhibit button.
Which command is needed to change this policy to a tunnel policy for a policy-based VPN?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 113
Which two statements describe the difference between Junos software for security platforms and a traditional router? (Choose two.)
A. Junos software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. Junos software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.
C. Junos software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.
D. Junos software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 114
Using a policy with the policy-rematch flag enabled, what happens to the existing and new sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another policy. The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are completed or their timeout is reached.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 115
Which two content-filtering features does FTP support? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 116
Which statement is true about a NAT rule action of off?
A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 117
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone. From the [edit] hierarchy, which command do you use to
configure this assignment?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 118
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host B. These connections are the only communication between Host
A and Host B. The security policy configuration permits both connections. How many sessions exist between Host A and Host B?
A. 1
B. 2
C. 3
D. 4
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 119
Click the Exhibit button.
A network administrator receives complaints that the application voicecube is timing out after being idle for 30 minutes. Referring to the exhibit, what is a resolution?
A. [edit]
user@host# set applications application voicecube inactivity-timeout never
B. [edit]
user@host# set applications application voicecube inactivity-timeout 2
C. [edit]
user@host# set applications application voicecube destination-port 5060
D. [edit]
user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 120
Which parameters are valid SCREEN options for combating operating system probes?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 121
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to be the primary node for this redundancy group. You need to verify
that the redundancy group failover is successful. Which command do you use to manually test the failover?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 122
The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web filtering on the branch SRX device is fully executed within the
device itself?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 123
In the Junos OS, which statement is true?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 124
Which statement is true about SurfControl integrated Web filter solution?
A. The SurfControl server in the cloud provides the SRX device with the category of the URL as well as the reputation of the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
C. The SurfControl server in the cloud provides the SRX device with only the reputation of the URL.
D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny the URL.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 125
Click the Exhibit button.
Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 126
Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user authentication, the user must first open a connection to the Junos security platform before connecting to a
remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a connection to the Junos security platform before connecting to a remote
network resource.
C. If a Junos security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.
D. If a Junos security device is configured for Web firewall user authentication, new sessions are automatically intercepted to perform authentication.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 127
You want to create a security policy allowing traffic from any host in the Trust zone to hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this
policy?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 128
Which three types of content filtering are supported only for HTTP? (Choose three.)
A. block Flash
B. block Java applets
C. block ActiveX
D. block EXE files
E. block MIME type
Explanation/Reference:
QUESTION 129
Which three represent IDP policy match conditions? (Choose three.)
A. protocol
B. source-address
C. port
D. application
E. attacks
QUESTION 130
Which two statements are true regarding the system-default security policy [edit security policies default-policy]? (Choose two.)
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 131
Which configuration shows the correct application of a security policy scheduler?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 132
Which three functions are provided by the Junos OS for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Explanation/Reference:
QUESTION 133
Which three options represent IDP policy match conditions? (Choose three.)
A. service
B. to-zone
C. attacks
D. port
E. destination-address
Explanation/Reference:
QUESTION 134
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Explanation/Reference:
QUESTION 135
Which two statements apply to policy scheduling? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 136
Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)
Explanation/Reference:
QUESTION 137
What are three different integrated UTM components available on the branch SRX Series devices? (Choose three.)
Explanation/Reference:
QUESTION 138
You want to test a configured screen value prior to deploying. Which statement will allow you to accomplish this?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 139
Which three contexts can be used as matching conditions in a source NAT configuration? (Choose three.)
A. routing-instance
B. zone
C. interface
D. policy
E. rule-set
Explanation/Reference:
QUESTION 140
Which command shows the event and traceoptions file for chassis clusters?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 141
Which encryption type is used to secure user data in an IPsec tunnel?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 142
Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address and network mask of 71.33.252.17/24. A Web server with IP
address 10.20.20.1 is running an HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your device. You must use NAT to
make the Web server reachable from the Internet using port translation. Which type of NAT must you configure?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 143
Which two types of attacks are considered to be denial of service? (Choose two.)
A. zombie agents
B. SYN flood
C. IP packet fragments
D. WinNuke
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 144
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?
A. express AV
B. full AV
C. desktop AV
D. ICAP
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 145
Which two statements are true about the Websense redirect Web filter solution? (Choose two.)
A. The Websense redirect Web filter solution does not require a license on the SRX device.
B. The Websense server provides the SRX device with a category for the URL and the SRX device then matches the category with its configured policies and
decides to permit or deny the URL.
C. The Websense server provides the SRX device with a decision as to whether the SRX device permits or denies the URL.
D. When the Websense server does not know the category of the URL, it sends a request back to the SRX device to validate against the integrated SurfControl
server in the cloud.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 146
Click the Exhibit button.
Referring to the exhibit, which statement contains the correct gateway parameters?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 147
Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 148
Content filtering enables traffic to be permitted or blocked based on inspection of which three types of content? (Choose three.)
A. MIME pattern
B. file extension
C. IP spoofing
D. POP3
E. protocol command
Explanation/Reference:
QUESTION 149
What are three valid Juniper Networks IPS attack object types? (Choose three.)
A. signature
B. anomaly
C. trojan
D. virus
E. chain
QUESTION 150
Which two statements are true about AH? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 151
Click the Exhibit button.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 152
On which component is the control plane implemented?
A. IOC
B. PIM
C. RE
D. SPC
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 153
Which two packet attributes contribute to the identification of a session? (Choose two.)
A. destination port
B. TTL
C. IP options
D. protocol number
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 154
Which interface is used for RTO synchronization and forwarding traffic between the devices in a cluster?
A. the st interface
B. the reth interface
C. the fxp1 and fxp0 interfaces
D. the fab0 and fab1 interfaces
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 155
Click the Exhibit button.
In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from the match condition of the policy My Traffic. What will happen to the
existing FTP and BGP sessions?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 156
Click the Exhibit button.
Given the configuration shown in the exhibit, which configuration object would be used to associate both Nancy and Walter with firewall user authentication within a
security policy?
A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 157
Which two statements are true about pool-based source NAT? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 158
What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can decompress for the HTTP protocol?
A. 1
B. 4
C. 8
D. 16
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 159
The same Web site is visited for the second time using a branch SRX Series Services Gateway configured with SurfControl integrated Web filtering. Which
statement is true?
A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server provides the SRX with a category of the URL.
B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server asks the SRX device to permit the URL as it has been
previously visited.
C. The SRX device looks at its local cache to find the category of the URL.
D. The SRX device does not perform any Web filtering operation as the Web site has already been visited.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 160
To determine whether a particular file has a virus by only inspecting a few initial packets before receiving the entire file, which UTM feature do you enable?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 161
Which element occurs first during the first-packet-path processing?
A. destination NAT
B. forwarding lookup
C. route lookup
D. SCREEN options
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 162
Which statement describes the behavior of source NAT with address shifting?
A. Source NAT with address shifting translates both the source IP address and the source port of a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same translated IP address.
