JN0-332.Examcollection.Premium.Exam.

425q

Number: JN0-332
Passing Score: 800
Time Limit: 120 min
File Version: 28.0

Exam Code: JN0-332

Exam Name: Juniper Networks Certified Internet Specialist, SEC (JNCIS-SEC)

Version 28.0
JN0-332

QUESTION 1
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?

A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Click the Exhibit button.

You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN tunnel. Which command causes traffic to be sent through an
IPsec VPN named remote-vpn?

A. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then tunnel remote-vpn
B. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn
C. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn
D. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)

A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
You must configure a SCREEN option that would protect your router from a session table flood. Which configuration meets this requirement?

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    icmp {
        ip-sweep threshold 5000;
        flood threshold 2000;
    }
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    tcp {
        syn-flood {
            attack-threshold 2000;
            destination-threshold 2000;
        }
    }
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    udp {
        flood threshold 5000;
    }
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    limit-session {
        source-ip-based 1200;
        destination-ip-based 1200;
    }
}

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?

A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Which security or functional zone name has special significance to the Junos OS?

A. self
B. trust
C. untrust
D. junos-global

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which command do you use to display the status of an antivirus database update?

A. show security utm anti-virus status
B. show security anti-virus database status
C. show security utm anti-virus database
D. show security utm anti-virus update

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Which statement contains the correct parameters for a route-based IPsec VPN?

A. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    interface ge-0/0/1.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}
B. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    interface st0.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}
C. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    bind-interface ge-0/0/1.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}
D. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    bind-interface st0.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
Which zone is system-defined?

A. security
B. functional
C. junos-global
D. management

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the
HR zone. Under which configuration hierarchy must you permit OSPF traffic?

A. [edit security policies from-zone HR to-zone HR]
B. [edit security zones functional-zone management protocols]
C. [edit security zones protocol-zone HR host-inbound-traffic]
D. [edit security zones security-zone HR host-inbound-traffic protocols]

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which three statements are true regarding IDP? (Choose three.)

A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Click the Exhibit button.

Your IKE SAs are up, but the IPsec SAs are not up. Referring to the exhibit, what is the problem?

A. One or more of the phase 2 proposals such as authentication algorithm, encryption algorithm do not match.
B. The tunnel interface is down.
C. The proxy IDs do not match.
D. The IKE proposals do not match the IPsec proposals.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Which two statements regarding symmetric key encryption are true? (Choose two.)

A. The same key is used for encryption and decryption.
B. It is commonly used to create digital certificate signatures.
C. It uses two keys: one for encryption and a different key for decryption.
D. An attacker can decrypt data if the attacker captures the key used for encryption.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)

A. protocol list
B. MIME
C. block list
D. extension

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Which two statements are true about hierarchical architecture? (Choose two.)

A. You can assign a logical interface to multiple zones.
B. You cannot assign a logical interface to multiple zones.
C. You can assign a logical interface to multiple routing instances.
D. You cannot assign a logical interface to multiple routing instances.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)

A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is bypassed.
D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request,
authentication is rejected.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Click the Exhibit button.

In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still allowed.

Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated before your Allow policy?

A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow
C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow
D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Which UTM feature requires a license to function?

A. integrated Web filtering
B. local Web filtering
C. redirect Web filtering
D. content filtering

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Click the Exhibit button.
System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device.

Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)

A. A user can use SSH to interface ge-0/0/0.0 and ge-0/0/1.0.
B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.
C. A user can use SSH to interface ge-0/0/0.0.
D. A user can use SSH to interface ge-0/0/1.0.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
A user wants to establish an HTTP session to a server behind an SRX device but is being pointed to a Web page on the SRX device for additional authentication.
Which type of user authentication is configured?

A. pass-through with Web redirect
B. WebAuth with HTTP redirect
C. WebAuth
D. pass-through

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Web authentication is valid for all types of traffic. With Web authentication configured, users must first directly access the Junos security platform using HTTP. The
user enters the address or hostname of the device into a Web browser and then receives a prompt for a username and password. If authentication is successful,
the user can then access the restricted resource directly. Subsequent traffic from the same source IP address is automatically allowed access to the restricted
resource, as long as security policy allows for it.

QUESTION 21
Which two UTM features require a license to be activated? (Choose two.)

A. antispam
B. antivirus (full AV)
C. content filtering
D. Web-filtering redirect

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or rules that overlap? (Choose two.)

A. Addresses used for NAT pools should never overlap.
B. If more than one rule-set matches traffic, the rule-set with the most specific context takes precedence.
C. If traffic matches two rules within the same rule-set, both rules listed in the configuration are applied.
D. Dynamic source NAT rules take precedence over static source NAT rules.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
A network administrator has configured source NAT, translating to an address that is on a locally connected subnet. The administrator sees the translation working,
but traffic does not appear to come back. What is causing the problem?

A. The host needs to open the telnet port.
B. The host needs a route for the translated address.
C. The administrator must use a proxy-arp policy for the translated address.
D. The administrator must use a security policy, which will allow communication between the zones.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Which statement describes an ALG?

A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Which three components can be leveraged when defining a local whitelist or blacklist for antispam on a branch SRX Series device? (Choose three.)

A. spam assassin filtering score
B. sender country
C. sender IP address
D. sender domain
E. sender e-mail address

Correct Answer: CDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
What is the correct syntax for applying node-specific parameters to each node in a chassis cluster?

A. set apply-groups node$
B. set apply-groups (node)
C. set apply-groups $(node)
D. set apply-groups (node)all

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Which statement describes a security zone?

A. A security zone can contain one or more interfaces.
B. A security zone can contain interfaces in multiple routing instances.
C. A security zone must contain two or more interfaces.
D. A security zone must contain bridge groups.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
A system administrator detects thousands of open idle connections from the same source. Which problem can arise from this type of attack?

A. It enables an attacker to perform an IP sweep of devices.
B. It enables a hacker to know which operating system the system is running.
C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.
D. It creates a ping of death and can cause the entire network to be infected with a virus.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Under which Junos hierarchy level are security policies configured?

A. [edit security]
B. [edit protocols]
C. [edit firewall]
D. [edit policy-options]

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    icmp {
        ip-sweep threshold 5000;
        flood threshold 2000;
    }
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    tcp {
        syn-flood {
            attack-threshold 2000;
            destination-threshold 2000;
        }
    }
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    udp {
        flood threshold 5000;
    }
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    limit-session {
        source-ip-based 1200;
        destination-ip-based 1200;
    }
}

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
Which three methods of source NAT does the Junos OS support? (Choose three.)

A. interface-based source NAT
B. source NAT with address shifting
C. source NAT using static source pool
D. interface-based source NAT without PAT
E. source NAT with address shifting and PAT

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Which three firewall user authentication objects can be referenced in a security policy? (Choose three.)

A. access profile
B. client group
C. client
D. default profile
E. external

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
What is the default session timeout for TCP sessions?

A. 1 minute
B. 15 minutes
C. 30 minutes
D. 90 minutes

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
Which three advanced permit actions within security policies are valid? (Choose three.)

A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Which statement is true regarding the Junos OS for security platforms?

A. SRX Series devices can store sessions in a session table.
B. SRX Series devices accept all traffic by default.
C. SRX Series devices must operate only in packet-based mode.
D. SRX Series devices must operate only in flow-based mode.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
SRX Series devices operate in flow-based mode by default.
However, it is possible to apply a filter on an interface, which will enforce packet-based mode.

QUESTION 36
Click the Exhibit button.

Which type of NAT is being used in the exhibit?

A. no NAT
B. destination NAT
C. source NAT
D. port address translation (PAT)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured? (Choose two.)

A. [edit security idp]
B. [edit security zones security-zone trust interfaces ge-0/0/0.0]
C. [edit security zones security-zone trust]
D. [edit security screen]

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
Which two parameters are configured in IPsec policy? (Choose two.)

A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
The SRX device receives a packet and determines that it does not match an existing session. After SCREEN options are evaluated, what is evaluated next?

A. source NAT
B. destination NAT
C. route lookup
D. zone lookup

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
Which zone type can be specified in a policy?

A. security
B. functional
C. user
D. system

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
Which two statements about Junos software packet handling are correct? (Choose two.)

A. The Junos OS applies service ALGs only for the first packet of a flow.
B. The Junos OS uses fast-path processing only for the first packet of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
Which Web-filtering technology can be used at the same time as integrated Web filtering on a single branch SRX Series device?

A. Websense redirect Web filtering
B. local Web filtering (blacklist or whitelist)
C. firewall user authentication
D. ICAP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?

A. This interface is a system-created interface.
B. This interface belongs to node 0 of the cluster.
C. This interface belongs to node 1 of the cluster.
D. This interface will not exist because SRX 5800 devices have only 12 slots.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using DHCP. Which two statements are true? (Choose
two.)

A. Only main mode can be used for IKE negotiation.
B. A local-identity must be defined.
C. It must be the initiator for IKE.
D. A remote-identity must be defined.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
Click the Exhibit button.

In the exhibit, you decided to change my Hosts addresses. What will happen to the new sessions matching the policy and in-progress sessions that had already
matched the policy?

A. New sessions will be evaluated. In-progress sessions will be re-evaluated.
B. New sessions will be evaluated. All in-progress sessions will continue.
C. New sessions will be evaluated. All in-progress sessions will be dropped.
D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will be re-evaluated and possibly dropped.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
When using UTM features in an HA cluster, which statement is true for installing the licenses on the cluster members?

A. One UTM cluster license will activate UTM features on both members.
B. Each device will need a UTM license generated for its serial number.
C. Each device will need a UTM license generated for the cluster, but licenses can be applied to either member.
D. HA clustering automatically comes with UTM licensing, no additional actions are needed.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
Which statement is true regarding NAT?

A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The data plane on Junos security platforms, implemented on IOCs, NPCs, and SPCs for high-end devices and on CPU cores and PIMs for branch devices,
consists of Junos OS packet-handling modules compounded with a flow engine and session management like that of the ScreenOS software. Intelligent packet
processing ensures that one single thread exists for packet flow processing associated with a single flow. Real-time processes enable the Junos OS to perform
session-based packet forwarding.

QUESTION 49
Which two functions of the Junos OS are handled by the data plane? (Choose two.)

A. NAT
B. OSPF
C. SNMP
D. SCREEN options

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
After applying the policy-rematch statement under the security policies stanza, what would happen to an existing flow if the policy source address or the destination
address is changed and committed?

A. The Junos OS drops any flow that does not match the source address or destination address.
B. All traffic is dropped.
C. All existing sessions continue.
D. The Junos OS does a policy re-evaluation.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
Which statement is correct about HTTP trickling?

A. It prevents the HTTP client or server from timing-out during an antivirus update.
B. It prevents the HTTP client or server from timing-out during antivirus scanning.
C. It is an attack.
D. It is used to bypass antivirus scanners.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
For which network anomaly does Junos provide a SCREEN?

A. a telnet to port 80
B. a TCP packet with the SYN and ACK flags set
C. an SNMP getnext request
D. an ICMP packet larger than 1024 bytes

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?

A. whitelists, blacklists, SurfControl categories
B. blacklists, whitelists, SurfControl categories
C. SurfControl categories, whitelists, blacklists
D. SurfControl categories, blacklists, whitelists

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The administrator must also disable NAT for any traffic destined to the
202.2.10.0/24 network. Which configuration would accomplish this task?

A. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
    match {
        source-address 202.2.10.0/24;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}
rule B {
    match {
        destination-address 10.0.0.0/8;
    }
    then {
        source-nat {
            off;
        }
    }
}
B. [edit security nat source]
user@host# show rule-set test
from zone trust;
to zone untrust;
rule 1 {
    match {
        destination-address 202.2.10.0/24;
    }
    then {
        source-nat {
            off;
        }
    }
}
rule 2 {
    match {
        source-address 10.0.0.0/8;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}
C. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
    match {
        source-address 10.0.0.0/8;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}
rule B {
    match {
        destination-address 202.2.10.0/24;
    }
    then {
        source-nat {
            off;
        }
    }
}
D. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
    match {
        source-address 10.0.0.0/8;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web filtering is being used?

A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
Which two statements are true with regard to policy ordering? (Choose two.)

A. The last policy is the default policy, which allows all traffic.
B. The order of policies is not important.
C. New policies are placed at the end of the policy list.
D. The insert command can be used to change the order.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
Regarding fast path processing, when does the system perform the policy check?

A. The policy is determined after the SCREEN options check.
B. The policy is determined only during the first packet path, not during fast path.
C. The policy is determined after the zone check.
D. The policy is determined after the SYN TCP flag.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
Which URL database do branch SRX Series devices use when leveraging local Web filtering?

A. The SRX Series device will download the database from an online repository to locally inspect HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
How do you apply UTM enforcement to security policies on the branch SRX Series?

A. UTM profiles are applied on a security policy by policy basis.
B. UTM profiles are applied at the global policy level.
C. Individual UTM features like anti-spam or anti-virus are applied directly on a security policy by policy basis.
D. Individual UTM features like anti-spam or anti-virus are applied directly at the global policy level.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)

A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
Which configuration shows a pool-based source NAT without PAT?

A. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
            port no-translation;
        }
    }
}
B. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
            port no-translation;
        }
    }
}
C. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    port no-translation;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}
D. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
Which two statements are true regarding IDP? (Choose two.)

A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
What is the purpose of a chassis cluster?

A. Chassis clusters are used to aggregate routes.
B. Chassis clusters are used to create aggregate interfaces.
C. Chassis clusters are used to group two chassis into one logical chassis.
D. Chassis clusters are used to group all interfaces into one cluster interface.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The Junos OS achieves high availability on Junos security platforms using chassis clustering. Chassis clustering provides network node redundancy by grouping
two like devices into a cluster. The two nodes back each other up with one node acting as the primary and the other as the secondary node, ensuring the stateful
failover of processes and services in the event of system or hardware failure. A control link between services processing cards (SPCs) or revenue ports and an
Ethernet data link between revenue ports connect two like devices. Junos security platforms must be the same model, and all SPCs, network processing cards
(NPCs), and input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware revision. The chassis clustering feature in the
Junos OS is built on the high availability methodology of Juniper Networks M Series and T Series platforms and the TX Matrix platform, including multichassis
clustering, active-passive Routing Engines (REs), active-active Packet Forwarding Engines (PFEs), and graceful RE switchover capability.

QUESTION 64
Which three statements are true when working with high-availability clusters? (Choose three.)

A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.

Correct Answer: CDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in
a zone called TRUST. However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST
zone. Which configuration statement would correctly accomplish this task?

A. from-zone UNTRUST to-zone TRUST {
policy DenyServer {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone TRUST to-zone UNTRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}

B. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}
C. from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-ftp;
}
then {
permit;
}
}
}
D. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
Which command do you use to manually remove antivirus patterns?

