JN0 633

Juniper JN0-633
Security, Professional (JNCIP-SEC)

Version: 5.0
Juniper JN0-633 Exam
QUESTION NO: 1
What are two network scanning methods? (Choose two.)
A. SYN flood
B. ping of death
C. ping sweep
D. UDP scan
Answer: C,D
Explanation:
The question is about the network scanning. So correct answers are ping sweep and UDP scan as
both are port scanning types.
Reference:URL:http://althing.cs.dartmouth.edu/local/Network_Scanning_Techniques.pdf
QUESTION NO: 2
What are two intrusion protection mechanisms available on SRX Series Services Gateways?
(Choose two.)
A. routing update detection

B. traffic anomaly detection
C. NAT anomaly protection
D. DoS protection
Answer: B,D
Explanation:
Juniper IPS system prevents Traffic Anamoly detection and DoS/DDoS attacks.
Reference: http://www.juniper.net/in/en/products-services/software/router-services/ips/
QUESTION NO: 3
What is a benefit of using a dynamic VPN?
A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.

B. It eliminates the need for point-to-point VPN tunnels.
C. It provides a way to grant VPN access on a per-user-group basis.
"Pass Any Exam. Any Time." - www.actualtests.com 2

D. It simplifies IPsec access for remote clients.
Answer: D
Explanation:
Reference:http://tutarticle.com/networking/benefits-of-dynamic-multipoint-vpn-dmvpn/
QUESTION NO: 4
What is a benefit of using a group VPN?
A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.

B. It eliminates the need for point-to-point VPN tunnels.
C. It provides a way to grant VPN access on a per-user-group basis.
D. It simplifies IPsec access for remote clients.
Answer: B
Explanation:
Reference :Page 4
http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCkQFjAA
&url=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttp%2Fwww.thomas-
krenn.com%2Fredx%2Ftools%2Fmb_download.php%2Fmid.x6d7672335147784949386f3d%2FM
anual_Configuring_Group_VPN_Juniper_SRX.pdf%3Futm_source%3Dthomas-
krenn.com%26utm_medium%3DRSS-
Feed%26utm_content%3DConfiguring%2520Group%2520VPN%26utm_campaign%3DDownload
s&ei=C2HrUaSWD8WJrQfXxYGYBA&usg=AFQjCNFgKnv9ZLwqZMmbzAfvGDPvoMz7dw&bvm=
bv.49478099,d.bmk
QUESTION NO: 5
Which statement is true about Layer 2 zones when implementing transparent mode security?
A. All interfaces in the zone must be configured with the protocol family mpls.
B. All interfaces in the zone must be configured with the protocol family inet.
C. All interfaces in the zone must be configured with the protocol family bridge.
D. All interfaces in the zone must be configured with the protocol family inet6.
Answer: C
Explanation:

Reference (page no 12) http://www.juniper.net/techpubs/en_US/junos12.1x44/information-
products/pathway-pages/security/security-layer2-bridging-transparent-mode.pdf
QUESTION NO: 6
What are two AppSecure modules? (Choose two.)
A. AppDoS
B. AppFlow
C. AppTrack
D. AppNAT
Answer: A,C
Explanation:
Reference :Page No 2 Figure 1
http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf
QUESTION NO: 7
You are working as a security administrator and must configure a solution to protect against
distributed botnet attacks on your company's central SRX cluster.
How would you accomplish this goal?
A. Configure AppTrack to inspect and drop traffic from the malicious hosts.
B. Configure AppQoS to block the malicious hosts.
C. Configure AppDoS to rate limit connections from the malicious hosts.
D. Configure AppID with a custom application to block traffic from the malicious hosts.
Answer: C
Explanation:
Reference :Page No 2 Figure 1
http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf
QUESTION NO: 8
You are asked to change the configuration of your company's SRX device so that you can block

nested traffic from certain Web sites, but the main pages of these Web sites must remain available
to users. Which two methods will accomplish this goal? (Choose two.)
A. Enable the HTTP ALG.