D. Source NAT with address shifting allows inbound connections to be initiated to the static source pool IP addresses.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 163
Which two statements are true about IPsec traffic? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 164
You must configure a SCREEN option that will protect your router from a session table flood.
Which configuration meets this requirement?
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
udp {
{
source-ip-based 1200;
destination-ip-based 1200;
}
}
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 165
Which two statements are true regarding high-availability chassis clustering? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 166
Which statement is true for interfaces residing outside of redundancy groups?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 167
Under which configuration hierarchy is an access profile configured for firewall user authentication?
A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 168
Which two statements are true about juniper-express-engine (express AV)? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 169
What are two uses of NAT? (Choose two.)
A. enabling network migrations
B. conserving public IP addresses
C. allowing stateful packet inspection
D. preventing unauthorized connections from outside the network
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 170
Which three statements are true when working with high-availability clusters? (Choose three.)
Explanation/Reference:
QUESTION 171
Which security or functional zone name has special significance to the Junos OS?
A. self
B. trust
C. untrust
D. junos-global
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 172
Which statement is true regarding NAT?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 173
Which statement describes an ALG?
A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 174
Which UTM feature requires a license to function?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 175
Which URL will match the URL pattern "www.news.com/asia"?
A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 176
What are three valid Juniper Networks IPS attack object types? (Choose three.)
A. signature
B. anomaly
C. trojan
D. virus
E. chain
Explanation/Reference:
QUESTION 177
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)
A. protocol list
B. MIME
C. block list
D. extension
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 178
Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
Explanation/Reference:
QUESTION 179
Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)
Explanation/Reference:
QUESTION 180
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to be the primary node for this redundancy group. You need to verify
that the redundancy group failover is successful.
Explanation/Reference:
QUESTION 181
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?
A. express AV
B. full AV
C. desktop AV
D. ICAP
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 182
Which two statements about static NAT are true? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 183
Which statement is true about zone interface assignment?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 184
You want to ensure end-to-end data connectivity through an IPsec tunnel.
Which feature would you activate?
A. DPD
B. VPN monitor
C. perfect forward secrecy
D. NHTB
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 185
In which two cases would you consider the TCP flag settings to be suspicious? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 186
Which operational mode command displays all active IKE phase 2 security associations?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 187
Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 188
Which three security policy actions are valid? (Choose three.)
A. deny
B. allow
C. permit
D. reject
E. discard
Explanation/Reference:
QUESTION 189
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 190
Which URL database do branch SRX Series devices use when leveraging local Web filtering?
A. The SRX Series device will download the database from an online repository to locally inspect HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 191
Your task is to provision the Junos security platform to permit transit packets from the Private zone to the External zone and send them through the IPsec VPN. You
must also have the device generate a log message when the session ends.
Which configuration meets this requirement?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 192
Which two statements are true for a security policy? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 193
Which command would you use to enable chassis clustering on an SRX device, setting the cluster ID to 1 and node to 0?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 194
Which three advanced permit actions within security policies are valid? (Choose three.)
Explanation/Reference:
QUESTION 195
Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 196
On which component is the control plane implemented?
A. IOC
B. PIM
C. RE
D. SPC
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 197
When an SRX Series device receives an ESP packet, what happens?
A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the
packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of
inner header, it will decrypt the packet.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 198
You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 199
Which two statements are true about route-based VPNs? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 200
What is the purpose of an address book?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 201
Which two traffic types trigger pass-through firewall user authentication? (Choose two.)
A. SSH
B. ICMP
C. Telnet
D. FTP
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 202
How does the antivirus feature operate once the antivirus license has expired?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 203
What are two valid match conditions for source NAT? (Choose two.)
A. port range
B. source port
C. source address
D. destination address
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 204
Which two configuration elements are required for a policy-based VPN? (Choose two.)
A. IKE gateway
B. secure tunnel interface
C. security policy to permit the IKE traffic
D. security policy referencing the IPsec VPN tunnel
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 205
Which two statements are true for both express antivirus and full file-based antivirus? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 206
Which statement is true about interfaces, zones, and routing-instance relationships?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 207
What do you use to group interfaces with similar security requirements?
A. zones
B. policies
C. address book
D. NAT configuration
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 208
Which statement is true when express AV detects a virus in a TCP session?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 209
Which statement describes the behavior of a security policy?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 210
What are two rulebase types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 211
Click the Exhibit button.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 212
Click the Exhibit button.
Which two statements are true about the output shown in the exhibit on the branch SRX device? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 213
Click the Exhibit button.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 214
Review Below:
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 215
Regarding zone types, which statement is true?
Explanation/Reference:
QUESTION 216
Regarding attacks, which statement is correct?
A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.
B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy flood.
C. DoS attacks are directed at the network protection devices, while propagation attacks are directed at the servers.
D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take control of the devices.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 217
Click the Exhibit button.
[edit schedulers]
user@host# show
scheduler now {
    monday all-day;
    tuesday exclude;
    wednesday {
        start-time 07:00:00 stop-time 18:00:00;
    }
    thursday {
        start-time 07:00:00 stop-time 18:00:00;
    }
}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}
Based on the configuration shown in the exhibit, what are the actions of the security policy?
A. The policy will always permit transit packets and use the IPsec VPN myTunnel.
B. The policy will permit transit packets only on Monday, and use the IPsec VPN Mytunnel.
C. The policy will permit transit packets and use the IPsec VPN myTunnel all day Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.
D. The policy will always permit transit packets, but will only use the IPsec VPN myTunnel all day Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 218
Which two statements are true regarding proxy ARP? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 219
For IKE phase 1 negotiations, when is aggressive mode typically used?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 220
A traditional router is better suited than a firewall device for which function?
A. VPN establishment
B. packet-based forwarding
C. stateful packet processing
D. Network Address Translation
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 221
Which three functions are provided by JUNOS Software for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Explanation/Reference:
QUESTION 222
Which two functions of JUNOS Software are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 223
In JUNOS Software, which three packet elements can be inspected to determine if a session already exists? (Choose three.)
A. IP protocol
B. IP time-to-live
C. source and destination IP address
D. source and destination MAC address
E. source and destination TCP/UDP port
Explanation/Reference:
QUESTION 224
By default, which condition would cause a session to be removed from the session table?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 225
What is the purpose of a zone in JUNOS Software?
Explanation/Reference:
QUESTION 226
Users can define policy to control traffic flow between which two components? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 227
Which two configurations are valid? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 228
Which two configuration options must be present for IPv4 transit traffic to pass between the ge-0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)
A. family inet
B. a security zone
C. a routing instance
D. host-inbound-traffic
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 229
Which zone is a system-defined zone?
A. null zone
B. trust zone
C. untrust zone
D. management zone
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 230
Which type of zone is used by traffic transiting the device?
A. transit zone
B. default zone
C. security zone
D. functional zone
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 231
Which two steps are performed when configuring a zone? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 232
You want to allow all hosts on interface ge-0/0/0.0 to be able to ping the device's ge-0/0/0.0 IP address.