A. request security utm anti-virus juniper-express-engine pattern-delete
B. request security utm anti-virus juniper-express-engine pattern-reload
C. request security utm anti-virus juniper-express-engine pattern-remove
D. delete security utm anti-virus juniper-express-engine antivirus-pattern

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
Which three parameters are configured in the IKE policy? (Choose three.)

A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
Which two statements are true about the relationship between static NAT and proxy ARP? (Choose two.)

A. It is necessary to forward ARP requests to remote hosts.
B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.
C. It is not automatic and you must configure it.
D. It is enabled by default and you do not need to configure it.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
Which CLI command do you use to block MIME content at the [edit security utm feature-profile] hierarchy?

A. set content-filtering profile <name> permit-command block-mime
B. set content-filtering profile <name> block-mime
C. set content-filtering block-content-type <name> block-mime
D. set content-filtering notifications block-mime

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
If both nodes in a chassis cluster initialize at different times, which configuration example will allow you to ensure that the node with the higher priority will become
primary for your RGs other than RG0?

A. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
preempt;
}
B. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
monitoring;
}
C. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
control-link-recovery;
}
D. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
strict-priority;
}

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
By default, how is traffic evaluated when the antivirus database update is in progress?

A. Traffic is scanned against the old database.
B. Traffic is scanned against the existing portion of the currently downloaded database.
C. All traffic that requires antivirus inspection is dropped and a log message generated displaying the traffic endpoints.
D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log message generated displaying the traffic endpoints.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
Which statement is true regarding IPsec VPNs?

A. There are five phases of IKE negotiation.
B. There are two phases of IKE negotiation.
C. IPsec VPN tunnels are not supported on SRX Series devices.
D. IPsec VPNs require a tunnel PIC in SRX Series devices.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID to 1 and node to 0?

A. user@host# set chassis cluster cluster-id 1 node 0 reboot
B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
D. user@host# set chassis cluster id 1 node 0 reboot

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 74
Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)

A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
How many IDP policies can be active at one time on an SRX Series device by means of the set security idp active-policy configuration statement?

A. 1
B. 2
C. 4
D. 8

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
Which two statements regarding firewall user authentication client groups are true? (Choose two.)

A. A client group is a list of clients associated with a group.
B. A client group is a list of groups associated with a client.
C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.
D. Client groups are used to simplify configuration by enabling firewall user authentication without security policy.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
Your task is to provision the Junos security platform to permit transit packets from the Private zone to the External zone by using an IPsec VPN and log information
at the time of session close. Which configuration meets this requirement?

A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-init;
}
}
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
count {
session-close;
}
}
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-close;
}
}
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
log;
count session-close;
}
}
}
}

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
A user wants to establish an FTP session to a server behind an SRX device but must authenticate to a Web page on the SRX device for additional authentication.
Which type of user authentication is configured?

A. pass-through
B. WebAuth
C. WebAuth with Web redirect
D. pass-through with Web redirect

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Web authentication is valid for all types of traffic. With Web authentication configured, users must first directly access the Junos security platform using HTTP. The
user enters the address or hostname of the device into a Web browser and then receives a prompt for a username and password. If authentication is successful,
the user can then access the restricted resource directly. Subsequent traffic from the same source IP address is automatically allowed access to the restricted
resource, as long as security policy allows for it.

QUESTION 79
What is the functionality of redundant interfaces (reth) in a chassis cluster?

A. reth interfaces are used only for VRRP.
B. reth interfaces are the same as physical interfaces.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.
D. Each cluster member has a reth interface that can be used to share session state information with the other cluster members.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
A network administrator receives complaints from the engineering group that an application on one server is not working properly. After further investigation, the
administrator determines that source NAT translation is using a different source address after a random number of flows. Which two actions can the administrator
take to force the server to use one address? (Choose two.)

A. Use the custom application feature.
B. Configure static NAT for the host.
C. Use port address translation (PAT).
D. Use the address-persistent option.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
What is the default session timeout for UDP sessions?

A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 82
Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose two.)

A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related, ensuring higher security.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}
}

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
What are three configuration objects used to build Junos IDP rules? (Choose three.)

A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
Click the Exhibit button.

Assume the default-policy has not been configured. Given the configuration shown in the exhibit, which two statements about traffic from host_a in the HR zone to
host_b in the trust zone are true? (Choose two.)

A. DNS traffic is denied.
B. HTTP traffic is denied.
C. FTP traffic is permitted.
D. SMTP traffic is permitted.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
When an SRX series device receives an ESP packet, what happens?

A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the
packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of
inner header, it will decrypt the packet.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
Click the Exhibit button.

[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to 2.1.1.1. On which port is the IKE SA established?

A. TCP 500
B. UDP 500
C. TCP 4500
D. UDP 4500

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
Click the Exhibit button.

What are two valid reasons for the output shown in the exhibit? (Choose two.)

A. The local Web-filtering daemon is not enabled or is not running.
B. The integrated Web-filtering policy server is not reachable.
C. No DNS is configured on the SRX Series device.
D. No security policy is configured to use Web filtering.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89
What is the maximum number of layers of decompression that juniper-express-engine (express AV) can decompress for the HTTP protocol?

A. 0
B. 1
C. 4
D. 8

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
Which three features are part of the branch SRX series UTM suite? (Choose three.)

A. antispam
B. antivirus
C. IPS
D. application firewalling
E. Web filtering

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
What are two TCP flag settings that are considered suspicious? (Choose two.)

A. Do-Not-Fragment flag is set.
B. Both SYN and FIN flags are set.
C. Both ACK and PSH flags are set.
D. FIN flag is set and ACK flag is not set.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 92
The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web filtering is being used?

A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
Which two statements are true regarding redundancy groups? (Choose two.)

A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned
to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 94
What are two components of the Junos software architecture? (Choose two.)

A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
Which IDP policy action closes the connection and sends an RST packet to both the client and the server?

A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 96
Which statement describes the UTM licensing model?

A. Install the license key and all UTM features will be enabled for the life of the product.
B. Install one license key per feature and the license key will be enabled for the life of the product.
C. Install one UTM license key, which will activate all UTM features; the license will need to be renewed when it expires.
D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they expire.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
You have configured a UTM profile called Block-Spam, which has the appropriate antispam configuration to block undesired spam e-mails. Which configuration
would protect an SMTP server in the dmz zone from spam originating in the untrust zone?

A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-services utm-policy Block-Spam
B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services utm-policy Block-Spam
C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services anti-spam-policy Block-Spam
D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services Block-Spam

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options offer protection against various attacks.
B. SCREEN options are deployed prior to route and policy processing in first path packet processing.
C. SCREEN options are deployed at the ingress and egress sides of a packet flow.
D. When you deploy SCREEN options, you must take special care to protect OSPF.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 99
Click the Exhibit button.

Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with the device on ge-0/0/0.0?

A. RIP
B. OSPF
C. BGP and RIP
D. RIP and PIM

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 100
Which two statements about static NAT are true? (Choose two.)

A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device has been properly configured with antispam inspection enabled for
the appropriate security policy? (Choose three.)

A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.
B. The server sending the e-mail to the SRX Series device is running unknown SMTP server software.
C. The server sending the e-mail to the SRX Series device is on an IP address range that is known to be dynamically assigned.
D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 102
Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?

A. A session key value is exchanged across the network.
B. A session key never passes across the network.
C. A session key is used as the key for asymmetric data encryption.
D. A session key is used as the key for symmetric data encryption.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 103
Which zone type will allow transit-traffic?

A. system
B. security
C. default
D. functional

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
Which two statements are true for a security policy? (Choose two.)

A. It controls inter-zone traffic.
B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
Which CLI command provides a summary of what the content-filtering engine has blocked?

A. show security utm content-filtering statistics
B. show security flow session
C. show security flow statistics
D. show security utm content-filtering summary

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
Click the Exhibit button.

You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit.
What is the problem?

A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm, or pre-shared key does not match.
B. There is no route for 2.2.2.2.
C. There is no IKE definition in the configuration for peer 2.2.2.2.
D. system services ike is not enabled on the interface with IP 1.1.1.2.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
Which URL will match the URL pattern www.news.com/asia?

A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
Click the Exhibit button.

In the exhibit, what is the function of the configuration statements?

A. This section is where you define all chassis clustering configuration.
B. This configuration is required for members of a chassis cluster to talk to each other.
C. You can apply this configuration in the chassis cluster to make configuration easier.
D. This section is where unique node configuration is applied.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 109
A network administrator repeatedly receives support calls about network issues. After investigating the issues, the administrator finds that the source NAT pool is
running out of addresses. To be notified that the pool is close to exhaustion, what should the administrator configure?

A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.
B. Use a trap-group with a category of services under the SNMP stanza.
C. Use an external script that will run a show command on the SRX Series device to see when the pool is close to exhaustion.
D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
Which two statements are true when describing the capabilities of integrated Web filtering on branch SRX Series devices? (Choose two.)

A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.
B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow different policies to be enforced for different users.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
Which statement is true when express AV detects a virus in TCP session?

A. TCP RST is sent and a session is restarted.
B. TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent.
D. AV scanning is restarted.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 112
Click the Exhibit button.

Which command is needed to change this policy to a tunnel policy for a policy-based VPN?

A. set policy tunnel-traffic then tunnel remote-vpn
B. set policy tunnel-traffic then permit tunnel remote-vpn
C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit
D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
Which two statements describe the difference between Junos software for security platforms and a traditional router? (Choose two.)

A. Junos software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. Junos software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.
C. Junos software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.
D. Junos software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 114
Using a policy with the policy-rematch flag enabled, what happens to the existing and new sessions when you change the policy action from permit to deny?

A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another policy. The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are completed or their timeout is reached.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
Which two content-filtering features does FTP support? (Choose two.)

A. block extension list
B. block MIME type
C. protocol command list
D. notifications-options

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 116
Which statement is true about a NAT rule action of off?

A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 117
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone. From the [edit] hierarchy, which command do you use to
configure this assignment?

A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host B. These connections are the only communication between Host
A and Host B. The security policy configuration permits both connections. How many sessions exist between Host A and Host B?

A. 1
B. 2
C. 3
D. 4

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 119
Click the Exhibit button.

A network administrator receives complaints that the application voicecube is timing out after being idle for 30 minutes. Referring to the exhibit, what is a resolution?

A. [edit]
user@host# set applications application voicecube inactivity-timeout never
B. [edit]
user@host# set applications application voicecube inactivity-timeout 2
C. [edit]
user@host# set applications application voicecube destination-port 5060
D. [edit]
user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
Which parameters are valid SCREEN options for combating operating system probes?

A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 121
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to be the primary node for this redundancy group. You need to verify
that the redundancy group failover is successful. Which command do you use to manually test the failover?

A. request chassis cluster manual failover group 1 node 1
B. request cluster failover redundancy-group 1 node 1
C. request chassis cluster manual failover redundancy-group 1 node 1
D. request chassis cluster failover redundancy-group 1 node 1

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 122
The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web filtering on the branch SRX device is fully executed within the
device itself?

A. redirect Web filtering
B. integrated Web filtering
C. blacklist Web filtering
D. local Web filtering

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 123
In the Junos OS, which statement is true?

A. vlan.0 belongs to the untrust zone.
B. You must configure Web authentication to allow inbound traffic in the untrust zone.
C. The zone name untrust has no special meaning.
D. The untrust zone is not configurable.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 124
Which statement is true about SurfControl integrated Web filter solution?

A. The SurfControl server in the cloud provides the SRX device with the category of the URL as well as the reputation of the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
C. The SurfControl server in the cloud provides the SRX device with only the reputation of the URL.
D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny the URL.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 125
Click the Exhibit button.

Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.

What is causing the problem?

A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 126
Which two statements are true regarding firewall user authentication? (Choose two.)

A. When configured for pass-through firewall user authentication, the user must first open a connection to the Junos security platform before connecting to a
remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a connection to the Junos security platform before connecting to a remote
network resource.
C. If a Junos security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.
D. If a Junos security device is configured for Web firewall user authentication, new sessions are automatically intercepted to perform authentication.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 127
You want to create a security policy allowing traffic from any host in the Trust zone to hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this
policy?

A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.
D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 128
Which three types of content filtering are supported only for HTTP? (Choose three.)

A. block Flash
B. block Java applets
C. block ActiveX
D. block EXE files
E. block MIME type

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 129
Which three represent IDP policy match conditions? (Choose three.)

A. protocol
B. source-address
C. port
D. application
E. attacks

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 130
Which two statements are true regarding the system-default security policy [edit security policies default-policy]? (Choose two.)

A. Traffic is permitted from the trust zone to the untrust zone.
B. Intrazone traffic in the trust zone is permitted.
C. All traffic through the device is denied.
D. The policy is matched only when no other matching policies are found.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 131
Which configuration shows the correct application of a security policy scheduler?

A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
            scheduler-name now;
        }
    }
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
                scheduler-name now;
            }
        }
    }
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
        scheduler-name now;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 132
Which three functions are provided by the Junos OS for security platforms? (Choose three.)

A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 133
Which three options represent IDP policy match conditions? (Choose three.)

A. service
B. to-zone
C. attacks
D. port
E. destination-address

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 134
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP? (Choose three.)

A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 135
Which two statements apply to policy scheduling? (Choose two.)

A. An individual policy can have only one scheduler applied.
B. You must manually configure system-time updates.
C. Multiple policies can use the same scheduler.
D. Policies that do not have schedulers are not active.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 136
Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)

A. It can drop the connection at the IP address level.
B. It can block the e-mail based upon the sender ID.
C. It can allow the e-mail and bypass all UTM inspection.
D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 137
What are three different integrated UTM components available on the branch SRX Series devices? (Choose three.)

A. antivirus (full AV, express AV)
B. antivirus (desktop AV)
C. Web filtering
D. antispam
E. firewall user authentication

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 138
You want to test a configured screen value prior to deploying. Which statement will allow you to accomplish this?

A. [edit security screen]
user@host# show
ids-option untrust-screen {
    alarm-test-only;
}
B. [edit security screen]
user@host# show
ids-option untrust-screen {
    alarm-without-drop;
}
C. [edit security screen]
user@host# show
ids-option untrust-screen {
    alarm-no-drop;
}
D. [edit security screen]
user@host# show
ids-option untrust-screen {
    test-without-drop;
}

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 139
Which three contexts can be used as matching conditions in a source NAT configuration? (Choose three.)

A. routing-instance
B. zone
C. interface
D. policy
E. rule-set

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 140
Which command shows the event and traceoptions file for chassis clusters?

A. show log chassisd
B. show log clusterd
C. show log jsrpd
D. show log messages

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 141
Which encryption type is used to secure user data in an IPsec tunnel?