B. Implement a firewall filter for Web traffic.
C. Use an IDP policy to inspect the Web traffic.
D. Configure an application firewall rule set.
Answer: B,D
Explanation:
Reference: An application layer gateway (ALG) is a feature on ScreenOS gateways that enables
the gateway to parse application layer payloads and take decisions on them.ALGs are typically
employedto support applications that use the application layer payload to communicate the
dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which
the applications open data connections
(http://kb.juniper.net/InfoCenter/index?page=content&id=KB13530)
IDP policy defines the rule for defining the type of traffic permittedon
network(http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-
swconfig-security/enable-idp-security-policy-section.html)
QUESTION NO: 9
You are using the AppDoS feature to control against malicious bot client attacks. The bot clients
are using file downloads to attack your server farm. You have configured a context value rate of
10,000 hits in 60 seconds. At which threshold will the bot clients no longer be classified as
malicious?
A. 5000 hits in 60 seconds

B. 8000 hits in 60 seconds
C. 7500 hits in 60 seconds
D. 9999 hits in 60 seconds
Answer: B
Explanation:
Reference :
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-
swconfig-security/appddos-protection-overview.html

QUESTION NO: 10
Your company's network has seen an increase in Facebook-related traffic. You have been asked
to restrict the amount of Facebook-related traffic to less than 100 Mbps regardless of congestion.
What are three components used to accomplish this task? (Choose three.)
A. IDP policy
B. application traffic control
C. application firewall
D. security policy
E. application signature
Answer: B,D,E
Explanation:
An IDP policy defines how your device handles the networktraffic.It will not limit the rate.
Reference:http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-
security-swconfig-security/idp-policy-overview-section.html)
Application Firewallenforces protocol and policy control at Layer 7. It inspects the actual content of
the payload and ensures that it conforms to the policy, rather thanlimiting the rate.
Reference:http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/application-
firewall-overview.html
QUESTION NO: 11
You recently implemented application firewall rules on an SRX device to act upon encrypted
traffic. However, the encrypted traffic is not being correctly identified.
Which two actions will help the SRX device correctly identify the encrypted traffic? (Choose two.)
A. Enable heuristics to detect the encrypted traffic.

B. Disable the application system cache.
C. Use the junos:UNSPECIFIED-ENCRYPTED application signature.
D. Use the junos:SPECIFIED-ENCRYPTED application signature.
Answer: A,C
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/encrypted-p2p-
heuristics-detection.html

QUESTION NO: 12
You have just created a few hundred application firewall rules on an SRX device and applied them
to the appropriate firewall polices. However, you are concerned that the SRX device might
become overwhelmed with the increased processing required to process traffic through the
application firewall rules.
Which three actions will help reduce the amount of processing required by the application firewall
rules? (Choose three.)
A. Use stateless firewall filtering to block the unwanted traffic.

B. Implement AppQoS to drop the unwanted traffic.
C. Implement screen options to block the unwanted traffic.
D. Implement IPS to drop the unwanted traffic.
E. Use security policies to block the unwanted traffic.
Answer: A,C,E
Explanation:
IPS and AppDoS are the most powerful, and thus, the least efficient method of dropping traffic on
the SRX, because IPS and AppDoS tend to take up the most processing cycles.
Reference :http://answers.oreilly.com/topic/2036-how-to-protect-your-network-with-security-tools-
for-junos/
QUESTION NO: 13
Referring to the following output, which command would you enter in the CLI to produce this
result?
Pic2/1
Ruleset Application Client-to-server Rate(bps) Server-to-client Rate(bps)
http-App-QoS HTTP ftp-C2S 200 ftp-C2S 200
http-App-QoS HTTP ftp-C2S 200 ftp-C2S 200
ftp-App-QoS FTP ftp-C2S 100 ftp-C2S 100

A. show class-of-service interface ge-2/1/0
B. show interface flow-statistics ge-2/1/0
C. show security flow statistics
D. show class-of-service applications-traffic-control statistics rate-limiter
Answer: D
Explanation:
Reference :http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/reference/command-
summary/show-class-of-service-application-traffic-control-statistics-rate-limiter.html
QUESTION NO: 14
You are asked to apply individual upload and download bandwidth limits to YouTube traffic.
Where in the configuration would you create the necessary bandwidth limits?
A. under the [edit security application-firewall] hierarchy

B. under the [edit security policies] hierarchy
C. under the [edit class-of-service] hierarchy
D. under the [edit firewall policer <policer-name>] hierarchy
Answer: D
Explanation:
Reference :http://forums.juniper.net/t5/SRX-Services-Gateway/Need-help-with-bandwidth-
uploading-downloading-polcier/td-p/146666
QUESTION NO: 15
You want to verify that all application traffic traversing your SRX device uses standard ports. For
example, you need to verify that only DNS traffic runs through port 53, and no other protocols.
How would you accomplish this goal?
A. Use an IDP policy to identify the application regardless of the port used.
B. Use a custom ALG to detect the application regardless of the port used.
C. Use AppTrack to detect the application regardless of the port used.
D. Use AppID to detect the application regardless of the port used.
Answer: A