A. [edit interfaces]
B. [edit security zones]
C. [edit system services]
D. [edit security interfaces]
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 233
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone.
From the [edit] hierarchy, which command do you use to configure this assignment?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 234
You are not able to telnet to the interface IP address of your device from a PC on the same subnet.
Explanation/Reference:
QUESTION 235
Click the Exhibit button.
Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 236
Click the Exhibit button.
Based on the exhibit, client PC 192.168.10.10 cannot ping 1.1.1.2. Which is a potential cause for this problem?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 237
Click the Exhibit button.
Given the configuration shown in the exhibit, which interface allows both ping and SSH traffic?
A. ge-0/0/0.0
B. ge-0/0/1.0
C. ge-0/0/2.0
D. ge-0/0/3.0
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 238
Click the Exhibit button.
user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : bgp ospf
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 239
Click the Exhibit button.
user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : ping ssh telnet
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 240
Click the Exhibit button.
[edit security]
user@host# show
zones {
    security-zone ZoneA {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
    }
    security-zone ZoneB {
        interfaces {
            ge-0/0/3.0;
        }
    }
}
policies {
    from-zone ZoneA to-zone ZoneB {
        policy A-to-B {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet connection to the device's ge-0/0/1.0 IP address.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 241
Which two commands can be used to monitor firewall user authentication? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 242
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 243
Which two external authentication server types are supported by JUNOS Software for firewall user authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 244
Click the Exhibit button.
Referring to the exhibit, which two traffic types are permitted when the destination is the ge-0/0/0.0 IP address? (Choose two.)
A. Telnet
B. OSPF
C. ICMP
D. RIP
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 245
What are three main phases of an attack? (Choose three.)
A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance
Explanation/Reference:
QUESTION 246
An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies.
Which type of an attack does this scenario describe?
A. DoS
B. SYN flood
C. port scanning
D. IP address sweep
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 247
Where do you configure SCREEN options?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 248
Prior to applying SCREEN options to drop traffic, you want to determine how your configuration will affect traffic.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 249
You are required to configure a SCREEN option that enables IP source route option detection.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 250
Which two statements describe the purpose of a security policy? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 251
Exhibit.
A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from HOSTA and that HOSTA is in zone trust and HOSTB is in zone
untrust. What will happen to the traffic given the configuration in the exhibit?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 252
Which two security policy actions are valid? (Choose two.)
A. deny
B. discard
C. reject
D. close
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 253
Click the Exhibit button.
[edit schedulers]
user@host# show
scheduler now {
    monday all-day;
    tuesday exclude;
    wednesday {
        start-time 07:00:00 stop-time 18:00:00;
    }
    thursday {
        start-time 07:00:00 stop-time 18:00:00;
    }
}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}
Based on the configuration shown in the exhibit, what will happen to the traffic matching the security policy?
A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.
B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.
C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and Wednesdays between 7:00 am and 6:00 pm, and Thursdays between 7:00
am and 6:00 pm.
D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and Wednesdays between 6:01 pm and 6:59 am, and Thursdays between 6:01
pm and 6:59 am.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 254
Click the Exhibit button.
Given the configuration shown in the exhibit, which statement is true about traffic from host_a to host_b?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 255
Which statement is true about interface-based source NAT?
A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. The IP addresses being translated must be in the same subnet as the egress interface.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 256
Which two statements are true about pool-based destination NAT? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 257
Which statement is true about source NAT?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 258
Which two statements are true about overflow pools? (Choose two.)
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 259
Which statement is true regarding proxy ARP?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 260
You are creating a destination NAT rule-set.
Which two are valid for use with the from clause? (Choose two.)
A. security policy
B. interface
C. routing-instance
D. IP address
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 261
Regarding an IPsec security association (SA), which two statements are true? (Choose two.)
A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 262
Which operational mode command displays all active IPsec phase 2 security associations?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 263
Two VPN peers are negotiating IKE phase 1 using main mode. Which message pair in the negotiation contains the phase 1 proposal for the peers?
A. message 1 and 2
B. message 3 and 4
C. message 5 and 6
D. message 7 and 8
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 264
Which attribute is required for all IKE phase 2 negotiations?
A. proxy-ID
B. preshared key
C. Diffie-Hellman group key
D. main or aggressive mode
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 265
Which attribute is optional for IKE phase 2 negotiations?
A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 266
A route-based VPN is required for which scenario?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 267
A policy-based IPsec VPN is ideal for which scenario?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 268
Regarding a route-based versus policy-based IPsec VPN, which statement is true?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 269
Which two configuration elements are required for a route-based VPN? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 270
Click the Exhibit button.
[edit security]
user@host# show
ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
    }
    gateway remote-ike {
        ike-policy ike-policy1;
        address 172.19.51.170;
        external-interface ge-0/0/3.0;
    }
}
ipsec {
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn remote-vpn {
        ike {
            gateway remote-ike;
            ipsec-policy vpn-policy1;
        }
    }
}
Assuming you want to configure a route-based VPN, which command is required to bind the VPN to secure tunnel interface st0.0?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 271
Regarding secure tunnel (st) interfaces, which statement is true?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 272
What are three benefits of using chassis clustering? (Choose three.)
Explanation/Reference:
QUESTION 273
You have been tasked with installing two SRX 5600 platforms in a high-availability cluster. Which requirement must be met for a successful installation?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 274
Click the Exhibit button.
[edit chassis]
user@host# show
cluster {
    reth-count 3;
    redundancy-group 1 {
        node 0 priority 1;
        node 1 priority 100;
    }
}
When applying the configuration in the exhibit and initializing a chassis cluster, which statement is correct?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 275
What is a redundancy group in JUNOS Software?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 276
When devices are in cluster mode, which new interfaces are created?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 277
What are two interfaces created when enabling a chassis cluster? (Choose two.)
A. st0
B. fxp1
C. fab0
D. reth0
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 278
Which statement is true regarding redundancy groups?
A. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned
to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 279
Which IDP policy action drops a packet before it can reach its destination, but does not close the connection?
A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 280
You have been tasked with performing an update to the IDP attack database. Which three requirements are included as part of this task? (Choose three.)
Explanation/Reference:
QUESTION 281
You are implementing an IDP policy template from Juniper Networks. Which three steps are included in this process? (Choose three.)
Explanation/Reference:
QUESTION 282
Which statement regarding the implementation of an IDP policy template is true?
A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 283
Which two statements are true regarding firewall user authentication? (Choose two.)
A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the JUNOS security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote networks.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 284
Which statement accurately describes firewall user authentication?
A. Firewall user authentication provides another layer of security in a network.
B. Firewall user authentication provides a means for accessing a JUNOS Software-based security device.
C. Firewall user authentication enables session-based forwarding.
D. Firewall user authentication is used as a last resort security method in a network.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 285
Which two firewall user authentication objects can be referenced in a security policy? (Choose two.)
A. access profile
B. client group
C. client
D. default profile
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 286
Which high availability feature is supported only on Junos security platforms?