A. symmetric key encryption
B. asymmetric key encryption
C. RSA
D. digital certificates

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 142
Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your device. You must use NAT to make the Web server reachable from the Internet using port translation. Which type of NAT must you configure?

A. source NAT with address shifting
B. pool-based source NAT
C. static destination NAT
D. pool-based destination NAT

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 143
Which two types of attacks are considered to be denial of service? (Choose two.)

A. zombie agents
B. SYN flood
C. IP packet fragments
D. WinNuke

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 144
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?

A. express AV
B. full AV
C. desktop AV
D. ICAP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 145
Which two statements are true about the Websense redirect Web filter solution? (Choose two.)

A. The Websense redirect Web filter solution does not require a license on the SRX device.
B. The Websense server provides the SRX device with a category for the URL and the SRX device then matches the category with its configured policies and decides to permit or deny the URL.
C. The Websense server provides the SRX device with a decision as to whether the SRX device permits or denies the URL.
D. When the Websense server does not know the category of the URL, it sends a request back to the SRX device to validate against the integrated SurfControl server in the cloud.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 146
Click the Exhibit button.

Referring to the exhibit, which statement contains the correct gateway parameters?

A. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
    policy ike-policy1;
    address 10.10.10.1;
    dead-peer-detection {
        interval 20;
        threshold 5;
    }
    external-interface ge-1/0/1.0;
}
B. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
    ike-policy ike-policy1;
    address 10.10.10.1;
    dead-peer-detection {
        interval 20;
        threshold 5;
    }
    external-interface ge-1/0/1.0;
}
C. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
    policy ike1-policy;
    address 10.10.10.1;
    dead-peer-detection {
        interval 20;
        threshold 5;
    }
    external-interface ge-1/0/1.0;
}
D. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
    ike-policy ike1-policy;
    address 10.10.10.1;
    dead-peer-detection {
        interval 20;
        threshold 5;
    }
    external-interface ge-1/0/1.0;
}

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 147
Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)

A. integrated Web filtering
B. full AV
C. IPS
D. local Web filtering

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 148
Content filtering enables traffic to be permitted or blocked based on inspection of which three types of content? (Choose three.)

A. MIME pattern
B. file extension
C. IP spoofing
D. POP3
E. protocol command

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 149
What are three valid Juniper Networks IPS attack object types? (Choose three.)

A. signature
B. anomaly
C. trojan
D. virus
E. chain

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 150
Which two statements are true about AH? (Choose two.)

A. AH provides data integrity.
B. AH is identified by IP protocol 50.
C. AH is identified by IP protocol 51.
D. AH cannot work in conjunction with ESP.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 151
Click the Exhibit button.

Referring to the exhibit, what is the correct proxy-id?

A. local 1.1.1.0/24, remote 2.1.1.0/24
B. local 2.1.1.0/24, remote 1.1.1.0/24
C. local 12.1.1.0/24, remote 11.1.1.0/24
D. local 11.1.1.0/24, remote 12.1.1.0/24

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 152
On which component is the control plane implemented?

A. IOC
B. PIM
C. RE
D. SPC

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 153
Which two packet attributes contribute to the identification of a session? (Choose two.)

A. destination port
B. TTL
C. IP options
D. protocol number

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 154
Which interface is used for RTO synchronization and forwarding traffic between the devices in a cluster?

A. the st interface
B. the reth interface
C. the fxp1 and fxp0 interfaces
D. the fab0 and fab1 interfaces

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 155
Click the Exhibit button.

In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from the match condition of the policy My Traffic. What will happen to the existing FTP and BGP sessions?

A. The existing FTP and BGP sessions will continue.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be dropped.
C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.
D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 156
Click the Exhibit button.
Given the configuration shown in the exhibit, which configuration object would be used to associate both Nancy and Walter with firewall user authentication within a security policy?

A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 157
Which two statements are true about pool-based source NAT? (Choose two.)

A. PAT is not supported.
B. PAT is enabled by default.
C. It supports the address-persistent configuration option.
D. It supports the junos-global configuration option.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 158
What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can decompress for the HTTP protocol?

A. 1
B. 4
C. 8
D. 16

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 159
The same Web site is visited for the second time using a branch SRX Series Services Gateway configured with SurfControl integrated Web filtering. Which statement is true?

A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server provides the SRX with a category of the URL.
B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server asks the SRX device to permit the URL as it has been previously visited.
C. The SRX device looks at its local cache to find the category of the URL.
D. The SRX device does not perform any Web filtering operation as the Web site has already been visited.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 160
To determine whether a particular file has a virus by only inspecting a few initial packets before receiving the entire file, which UTM feature do you enable?

A. URL white lists
B. intelligent pre-screening
C. trickling
D. scan mode extensions

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 161
Which element occurs first during the first-packet-path processing?

A. destination NAT
B. forwarding lookup
C. route lookup
D. SCREEN options

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 162
Which statement describes the behavior of source NAT with address shifting?

A. Source NAT with address shifting translates both the source IP address and the source port of a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same translated IP address.
D. Source NAT with address shifting allows inbound connections to be initiated to the static source pool IP addresses.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 163
Which two statements are true about IPsec traffic? (Choose two.)

A. IPsec traffic can be forwarded when no IKE SA is present.
B. IPsec traffic can be forwarded when no IPsec SA is present.
C. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the inner IP header of the final ESP packet.
D. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the outer IP header of the final ESP packet.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 164
You must configure a SCREEN option that will protect your router from a session table flood.
Which configuration meets this requirement?

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    icmp {
        ip-sweep threshold 5000;
        flood threshold 2000;
    }
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    tcp {
        syn-flood {
            attack-threshold 2000;
            destination-threshold 2000;
        }
    }
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    udp {
        flood threshold 5000;
    }
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    limit-session {
        source-ip-based 1200;
        destination-ip-based 1200;
    }
}

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 165
Which two statements are true regarding high-availability chassis clustering? (Choose two.)

A. A chassis cluster consists of two devices.
B. A chassis cluster consists of two or more devices.
C. Devices participating in a chassis cluster can be different models.
D. Devices participating in a chassis cluster must be the same models.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 166
Which statement is true for interfaces residing outside of redundancy groups?

A. The interfaces cannot be mapped to security zones.
B. Only interfaces that have redundancy can be active in the chassis cluster.
C. All interfaces will be redundant if they reside on a system that is part of a chassis cluster.
D. Interfaces that are not in a redundancy group can still forward traffic, but no redundancy is available for them.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 167
Under which configuration hierarchy is an access profile configured for firewall user authentication?

A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 168
Which two statements are true about juniper-express-engine (express AV)? (Choose two.)

A. It does not support scan mode by extension.
B. It can detect polymorphic viruses.
C. It cannot decompress a zipped file transmitted using FTP.
D. It cannot decompress a zipped file transmitted using POP3.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 169
What are two uses of NAT? (Choose two.)

A. enabling network migrations
B. conserving public IP addresses
C. allowing stateful packet inspection
D. preventing unauthorized connections from outside the network

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 170
Which three statements are true when working with high-availability clusters? (Choose three.)

A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.

Correct Answer: CDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 171
Which security or functional zone name has special significance to the Junos OS?

A. self
B. trust
C. untrust
D. junos-global

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 172
Which statement is true regarding NAT?

A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 173
Which statement describes an ALG?

A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 174
Which UTM feature requires a license to function?

A. integrated Web filtering
B. local Web filtering
C. redirect Web filtering
D. content filtering

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 175
Which URL will match the URL pattern "www.news.com/asia"?

A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 176
What are three valid Juniper Networks IPS attack object types? (Choose three.)

A. signature
B. anomaly
C. trojan
D. virus
E. chain

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 177
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)

A. protocol list
B. MIME
C. block list
D. extension

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 178
Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)

A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 179
Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)

A. It can drop the connection at the IP address level.
B. It can block the e-mail based upon the sender ID.
C. It can allow the e-mail and bypass all UTM inspection.
D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 180
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to be the primary node for this redundancy group. You need to verify that the redundancy group failover is successful.

Which command do you use to manually test the failover?

A. request chassis cluster manual failover group 1 node 1
B. request cluster failover redundancy-group 1 node 1
C. request chassis cluster manual failover redundancy-group 1 node 1
D. request chassis cluster failover redundancy-group 1 node 1

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 181
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?

A. express AV
B. full AV
C. desktop AV
D. ICAP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 182
Which two statements about static NAT are true? (Choose two.)

A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 183
Which statement is true about zone interface assignment?

A. A logical interface can be assigned to a functional zone.
B. A security zone must contain two or more logical interfaces.
C. A logical interface can be assigned to multiple security zones.
D. A logical interface can be assigned to a functional zone and a security zone simultaneously.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 184
You want to ensure end-to-end data connectivity through an IPsec tunnel.
Which feature would you activate?

A. DPD
B. VPN monitor
C. perfect forward secrecy
D. NHTB

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 185
In which two cases would you consider the TCP flag settings to be suspicious? (Choose two.)

A. Do-Not-Fragment flag is set.
B. Both SYN and FIN flags are set.
C. Both ACK and PSH flags are set.
D. FIN flag is set and ACK flag is not set.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 186
Which operational mode command displays all active IKE phase 2 security associations?

A. show ike security-associations
B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 187
Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)

A. integrated Web filtering
B. full AV
C. IPS
D. local Web filtering

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 188
Which three security policy actions are valid? (Choose three.)

A. deny
B. allow
C. permit
D. reject
E. discard

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 189
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?

A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 190
Which URL database do branch SRX Series devices use when leveraging local Web filtering?

A. The SRX Series device will download the database from an online repository to locally inspect HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 191
Your task is to provision the Junos security platform to permit transit packets from the Private zone to the External zone and send them through the IPsec VPN. You must also have the device generate a log message when the session ends.
Which configuration meets this requirement?

A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
            }
        }
        log {
            session-init;
        }
    }
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
            }
        }
        count {
            session-close;
        }
    }
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
            }
        }
        log {
            session-close;
        }
    }
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
                log;
                count session-close;
            }
        }
    }
}

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 192
Which two statements are true for a security policy? (Choose two.)

A. It controls inter-zone traffic.
B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 193
Which command would you use to enable chassis clustering on an SRX device, setting the cluster ID to 1 and node to 0?

A. user@host# set chassis cluster cluster-id 1 node 0 reboot
B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
D. user@host# set chassis cluster id 1 node 0 reboot

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 194
Which three advanced permit actions within security policies are valid? (Choose three.)

A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.

Correct Answer: ACE


Section: (none)
Explanation

Explanation/Reference:

QUESTION 195
Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?

A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 196
On which component is the control plane implemented?

A. IOC
B. PIM
C. RE
D. SPC

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 197
When an SRX Series device receives an ESP packet, what happens?

A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the packet.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 198
You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        loose-source-route-option;
        strict-source-route-option;
    }
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        source-route-option;
    }
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        record-route-option;
        security-option;
    }
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        strict-source-route-option;
        record-route-option;
    }
}

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 199
Which two statements are true about route-based VPNs? (Choose two.)

A. Route-based VPNs cannot be used to configure remote access or dialup VPNs.
B. The from-zone and to-zone, for a security policy to permit traffic over a route-based VPN, are derived from the zone in which the protected network lies and the zone in which the IKE interface lies.
C. system services ike must be enabled on the st0.x interface.
D. You cannot rewrite the DSCP bits on the inner IP header of an ESP packet that was created or forwarded using a route-based VPN.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 200
What is the purpose of an address book?

A. It holds security policies for particular hosts.
B. It holds statistics about traffic to and from particular hosts.
C. It defines the hosts in a zone so they can be referenced by policies.
D. It maps hostnames to IP addresses to serve as a backup to DNS resolution.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 201
Which two traffic types trigger pass-through firewall user authentication? (Choose two.)

A. SSH
B. ICMP
C. Telnet
D. FTP

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 202
How does the antivirus feature operate once the antivirus license has expired?

A. Any traffic matching a UTM policy will be dropped.
B. Any traffic matching a UTM policy will be permitted.
C. Any traffic matching a UTM policy will be correctly evaluated with the existing set of antivirus signatures.
D. Any traffic matching a UTM policy will be permitted with a log message of no inspection.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 203
What are two valid match conditions for source NAT? (Choose two.)

A. port range
B. source port
C. source address
D. destination address

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 204
Which two configuration elements are required for a policy-based VPN? (Choose two.)

A. IKE gateway
B. secure tunnel interface
C. security policy to permit the IKE traffic
D. security policy referencing the IPsec VPN tunnel

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 205
Which two statements are true for both express antivirus and full file-based antivirus? (Choose two.)

A. Signature updates of the pattern database are obtained from Symantec.
B. Intelligent prescreening functionality is identical in both express antivirus and full antivirus.
C. Both express antivirus and full file-based antivirus use the same scan engines.
D. The database pattern server is available through both HTTP and HTTPS.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 206
Which statement is true about interfaces, zones, and routing-instance relationships?

A. All interfaces in a zone must belong to the same routing instance.
B. All interfaces in a routing instance must belong to the same zone.
C. All interfaces in a zone must be in inet.0.
D. Each interface in a VR must belong to a unique security zone.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 207
What do you use to group interfaces with similar security requirements?

A. zones
B. policies
C. address book
D. NAT configuration

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 208
Which statement is true when express AV detects a virus in a TCP session?

A. A TCP RST is sent and the session is restarted.
B. The TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent.
D. AV scanning is restarted.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 209
Which statement describes the behavior of a security policy?

A. The implicit default security policy permits all traffic.
B. Traffic destined to the device itself always requires a security policy.
C. Traffic destined to the device's incoming interface does not require a security policy.
D. The factory-default configuration permits all traffic from all interfaces.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 210
What are two rulebase types within an IPS policy on an SRX Series device? (Choose two.)

A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 211
Click the Exhibit button.

Which type of source NAT is configured in the exhibit?

A. interface-based source NAT
B. static source NAT
C. pool-based source NAT with PAT
D. pool-based source NAT without PAT

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 212
Click the Exhibit button.

-- Exhibit --

user@host> show security utm web-filtering statistics
UTM web-filtering statistics:
Total requests: 298171
white list hit: 0
Black list hit: 0
Queries to server: 17641
Server reply permit: 14103
Server reply block: 3538
Custom category permit: 0
Custom category block: 0
Cache hit permit: 171020
Cache hit block: 109510
Web-filtering sessions in total: 4000
Web-filtering sessions in use: 0
Fallback: log-and-permit block
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 758 0
-- Exhibit --

Which two statements are true about the output shown in the exhibit on the branch SRX device? (Choose two.)

A. Redirect Web filtering is being used.
B. Integrated Web filtering is being used.
C. At some point the SRX had more than 4000 concurrent Web sessions.
D. Local Web filtering is being used.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 213
Click the Exhibit button.