Explanation:
AppTrack for detailed visibility of application traffic Also AppTrack is aka AppID
Reference :http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-AppTrack-aka-AppID/td-
p/63029
An Application Layer Gateway (ALG) is a software component that is designed to manage specific
protocols
Reference :http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-
security-swconfig-security/id-79332.html
QUESTION NO: 16
You are asked to establish a baseline for your company's network traffic to determine the
bandwidth usage per application. You want to undertake this task on the central SRX device that
connects all segments together. What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for
further investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using
Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack
messages.
Answer: A,D
Explanation:
AppTrack is used for visibility for application usage and bandwidth
Reference:http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf
QUESTION NO: 17
Microsoft has altered the way their Web-based Hotmail application works. You want to update
your application firewall policy to correctly identify the altered Hotmail application.
Which two steps must you take to modify the application? (Choose two.)
A. user@srx> request services application-identification application copy junos:HOTMAIL

B. user@srx> request services application-identification application enable junos:HOTMAIL

C. user@srx# edit services custom application-identification my:HOTMAIL
D. user@srx# edit services application-identification my:HOTMAIL
Answer: A,D
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-
summary/request-services-application-identification-application.html
QUESTION NO: 18
Two companies, A and B, are connected as separate customers on an SRX5800 residing on two
virtual routers (VR-A and VR-B). These companies have recently been merged and now operate
under a common IT security policy. You have been asked to facilitate communication between
these VRs. Which two methods will accomplish this task? (Choose two.)
A. Use instance-import to share the routes between the two VRs.

B. Create logical tunnel interfaces to interconnect the two VRs.
C. Use a physical connection between VR-A and VR-B to interconnect them.
D. Create a static route using the next-table action in both VRs.
Answer: A,D
Explanation:
Logical or physical connections between instances on the same Junos device and route between
the connected instances
Reference :http://kb.juniper.net/InfoCenter/index?page=content&id=KB21260
QUESTION NO: 19
You have been asked to configure traffic to flow between two virtual routers (VRs) residing on two
unique logical systems (LSYSs) on the same SRX5800.
How would you accomplish this task?
A. Configure a security policy that contains the context from VR1 to VR2 to permit the relevant
traffic.
B. Configure a security policy that contains the context from LSYS1 to LSYS2 and relevant match
conditions in the rule set to allow traffic between the IP networks in VR1 and VR2.
C. Configure logical tunnel interfaces between VR1 and VR2 and security policies that allow
relevant traffic between VR1 and VR2 over that link.
D. Configure an interconnect LSYS to facilitate a connection between LSYS1 and LSYS2 and

relevant policies to allow the traffic.
Answer: C
Explanation:
QUESTION NO: 20
You are responding to a proposal request from an enterprise with multiple branch offices. All
branch offices connect to a single SRX device at a centralized location. The request requires each
office to be segregated on the central SRX device with separate IP networks and security
considerations. No single office should be able to starve the CPU from other branch offices on the
central SRX device due to the number of flow sessions. However, connectivity between offices
must be maintained. Which three features are required to accomplish this goal? (Choose three.)
A. Logical Systems
B. Interconnect Logical System
C. Virtual Tunnel Interface
D. Logical Tunnel Interface
E. Virtual Routing Instance
Answer: A,B,D
Explanation:
Reference :http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/logical-systems-
interfaces.html
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-
collections/security/software-all/logical-systems-config/index.html?topic-57390.html
QUESTION NO: 21
Your company provides managed services for two customers. Each customer has been
segregated within its own routing instance on your SRX device. Customer A and customer B
inform you that they need to be able to reach certain hosts on each other's network.
Which two configuration settings would be used to share routes between these routing instances?
(Choose two.)
A. routing-group
B. instance-import
C. import-rib
D. next-table

Answer: B,D
Explanation:
Reference :http://aconaway.com/2013/03/02/junos-logical-tunnel-interfaces-with-virtual-routers/
QUESTION NO: 22
You are using logical systems to segregate customers. You have a requirement to enable
communication between the logical systems. What are two ways to accomplish this goal? (Choose
two.)
A. Use a shared DMZ zone to connect the logical systems together.