A. Virtual Chassis
B. VRRP
C. chassis clustering
D. graceful restart
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
The Junos OS achieves high availability on Junos security platforms using chassis clustering. Chassis clustering provides network node redundancy by grouping two
like devices into a cluster. The two nodes back each other up with one node acting as the primary and the other as the secondary node, ensuring the stateful failover
of processes and services in the event of system or hardware failure. A control link between services processing cards (SPCs) or revenue ports and an Ethernet
data link between revenue ports connect two like devices. Junos security platforms must be the same model, and all SPCs, network processing cards (NPCs), and
input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware revision. The chassis clustering feature in the Junos OS is built
on the high availability methodology of Juniper Networks M Series and T Series platforms and the TX Matrix platform, including multichassis clustering,
active-passive Routing Engines (REs), active-active Packet Forwarding Engines (PFEs), and graceful RE switchover capability.
QUESTION 287
What is a security policy?
A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
A security policy is a set of statements that controls traffic from a specified source to a specified destination using a specified service. If a packet arrives that
matches those specifications, the SRX Series device performs the action specified in the policy.
QUESTION 288
What is a zone?
A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A zone is a collection of one or more network segments sharing identical security requirements. To group network segments within a zone, you must assign logical
interfaces from the device to a zone.
QUESTION 289
What is the function of NAT?
Explanation/Reference:
Historically, the NAT concept was born because of the shortage of public IPv4 addresses. Many organizations moved to deploy so-called private addresses using
the IPv4 private addressing space, as identified in RFC 1918. These addresses include the following ranges:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8 prefix);
Because private addresses are not routable within the public domain, edge network devices can deploy the NAT feature to replace private, nonroutable addresses
with public addresses prior to sending traffic to the public network and vice versa. Translation consists of replacing the IP address (NAT), port numbers (PAT), or
both, depending on the configuration.
While primarily deployed to translate private addresses to public addresses, NAT can translate from any address to any other address, including public to public and
private to private addresses.
QUESTION 290
Which statement correctly describes the default state of a high-end SRX Series Services Gateway?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 291
Which Junos security feature helps protect against spam, viruses, trojans, and malware?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The major features of Unified Threat Management (UTM): A branch office network in today's market significantly contributes to the bottom line and is central to an
organization's success. Branch offices normally include a relatively smaller number of computing resources when compared to central facilities or headquarters
locations. Branch offices are typically located where customer interactions occur, which means there is increased demand for supporting applications and assuring
application performance, and an increased demand for security. General security vulnerabilities exist for every branch office network. These vulnerabilities include spam
and phishing attacks, viruses, trojans and spyware-infected files, unapproved website access, and unapproved content.
QUESTION 292
When the first packet in a new flow is received, which high-end SRX component is responsible for setting up the flow?
A. Routing Engine
B. I/O card
C. network processing card
D. services processing card
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 293
Which three elements are contained in a session-close log message? (Choose three.)
A. source IP address
B. DSCP value
C. number of packets transferred
D. policy name
E. MAC address
Explanation/Reference:
QUESTION 294
Which card performs flow lookup on incoming packets on high-end SRX Series devices?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 295
How is the control plane separated from the data plane on branch SRX Series devices?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 296
Which three parameters does the Junos OS attempt to match against during session lookup? (Choose three.)
A. session token
B. ingress interface
C. protocol number
D. source port number
E. egress interface
Explanation/Reference:
QUESTION 297
You have packet loss on an IPsec VPN using the default maximum transmission unit (MTU) where the packets have the DF-bit (do not fragment) set.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 298
The branch SRX Series Services Gateways implement the data plane on which two components? (Choose two.)
A. IOCs
B. SPCs
C. CPU cores
D. PIMs
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 299
Which configuration must be completed to use both packet-based and session-based forwarding on a branch SRX Series Services Gateway?
A. A stateless firewall filter must be used on the ingress interface to match traffic to be processed as session based.
B. A security policy rule must be used on the ingress interface to match traffic to be processed as session based.
C. A global security policy rule must be used on the ingress interface to match traffic to be processed as packet based.
D. A stateless firewall filter must be used on the ingress interface to match traffic to be processed as packet based.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 300
Which branch SRX Series Services Gateway model has a hardware-based, modular Routing Engine?
A. SRX1400
B. SRX650
C. SRX110
D. SRX240
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 301
Which two statements are true about zones? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 302
Which statement is true about factory-default zones?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 303
Which two statements are true when configuring security zones? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 304
What are two system-defined zones? (Choose two.)
A. null zone
B. system zone
C. Junos host zone
D. functional zone
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 305
Which statement is correct about zone and interface dependencies?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 306
What are two functions of the junos-host zone? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 307
Which two parameters are configurable under the [edit security zones security-zone zoneA] stanza? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 308
What are two predefined address-book entries? (Choose two.)
A. all
B. any-ipv6
C. any-ipv4
D. all-ipv4
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 309
What are two valid network prefixes in address books? (Choose two.)
A. 172.16.3.11/29
B. 172.16.0.0/16
C. 172.16.3.11/32
D. 172.16.3.11/24
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 310
You want to show interface-specific zone information and statistics. Which operational command would be used to accomplish this?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 311
Which two statements are correct regarding the security policy parameter policy-rematch? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 312
An engineer has just created a single policy allowing ping traffic from a host in the Users zone to a server in the Servers zone.
When the host pings the server, what will happen to the return traffic?
A. The return traffic will match the session and will be permitted.
B. The return traffic will match the new policy and will be permitted.
C. The return traffic will not be permitted; it will need a separate policy.
D. The return traffic will not be permitted; it will match the system default policy.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 313
Following a recent security audit, you find that users are able to ping between the untrust zone and the trust zone, which is contrary to your organization's current
security policy. On examination of the current security policies, you find no policies that would allow these connections.
What are two reasons why users would be able to ping between these zones? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 314
You must create a security policy for a custom application that requires a longer session timeout than the default application offers.
A. Set the timeout value in the security forwarding-options section of the CLI.
B. Set the timeout value for the application in the security zone configuration.
C. Alter a built-in application and set the timeout value under the application-protocol section of the CLI.
D. Create a custom application and set the timeout value under the application-protocol section of the CLI.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 315
You need to build a scheduler to apply to a policy that will allow traffic from Monday to Friday only. What will accomplish this task?
A. [edit schedulers]
user@host# show
scheduler no-weekends {
daily all-day;
sunday exclude;
saturday exclude;
}
B. [edit schedulers]
user@host# show
scheduler no-weekends {
daily except weekends;
}
C. [edit schedulers]
user@host# show
scheduler no-weekends {
daily;
sunday exclude;
saturday exclude;
}
D. [edit schedulers]
user@host# show
scheduler no-weekends {
weekday all-day;
}
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 316
You want to silently drop HTTP traffic.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 317
You are asked to change the behavior of the system-default policy from the default setting on an SRX Series device.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 318
You have just added the policy deny-host-a to prevent traffic from Host A that was previously allowed by the policy permit-all. After committing the changes, you
notice that all traffic, including traffic from Host A, is still allowed.