-- Exhibit --

[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
match {
source-address subnet_a;
destination-address host_b;
application [ junos-telnet junos-ping ];
}
then {
reject;
}
}
policy one {
match {
source-address host_a;
destination-address subnet_b;
application any;
}
then {
permit;
}
}
-- Exhibit --

host_a is in subnet_a and host_b is in subnet_b.

Given the configuration shown in the exhibit, which two statements are true about traffic from host_a to host_b? (Choose two.)

A. DNS traffic is denied.
B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is denied.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 214
Review the configuration below:

[edit security nat destination]
user@host# show
pool A {
address 10.1.10.5/32;
}
rule-set 1 {
from zone untrust;
rule 1A {
match {
destination-address 100.0.0.1/32;
}
then {
destination-nat pool A;
}
}
}

Which type of NAT is configured in the exhibit?

A. static destination NAT
B. static source NAT
C. pool-based destination NAT without PAT
D. pool-based destination NAT with PAT

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 215
Regarding zone types, which statement is true?

A. You cannot assign an interface to a functional zone.
B. You can specify a functional zone in a security policy.
C. Security zones must have a scheduler applied.
D. You can use a security zone for traffic destined for the device itself.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 216
Regarding attacks, which statement is correct?

A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.
B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy flood.
C. DoS attacks are directed at the network protection devices, while propagation attacks are directed at the servers.
D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take control of the devices.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 217
Click the Exhibit button.

[edit schedulers]
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
start-time 07:00:00 stop-time 18:00:00;
}
thursday {
start-time 07:00:00 stop-time 18:00:00;
}}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}}}
scheduler-name now;
}

Based on the configuration shown in the exhibit, what are the actions of the security policy?

A. The policy will always permit transit packets and use the IPsec VPN myTunnel.
B. The policy will permit transit packets only on Monday, and use the IPsec VPN Mytunnel.
C. The policy will permit transit packets and use the IPsec VPN myTunnel all day Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.
D. The policy will always permit transit packets, but will only use the IPsec VPN myTunnel all day Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 218
Which two statements are true regarding proxy ARP? (Choose two.)

A. Proxy ARP is enabled by default.
B. Proxy ARP is not enabled by default.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 219
For IKE phase 1 negotiations, when is aggressive mode typically used?

A. when one of the tunnel peers has a dynamic IP address
B. when one of the tunnel peers wants to force main mode to be used
C. when fragmentation of the IKE packet is required between the two peers
D. when one of the tunnel peers wants to specify a different phase 1 proposal

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 220
A traditional router is better suited than a firewall device for which function?

A. VPN establishment
B. packet-based forwarding
C. stateful packet processing
D. Network Address Translation

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 221
Which three functions are provided by JUNOS Software for security platforms? (Choose three.)

A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 222
Which two functions of JUNOS Software are handled by the data plane? (Choose two.)

A. NAT
B. OSPF
C. SNMP
D. SCREEN options

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 223
In JUNOS Software, which three packet elements can be inspected to determine if a session already exists? (Choose three.)

A. IP protocol
B. IP time-to-live
C. source and destination IP address
D. source and destination MAC address
E. source and destination TCP/UDP port

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 224
By default, which condition would cause a session to be removed from the session table?

A. Route entry for the session changed.
B. Security policy for the session changed.
C. The ARP table entry for the source IP address timed out.
D. No traffic matched the session during the timeout period.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 225
What is the purpose of a zone in JUNOS Software?

A. A zone defines a group of security devices with a common management.
B. A zone defines the geographic region in which the security device is deployed.
C. A zone defines a group of network segments with similar security requirements.
D. A zone defines a group of network segments with similar class-of-service requirements.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 226
Users can define policy to control traffic flow between which two components? (Choose two.)

A. from a zone to the device itself
B. from a zone to the same zone
C. from a zone to a different zone
D. from one interface to another interface

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 227
Which two configurations are valid? (Choose two.)

A. [edit security zones]
user@host# show
security-zone red {
interfaces {
ge-0/0/1.0;
ge-0/0/3.0;
}}
security-zone blue {
interfaces {
ge-0/0/2.0;
ge-0/0/3.102;
}}
B. [edit security zones]
user@host# show
security-zone red {
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
}}
security-zone blue {
interfaces {
ge-0/0/1.0;
ge-0/0/3.0;
}}
C. [edit routing-instances]
user@host# show
red {
interface ge-0/0/3.0;
interface ge-0/0/2.102;
}
blue {
interface ge-0/0/0.0;
interface ge-0/0/3.0;
}
D. [edit routing-instances]
user@host# show
red {
interface ge-0/0/3.0;
interface ge-0/0/3.102;
}
blue {
interface ge-0/0/0.0;
interface ge-0/0/2.0;
}

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 228
Which two configuration options must be present for IPv4 transit traffic to pass between the ge-0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)

A. family inet
B. a security zone
C. a routing instance
D. host-inbound-traffic

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 229
Which zone is a system-defined zone?

A. null zone
B. trust zone
C. untrust zone
D. management zone

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 230
Which type of zone is used by traffic transiting the device?

A. transit zone
B. default zone
C. security zone
D. functional zone

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 231
Which two steps are performed when configuring a zone? (Choose two.)

A. Define a default policy for the zone.
B. Assign logical interfaces to the zone.
C. Assign physical interfaces to the zone.
D. Define the zone as a security or functional zone.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 232
You want to allow all hosts on interface ge-0/0/0.0 to be able to ping the device's ge-0/0/0.0 IP address.

Where do you configure this functionality?

A. [edit interfaces]
B. [edit security zones]
C. [edit system services]
D. [edit security interfaces]

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 233
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone.

From the [edit] hierarchy, which command do you use to configure this assignment?

A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 234
You are not able to telnet to the interface IP address of your device from a PC on the same subnet.

What is causing the problem?

A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 235
Click the Exhibit button.

Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?

A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 236
Click the Exhibit button.

Based on the exhibit, client PC 192.168.10.10 cannot ping 1.1.1.2. Which is a potential cause for this problem?

A. The untrust zone does not have a management policy configured.
B. The trust zone does not have ping enabled as a host-inbound-traffic service.
C. The security policy from the trust zone to the untrust zone does not permit ping.
D. No security policy exists for the ICMP reply packet from the untrust zone to the trust zone.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 237
Click the Exhibit button.

[edit security zones security-zone HR]
user@host# show
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}}}
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
ftp;
}}}
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
all;
ssh {
except;
}}}
}}

All system services have been enabled.

Given the configuration shown in the exhibit, which interface allows both ping and SSH traffic?

A. ge-0/0/0.0
B. ge-0/0/1.0
C. ge-0/0/2.0
D. ge-0/0/3.0

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 238
Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : bgp ospf

Which configuration would result in the output shown in the exhibit?

A. [edit security zones functional-zone management]
user@host# show
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
protocols {
bgp;
ospf;
vrrp;
}}}}
host-inbound-traffic {
protocols {
all;
vrrp {
except;
}}}
B. [edit security zones functional-zone management]
user@host# show
host-inbound-traffic {
protocols {
bgp;
ospf;
}}
C. [edit security zones security-zone trust]
user@host# show
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
protocols {
ospf;
bgp;
}}}}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
protocols {
bgp;
}}
interfaces {
all {
host-inbound-traffic {
protocols {
ospf;
}}}}

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 239
Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : ping ssh telnet

Which configuration would result in the output shown in the exhibit?

A. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
ping;
telnet;
}}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ssh;
telnet;
}}}}
B. [edit security zones functional-zone management]
user@host# show
interfaces {
all;
}
host-inbound-traffic {
system-services {
all;
ftp {
except;
}}}
C. [edit security zones functional-zone management]
user@host# show
interfaces {
all {
host-inbound-traffic {
system-services {
ping;
}}}}
host-inbound-traffic {
system-services {
telnet;
ssh;
}}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
ssh;
ping;
telnet;
}}
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
ping;
}}}
ge-0/0/0.0;
}

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 240
Click the Exhibit button.

[edit security]
user@host# show
zones {
security-zone ZoneA {
tcp-rst;
host-inbound-traffic {
system-services {
ping;
telnet;
}}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
}}
security-zone ZoneB {
interfaces {
ge-0/0/3.0;
}}}
policies {
from-zone ZoneA to-zone ZoneB {
policy A-to-B {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}}}}

In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet connection to the device's ge-0/0/1.0 IP address.

What does the device do?

A. The device sends back a TCP reset packet.
B. The device silently discards the packet.
C. The device forwards the packet out the ge-0/0/1.0 interface.
D. The device responds with a TCP SYN/ACK packet and opens the connection.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 241
Which two commands can be used to monitor firewall user authentication? (Choose two.)

A. show access firewall-authentication
B. show security firewall-authentication users
C. show security audit log
D. show security firewall-authentication history

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 242
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)

A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is not performed.
D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is not performed.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 243
Which two external authentication server types are supported by JUNOS Software for firewall user authentication? (Choose two.)

A. RADIUS
B. TACACS+
C. LDAP
D. IIS

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 244
Click the Exhibit button.

[edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
all;
}}
interfaces {
ge-0/0/0.0;
}

Referring to the exhibit, which two traffic types are permitted when the destination is the ge-0/0/0.0 IP address? (Choose two.)

A. Telnet
B. OSPF
C. ICMP
D. RIP

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 245
What are three main phases of an attack? (Choose three.)

A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 246
An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies.
Which type of an attack does this scenario describe?

A. DoS
B. SYN flood
C. port scanning
D. IP address sweep

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 247
Where do you configure SCREEN options?

A. zones on which an attack might arrive
B. zones you want to protect from attack
C. interfaces on which an attack might arrive
D. interfaces you want to protect from attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 248
Prior to applying SCREEN options to drop traffic, you want to determine how your configuration will affect traffic.

Which mechanism would you configure to achieve this objective?

A. the log option for the particular SCREEN option
B. the permit option for the particular SCREEN option
C. the SCREEN option, because it does not drop traffic by default
D. the alarm-without-drop option for the particular SCREEN option

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 249
You are required to configure a SCREEN option that enables IP source route option detection.

Which two configurations meet this requirement? (Choose two.)

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}}

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 250
Which two statements describe the purpose of a security policy? (Choose two.)

A. It enables traffic counting and logging.
B. It enforces a set of rules for transit traffic.
C. It controls host inbound services on a zone.
D. It controls administrator rights to access the device.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 251
Exhibit.

[edit security policies]
user@host# show
from-zone trust to-zone untrust {
policy AllowHTTP {
match {
source-address HOSTA;
destination-address any;
application junos-ftp;
}
then {
permit;
}}
policy AllowHTTP2 {
match {
source-address any;
destination-address HOSTA;
application junos-http;
}
then {
permit;
}}
policy AllowHTTP3 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}}}

A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from HOSTA and that HOSTA is in zone trust and HOSTB is in zone untrust. What will happen to the traffic given the configuration in the exhibit?

A. The traffic will be permitted by policy AllowHTTP.
B. The traffic will be permitted by policy AllowHTTP3.
C. The traffic will be permitted by policy AllowHTTP2.
D. The traffic will be dropped as no policy match will be found.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 252
Which two security policy actions are valid? (Choose two.)

A. deny
B. discard
C. reject
D. close

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 253
Click the Exhibit button.

[edit schedulers]
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
start-time 07:00:00 stop-time 18:00:00;
}
thursday {
start-time 07:00:00 stop-time 18:00:00;
}}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}}}
scheduler-name now;
}

Based on the configuration shown in the exhibit, what will happen to the traffic matching the security policy?

A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.
B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.
C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and Wednesdays between 7:00 am and 6:00 pm, and Thursdays between 7:00 am and 6:00 pm.
D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and Wednesdays between 6:01 pm and 6:59 am, and Thursdays between 6:01 pm and 6:59 am.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 254
Click the Exhibit button.

[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
match {
source-address subnet_a;
destination-address host_b;
application [ junos-telnet junos-ping ];
}
then {
reject;
}}
policy one {
match {
source-address host_a;
destination-address subnet_b;
application any;
}
then {
permit;
}}

host_a is in subnet_a and host_b is in subnet_b.

Given the configuration shown in the exhibit, which statement is true about traffic from host_a to host_b?

A. DNS traffic is denied.
B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is permitted.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 255
Which statement is true about interface-based source NAT?

A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. The IP addresses being translated must be in the same subnet as the egress interface.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 256
Which two statements are true about pool-based destination NAT? (Choose two.)

A. It also supports PAT.
B. PAT is not supported.
C. It allows the use of an address pool.
D. It requires you to configure an address in the junos-global zone.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 257
Which statement is true about source NAT?

A. Source NAT works only with source pools.
B. Destination NAT is required to translate the reply traffic.
C. Source NAT does not require a security policy to function.
D. The egress interface IP address can be used for source NAT.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 258
Which two statements are true about overflow pools? (Choose two.)

A. Overflow pools do not support PAT.
B. Overflow pools cannot use the egress interface IP address for NAT.
C. Overflow pools must use PAT.
D. Overflow pools can contain the egress interface IP address or separate IP addresses.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 259
Which statement is true regarding proxy ARP?

A. Proxy ARP is enabled by default on stand-alone JUNOS security devices.
B. Proxy ARP is enabled by default on chassis clusters.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 260
You are creating a destination NAT rule-set.

Which two are valid for use with the from clause? (Choose two.)

A. security policy
B. interface
C. routing-instance
D. IP address

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 261
Regarding an IPsec security association (SA), which two statements are true? (Choose two.)

A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 262
Which operational mode command displays all active IPsec phase 2 security associations?

A. show ike security-associations
B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 263
Two VPN peers are negotiating IKE phase 1 using main mode. Which message pair in the negotiation contains the phase 1 proposal for the peers?

A. message 1 and 2
B. message 3 and 4
C. message 5 and 6
D. message 7 and 8

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 264
Which attribute is required for all IKE phase 2 negotiations?

A. proxy-ID
B. preshared key
C. Diffie-Hellman group key
D. main or aggressive mode

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 265
Which attribute is optional for IKE phase 2 negotiations?

A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 266
A route-based VPN is required for which scenario?

A. when the remote VPN peer is behind a NAT device
B. when multiple networks need to be reached across the tunnel and GRE cannot be used
C. when the remote VPN peer is a dialup or remote access client
D. when a dynamic routing protocol is required across the VPN and GRE cannot be used

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 267
A policy-based IPsec VPN is ideal for which scenario?

A. when you want to conserve tunnel resources
B. when the remote peer is a dialup or remote access client
C. when you want to configure a tunnel policy with an action of deny
D. when a dynamic routing protocol such as OSPF must be sent across the VPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 268
Regarding a route-based versus policy-based IPsec VPN, which statement is true?