B. Use a virtual tunnel (vt-) interface to connect the logical systems together.
C. Use an external cable to connect the ports from the two logical systems.
D. Use an interconnect LSYS to connect the logical systems together.
Answer: C,D
Explanation:
Reference :http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-
collections/security/software-all/logical-systems-config/index.html?topic-53861.html
QUESTION NO: 23
Your company is providing multi-tenant security services on an SRX5800 cluster. You have been
asked to create a new logical system (LSYS) for a customer. The customer must be able to
access and manage new resources within their LSYS.
How do you accomplish this goal?
A. Create the new LSYS, allocate resources, and then create the user administrator role so that
the customer can manage their allocated resources.
B. Create the new LSYS, and then create the user administrator role so that the customer can
allocate and manage resources.
C. Create the new LSYS, and then create the master adminstrator role for the LSYS so that the
customer can allocate and manage resources.
D. Create the new LSYS, then request the required resources from the customer, and create the
required resources.
Answer: A
Explanation:

Reference :http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/logical-
system-security-user-lsys-overview-configuring.html
QUESTION NO: 24
Your company has added a connection to a new ISP and you have been asked to send specific
traffic to the new ISP. You have decided to implement filter-based forwarding. You have
configured new routing instances with type forwarding. You must direct traffic into each instance.
Which step would accomplish this goal?
A. Add a firewall filter to the ingress interface that specifies the intended routing instance as the
action.
B. Create a routing policy to direct the traffic to the required forwarding instances.
C. Configure the ingress and egress interfaces in each forwarding instance.
D. Create a static default route for each ISP in inet.0, each pointing to a different forwarding
instance.
Answer: A
Explanation:
QUESTION NO: 25
You have implemented a tunnel in your network using DS-Lite. The tunnel is formed between one
of the SRX devices in your network and a DS-Lite-compatible CPE device in your customer's
network. Which two statements are true about this scenario? (Choose two.)
A. The SRX device will serve as the softwire initiator and the customer CPE device will serve as
the softwire concentrator.
B. The SRX device will serve as the softwire concentrator and the customer CPE device will serve
as the softwire initiator.
C. The infrastructure network supporting the tunnel will be based on IPv4.
D. The infrastructure network supporting the tunnel will be based on IPv6.
Answer: B,D
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ipv6-ds-lite-

overview.html
QUESTION NO: 26
You are asked to merge the corporate network with the network from a recently acquired
company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX
device serves as the gateway for each network. Which solution allows you to merge the two
networks without adjusting the current address assignments?
A. source NAT
B. persistent NAT
C. double NAT
D. NAT444
Answer: C
Explanation:
Reference :http://class10e.com/juniper/what-should-you-do-to-meet-the-requirements/
QUESTION NO: 27
You want requests from the same internal transport address to be mapped to the same external
transport address. Only internal hosts can initialize the session.
Which Junos configuration setting supports the requirements?
A. any-remote-host
B. target-host
C. source-host
D. address-persistent
Answer: D
Explanation:
security-swconfig-security/understand-persistent-nat-section.html

QUESTION NO: 28
Which statement is true regarding dual-stack lite?
A. The softwire is an IPv4 tunnel over an IPv6 network.

B. The softwire initiator (SI) encapsulates IPv6 packets in IPv4.
C. The softwire concentrator (SC) decapsulates softwire packets.
D. SRX devices support the softwire concentrator and softwire initiator functionality.
Answer: C
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos/topics/concept/ipv6-ds-lite-overview.html
QUESTION NO: 29
Which two statements are true regarding DNS doctoring? (Choose two.)
A. DNS doctoring translates the DNS CNAME payload.

B. DNS doctoring for IPv4 is supported on SRX devices.
C. DNS doctoring for IPv4 and IPv6 is supported on SRX devices.
D. DNS doctoring translates the DNS A-record.
Answer: B,D
Explanation:
Reference :http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-
collections/security/software-all/security/index.html?topic-61847.html
QUESTION NO: 30
In which situation is NAT proxy NDP required?
A. when translated addresses belong to the same subnet as the ingress interface
B. when filter-based forwarding and static NAT are used on the same interface
C. when working with static NAT scenarios
D. when the security device operates in transparent mode
Answer: C
Explanation:
WhenIP addressesarein the same subnet of the ingressinterface,NAT proxy ARPconfigured

Reference :http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-
pages/security/security-nat.pdf
Reference :http://www.juniper.net/techpubs/en_US/junos-space12.2/topics/concept/junos-space-
security-designer-whiteboard-nat-overview.html
QUESTION NO: 31
Which statement is true about NAT?
A. When you implement destination NAT, the router does not apply ALG services.
B. When you implement destination NAT, the router skips source NAT rules for the initiating traffic
flow.
C. When you implement static NAT, each packet must go through a route lookup.
D. When you implement static NAT, the router skips destination NAT rules for the initiating traffic
flow.
Answer: D
Explanation: The NAT type determines the order in which NAT rules are processed. During the
first packet processing for a flow, NAT rules are applied in the following order:
Reference :http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-
security-swconfig-security/topic-42804.html
QUESTION NO: 32
You have configured static NAT for a Web server in your DMZ. Both internal and external users
can reach the Web server using its IP address. However, only internal users are able to reach the
Web server using its DNS name. External users receive an error message from their browser.
Which action would solve this problem?
A. Modify the security policy.