Which configuration statement will prevent traffic from Host A, while still allowing other hosts to send traffic?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 319
You are troubleshooting a security policy. The operational command show security flow session does not show any sessions for this policy.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 320
You want to enable local logging for security policies and have the log information stored in a separate file on a branch SRX Series device.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 321
You want to authenticate users accessing an internal FTP server using the SRX Series Services Gateway. You also want to use an internal LDAP server as the
authentication server.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 322
Which two settings in the options field of an IP header will Junos Screen options block? (Choose two.)
A. traceroute
B. record route option
C. timestamp option
D. MTU probe
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 323
Which two statements are true about the SYN cookie Junos Screen option? (Choose two.)
A. The SYN cookie mechanism is stateless; therefore, the initial three-way handshake can complete before a session table entry is completed.
B. The SRX device will implement the SYN cookie mechanism on all connections once SYN cookies are enabled.
C. The SYN cookie mechanism uses a cryptographic hash, which can detect spoofed source addresses.
D. SYN cookie protection can stop UDP floods as well as TCP floods.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 324
Which three actions should be used when initially implementing Junos Screen options? (Choose three.)
Explanation/Reference:
QUESTION 325
At which step in the packet flow are Junos Screen checks applied?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 326
You need to apply the Junos Screen protect-zone to the public zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 327
You need to implement Junos Screen options to protect traffic coming through the ge-0/0/0 and ge-0/0/1 interfaces which are located in the trust and DMZ zones,
respectively.
Where would you enable the Junos Screen options?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 328
While reviewing the logs on your SRX240 device, you notice SYN floods coming from multiple hosts out on the Internet.
Which Junos Screen option would protect against these denial-of-service (DoS) attacks?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 329
You want to protect against attacks on interfaces in ZoneA. You create a Junos Screen option called no-flood and commit the configuration. In the weeks that
follow, the Screen does not appear to be working; whenever you enter the command show security screen statistics zone ZoneA, all counters show 0.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 330
While reviewing the logs on your SRX240 device, you notice SYN floods coming from a host out on the Internet towards several hosts on your trusted network.
Which Junos Screen option would protect against these denial-of-service (DoS) attacks?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 331
During packet flow on an SRX Series device, which two processes occur before route lookup? (Choose two.)
A. static NAT
B. destination NAT
C. source NAT
D. reverse static NAT
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 332
Which Junos NAT implementation requires the use of proxy ARP?
A. destination NAT using a pool outside the IP network of the device's interface
B. source NAT using the device's egress interface
C. source NAT using a pool in the same IP network as the device's interface
D. source NAT using a pool outside the IP network of the device's interface
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 333
You are configuring source NAT.
Which three elements are used for matching the traffic direction in the from and to statements? (Choose three.)
A. routing instance
B. zone
C. source address
D. destination address
E. interface
Explanation/Reference:
QUESTION 334
You have just configured source NAT with a pool of addresses within the same subnet as the egress interface.
What else must be configured to make the addresses in the pool usable?
A. static NAT
B. destination NAT
C. address persistence
D. proxy ARP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 335
You have just changed a NAT rule and committed the change.
A. Affected sessions remain active and are not updated until the sessions restart.
B. Affected sessions are torn down and are re-initiated as soon as the SRX device receives matching traffic.
C. Affected sessions are torn down and are immediately re-initiated.
D. Affected sessions are dynamically updated with the configuration change.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 336
Which configuration allows direct access to the 10.10.10.0/24 network without NAT, but uses NAT for all other traffic from the untrust zone to the egress interface?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 337
Which two actions occur during IKE Phase 1? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 338
What are two valid symmetric encryption key types? (Choose two.)
A. DES
B. RSA
C. AES
D. DSA
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 339
Which two are negotiated during Phase 2 of an IPsec VPN tunnel establishment? (Choose two.)
A. security protocol
B. VPN monitor interval
C. UDP port number
D. proxy IDs
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 340
Which three algorithms are used by an SRX Series device to validate the integrity of the data exchanged through an IPsec VPN? (Choose three.)
A. 3DES
B. MD5
C. NHTB
D. SHA1
E. SHA2
Explanation/Reference:
QUESTION 341
You are asked to implement the hashing algorithm that uses the most bits in the calculation on your Junos security device.
A. SHA-512
B. SHA-256
C. MD5-Plus
D. MD5
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 342
You are asked to establish an IPsec VPN to a remote device whose IP address is dynamically assigned by the ISP.
A. passive
B. aggressive
C. main
D. quick
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 343
Which three Diffie-Hellman groups are supported during IKE Phase 1 by the Junos OS? (Choose three.)
A. 1
B. 2
C. 3
D. 4
E. 5
Explanation/Reference:
QUESTION 344
A security association is uniquely identified by which two values? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 345
You are asked to establish an IPsec VPN between two sites. The remote device has been preconfigured.
Which two parameters must be identical to the remote device's parameters when designing the local IKE proposal? (Choose two.)
A. security protocol
B. Diffie-Hellman group
C. encryption algorithm
D. Perfect Forward Secrecy keys
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 346
Which two statements are correct about IPsec security associations? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 347
You are deploying a branch site which connects to two hub locations over an IPsec VPN. The branch SRX Series device should send all traffic to the first hub
unless it is unreachable and should then direct traffic to the second hub. You must use static routes to send traffic towards the hub site.
Which two technologies should you use to fail over from a primary to a secondary tunnel in less than 60 seconds? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 348
Which two statements are correct regarding reth interfaces? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 349
Which two statements are correct about establishing a chassis cluster with IPv6? (Choose two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 350
You are asked to set up a chassis cluster between your SRX Series devices. You must ensure that the solution provides both dual redundant links per node and
node redundancy.
A. aggregated Ethernet
B. redundant Ethernet
C. aggregated Ethernet LAG
D. redundant Ethernet LAG
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 351
What is supported on the fabric link?
A. jumbo frames
B. filters
C. fragmentation
D. policies
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 352
You are asked to establish a chassis cluster between two SRX Series devices. You must ensure that end-to-end connectivity is monitored and that the redundancy
group will fail over to the other node if the remote device becomes unreachable.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 353
When using chassis clustering, which link is responsible for configuration synchronization?
A. fxp0
B. fxp1
C. fab0
D. fab1
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 354
Redundant Ethernet interfaces (reths) have a virtual MAC address based on which two attributes? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 355
You are asked to establish a chassis cluster between two branch SRX Series devices. You must ensure that no single point of failure exists.
What would prevent a single point of failure?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 356
Which two statements are correct regarding the cluster ID? (Choose two.)
A. You can have up to 15 unique cluster IDs on a single chassis cluster device.
B. The cluster ID value of 0 indicates that this is the primary chassis cluster on this device.
C. The cluster ID is used to calculate the reth interface's virtual MAC addresses.
D. You must reboot both nodes if you change the cluster ID value.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 357
Which statement is true about real-time objects in an SRX chassis cluster?