A. A route-based VPN generally uses less resources than a policy-based VPN.
B. A route-based VPN cannot have a deny action in a policy; a policy-based VPN can have a deny action.
C. A route-based VPN is better suited for dialup or remote access compared to a policy-based VPN.
D. A route-based VPN uses a policy referencing the IPsec VPN; a policy-based VPN policy does not use a policy referencing the IPsec VPN.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 269
Which two configuration elements are required for a route-based VPN? (Choose two.)

A. secure tunnel interface
B. security policy to permit the IKE traffic
C. a route for the tunneled transit traffic
D. tunnel policy for transit traffic referencing the IPsec VPN

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 270
Click the Exhibit button.

[edit security]
user@host# show
ike {
policy ike-policy1 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
}
gateway remote-ike {
ike-policy ike-policy1;
address 172.19.51.170;
external-interface ge-0/0/3.0;
}}
ipsec {
policy vpn-policy1 {
proposal-set standard;
}
vpn remote-vpn {
ike {
gateway remote-ike;
ipsec-policy vpn-policy1;
}}}

Assuming you want to configure a route-based VPN, which command is required to bind the VPN to secure tunnel interface st0.0?

A. set ipsec vpn remote-vpn bind-interface st0.0
B. set ike gateway remote-ike bind-interface st0.0
C. set ike policy ike-policy1 bind-interface st0.0
D. set ipsec policy vpn-policy1 bind-interface st0.0

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 271
Regarding secure tunnel (st) interfaces, which statement is true?

A. You cannot assign st interfaces to a security zone.
B. You cannot apply static NAT on an st interface logical unit.
C. st interfaces are optional when configuring a route-based VPN.
D. A static route can reference the st interface logical unit as the next-hop.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 272
What are three benefits of using chassis clustering? (Choose three.)

A. Provides stateful session failover for sessions.
B. Increases security capabilities for IPsec sessions.
C. Provides active-passive control and data plane redundancy.
D. Enables automated fast-reroute capabilities.
E. Synchronizes configuration files and session state.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 273
You have been tasked with installing two SRX 5600 platforms in a high-availability cluster. Which requirement must be met for a successful installation?

A. You must enable SPC detect within the configuration.
B. You must enable active-active failover for redundancy.
C. You must ensure all SPCs use the same slot placement.
D. You must configure auto-negotiation on the control ports of both devices.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 274
Click the Exhibit button.

[edit chassis]
user@host# show
cluster {
reth-count 3;
redundancy-group 1 {
node 0 priority 1;
node 1 priority 100;
}}

When applying the configuration in the exhibit and initializing a chassis cluster, which statement is correct?

A. Three physical interfaces are redundant.
B. You must define an additional redundancy group.
C. node 0 will immediately become primary for redundancy group 1.
D. You must issue an operational command and reboot the system for the above configuration to take effect.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 275
What is a redundancy group in JUNOS Software?

A. a set of chassis clusters that fail over as a group
B. a set of devices that participate in a chassis cluster
C. a set of VRRP neighbors that fail over as a group
D. a set of chassis cluster objects that fail over as a group

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 276
When devices are in cluster mode, which new interfaces are created?

A. No new interface is created.
B. Only the st interface is created.
C. fxp1, fab0, and fab1 are created.
D. st, fxp1, reth, fab0, and fab1 are created.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 277
What are two interfaces created when enabling a chassis cluster? (Choose two.)

A. st0
B. fxp1
C. fab0
D. reth0

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 278
Which statement is true regarding redundancy groups?

A. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned
to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 279
Which IDP policy action drops a packet before it can reach its destination, but does not close the connection?

A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 280
You have been tasked with performing an update to the IDP attack database. Which three requirements are included as part of this task? (Choose three.)

A. The IDP security package must be installed after it is downloaded.
B. The device must be rebooted to complete the update.
C. The device must be connected to a network.
D. An IDP license must be installed on your device.
E. You must be logged in as the root user.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 281
You are implementing an IDP policy template from Juniper Networks. Which three steps are included in this process? (Choose three.)

A. activating a JUNOS Software commit script
B. configuring an IDP groups statement
C. setting up a chassis cluster
D. downloading the IDP policy templates
E. installing the policy templates

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 282
Which statement regarding the implementation of an IDP policy template is true?

A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 283
Which two statements are true regarding firewall user authentication? (Choose two.)

A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the JUNOS security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote networks.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 284
Which statement accurately describes firewall user authentication?

A. Firewall user authentication provides another layer of security in a network.
B. Firewall user authentication provides a means for accessing a JUNOS Software-based security device.
C. Firewall user authentication enables session-based forwarding.
D. Firewall user authentication is used as a last resort security method in a network.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 285
Which two firewall user authentication objects can be referenced in a security policy? (Choose two.)

A. access profile
B. client group
C. client
D. default profile

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 286
Which high availability feature is supported only on Junos security platforms?

A. Virtual Chassis
B. VRRP
C. chassis clustering
D. graceful restart

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The Junos OS achieves high availability on Junos security platforms using chassis clustering. Chassis clustering provides network node redundancy by grouping two
like devices into a cluster. The two nodes back each other up, with one node acting as the primary and the other as the secondary node, ensuring the stateful failover
of processes and services in the event of system or hardware failure. A control link between services processing cards (SPCs) or revenue ports and an Ethernet
data link between revenue ports connect two like devices. Junos security platforms must be the same model, and all SPCs, network processing cards (NPCs), and
input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware revision. The chassis clustering feature in the Junos OS is built
on the high availability methodology of Juniper Networks M Series and T Series platforms and the TX Matrix platform, including multichassis clustering,
active-passive Routing Engines (REs), active-active Packet Forwarding Engines (PFEs), and graceful RE switchover capability.

QUESTION 287
What is a security policy?

A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
A security policy is a set of statements that controls traffic from a specified source to a specified destination using a specified service. If a packet arrives that
matches those specifications, the SRX Series device performs the action specified in the policy.

QUESTION 288
What is a zone?

A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
A zone is a collection of one or more network segments sharing identical security requirements. To group network segments within a zone, you must assign logical
interfaces from the device to a zone.

QUESTION 289
What is the function of NAT?

A. It performs Layer 3 routing.
B. It evaluates and redirects matching traffic into secure tunnels.
C. It provides translation between public and private IP addresses.
D. It performs Layer 2 switching.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Historically, the NAT concept was born because of the shortage of public IPv4 addresses. Many organizations moved to deploy so-called private addresses using
the IPv4 private addressing space, as identified in RFC 1918. These addresses include the following ranges:
10.0.0.0-10.255.255.255 (10.0.0.0/8 prefix);
172.16.0.0-172.31.255.255 (172.16.0.0/12 prefix); and
192.168.0.0-192.168.255.255 (192.168.0.0/16 prefix).

Because private addresses are not routable within the public domain, edge network devices can deploy the NAT feature to replace private, nonroutable addresses
with public addresses prior to sending traffic to the public network and vice versa. Translation consists of replacing the IP address (NAT), port numbers (PAT), or
both, depending on the configuration.

While primarily deployed to translate private addresses to public addresses, NAT can translate from any address to any other address, including public to public and
private to private addresses.

QUESTION 290
Which statement correctly describes the default state of a high-end SRX Series Services Gateway?

A. It forwards all traffic.
B. It selectively forwards traffic based on default security policies.
C. It selectively restricts traffic based on default security policies.
D. It forwards no traffic.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 291
Which Junos security feature helps protect against spam, viruses, trojans, and malware?

A. session-based stateful firewall
B. IPsec VPNs
C. security policies
D. Unified Threat Management

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The major features of Unified Threat Management (UTM) address the security needs of branch office networks. A branch office network in today's market significantly
contributes to the bottom line and is central to an organization's success. Branch offices normally include a relatively smaller number of computing resources when
compared to central facilities or headquarters locations. Branch offices are typically located where customer interactions occur, which means there is increased
demand for supporting applications and assuring application performance, and an increased demand for security. General security vulnerabilities exist for every
branch office network. These vulnerabilities include spam and phishing attacks, viruses, trojans and spyware-infected files, unapproved website access, and
unapproved content.

QUESTION 292
When the first packet in a new flow is received, which high-end SRX component is responsible for setting up the flow?

A. Routing Engine
B. I/O card
C. network processing card
D. services processing card

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 293
Which three elements are contained in a session-close log message? (Choose three.)

A. source IP address
B. DSCP value
C. number of packets transferred
D. policy name
E. MAC address

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 294
Which card performs flow lookup on incoming packets on high-end SRX Series devices?

A. Network Processing Card (NPC)
B. Services Processing Card (SPC)
C. Switch Control Board (SCB)
D. Routing Engine (RE)

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 295
How is the control plane separated from the data plane on branch SRX Series devices?

A. by running separate kernels inside the Junos OS
B. by dedicating a separate CPU core for the control plane
C. by using separate CPUs for the control plane and data plane
D. by offloading control plane traffic to the SPC

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 296
Which three parameters does the Junos OS attempt to match against during session lookup? (Choose three.)

A. session token
B. ingress interface
C. protocol number
D. source port number
E. egress interface

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 297
You have packet loss on an IPsec VPN using the default maximum transmission unit (MTU) where the packets have the DF-bit (do not fragment) set.

Which configuration solves this problem?

A. Set an increased MTU value on the physical interface.
B. Set a reduced MSS value for VPN traffic under the [edit security flow tcp-mss] hierarchy.
C. Set a reduced MTU value for VPN traffic under the [edit security flow] hierarchy.
D. Set an increased MSS value on the st0 interface.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 298
The branch SRX Series Services Gateways implement the data plane on which two components? (Choose two.)

A. IOCs
B. SPCs
C. CPU cores
D. PIMs

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 299
Which configuration must be completed to use both packet-based and session-based forwarding on a branch SRX Series Services Gateway?

A. A stateless firewall filter must be used on the ingress interface to match traffic to be processed as session based.
B. A security policy rule must be used on the ingress interface to match traffic to be processed as session based.
C. A global security policy rule must be used on the ingress interface to match traffic to be processed as packet based.
D. A stateless firewall filter must be used on the ingress interface to match traffic to be processed as packet based.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 300
Which branch SRX Series Services Gateway model has a hardware-based, modular Routing Engine?

A. SRX1400
B. SRX650
C. SRX110
D. SRX240

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 301
Which two statements are true about zones? (Choose two.)

A. Null zones accept all traffic to and from an interface.
B. Security zones filter transit traffic and traffic destined for the device itself.
C. Functional zones filter transit traffic and traffic destined for the device itself.
D. Functional zones do not pass transit traffic and allow only management access to the device.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 302
Which statement is true about factory-default zones?

A. High-end SRX devices have trust and untrust zones.
B. Branch SRX devices have trust and untrust zones.
C. High-end SRX devices have only a trust zone.
D. Branch SRX devices have no zones.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 303
Which two statements are true when configuring security zones? (Choose two.)

A. You can assign one or more logical interfaces to a zone.
B. You can assign a logical interface to multiple zones.
C. You can assign one or more logical interfaces to a routing instance.
D. You can assign a logical interface to multiple routing instances.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 304
What are two system-defined zones? (Choose two.)

A. null zone
B. system zone
C. Junos host zone
D. functional zone

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 305
Which statement is correct about zone and interface dependencies?

A. A logical interface can be assigned to multiple zones.
B. A zone can be assigned to multiple routing instances.
C. Logical interfaces are assigned to a zone.
D. A logical interface can be assigned to multiple routing instances.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 306
What are two functions of the junos-host zone? (Choose two.)

A. storing global address book entries
B. controlling self-generated traffic
C. controlling host inbound traffic
D. controlling global Junos Screen settings

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 307
Which two parameters are configurable under the [edit security zones security-zone zoneA] stanza? (Choose two.)

A. the TCP RST feature
B. the security policies for intrazone communication
C. the zone-specific address book
D. the default policy action for firewall rules in this zone

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 308
What are two predefined address-book entries? (Choose two.)

A. all
B. any-ipv6
C. any-ipv4
D. all-ipv4

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 309
What are two valid network prefixes in address books? (Choose two.)

A. 172.16.3.11/29
B. 172.16.0.0/16
C. 172.16.3.11/32
D. 172.16.3.11/24

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 310
You want to show interface-specific zone information and statistics. Which operational command would be used to accomplish this?

A. show security zones detail
B. show interfaces ge-0/0/3.0
C. show interfaces terse
D. show interfaces ge-0/0/3.0 extensive

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 311
Which two statements are correct regarding the security policy parameter policy-rematch? (Choose two.)

A. Configuration changes to existing policies do not impact current sessions.
B. Configuration changes to existing policies cause re-evaluation of current sessions.
C. Configuration changes to the action field of a policy from permit to either deny or reject cause all existing sessions to drop.
D. Configuration changes to the action field of a policy from permit to either deny or reject cause all existing sessions to continue.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 312
An engineer has just created a single policy allowing ping traffic from a host in the Users zone to a server in the Servers zone.
When the host pings the server, what will happen to the return traffic?

A. The return traffic will match the session and will be permitted.
B. The return traffic will match the new policy and will be permitted.
C. The return traffic will not be permitted; it will need a separate policy.
D. The return traffic will not be permitted; it will match the system default policy.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 313
Following a recent security audit, you find that users are able to ping between the untrust zone and the trust zone, which is contrary to your organization's current
security policy. On examination of the current security policies, you find no policies that would allow these connections.

What are two reasons why users would be able to ping between these zones? (Choose two.)

A. The default policy has been modified to permit all traffic.
B. There is a hidden policy that permits all traffic from untrust to trust.
C. A firewall filter has been configured that places traffic into packet mode.
D. ICMP traffic is not subject to policy inspection.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 314
You must create a security policy for a custom application that requires a longer session timeout than the default application offers.

Which two actions are valid? (Choose two.)

A. Set the timeout value in the security forwarding-options section of the CLI.
B. Set the timeout value for the application in the security zone configuration.
C. Alter a built-in application and set the timeout value under the application-protocol section of the CLI.
D. Create a custom application and set the timeout value under the application-protocol section of the CLI.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 315
You need to build a scheduler to apply to a policy that will allow traffic from Monday to Friday only. What will accomplish this task?

A. [edit schedulers]
user@host# show
scheduler no-weekends {
daily all-day;
sunday exclude;
saturday exclude;
}
B. [edit schedulers]
user@host# show
scheduler no-weekends {
daily except weekends;
}
C. [edit schedulers]
user@host# show
scheduler no-weekends {
daily;
sunday exclude;
saturday exclude;
}
D. [edit schedulers]
user@host# show
scheduler no-weekends {
weekday all-day;
}

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 316
You want to silently drop HTTP traffic.

Which action will accomplish this task?

A. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
deny;
}
B. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
reject;
}
C. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
block;
}
D. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
terminate;
}

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 317
You are asked to change the behavior of the system-default policy from the default setting on an SRX Series device.

What would be the result of this change?

A. Traffic matching the default policy will be permitted.
B. Traffic matching the default policy will be denied.
C. Traffic matching the default policy will be rejected.
D. Traffic matching the default policy will be queued.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 318
You have just added the policy deny-host-a to prevent traffic from Host A that was previously allowed by the policy permit-all. After committing the changes, you
notice that all traffic, including traffic from Host A, is still allowed.

Which configuration statement will prevent traffic from Host A, while still allowing other hosts to send traffic?

A. activate security policies from-zone trust to-zone untrust policy deny-host-a
B. deactivate security policies from-zone trust to-zone untrust policy permit-all
C. delete security policies from-zone trust to-zone untrust policy permit-all
D. insert security policies from-zone trust to-zone untrust policy deny-host-a before policy permit-all

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 319
You are troubleshooting a security policy. The operational command show security flow session does not show any sessions for this policy.

Which statement is correct?

A. Logging on session initialization has not been enabled in the policy.
B. Logging on session closure has not been enabled in the policy.
C. The traffic is not being matched by the policy.
D. The security monitoring performance session command should be used to show sessions.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 320
You want to enable local logging for security policies and have the log information stored in a separate file on a branch SRX Series device.

Which configuration will accomplish this task?

A. [edit system syslog]
user@host# show
file sec-pol-log {
user info;
}
B. [edit system syslog]
user@host# show
host 192.168.1.1 {
user info;
}
C. [edit system syslog]
user@host# show
file sec-pol-log {
any any;
}
D. [edit system syslog]
user@host# show
file sec-pol-log {
security info;
}

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 321
You want to authenticate users accessing an internal FTP server using the SRX Series Services Gateway. You also want to use an internal LDAP server as the
authentication server.

What will satisfy this requirement?

A. a security policy with authentication redirection
B. pass-through firewall user authentication
C. captive portal
D. Web firewall user authentication

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 322
Which two settings in the options field of an IP header will Junos Screen options block? (Choose two.)

A. traceroute
B. record route option
C. timestamp option
D. MTU probe

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 323
Which two statements are true about the SYN cookie Junos Screen option? (Choose two.)

A. The SYN cookie mechanism is stateless; therefore, the initial three-way handshake can complete before a session table entry is completed.
B. The SRX device will implement the SYN cookie mechanism on all connections once SYN cookies are enabled.
C. The SYN cookie mechanism uses a cryptographic hash, which can detect spoofed source addresses.
D. SYN cookie protection can stop UDP floods as well as TCP floods.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 324
Which three actions should be used when initially implementing Junos Screen options? (Choose three.)

A. Deploy Junos Screen options only in functional zones.
B. Deploy Junos Screen options only in vulnerable security zones.
C. Understand the behavior of legitimate applications.
D. Use the limit-session option.
E. Use the alarm-without-drop option.

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 325
At which step in the packet flow are Junos Screen checks applied?

A. prior to the route lookup
B. prior to security policy processing
C. after ALG services are applied
D. after source NAT services are applied

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 326
You need to apply the Junos Screen protect-zone to the public zone.

Which configuration meets this requirement?

A. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
screen protect-zone;
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
B. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
host-inbound-traffic {
screen protect-zone;
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
C. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
screen-protect-zone;
}
D. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
screen all;
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 327
You need to implement Junos Screen options to protect traffic coming through the ge-0/0/0 and ge-0/0/1 interfaces which are located in the trust and DMZ zones,
respectively.
Where would you enable the Junos Screen options?

A. in the trust and DMZ zone settings
B. on the ge-0/0/0 and ge-0/0/1 interfaces
C. in a security policy
D. in the global security zone settings

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 328
While reviewing the logs on your SRX240 device, you notice SYN floods coming from multiple hosts out on the Internet.

Which Junos Screen option would protect against these denial-of-service (DoS) attacks?

A. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
destination-ip-based 150;
}
}
B. [edit security screen]
user@host# show
ids-option no-flood {
tcp {
syn-fin;
}
}
C. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
source-ip-based 150;
}
}
D. [edit security screen]
user@host# show
ids-option no-flood {
icmp {
flood threshold 10;
}
}

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 329
You want to protect against attacks on interfaces in ZoneA. You create a Junos Screen option called no-flood and commit the configuration. In the weeks that
follow, the Screen does not appear to be working; whenever you enter the command show security screen statistics zone ZoneA, all counters show 0.

What would solve this problem?

A. user@host> clear security screen no-flood statistics
B. [edit security zones security-zone ZoneA]
user@host# set screen no-flood
C. user@host> clear security screen statistics zone ZoneA
D. [edit security zones]
user@host# set screen no-flood

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 330
While reviewing the logs on your SRX240 device, you notice SYN floods coming from a host out on the Internet towards several hosts on your trusted network.
Which Junos Screen option would protect against these denial-of-service (DoS) attacks?

A. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
destination-ip-based 150;
}
}
B. [edit security screen]
user@host# show
ids-option no-flood {
tcp {
syn-fin;
}
}
C. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
source-ip-based 150;
}
}
D. [edit security screen]
user@host# show
ids-option no-flood {
icmp {
flood threshold 10;
}
}

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 331
During packet flow on an SRX Series device, which two processes occur before route lookup? (Choose two.)

A. static NAT
B. destination NAT
C. source NAT
D. reverse static NAT

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 332
Which Junos NAT implementation requires the use of proxy ARP?

A. destination NAT using a pool outside the IP network of the device's interface
B. source NAT using the device's egress interface
C. source NAT using a pool in the same IP network as the device's interface
D. source NAT using a pool outside the IP network of the device's interface

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 333
You are configuring source NAT.

Which three elements are used for matching the traffic direction in the from and to statements? (Choose three.)

A. routing instance
B. zone
C. source address
D. destination address
E. interface

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 334
You have just configured source NAT with a pool of addresses within the same subnet as the egress interface.

What else must be configured to make the addresses in the pool usable?

A. static NAT
B. destination NAT
C. address persistence
D. proxy ARP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 335
You have just changed a NAT rule and committed the change.

Which statement is true?

A. Affected sessions remain active and are not updated until the sessions restart.
B. Affected sessions are torn down and are re-initiated as soon as the SRX device receives matching traffic.
C. Affected sessions are torn down and are immediately re-initiated.
D. Affected sessions are dynamically updated with the configuration change.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 336
Which configuration allows direct access to the 10.10.10.0/24 network without NAT, but uses NAT for all other traffic from the untrust zone to the egress interface?

A. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
rule server-access {
match {
destination-address 10.10.10.0/24;
}
then {
source-nat off;
}
}
B. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
rule server-access {
match {
source-address 10.10.10.0/24;
}
then {
source-nat off;
}
}
C. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule server-access {
match {
destination-address 10.10.10.0/24;
}
then {
source-nat off;
}
}
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
D. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
accept;
}
}
rule server-access {
match {
destination-address 10.10.10.0/24;
}
then {
reject;
}
}

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 337
Which two actions occur during IKE Phase 1? (Choose two.)

A. A secure channel is established between two peers.
B. The proxy ID is used to identify which security association is referenced for the VPN.
C. The Diffie-Hellman key exchange algorithm establishes a shared key for encryption.
D. The security association is identified by a unique security parameter index value.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 338
What are two valid symmetric encryption key types? (Choose two.)

A. DES
B. RSA
C. AES
D. DSA

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 339
Which two are negotiated during Phase 2 of an IPsec VPN tunnel establishment? (Choose two.)

A. security protocol
B. VPN monitor interval
C. UDP port number
D. proxy IDs

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 340
Which three algorithms are used by an SRX Series device to validate the integrity of the data exchanged through an IPsec VPN? (Choose three.)

A. 3DES
B. MD5
C. NHTB
D. SHA1
E. SHA2

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 341
You are asked to implement the hashing algorithm that uses the most bits in the calculation on your Junos security device.

Which algorithm should you use?

A. SHA-512
B. SHA-256
C. MD5-Plus
D. MD5

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 342
You are asked to establish an IPsec VPN to a remote device whose IP address is dynamically assigned by the ISP.

Which IKE Phase 1 mode must you use?

A. passive
B. aggressive
C. main
D. quick

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 343
Which three Diffie-Hellman groups are supported during IKE Phase 1 by the Junos OS? (Choose three.)

A. 1
B. 2
C. 3
D. 4
E. 5

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 344
A security association is uniquely identified by which two values? (Choose two.)

A. security parameter index value
B. security association ID
C. tunnel source address
D. security protocol

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 345
You are asked to establish an IPsec VPN between two sites. The remote device has been preconfigured.

Which two parameters must be identical to the remote device's parameters when designing the local IKE proposal? (Choose two.)

A. security protocol
B. Diffie-Hellman group
C. encryption algorithm
D. Perfect Forward Secrecy keys

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 346
Which two statements are correct about IPsec security associations? (Choose two.)

A. established during IKE Phase 1 negotiations
B. security associations are unidirectional
C. established during IKE Phase 2 negotiations
D. security associations are bidirectional

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 347
You are deploying a branch site which connects to two hub locations over an IPsec VPN. The branch SRX Series device should send all traffic to the first hub
unless it is unreachable and should then direct traffic to the second hub. You must use static routes to send traffic towards the hub site.

Which two technologies should you use to fail over from a primary to a secondary tunnel in less than 60 seconds? (Choose two.)

A. dead peer detection
B. VPN monitoring
C. floating static routes
D. IP monitoring

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 348
Which two statements are correct regarding reth interfaces? (Choose two.)

A. Child interfaces must be in the same slot on both nodes.
B. Child interfaces do not need to be in the same slot on both nodes.
C. Child interfaces must be the same Ethernet interface type.
D. Child interfaces can be a mixture of Ethernet interface types.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 349
Which two statements are correct about establishing a chassis cluster with IPv6? (Choose two.)

A. Only an active/passive cluster can be deployed.
B. Dual-stacked interface addresses are allowed.
C. IPsec site-to-site VPNs over IPv6 are supported.
D. IPv6 address book entries can be used.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 350
You are asked to set up a chassis cluster between your SRX Series devices. You must ensure that the solution provides both dual redundant links per node and
node redundancy.

Which setting should you use?

A. aggregated Ethernet
B. redundant Ethernet
C. aggregated Ethernet LAG
D. redundant Ethernet LAG

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 351
What is supported on the fabric link?

A. jumbo frames
B. filters
C. fragmentation
D. policies

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 352
You are asked to establish a chassis cluster between two SRX Series devices. You must ensure that end-to-end connectivity is monitored and that the redundancy
group will fail over to the other node if the remote device becomes unreachable.

What would ensure this behavior?

A. Bidirectional Forwarding Detection
B. real-time performance monitoring
C. remote interface monitoring
D. remote IP address monitoring

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 353
When using chassis clustering, which link is responsible for configuration synchronization?

A. fxp0
B. fxp1
C. fab0
D. fab1

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 354
Redundant Ethernet interfaces (reths) have a virtual MAC address based on which two attributes? (Choose two.)

A. interface ID of the reth
B. MAC of member interfaces
C. redundancy group ID
D. cluster ID

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 355
You are asked to establish a chassis cluster between two branch SRX Series devices. You must ensure that no single point of failure exists.

What would prevent a single point of failure?

A. dual data plane links
B. redundant routing tables
C. redundant cluster IDs
D. dual control plane links

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 356
Which two statements are correct regarding the cluster ID? (Choose two.)

A. You can have up to 15 unique cluster IDs on a single chassis cluster device.
B. The cluster ID value of 0 indicates that this is the primary chassis cluster on this device.
C. The cluster ID is used to calculate the reth interface's virtual MAC addresses.
D. You must reboot both nodes if you change the cluster ID value.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 357
Which statement is true about real-time objects in an SRX chassis cluster?

A. Real-time objects are exchanged over the fxp1 link to provide highly accurate time synchronization.
B. Real-time objects are exchanged over the fxp1 link to synchronize IPsec security associations.
C. Real-time objects are exchanged over the fab links to provide configuration file synchronization.
D. Real-time objects are exchanged over the fab links to synchronize session table entries.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 358
When using chassis clustering, which action is taken by the Junos OS if the control link or the fabric link suffers a loss of keepalives or heartbeat messages?

A. Both nodes become primary.
B. Both nodes are placed in a disabled state.
C. The secondary node is placed in a disabled state.
D. The primary node fails over and is placed in a disabled state.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 359
You are configuring the SRX Series Services Gateway in chassis cluster mode.

What is a valid way to configure Redundancy Groups (RGs) 1 and 2 for active/active redundancy?

A. Configure RG 1 primary for Node 0 and RG 2 primary for Node 1
B. Configure RG 1 and RG 2 primary for Node 0
C. Configure RG 1 and RG 2 primary for Node 1
D. Configure RG 0 primary for Node 0

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 360
You have just manually failed over Redundancy Group 0 on Node 0 to Node 1. You notice Node 0 is now in a secondary-hold state.

Which statement is correct?

A. The previous primary node moves to the secondary-hold state because an issue occurred during failover. It stays in that state until the issue is resolved.
B. The previous primary node moves to the secondary-hold state and stays there until manually reset, after which it moves to the secondary state.
C. The previous primary node moves to the secondary-hold state and stays there until the hold-down interval expires, after which it moves to the secondary state.
D. The previous primary node moves to the secondary-hold state and stays there until manually failed back to the primary node.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 361
Which three Unified Threat Management features require a license? (Choose three.)

A. antivirus
B. surf control Web filtering
C. Websense Web filtering
D. content filtering
E. antispam

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 362
Which global UTM configuration parameter contains lists, such as MIME patterns, filename extensions, and URL patterns, that can be used across all UTM
features?

A. custom objects
B. feature profile
C. UTM policy
D. address sets

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 363
Your SRX Series device is configured so that all inbound traffic from the Internet is examined by the UTM content filtering feature.

As inbound traffic arrives at the SRX device, which packet processing component is responsible for sending the packets for UTM processing?

A. zone
B. security policy
C. Junos Screen options
D. forwarding lookup

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 364
Which three UTM features require a license? (Choose three.)

A. local list Web filtering
B. express antivirus
C. e-mail filtering
D. antispam
E. enhanced Web filtering

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 365
Which two SRX platforms support UTM features? (Choose two.)

A. SRX240 with base memory
B. SRX100 with high memory
C. SRX650 with base memory
D. SRX1400 with base memory

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 366
Which antivirus protection feature uses the first several packets of a file to determine if the file contains malicious code?

A. express scanning
B. intelligent prescreening
C. full file-based
D. Kaspersky

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 367
Which antivirus protection feature uses virus patterns and a malware database that are located on external servers?