B. Disable Web filtering.
C. Use destination NAT instead of static NAT.
D. Use DNS doctoring.
Answer: D
Explanation:

Reference :http://www.networker.co.in/2013/03/dns-doctoring.html
QUESTION NO: 33
Which two are required for the SRX device to perform DNS doctoring? (Choose two.)
A. DNS ALG
B. dns-doctoring stanza
C. name-server
D. static NAT
Answer: A,D
Explanation:
Reference :http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-
pages/security/security-alg-dns.pdf
QUESTION NO: 34
You want to implement persistent NAT for an internal resource so that external hosts are able to
initiate communications to the resource, without the internal resource having previously sent
packets to the external hosts. Which configuration setting will accomplish this goal?
A. persistent-nat permit target-host

B. persistent-nat permit any-remote-host
C. persistent-nat permit target-host-port
D. address-persistent
Answer: B
Explanation:
QUESTION NO: 35
Your SRX device is performing NAT to provide an internal resource with a public address. Your
DNS server is on the same network segment as the server. You want your internal hosts to be
able to reach the internal resource using the DNS name of the resource.

A. Implement proxy ARP.

B. Implement NAT-Traversal.
C. Implement NAT hairpinning.
D. Implement persistent NAT.
Answer: A
Explanation:
security-swconfig-security/prxy-arp-nat_srx.html
QUESTION NO: 36
You are asked to provide access for an external VoIP server to VoIP phones in your network using
private addresses. However, due to security concerns, the VoIP server should only be able to
initiate connections to each phone once the phone has logged into the VoIP server. The VoIP
server requires access to the phones using multiple ports.
Which type of persistent NAT is required?
A. any-remote-host
B. target-host
C. target-host-port
D. remote-host
Answer: B
Explanation:
QUESTION NO: 37
You must configure a central SRX device connected to two branch offices with overlapping IP
address space. The branch office connections to the central SRX device must reside in separate
routing instances. Which two components are required? (Choose two.)
A. virtual routing instance

B. forwarding instance

C. static NAT
D. persistent NAT
Answer: A,C
Explanation:
QUESTION NO: 38
You are attempting to establish an IPsec VPN between two SRX devices. However, there is
another device between the SRX devices that does not pass traffic that is using UDP port 4500.
How would you resolve this problem?
A. Enable NAT-T.
B. Disable NAT-T.
C. Disable PAT.
D. Enable PAT.
Answer: B
Explanation:
NAT-T also uses UDP port 4500 (by default) rather than the standard UDP. So disabling NAT-T
will resolve this issue.
Reference :
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&cad=rja&ved=0CHsQFj
AJ&url=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttp%2Fchimera.labs.oreilly.com%2Fbooks%2F1234000001633%2Fch10.html&
ei=NZrtUZHHO4vJrQezmoCwAw&usg=AFQjCNGU05bAtnFu1vXNgssixHtCBoNBnw&sig2=iKzzP
NQqiH2xrsjveXIleA&bvm=bv.49478099,d.bmk
QUESTION NO: 39
Given the following session output:
Session ID. , Policy namE. default-policy-00/2, StatE. Active, Timeout: 1794, Valid
In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, IF. reth0.0, Pkts: 4, Bytes:

574
Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, IF. reth1.0, Pkts: 3, Bytes:

Which statement is correct about the security flow session output?
A. This session is about to expire.

B. NAT64 is used.
C. Proxy NDP is used for this session.
D. The IPv4 Web server runs services on TCP port 24770.
Answer: B
Explanation:
QUESTION NO: 40
You are asked to deploy a group VPN between various sites associated with your company. The
gateway devices at the remote locations are SRX240 devices.
Which two statements about the new deployment are true? (Choose two.)
A. The networks at the various sites must use NAT.

B. The participating endpoints in the group VPN can belong to a chassis cluster.
C. The networks at the various sites cannot use NAT.
D. The participating endpoints in the group VPN cannot be part of a chassis cluster.
Answer: C,D
Explanation:
Reference :http://www.thomas-
krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_
Group_VPN_Juniper_SRX.pdf
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_
Guide_v1.2.pdf
QUESTION NO: 41
You are asked to deploy dynamic VPNs between the corporate office and remote employees that
work from home. The gateway device at the corporate office consists of a pair of SRX650s in a
chassis cluster. Which two statements about the deployment are true? (Choose two.)
A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.