A. Real-time objects are exchanged over the fxp1 link to provide highly accurate time synchronization.
B. Real-time objects are exchanged over the fxp1 link to synchronize IPsec security associations.
C. Real-time objects are exchanged over the fab links to provide configuration file synchronization.
D. Real-time objects are exchanged over the fab links to synchronize session table entries.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 358
When using chassis clustering, which action is taken by the Junos OS if the control link or the fabric link suffers a loss of keepalives or heartbeat messages?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 359
You are configuring the SRX Series Services Gateway in chassis cluster mode.
What is a valid way to configure Redundancy Groups (RGs) 1 and 2 for active/active redundancy?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 360
You have just manually failed over Redundancy Group 0 on Node 0 to Node 1. You notice Node 0 is now in a secondary-hold state.
A. The previous primary node moves to the secondary-hold state because an issue occurred during failover. It stays in that state until the issue is resolved.
B. The previous primary node moves to the secondary-hold state and stays there until manually reset, after which it moves to the secondary state.
C. The previous primary node moves to the secondary-hold state and stays there until the hold-down interval expires, after which it moves to the secondary state.
D. The previous primary node moves to the secondary-hold state and stays there until manually failed back to the primary node.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 361
Which three Unified Threat Management features require a license? (Choose three.)
A. antivirus
B. SurfControl Web filtering
C. Websense Web filtering
D. content filtering
E. antispam
Explanation/Reference:
QUESTION 362
Which global UTM configuration parameter contains lists, such as MIME patterns, filename extensions, and URL patterns, that can be used across all UTM
features?
A. custom objects
B. feature profile
C. UTM policy
D. address sets
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 363
Your SRX Series device is configured so that all inbound traffic from the Internet is examined by the UTM content filtering feature.
As inbound traffic arrives at the SRX device, which packet processing component is responsible for sending the packets for UTM processing?
A. zone
B. security policy
C. Junos Screen options
D. forwarding lookup
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 364
Which three UTM features require a license? (Choose three.)
Explanation/Reference:
QUESTION 365
Which two SRX platforms support UTM features? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 366
Which antivirus protection feature uses the first several packets of a file to determine if the file contains malicious code?
A. express scanning
B. intelligent prescreening
C. full file-based
D. Kaspersky
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 367
Which antivirus protection feature uses virus patterns and a malware database that are located on external servers?
A. full file-based
B. Kaspersky
C. Sophos
D. express scan
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 368
You have implemented Integrated SurfControl Web filtering on an SRX Series device. You have also created a whitelist and a blacklist on the SRX device. One particular Web site matches all three: the whitelist, the blacklist, and the SurfControl policy.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 369
You have deployed enhanced Web filtering on an SRX Series device. A user requests a URL that is not in the URL filtering cache.
What happens?
A. The request is permitted immediately but the SRX device then requests the category from the configured server and caches the response for use with
subsequent requests.
B. The request is blocked immediately but the SRX device then requests the category from the configured server and caches the response for use with
subsequent requests.
C. The SRX device requests the category from the configured server. Once the response is received, the SRX device processes the request against the policy
based on the information received and caches the response.
D. The SRX device will either permit or deny the request immediately depending on the configuration in the UTM policy. The SRX device then requests the
category from the central server and caches the response for use with subsequent requests.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 370
You are configuring a blacklist for Web filtering on a branch SRX Series device.
A. http://www.company.com/*
B. http://*.company.com
C. www.company.com
D. 1.2.3.4
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 371
Which two criteria does the enhanced Web filtering solution use to make decisions? (Choose two.)
A. site reputation
B. keyword in the document
C. results of antivirus scan
D. category
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 372
-- Exhibit --
[edit interfaces]
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
[edit vlans]
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
-- Exhibit --
Referring to the exhibit, you need to allow ping traffic into interface ge-0/0/1.
Which configuration step will accomplish this task?
A. set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
B. set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic system-services ping
C. set security zones security-zone trust interfaces vlan-trust host-inbound-traffic system-services ping
D. set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 373
-- Exhibit
-- Exhibit --
A. Ping
B. DNS
C. Telnet
D. SSH
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 374
-- Exhibit --
[edit security policies from-zone untrust to-zone junos-host]
user@host# show
policy allow-management {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
Referring to the exhibit, you want to be able to manage your SRX Series device from the Internet using SSH. You have created a security policy to allow the traffic
to flow into the SRX device.
A. Define the junos-host zone and add the SSH service to it.
B. Add the SSH service to the untrust zone.
C. Define the junos-host zone, add the SSH service and the loopback interface to it.
D. Rewrite the security policy to allow SSH traffic from the untrust zone to the global zone.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 375
-- Exhibit --
security {
policies {
from-zone TRUST to-zone UNTRUST {
policy hosts-allow {
match {
source-address hosts;
destination-address any;
application any;
}
then {
permit;
}
scheduler-name block-hosts;
}
policy allow {
match {
source-address any;
destination-address any;
application junos-http;
}
then {
permit;
}
}
policy deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
}
schedulers {
scheduler block-hosts {
daily {
start-time 10:00:00 stop-time 18:00:00;
}
}
}
-- Exhibit --
Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet during specific times. You notice that hosts are still accessing the
Internet during times outside of the scheduler's parameters.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 376
-- Exhibit --
security {
policies {
from-zone TRUST to-zone UNTRUST {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
policy allow-hosts {
match {
source-address hosts;
destination-address any;
application junos-http;
}
then {
permit;
}
scheduler-name block-hosts;
}
policy deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
}
schedulers {
scheduler block-hosts {
daily {
start-time 10:00:00 stop-time 18:00:00;
}
}
}
-- Exhibit --
Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet during specific times. You notice that hosts are unable to access the
Internet.
What is blocking hosts from accessing the Internet?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 377
-- Exhibit
-- Exhibit --
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 378
-- Exhibit --
[edit security policies]
user@host# show
from-zone hr to-zone internet {
policy internet-access {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy clean-up {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
-- Exhibit --
You want to permit access to the Internet from the hr zone during a specified time.
Which configuration will accomplish this task?
A. Configure a scheduler, apply it to a new policy, and insert it after internet-access to permit Internet access.
B. Configure a scheduler and apply it to the policy internet-access to deny Internet access.
C. Configure a scheduler and apply it to the policy internet-access to permit Internet access.
D. Configure a scheduler, apply it to a new policy, and insert it before internet-access to permit Internet access.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 379
-- Exhibit
-- Exhibit --
You are asked to configure a hub-and-spoke VPN. All the VPN components have been configured, and you are able to ping the remote tunnel interfaces at Site 1
and Site 2 from the Hub site as shown in the exhibit. The Hub site's external interface is in security zone untrust and the st0 interfaces from each site are in security
zone DMZ. Users in Site 2 are unable to connect to a Web server in Site 1.