A. full file-based
B. Kaspersky
C. Sophos
D. express scan

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 368
You have implemented Integrated SurfControl Web filtering on an SRX Series device. You have also created a whitelist and a blacklist on the SRX device. One
particular Web site matches all three: the whitelist, the blacklist, and the SurfControl policy.

Which statement is correct?

A. Access is not allowed because the blacklist is processed first.
B. Access is allowed because the whitelist is processed first.
C. Access will be controlled by the SurfControl policy, because it is processed first.
D. Access is based on the priority of each policy as defined in the fallback settings in the UTM policy.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 369
You have deployed enhanced Web filtering on an SRX Series device. A user requests a URL that is not in the URL filtering cache.

What happens?

A. The request is permitted immediately but the SRX device then requests the category from the configured server and caches the response for use with
subsequent requests.
B. The request is blocked immediately but the SRX device then requests the category from the configured server and caches the response for use with
subsequent requests.
C. The SRX device requests the category from the configured server. Once the response is received, the SRX device processes the request against the policy
based on the information received and caches the response.
D. The SRX device will either permit or deny the request immediately depending on the configuration in the UTM policy. The SRX device then requests the
category from the central server and caches the response for use with subsequent requests.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 370
You are configuring a blacklist for Web filtering on a branch SRX Series device.

Which two URL patterns are valid? (Choose two.)

A. http://www.company.com/*
B. http://*.company.com
C. www.company.com
D. 1.2.3.4

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 371
Which two criteria does the enhanced Web filtering solution use to make decisions? (Choose two.)

A. site reputation
B. keyword in the document
C. results of antivirus scan
D. category

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 372
-- Exhibit --
[edit interfaces]
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
[edit vlans]
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you need to allow ping traffic into interface ge-0/0/1.

Which configuration step will accomplish this task?

A. set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
B. set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic system-services ping
C. set security zones security-zone trust interfaces vlan-trust host-inbound-traffic system-services ping
D. set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 373
-- Exhibit

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which two services are allowed on the ge-0/0/2.0 interface? (Choose two.)

A. Ping
B. DNS
C. Telnet
D. SSH

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 374
-- Exhibit --
[edit security policies from-zone untrust to-zone junos-host]
user@host# show
policy allow-management {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}

[edit security zones security-zone untrust]
user@host# show
host-inbound-traffic {
protocols {
ospf;
}
}
interfaces {
ge-0/0/0.0;
}
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you want to be able to manage your SRX Series device from the Internet using SSH. You have created a security policy to allow the traffic
to flow into the SRX device.

Which additional configuration step is required?

A. Define the junos-host zone and add the SSH service to it.
B. Add the SSH service to the untrust zone.
C. Define the junos-host zone, add the SSH service and the loopback interface to it.
D. Rewrite the security policy to allow SSH traffic from the untrust zone to the global zone.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 375
-- Exhibit --
security {
policies {
from-zone TRUST to-zone UNTRUST {
policy hosts-allow {
match {
source-address hosts;
destination-address any;
application any;
}
then {
permit;
}
scheduler-name block-hosts;
}
policy allow {
match {
source-address any;
destination-address any;
application junos-http;
}
then {
permit;
}
}
policy deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
}
schedulers {
scheduler block-hosts {
daily {
start-time 10:00:00 stop-time 18:00:00;
}
}
}
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet during specific times. You notice that hosts are still accessing the
Internet during times outside of the scheduler's parameters.

What is allowing hosts to access the Internet?

The policy allow is allowing hosts access during unscheduled hours.

A. The policy hosts-allow should have a then statement of deny.
B. The policy hosts-allow should have an application of junos-http.
C. The policy deny should have the scheduler applied.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 376
-- Exhibit --
security {
policies {
from-zone TRUST to-zone UNTRUST {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
policy allow-hosts {
match {
source-address hosts;
destination-address any;
application junos-http;
}
then {
permit;
}
scheduler-name block-hosts;
}
policy deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
}
schedulers {
scheduler block-hosts {
daily {
start-time 10:00:00 stop-time 18:00:00;
}
}
}
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet during specific times. You notice that hosts are unable to access the
Internet.

What is blocking hosts from accessing the Internet?

A. The policy allow-all should have the scheduler applied.
B. The policy allow-hosts should match on source-address any.
C. The policy allow-hosts should have an application of any.
D. The policy allow-all should have a then statement of permit.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 377
-- Exhibit

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which policy will allow traffic from Host 1, Host 2, and Host 3 to the Internet?

A. [edit security policies]
user@host# show
global {
policy allow-internet {
match {
source-address [ host-1 host-2 host-3 ];
destination-address any;
application any;
}
then permit;
}
}
B. [edit security policies]
user@host# show
from-zone all to-zone all {
policy allow-internet {
match {
source-address [ host-1 host-2 host-3 ];
destination-address any;
application any;
}
then permit;
}
}
C. [edit security policies]
user@host# show
default {
policy allow-internet {
match {
source-address [ host-1 host-2 host-3 ];
destination-address any;
application any;
}
then permit;
}
}
D. [edit security policies]
user@host# show
from-zone any to-zone any {
policy allow-internet {
match {
source-address [ host-1 host-2 host-3 ];
destination-address any;
application any;
}
then permit;
}
}

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 378
-- Exhibit --
[edit security policies]
user@host# show
from-zone hr to-zone internet {
policy internet-access {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy clean-up {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
-- Exhibit --

Click the Exhibit button.

You want to permit access to the Internet from the hr zone during a specified time.
Which configuration will accomplish this task?

A. Configure a scheduler, apply it to a new policy, and insert it after internet-access to permit Internet access.
B. Configure a scheduler and apply it to the policy internet-access to deny Internet access.
C. Configure a scheduler and apply it to the policy internet-access to permit Internet access.
D. Configure a scheduler, apply it to a new policy, and insert it before internet-access to permit Internet access.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
QUESTION 379
-- Exhibit

-- Exhibit --

Click the Exhibit button.

You are asked to configure a hub-and-spoke VPN. All the VPN components have been configured, and you are able to ping the remote tunnel interfaces at Site 1
and Site 2 from the Hub site as shown in the exhibit. The Hub site's external interface is in security zone untrust and the st0 interfaces from each site are in security
zone DMZ. Users in Site 2 are unable to connect to a Web server in Site 1.

Which additional step is required at the hub site for users to access the Web server?

A. Configure a VPN between Site 1 and Site 2.
B. Configure a policy in the untrust zone that allows traffic between the sites.
C. Configure a policy in the VPN zone that allows traffic between the sites.
D. Configure a policy between the VPN and untrust zones.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 380
-- Exhibit

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you need to allow FTP traffic from the Internet to the FTP server in the Trust zone. You have built a custom application so that you can
modify the timeout value for FTP sessions and have configured a policy to allow FTP traffic from Untrust to Trust, but the traffic still does not flow. The current
status of the FTP ALG is disabled.

What is the problem?

A. The FTP ALG has not been enabled in the security policy.
B. The FTP ALG has not been enabled in the security zones.
C. The FTP ALG has been disabled on the device.
D. The FTP ALG has not been set in the custom application definition.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 381
-- Exhibit
-- Exhibit --

Click the Exhibit button.

A server in the DMZ of your company is under attack. The attacker is opening a large number of TCP connections to your server which causes resource utilization
problems on the server. All of the connections from the attacker appear to be coming from a single IP address.

Referring to the exhibit, which Junos Screen option should you enable to limit the effects of the attack while allowing legitimate traffic?

A. Apply the Junos Screen option limit-session source-based-ip to the Untrust security zone.
B. Apply the Junos Screen option limit-session source-based-ip to the DMZ security zone.
C. Apply the Junos Screen option limit-session destination-based-ip to the Untrust security zone.
D. Apply the Junos Screen option limit-session destination-based-ip to the DMZ security zone.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 382
-- Exhibit

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you want to use source NAT to translate the Web server's IP address to the IP address of ge-0/0/2.

Which source NAT type accomplishes this task and always performs PAT?

A. source NAT with address shifting
B. standard pool-based NAT
C. interface-based source NAT
D. reverse source NAT

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 383
-- Exhibit --
user@srx> show security flow session
Session ID: 10702, Policy name: default-permit/4, Timeout: 1794, Valid
In: 2.3.4.5/5000 --> 10.1.2.3/22;tcp, If: fe-0/0/6.0, Pkts: 88444, Bytes: 7009392
Out: 10.1.2.3/22 --> 10.1.1.1/5000;tcp, If: .local..0, Pkts: 81672, Bytes: 6749337
-- Exhibit --

Click the Exhibit button.

From this output, which type of NAT is configured?

A. interface source NAT
B. static destination NAT
C. static source NAT
D. pool-based source NAT with PAT

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 384
-- Exhibit --
[edit security nat source]
user@srx# show
pool A {
address {
172.16.52.94/32;
}
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 192.168.233.0/24;
}
then {
source-nat {
pool {
A;
}
}
}
}
}
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

A. PAT is enabled.
B. PAT is disabled.
C. Address persistence is enabled.
D. Address persistence is disabled.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 385
-- Exhibit --
[edit security nat]
user@host# show source
pool pool-one {
address {
68.183.13.0/24;
}
}
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule pool-nat {
match {
source-address 10.10.10.1/24;
}
then {
source-nat {
pool {
pool-one;
}
}
}
}
rule no-nat {
match {
destination-address 192.150.2.140/32;
}
then {
source-nat {
off;
}
}
}
}
-- Exhibit --

Click the Exhibit button.

You have implemented source NAT using a source pool for address translation. However, traffic destined for 192.150.2.140 should not have NAT applied to it. The
configuration shown in the exhibit is not working correctly.

Which change is needed to correct this problem?

A. Insert no-nat before pool-nat.
B. The no-nat rule should be in a separate rule-set.
C. Destination NAT should be used to exclude the traffic destined for 192.150.2.140.
D. Proxy ARP needs to be applied on the 192.150.2.140 address for the rule to function.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 386
-- Exhibit

-- Exhibit --

Click the Exhibit button.

A PC in the trust zone is trying to ping a host in the untrust zone.

Referring to the exhibit, which type of NAT is configured?

A. source NAT
B. destination NAT
C. static NAT
D. NAT pool

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 387
-- Exhibit --
[edit security nat source]
user@host# show
pool snat-pool {
address {
10.10.10.10/32;
10.10.10.11/32;
}
}
pool-utilization-alarm raise-threshold 50 clear-threshold 40;
rule-set user-nat {
from zone trust;
to zone untrust;
rule snat {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
pool {
snat-pool;
}
}
}
}
}
-- Exhibit --

Click the Exhibit button.

Your network management station has generated an alarm regarding NAT utilization based on an SNMP trap received from an SRX Series device.

Referring to the exhibit, which statement is correct about the alarm?

A. The network management station will require manual intervention to clear the alarm.
B. Once utilization is below 40 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm.
C. Once utilization is below 50 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm.
D. Once utilization is below 80 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 388
-- Exhibit

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which three statements are correct? (Choose three.)

A. Source NAT is configured.
B. Address shifting is configured.
C. Interface-based NAT is configured.
D. Pool-based NAT is configured.
E. IPv6 is configured to bypass NAT.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 389
-- Exhibit

-- Exhibit --

Click the Exhibit button.

You are troubleshooting an IPsec VPN connection between a local SRX Series device using IP address 192.168.1.100 and a remote SRX device using IP address
192.168.2.100. A VPN connection cannot be established. Referring to the exhibit, you examine the kmd log file.

What is the problem?

A. The Phase 2 proposal is invalid.
B. The Phase 1 proposal is invalid.
C. The Phase 1 gateway is invalid.
D. The Phase 2 gateway is invalid.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 390
-- Exhibit

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which statement is correct about the IPsec configuration?

A. The IPsec tunnel endpoint does not have a static IP address.
B. IKE Phase 2 is established immediately from the hub.
C. Protocol AH is used with IKE Phase 2.
D. IKE Phase 2 uses a standard proposal.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 391
-- Exhibit
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which statement is correct about the IPsec configuration?

A. Policy-based implementation is used.
B. Dynamic VPN implementation is used.
C. Route-based implementation is used.
D. Hub-and-spoke implementation is used.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 392
-- Exhibit
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you are setting up the hub in a hub-and-spoke IPsec VPN. You have verified that all configured parameters are correct at all sites, but your
IPsec VPN is not establishing to both sites.

Which configuration parameter is missing at the hub to complete the configuration?

A. A different external-interface is needed for vpn1.
B. A different st0 logical interface is needed for vpn2.
C. Establish-tunnels immediately must be configured for vpn1.
D. Multipoint needs to be configured under the st0.0 interface.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 393
-- Exhibit --
security {
ike {
policy IKE-STANDARD {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "XXXXXX";
}
gateway GW-HUB {
ike-policy IKE-STANDARD;
dynamic hostname site1.company.com;
external-interface ge-0/0/0.0;
}
}
ipsec {
policy IPSEC-STANDARD {
proposal-set standard;
}
vpn VPN-HUB {
bind-interface st0.0;
ike {
gateway GW-HUB;
ipsec-policy IPSEC-STANDARD;
}
}
}
zones {
security-zone untrust {
host-inbound-traffic {
system-services {
ping;
ike;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone trust {
system-services {
ping;
}
interfaces {
ge-0/0/1.0;
}
}
}
}
-- Exhibit --

Click the Exhibit button.

You are implementing a new route-based IPsec VPN on an SRX Series device and the tunnel will not establish.

What needs to be modified in the configuration shown in the exhibit?

A. Change the bind-interface from st0.0 to ge-0/0/0.0.
B. Add st0.0 to a security zone.
C. Add esp under host-inbound-traffic on zone untrust.
D. Add ike under host-inbound-traffic on zone trust.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 394
-- Exhibit --
user@host> show security ike security-associations 1.1.1.2
Index Remote Address State Initiator cookie Responder cookie Mode
8 1.1.1.2 UP 3a895f8a9f620198 9040753e66d700bb Main

user@host> show security ipsec security-associations
Total active tunnels: 0

user@host> show route

inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:25
> to 2.2.2.1 via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:00:25
> via ge-0/0/0.0
2.2.2.2/32 *[Local/0] 00:00:25
Local via ge-0/0/0.0
10.1.1.0/30 *[Direct/0] 00:06:06
> via st0.0
10.1.1.1/32 *[Local/0] 00:06:06
Local via st0.0
10.12.1.0/24 *[Direct/0] 00:06:06
> via ge-0/0/1.0
10.12.1.1/32 *[Local/0] 00:06:06
Local via ge-0/0/1.0
10.128.64.0/24 *[Static/5] 00:00:25
> to 2.2.2.1 via ge-0/0/0.0

user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: vpn
Policy: permit-all, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
-- Exhibit --

Click the Exhibit button.