B. The remote clients must install client software to establish a tunnel with the corporate network.
C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.
D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution
process.
Answer: B,D
Explanation:
Reference :http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf
QUESTION NO: 42
You are asked to deploy dynamic VPNs between the corporate office and remote employees that
work from home. The gateway device at the corporate office is a chassis cluster formed from two
SRX240s. Which two statements about this deployment are true? (Choose two.)
A. You must remove the SRX240s from the chassis cluster before enabling the dynamic VPNs.
B. The remote clients can run Windows XP, Windows Vista, Windows 7, or OS X operating
systems.
C. If more than two dynamic VPN tunnels are required, you must purchase and install a new
license.
D. The remote users can be authenticated by the SRX240s or a configured RADIUS server.
Answer: C,D
Explanation:
Reference :http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf
QUESTION NO: 43
You are asked to implement IPsec tunnels between your SRX devices located at various
locations. You will use the public key infrastructure (PKI) to verify the identification of the
endpoints. What are two certificate enrollment options available for this deployment? (Choose
two.)
A. Manually generating a PKCS10 request and submitting it to an authorized CA.

B. Dynamically generating and sending a certificate request to an authorized CA using OCSP.
C. Manually generating a CRL request and submitting that request to an authorized CA.
D. Dynamically generating and sending a certificate request to an authorized CA using SCEP.
Answer: A,D
Explanation:
Reference:Page 9

http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-
trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf
QUESTION NO: 44
Which statement is true regarding the dynamic VPN feature for Junos devices?
A. Only route-based VPNs are supported.

B. Aggressive mode is not supported.
C. Preshared keys for Phase 1 must be used.
D. It is supported on all SRX devices.
Answer: C
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos12.1x45/information-products/pathway-
pages/security/security-vpn-dynamic.pdf
QUESTION NO: 45
You are asked to design a solution to verify IPsec peer reachability with data path forwarding.
Which feature would meet the design requirements?
A. DPD over Phase 1 SA

B. DPD over Phase 2 SA
C. VPN monitoring over Phase 1 SA
D. VPN monitoring over Phase 2 SA
Answer: D
Explanation:
Reference :http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-
monitor-in-IPSEC/td-p/176671
QUESTION NO: 46
What are three advantages of group VPNs? (Choose three.)

A. Supports any-to-any member connectivity.
B. Provides redundancy with cooperative key servers.
C. Eliminates the need for full mesh VPNs.
D. Supports translating private to public IP addresses.
E. Preserves original IP source and destination addresses.
Answer: A,C,E
Explanation:
QUESTION NO: 47
You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote
user. Regarding this scenario, which three statements are correct? (Choose three.)
A. You must use preshared keys.

B. IKE aggressive mode must be used.
C. Only predefined proposal sets can be used.
D. Only policy-based VPNs are supported.
E. You can use all methods of encryption.
Answer: A,B,D
Explanation:
Reference :http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-
vpn-appnote-v12.pdf
QUESTION NO: 48
You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication.
As part of the implementation, you are required to ensure that the certificate submission, renewal,
and retrieval processes are handled automatically from the certificate authority. Regarding this
scenario, which statement is correct?
A. You can use SCEP to accomplish this behavior.

B. You can use OCSP to accomplish this behavior.
C. You can use CRL to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.

Answer: A
Explanation:
Reference: Page 9
http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-
trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf
QUESTION NO: 49
You have a group IPsec VPN established with a single key server and five client devices.
Regarding this scenario, which statement is correct?
A. There is one unique Phase 1 security association and five unique Phase 2 security associations
used for this group.
B. There is one unique Phase 1 security association and one unique Phase 2 security association
used for this group.
C. There are five unique Phase 1 security associations and five unique Phase 2 security
associations used for this group.
D. There are five unique Phase 1 security associations and one unique Phase 2 security
association used for this group.
Answer: D
Explanation:
QUESTION NO: 50
You are asked to implement an IPsec VPN between your main office and a new remote office. The
remote office receives its IKE gateway address from their ISP dynamically.
Regarding this scenario, which statement is correct?
A. Configure a fully qualified domain name (FQDN) as the IKE identity.

B. Configure the dynamic-host-address option as the IKE identity.
C. Configure the unnumbered option as the IKE identity.