Which additional step is required at the hub site for users to access the Web server?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 380
-- Exhibit
-- Exhibit --
Referring to the exhibit, you need to allow FTP traffic from the Internet to the FTP server in the Trust zone. You have built a custom application so that you can
modify the timeout value for FTP sessions and have configured a policy to allow FTP traffic from Untrust to Trust, but the traffic still does not flow. The current
status of the FTP ALG is disabled.
A. The FTP ALG has not been enabled in the security policy.
B. The FTP ALG has not been enabled in the security zones.
C. The FTP ALG has been disabled on the device.
D. The FTP ALG has not been set in the custom application definition.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 381
-- Exhibit
-- Exhibit --
A server in the DMZ of your company is under attack. The attacker is opening a large number of TCP connections to your server which causes resource utilization
problems on the server. All of the connections from the attacker appear to be coming from a single IP address.
Referring to the exhibit, which Junos Screen option should you enable to limit the effects of the attack while allowing legitimate traffic?
A. Apply the Junos Screen option limit-session source-based-ip to the Untrust security zone.
B. Apply the Junos Screen option limit-session source-based-ip to the DMZ security zone.
C. Apply the Junos Screen option limit-session destination-based-ip to the Untrust security zone.
D. Apply the Junos Screen option limit-session destination-based-ip to the DMZ security zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 382
-- Exhibit
-- Exhibit --
Referring to the exhibit, you want to use source NAT to translate the Web server's IP address to the IP address of ge-0/0/2.
Which source NAT type accomplishes this task and always performs PAT?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 383
-- Exhibit --
user@srx> show security flow session
Session ID: 10702, Policy name: default-permit/4, Timeout: 1794, Valid
In: 2.3.4.5/5000 --> 10.1.2.3/22;tcp, IF: fe-0/0/6.0, Pkts: 88444, Bytes: 7009392
Out: 10.1.2.3/22 --> 10.1.1.1/5000;tcp, IF: .local..0, Pkts: 81672, Bytes: 6749337
-- Exhibit --
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 384
-- Exhibit --
[edit security nat source]
user@srx# show
pool A {
address {
172.16.52.94/32;
}
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 192.168.233.0/24;
}
then {
source-nat {
pool {
A;
}
}
}
}
}
-- Exhibit --
A. PAT is enabled.
B. PAT is disabled.
C. Address persistence is enabled.
D. Address persistence is disabled.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 385
-- Exhibit --
[edit security nat]
user@host# show source
pool pool-one {
address {
68.183.13.0/24;
}
}
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule pool-nat {
match {
source-address 10.10.10.1/24;
}
then {
source-nat {
pool {
pool-one;
}
}
}
}
rule no-nat {
match {
destination-address 192.150.2.140/32;
}
then {
source-nat {
off;
}
}
}
}
-- Exhibit --
You have implemented source NAT using a source pool for address translation. However, traffic destined for 192.150.2.140 should not have NAT applied to it. The
configuration shown in the exhibit is not working correctly.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 386
-- Exhibit
-- Exhibit --
A. source NAT
B. destination NAT
C. static NAT
D. NAT pool
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 387
-- Exhibit --
[edit security nat source]
user@host# show
pool snat-pool {
address {
10.10.10.10/32;
10.10.10.11/32;
}
}
pool-utilization-alarm raise-threshold 50 clear-threshold 40;
rule-set user-nat {
from zone trust;
to zone untrust;
rule snat {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
snat-pool;
}
}
}
}
}
-- Exhibit --
Your network management station has generated an alarm regarding NAT utilization based on an SNMP trap received from an SRX Series device.
A. The network management station will require manual intervention to clear the alarm.
B. Once utilization is below 40 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm.
C. Once utilization is below 50 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm.
D. Once utilization is below 80 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 388
-- Exhibit
-- Exhibit --
Click the Exhibit button.
Referring to the exhibit, which three statements are correct? (Choose three.)
Explanation/Reference:
QUESTION 389
-- Exhibit
-- Exhibit --
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 390
-- Exhibit
-- Exhibit --
Referring to the exhibit, which statement is correct about the IPsec configuration?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 391
-- Exhibit
-- Exhibit --
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 392
-- Exhibit
-- Exhibit --
Referring to the exhibit, you are setting up the hub in a hub-and-spoke IPsec VPN. You have verified that all configured parameters are correct at all sites, but your
IPsec VPN is not establishing to both sites.
Which configuration parameter is missing at the hub to complete the configuration?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 393
-- Exhibit --
security {
ike {
policy IKE-STANDARD {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "XXXXXX";
}
gateway GW-HUB {
ike-policy IKE-STANDARD;
dynamic hostname site1.company.com;
external-interface ge-0/0/0.0;
}
}
ipsec {
policy IPSEC-STANDARD {
proposal-set standard;
}
vpn VPN-HUB {
bind-interface st0.0;
ike {
gateway GW-HUB;
ipsec-policy IPSEC-STANDARD;
}
}
}
zones {
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
ike;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone trust {
system-services {
ping;
}
interfaces {
ge-0/0/1.0;
}
}
}
}
-- Exhibit --
You are implementing a new route-based IPsec VPN on an SRX Series device and the tunnel will not establish.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 394
-- Exhibit --
user@host> show security ike security-associations 1.1.1.2
Index Remote Address State Initiator cookie Responder cookie Mode
8 1.1.1.2 UP 3a895f8a9f620198 9040753e66d700bb Main
A. Only one IKE tunnel exists so there is no path for return IKE traffic. You need to allow IKE inbound on interface ge-0/0/0.0.
B. Because there are no IPsec security associations, the problem is in the IPsec proposal settings.
C. The static route created to reach the remote host is incorrect.
D. The VPN settings are correct, the traffic is being blocked by a security policy.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 395
-- Exhibit --
user@host> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:3des/sha1 ac23df79 2532/ unlim - root 4500 1.1.1.1
>131073 ESP:3des/sha1 cbc9281a 2532/ unlim - root 4500 1.1.1.1
What are two conclusions about the VPN tunnel from the output? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 396
-- Exhibit
-- Exhibit --
Server A is communicating with Server B directly over the Internet. The servers now must begin exchanging additional information through an unencrypted protocol.
To protect this new data exchange, you want to establish a VPN tunnel between the two sites that will encrypt just the unencrypted data while leaving the existing
communications directly over the Internet.
A. Configure a route-based VPN and use filter-based forwarding to direct traffic into the VPN tunnel.
B. Configure a route-based VPN tunnel with traffic engineering to direct traffic into the VPN tunnel.
C. Configure a policy-based VPN with a security policy that matches the unencrypted traffic and directs it into the VPN tunnel.