You have created an IPsec VPN on an SRX Series device. You believe the tunnel is configured correctly, but traffic from a host with the IP address of 10.12.1.10
cannot reach a remote device over the tunnel with an IP address of 10.128.64.132. The ge-0/0/1.0 interface is in the trust zone and the st0.0 interface is in the vpn
zone. The output of four show commands is shown in the exhibit.
What is the configuration problem with the tunnel?

A. Only one IKE tunnel exists so there is no path for return IKE traffic. You need to allow IKE inbound on interface ge-0/0/0.0.
B. Because there are no IPsec security associations, the problem is in the IPsec proposal settings.
C. The static route created to reach the remote host is incorrect.
D. The VPN settings are correct, the traffic is being blocked by a security policy.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 395
-- Exhibit --
user@host> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
<131073 ESP:3des/sha1 ac23df79 2532/ unlim - root 4500 1.1.1.1
>131073 ESP:3des/sha1 cbc9281a 2532/ unlim - root 4500 1.1.1.1

user@host> show security ipsec security-associations detail


Virtual-system: root
Local Gateway: 1.0.0.1, Remote Gateway: 1.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Direction: inbound, SPI: ac23df79, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2578 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: cbc9281a, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2578 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
-- Exhibit --

Click the Exhibit button.

The exhibit shows output from two show commands.

What are two conclusions about the VPN tunnel from the output? (Choose two.)

A. VPN monitoring is enabled.
B. There is a device performing NAT between the two VPN endpoints.
C. 3DES is the encryption protocol.
D. Traffic with the DF-bit set that exceeds the MTU will be dropped.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 396
-- Exhibit --
-- Exhibit --

Click the Exhibit button.

Server A is communicating with Server B directly over the Internet. The servers now must begin exchanging additional information through an unencrypted protocol.
To protect this new data exchange, you want to establish a VPN tunnel between the two sites that will encrypt just the unencrypted data while leaving the existing
communications directly over the Internet.

Which statement would achieve the desired results?

A. Configure a route-based VPN and use filter-based forwarding to direct traffic into the VPN tunnel.
B. Configure a route-based VPN tunnel with traffic engineering to direct traffic into the VPN tunnel.
C. Configure a policy-based VPN with a security policy that matches the unencrypted traffic and directs it into the VPN tunnel.
D. Configure a policy-based VPN tunnel and use filter-based forwarding to direct the unencrypted traffic into interface st0.0.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 397
-- Exhibit --
user@host# set interfaces ge-0/0/5 gigether-options redundant-parent reth1
user@host# set interfaces ge-5/0/5 gigether-options redundant-parent reth1
user@host# set interfaces reth1.0 family inet address 192.168.1.100/30
user@host# commit
[edit interfaces reth1]
'unit 0'
reth1 needs to be associated with a non-zero redundancy-group
error: configuration check-out failed
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have built a chassis cluster, set up a reth, and put interfaces into the reth. However, when you try to commit the configuration, you
receive the error shown in the exhibit.

Which configuration command will correct this error?

A. Set chassis cluster reth-count 2
B. Set chassis cluster redundancy-group 1 interface-monitor reth1
C. Set interfaces reth1 redundant-ether-options redundancy-group 1
D. Set chassis cluster redundancy-group 0 interface-monitor reth1

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 398
-- Exhibit --
-- Exhibit --

Click the Exhibit button.


Referring to the exhibit, failover to Node 0 occurred for Redundancy Group 2 because of an interface failure. The interface has since been restored, but Node 0 is
still the primary node for Redundancy Group 2.
Which two actions will restore Node 1 as the primary node for Redundancy Group 2? (Choose two.)

A. Decrease the priority of Node 1 to 100.
B. Increase the priority of Node 1 to 255.
C. Configure preempt under Redundancy Group 2.
D. Manually fail over to Redundancy Group 2.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 399
-- Exhibit --
user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
node 0 priority 200;
node 1 priority 100;
interface-monitor {
ge-0/0/5 weight 85;
ge-0/0/6 weight 85;
ge-0/0/7 weight 85;
ge-0/0/8 weight 85;
ge-5/0/5 weight 85;
ge-5/0/6 weight 85;
ge-5/0/7 weight 85;
ge-5/0/8 weight 85;
}
}
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is currently the primary node. You want to ensure that traffic using those
interfaces fails over to Node 1 if one interface goes down.

Which configuration change should be made to ensure failover to Node 1?

A. Decrease the weight of the interfaces to 1.
B. Increase the weight of the interfaces to 255.
C. Increase the weight of the interfaces to between 128 and 254.
D. Decrease the weight of the interfaces to between 1 and 64.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 400
-- Exhibit --
user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
node 0 priority 200;
node 1 priority 100;
interface-monitor {
ge-0/0/5 weight 85;
ge-0/0/6 weight 85;
ge-0/0/7 weight 85;
ge-0/0/8 weight 85;
ge-5/0/5 weight 85;
ge-5/0/6 weight 85;
ge-5/0/7 weight 85;
ge-5/0/8 weight 85;
}
}
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is currently the primary node. You want to ensure that traffic, using those
interfaces, fails over to Node 1 when all interfaces go down.

Which configuration change should be made to ensure failover to Node 1?

A. Decrease the weight of the interfaces to 1.
B. Increase the weight of the interfaces to 255.
C. Increase the weight of the interfaces to between 86 and 128.
D. Decrease the weight of the interfaces to between 64 and 84.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 401
-- Exhibit --
-- Exhibit --

Click the Exhibit button.


Referring to the exhibit, with Node 0 as primary for Redundancy Group (RG) 1, which action will the Junos OS chassis cluster take if interface ge-1/0/0 goes down?

A. RG 1 will remain primary on Node 0.
B. RG 1 will become primary on Node 1.
C. RG 1 will become disabled.
D. RG 1 will remove the interface from the redundancy group.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 402
-- Exhibit --
-- Exhibit --

Click the Exhibit button.

You have configured antispam on your SRX Series device as shown in the exhibit.

Assuming the antispam profile has been properly applied, what happens when an e-mail message arrives at the SRX device from bob@domain-xyz.net at IP
address 150.10.10.10?

A. The message matches the whitelist and is forwarded to the destination.
B. The message matches the blacklist and is blocked.
C. The message matches the blacklist and is forwarded to the destination with "SPAM:" automatically appended to the beginning of the e-mail subject line.
D. The message matches both lists and is blocked because the SRX device defaults to the more restrictive setting.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 403
-- Exhibit --
-- Exhibit --

Click the Exhibit button.

You have configured antispam on your SRX Series device as shown in the exhibit.

Assuming the antispam profile has been properly applied, what happens when an e-mail message arrives at the SRX device from mary@domain-abc.net at IP
address 150.150.150.10?

A. The message matches the whitelist and is forwarded to the destination.
B. The message matches the blacklist and is blocked.
C. The message matches the blacklist and is forwarded to the destination with "SPAM:" automatically appended to the beginning of the e-mail subject line.
D. The message matches both lists and is blocked because the device defaults to the more restrictive setting.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 404
-- Exhibit --
-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have just committed the UTM configuration.

Which statement is correct?

A. Intelligent prescreening is not configured.
B. Sophos scanning is configured.
C. Kaspersky scanning is configured.
D. Intelligent prescreening is configured.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 405
-- Exhibit --
[edit security utm feature-profile content-filtering] user@host# show
profile profileA {
block-content-type {
exe;
zip;
}
notification-options {
type message;
custom-message "Not permitted. illegal file type";
}
}
-- Exhibit --

Click the Exhibit button.

Your SRX Series device includes the content filtering configuration shown in the exhibit.

Assuming the content filtering profile has been properly applied, what happens when a user attempts to send a zip file through the SRX device using FTP?

A. The file is blocked and silently dropped.
B. The file is blocked and a message is sent back to the user.
C. The file is permitted and forwarded to its destination, and a message is sent back to the user.
D. The file is permitted and forwarded to its destination.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 406
-- Exhibit --
[edit security utm]
user@host# show
custom-objects {
url-pattern {
permit {
value http://www.domain-abc.net;
}
deny {
value http://www.domain-abc.net/movies;
}
}
custom-url-category {
whitelist {
value permit;
}
blacklist {
value deny;
}
}
}
feature-profile {
web-filtering {
url-whitelist whitelist;
url-blacklist blacklist;
type juniper-local;
juniper-local {
profile profileA {
default block;
custom-block-message "Website access not permitted";
}
}
}
}
-- Exhibit --

Click the Exhibit button.

Your SRX Series device includes the Web filtering configuration shown in the exhibit.

Assuming the Web filtering profile has been properly applied, what happens when a user attempts to access the Web site www.juniper.net through the SRX device?

A. The HTTP request is blocked and the user's Web browser eventually times out.
B. The HTTP request is blocked and a message is sent back to the user.
C. The HTTP request is intercepted and the URL is sent to the Websense server. The SRX device permits or blocks the request based on the information it
receives back from the server.
D. The HTTP request is permitted and forwarded to the Web server.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 407
What does a zone contain?

A. Routers
B. Interfaces
C. Routing tables
D. NAT Address

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 408
Referring to the exhibit, which two statements are correct? (Choose two.)

-- Exhibit --
[edit security zones]
user@host# show
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ssh;
            ping;
        }
    }
    interfaces {
        ge-0/0/1.0;
        ge-0/0/3.0 {
            host-inbound-traffic {
                protocols {
                    ospf;
                }
            }
        }
    }
}
-- Exhibit --

A. An OSPF adjacency can be established on interface ge-0/0/3.
B. An OSPF adjacency can be established on both interfaces.
C. SSH can connect on interface ge-0/0/1.
D. Ping is not allowed on either interface.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 409
Which statement is true about a logical interface?

A. A logical interface can belong to multiple zones.
B. A logical interface can belong to multiple routing instances.
C. A logical interface can belong to only one routing instance.
D. All logical interfaces in a routing instance must belong to a single zone.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 410
You want to configure a security policy that allows traffic to a particular host.

Which step must you perform before committing a configuration with the policy?

A. Define a static route to the host.
B. Ensure that the router can ping the host.
C. Define an address book entry for the host.
D. Ensure that the router has an ARP entry for the host.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 411
Which three match criteria must each security policy include? (Choose three.)

A. source address
B. source port
C. destination address
D. destination port
E. application

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 412
Which three IP option fields can an attacker exploit to cause problems in a network? (Choose three.)

A. loose source routing
B. timestamp
C. time-to-live
D. record route
E. DSCP

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 413
Which statement is true about implementing IP spoofing protection as a Junos Screen option?

A. It ensures that the active route to the source has the same egress interface as the ingress interface for the packet.
B. It ensures that a route, active or not, to the source exists with the same egress interface as the ingress interface of the packet.
C. It ensures that the active route to the source has the same egress zone as the ingress zone for the packet.
D. It ensures that a route, active or not, to the source exists with the same egress zone as the ingress zone for the packet.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 414
A PC in the trust zone is trying to ping a host in the untrust zone. Referring to the exhibit, which type of NAT is configured?

A. source NAT
B. destination NAT
C. static NAT
D. NAT pool

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 415
Which operational command produces the output shown in the exhibit?

A. show security nat source rule
B. show route forwarding-table
C. show security nat source pool all
D. show security nat source summary

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 416
For a route-based VPN, which statement is true?

A. host-inbound-traffic system-services ike must be enabled on the st0.x interface.
B. host-inbound-traffic system-services ike must be enabled on both the st0.x interface and the logical interface on which IKE terminates.
C. host-inbound-traffic system-services ike must be enabled on the logical interface on which IKE terminates.
D. host-inbound-traffic system-services ike is not mandatory for route-based VPNs.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 417
Which function does Diffie-Hellman exchange perform for IPsec VPN?

A. It encrypts end-user traffic between the two VPN peers.
B. It securely exchanges the pre-shared keys over the network.
C. It negotiates IPsec Phase 2 parameters with the VPN peer.
D. It exchanges static routes with the VPN peer.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 418
Referring to the exhibit, which two statements are correct about the IPsec configuration? (Choose two.)

A. IKE Phase 2 establishes when payload traffic flows.
B. IKE Phase 2 establishes immediately.
C. Protocol ESP is used.
D. Protocol AH is used.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 419
Which three components can be downloaded and installed directly from Juniper Networks update server to an SRX Series device? (Choose three.)

A. signature package
B. PCRE package
C. detector engine
D. policy templates
E. dynamic attack detection package

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 420
You have a chassis cluster established between two SRX Series devices. You are monitoring the status of the cluster and notice that some redundancy groups show as disabled.

What are two explanations for this behavior? (Choose two.)

A. The fxp0 interface is down.
B. The fxp1 interface is down.
C. The fab interface is down.
D. The swfab interface is down.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 421
Referring to the exhibit, you see that Node 0 is currently primary for Redundancy Group 0. You have not yet configured any chassis cluster parameters. You want to ensure that Node 1 is always the primary node for this redundancy group if both nodes reboot at the same time.

Which configuration step would accomplish this task?

-- Exhibit --
user@host> show chassis cluster status
Cluster ID: 1
Node       Priority   Status      Preempt   Manual failover
Redundancy group: 0 , Failover count: 1
    node0       1      primary       no        no
    node1       1      secondary     no        no
-- Exhibit --

A. user@host# set chassis cluster redundancy-group 0 node 1 priority 1
B. user@host# set chassis cluster redundancy-group 0 node 1
C. user@host# set chassis cluster redundancy-group 0 preempt
D. user@host# set chassis cluster redundancy-group 0 node 0 priority 255
E. user@host# set chassis cluster redundancy-group 0 node 1 priority 254

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 422
Referring to the exhibit, you have just committed the UTM antivirus configuration. You notice that the SRX Series device shows that Kaspersky scanning is being
used instead of express scanning. What must you do to resolve this problem?

A. You must configure the antivirus type to use express scanning.
B. You must configure the antivirus type to disable Kaspersky.
C. You must update the antivirus signatures.
D. You must wait until the next pattern update.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 423
Which type of logging is supported for UTM logging to an external syslog server on branch SRX Series devices?

A. Binary syslog
B. CHARGEN
C. WELF (structured) syslog
D. standard (unstructured) syslog

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 424
To which depth of compressed (Zip) files can the Junos full antivirus feature scan?

A. 1 layer of compression
B. 2 layers of compression
C. 3 layers of compression
D. 4 layers of compression

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 425
Which two statements describe full file-based antivirus protection? (Choose two.)

A. By default, the signature database is updated every 60 minutes.
B. By default, the signature database is updated once daily.
C. The signature database targets only critical viruses and malware.
D. The signature database can detect polymorphic virus types.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