D. Configure a dynamic host configuration name (DHCN) as the IKE identity.
Answer: A
Explanation:
QUESTION NO: 51
You are asked to implement a point-to-multipoint hub-and-spoke topology in a mixed vendor

environment. The hub device is running the Junos OS and the spoke devices are different vendor
devices. Regarding this scenario, which statement is correct?
A. The NHTB table must be statically defined.

B. The NHTB table is automatically created during Phase 2.
C. The NHTB table is automatically created during Phase 1.
D. The NHTB table must be imported from each spoke.
Answer: A
Explanation:
Referencehttp://www.juniper.net/techpubs/en_US/junos/topics/example/vpn-hub-spoke-nhtb-
example-configuring.html
QUESTION NO: 52
You have recently deployed a dynamic VPN. Some remote users are complaining that they cannot
authenticate through the SRX device at the corporate network. The SRX device serves as the
tunnel endpoint for the dynamic VPN. What are two reasons for this problem? (Choose two.)
A. The supported number of users has been exceeded for the applied license.
B. The users are connecting to the portal using Windows Vista.
C. The SRX device does not have the required user account definitions.
D. The SRX device does not have the required access profile definitions.
Answer: A,D
Explanation:
Reference :https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-
collections/syslog-messages/index.html?jd0e28566.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16477

QUESTION NO: 53
You have recently deployed a dynamic VPN. The remote users are complaining that
communications with devices on the same subnet as the SRX device are intermittent and often
fail. The tunnel is stable and up, and communications with remote devices on different subnets
work without any issues. Which configuration setting would resolve this issue?
A. adding local-redirect at the [edit security nat] hierarchy

B. adding local-redirect at the [edit interfaces <interface-name>] hierarchy
C. adding proxy-arp at the [edit security nat] hierarchy
D. adding proxy-arp at the [edit interfaces <interface-name>] hierarchy
Answer: C
Explanation:
Reference : http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf
QUESTION NO: 54
Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you
to enforce password expiration policies for all VPN users.
Which authentication method meets the requirement?
A. local password database

B. TACACS+
C. RADIUS
D. LDAP
Answer: D
Explanation:
Reference : http://kb.juniper.net/InfoCenter/index?page=content&id=KB17423&actp=RSS
QUESTION NO: 55
You are asked to implement a monitoring feature that periodically verifies that the data plane is
working across your IPsec VPN. Which configuration will accomplish this task?

A. [edit security ike]
user@srx# show
policy policy-1 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
ike-policy policy-1;
address 10.10.10.2;
dead-peer-detection;
external-interface ge-0/0/1;
}
B. [edit security ipsec]
user@srx# show
policy policy-1 {
}
vpn my-vpn {
bind-interface st0.0;
dead-peer-detection;
ike {
gateway my-gateway;
ipsec-policy policy-1;
}
establish-tunnels immediately;
}
C. [edit security ike]
user@srx# show
policy policy-1 {
mode main;
pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
ike-policy policy-1;
address 10.10.10.2;
vpn-monitor;
external-interface ge-0/0/1;
}
D. [edit security ipsec]
user@srx# show
policy policy-1 {
}
vpn my-vpn {
bind-interface st0.0;

vpn-monitor;
ike {
gateway my-gateway;
ipsec-policy policy-1;
}
establish-tunnels immediately;
}
Answer: D
Explanation:
Reference: https://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-
collections/security/software-all/monitoring-and-troubleshooting/index.html?topic-59092.html
QUESTION NO: 56
You want to implement a hub-and-spoke VPN topology using a single logical interface on the hub.
Which st0 interface configuration is correct for the hub device?
A. [edit interfaces]
user@srx# show
st0 {
multipoint
unit 0 {
family inet {
address 10.10.10.1/24;
}
}
}
B. [edit interfaces]
user@srx# show
st0 {
unit 0 {
family inet {
address 10.10.10.1/24;
}
}
}
C. [edit interfaces]
user@srx# show
st0 {
unit 0 {
point-to-point;
family inet {

address 10.10.10.1/24;
}
}
}
D. [edit interfaces]
user@srx# show
st0 {
unit 0 {
multipoint;
family inet {
address 10.10.10.1/24;
}
}
}
Answer: D
Explanation:
Reference: http://junos.com/techpubs/en_US/junos12.1/topics/example/ipsec-hub-and-spoke-
configuring.html
QUESTION NO: 57
You have an existing group VPN established in your internal network using the group-id 1. You
have been asked to configure a second group using the group-id 2. You must ensure that the key
server for group 1 participates in group 2 but is not the key server for that group. Which statement
is correct regarding the group configuration on the current key server for group 1?
A. You must configure both groups at the [edit security ipsec vpn] hierarchy.
B. You must configure both groups at the [edit security group-vpn member] hierarchy.
C. You must configure both groups at the [edit security ike] hierarchy.
D. You must configure both groups at the [edit security group-vpn] hierarchy.
Answer: D
Explanation:
Reference: http://www.jnpr.net/techpubs/en_US/junos11.4/information-products/topic-
collections/security/software-all/security/index.html?topic-45791.html
QUESTION NO: 58
What are the three types of attack objects used in an IPS engine? (Choose three.)