D. Configure a policy-based VPN tunnel and use filter-based forwarding to direct the unencrypted traffic into interface st0.0.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 397
-- Exhibit --
user@host# set interfaces ge-0/0/5 gigether-options redundant-parent reth1
user@host# set interfaces ge-5/0/5 gigether-options redundant-parent reth1
user@host# set interfaces reth1.0 family inet address 192.168.1.100/30
user@host# commit
[edit interfaces reth1]
'unit 0'
reth1 needs to be associated with a non-zero redundancy-group
error: configuration check-out failed
-- Exhibit --
Referring to the exhibit, you have built a chassis cluster, set up a reth, and put interfaces into the reth. However, when you try to commit the configuration, you
receive the error shown in the exhibit.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 398
-- Exhibit
-- Exhibit --
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 399
-- Exhibit --
user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
node 0 priority 200;
node 1 priority 100;
interface-monitor {
ge-0/0/5 weight 85;
ge-0/0/6 weight 85;
ge-0/0/7 weight 85;
ge-0/0/8 weight 85;
ge-5/0/5 weight 85;
ge-5/0/6 weight 85;
ge-5/0/7 weight 85;
ge-5/0/8 weight 85;
}
}
-- Exhibit --
Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is currently the primary node. You want to ensure that traffic using those
interfaces fails over to Node 1 if one interface goes down.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 400
-- Exhibit --
user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
node 0 priority 200;
node 1 priority 100;
interface-monitor {
ge-0/0/5 weight 85;
ge-0/0/6 weight 85;
ge-0/0/7 weight 85;
ge-0/0/8 weight 85;
ge-5/0/5 weight 85;
ge-5/0/6 weight 85;
ge-5/0/7 weight 85;
ge-5/0/8 weight 85;
}
}
-- Exhibit --
Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is currently the primary node. You want to ensure that traffic, using those
interfaces, fails over to Node 1 when all interfaces go down.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 401
-- Exhibit
-- Exhibit --
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 402
-- Exhibit
-- Exhibit --
You have configured antispam on your SRX Series device as shown in the exhibit.
Assuming the antispam profile has been properly applied, what happens when an e-mail message arrives at the SRX device from bob@domain-xyz.net at IP
address 150.10.10.10?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 403
-- Exhibit
-- Exhibit --
You have configured antispam on your SRX Series device as shown in the exhibit.
Assuming the antispam profile has been properly applied, what happens when an e-mail message arrives at the SRX device from mary@domain-abc.net at IP
address 150.150.150.10?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 404
-- Exhibit
-- Exhibit --
Referring to the exhibit, you have just committed the UTM configuration.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 405
-- Exhibit --
[edit security utm feature-profile content-filtering]
user@host# show
profile profileA {
block-content-type {
exe;
zip;
}
notification-options {
type message;
custom-message "Not permitted. illegal file type";
}
}
-- Exhibit --
Your SRX Series device includes the content filtering configuration shown in the exhibit.
Assuming the content filtering profile has been properly applied, what happens when a user attempts to send a zip file through the SRX device using FTP?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 406
-- Exhibit --
[edit security utm]
user@host# show
custom-objects {
url-pattern {
permit {
value http://www.domain-abc.net;
}
deny {
value http://www.domain-abc.net/movies;
}
}
custom-url-category {
whitelist {
value permit;
}
blacklist {
value deny;
}
}
}
feature-profile {
web-filtering {
url-whitelist whitelist;
url-blacklist blacklist;
type juniper-local;
juniper-local {
profile profileA {
default block;
custom-block-message "Website access not permitted";
}
}
}
}
-- Exhibit --
Your SRX Series device includes the Web filtering configuration shown in the exhibit.
Assuming the Web filtering profile has been properly applied, what happens when a user attempts to access the Web site www.juniper.net through the SRX device?
A. The HTTP request is blocked and the user's Web browser eventually times out.
B. The HTTP request is blocked and a message is sent back to the user.
C. The HTTP request is intercepted and the URL is sent to the Websense server. The SRX device permits or blocks the request based on the information it
receives back from the server.
D. The HTTP request is permitted and forwarded to the Web server.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 407
What does a zone contain?
A. Routers
B. Interfaces
C. Routing tables
D. NAT Address
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 408
Referring to the exhibit, which two statements are correct? (Choose two.)
screen untrust-screen;
host-inbound-traffic {
system-services {
ssh;
ping;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/3.0 {
host-inbound-traffic {
protocols {
ospf;
}
}
}
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 409
Which statement is true about a logical interface?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 410
You want to configure a security policy that allows traffic to a particular host.
Which step must you perform before committing a configuration with the policy?
Correct Answer: C
QUESTION 411
Which three match criteria must each security policy include? (Choose three.)
A. source address
B. source port
C. destination address
D. destination port
E. application
QUESTION 412
Which three IP option fields can an attacker exploit to cause problems in a network? (Choose three.)
QUESTION 413
Which statement is true about implementing IP spoofing protection as a Junos Screen option?
A. It ensures that the active route to the source has the same egress interface as the ingress interface for the packet.
B. It ensures that a route, active or not, to the source exists with the same egress interface as the ingress interface of the packet.
C. It ensures that the active route to the source has the same egress zone as the ingress zone for the packet.
D. It ensures that a route, active or not, to the source exists with the same egress zone as the ingress zone for the packet.
Correct Answer: A
QUESTION 414
A PC in the trust zone is trying to ping a host in the untrust zone. Referring to the exhibit, which type of NAT is configured?
A. source NAT
B. destination NAT
C. static NAT
D. NAT pool
Correct Answer: A
QUESTION 415
Which operational command produces the output shown in the exhibit?
Correct Answer: D
QUESTION 416
For a route-based VPN, which statement is true?
Correct Answer: C
QUESTION 417
Which function does Diffie-Hellman exchange perform for IPsec VPN?
Correct Answer: B
QUESTION 418
Referring to the exhibit, which two statements are correct about the IPsec configuration? (Choose two.)
Correct Answer: BC
QUESTION 419
Which three components can be downloaded and installed directly from the Juniper Networks update server to an SRX Series device? (Choose three.)
A. signature package
B. PCRE package
C. detector engine
D. policy templates
E. dynamic attack detection package
QUESTION 420
You have a chassis cluster established between two SRX Series devices. You are monitoring the status of the cluster and notice that some redundancy groups show disabled.
Correct Answer: BC
QUESTION 421
Referring to the exhibit, you see that Node 0 is currently primary for redundancy Group 0. You have not yet configured any chassis cluster parameters. You want to ensure that Node 1 is always the primary node for this redundancy group if both nodes reboot at the same time.
Correct Answer: E
QUESTION 422
Referring to the exhibit, you have just committed the UTM antivirus configuration. You notice that the SRX Series device shows that Kaspersky scanning is being used instead of express scanning. What must you do to resolve this problem?
Correct Answer: A
QUESTION 423
Which type of logging is supported for UTM logging to an external syslog server on branch SRX Series devices?
A. Binary syslog
B. CHARGEN
C. WELF (structured) syslog
D. standard (unstructured) syslog
Correct Answer: C
QUESTION 424
To which depth of compressed (Zip) files can the Junos full antivirus feature scan?
A. 1 layer of compression
B. 2 layers of compression
C. 3 layers of compression
D. 4 layers of compression
Correct Answer: D
QUESTION 425
Which two statements describe full file-based antivirus protection? (Choose two.)
Correct Answer: AD