A. signature
B. chargen
C. compound
D. component
E. anomaly
Answer: A,C,E
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-
prevention-idp-rulebase-attack-object-using.html
QUESTION NO: 59
At which two times does the IPS rulebase inspect traffic on an SRX device? (Choose two.)
A. When traffic matches the active IDP policy.

B. When traffic first matches an IDP rule with the terminal parameter.
C. When traffic uses the application layer gateway.
D. When traffic is established in the firewall session table.
Answer: A,B
Reference:
http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA814&lpg=PA814&dq=what+time+IPS+
rulebase+inspects+traffic+on+SRX&source=bl&ots=_eDe_vLNBA&sig=1I4yX_S0OvkQVP-
rqL273laMCyE&hl=en&sa=X&ei=nqvzUfn1Is-
rrAf71oHYBA&ved=0CC4Q6AEwAQ#v=onepage&q=what%20time%20IPS%20rulebase%20inspe
cts%20traffic%20on%20SRX&f=false
QUESTION NO: 60
Which three match condition objects are required when creating IPS rules? (Choose three.)
A. attack objects
B. address objects
C. terminal objects
D. IP action objects
E. zone objects
Answer: A,B,E
Explanation:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-
security-swconfig-security/topic-42453.html#understand-rule-match-cond-section
QUESTION NO: 61
Which problem is introduced by setting the terminal parameter on an IPS rule?
A. The SRX device will stop IDP processing for future sessions.
B. The SRX device might detect more false positives.
C. The SRX device will terminate the session in which the terminal rule detected the attack.
D. The SRX device might miss attacks.
Answer: D
Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-
QUESTION NO: 62
You have installed a new IPS license on your SRX device and successfully downloaded the attack
signature database. However, when you run the command to install the database, the database
fails to install. What are two reasons for the failure? (Choose two.)
A. The file system on the SRX device has insufficient free space to install the database.
B. The downloaded signature database is corrupt.
C. The previous version of the database must be uninstalled first.
D. The SRX device does not have the high memory option installed.
Answer: A,B
Explanation:
We don’t need to uninstall the previous version to install a new license, as we can update the
same. Reference:http://kb.juniper.net/InfoCenter/index?page=content&id=KB16491. Also high
memory option is licensed feature.
The only reason for failure is either there is no space left or downloaded file is corrupted due to
incomplete download because of internet termination in between.
Reference:http://kb.juniper.net/InfoCenter/index?page=content&id=KB23359

QUESTION NO: 63
You want to create a custom IDP signature for a new HTTP attack on your SRX device. You have
the exact string that identifies the attack. Which two additional elements do you need to define
your custom signature? (Choose two.)
A. service context
B. protocol number
C. direction
D. source IP address of the attacker
Answer: A,C
Explanation:
Reference: http://rtoodtoo.net/2011/09/22/how-to-write-srx-idp-custom-attacksignature/
QUESTION NO: 64
An external host is attacking your network. The host sends an HTTP request to a Web server, but
does not include the version of HTTP in the request.
Which type of attack is being performed?
A. signature-based attack
B. application identification
C. anomaly
D. fingerprinting
Answer: C
Explanation:
Reference;https://services.netscreen.com/restricted/sigupdates/nsm-
updates/HTML/HTTP%3AINVALID%3AMSNG-HTTP-VER.html
QUESTION NO: 65
You configured a custom signature attack object to match specific components of an attack:
HTTP-request

Pattern .*\x90 90 90 … 90
Direction: client-to-server
Which client traffic would be identified as an attack?
A. HTTP GET .*\x90 90 90 … 90

B. HTTP POST .*\x90 90 90 … 90
C. HTTP GET .*x909090 … 90
D. HTTP POST .*x909090 … 90
Answer: A
Explanation:
Reference: http://www.juniper.net/techpubs/en_US//idp/topics/task/configuration/intrusion-
detection-prevention-signature-attack-object-creating-nsm.html
QUESTION NO: 66
You are deploying a standalone SRX650 in transparent mode for evaluation purposes in a
potential client's network. The client will need to access the device to modify security policies and
perform other various configurations. Where would you configure a Layer 3 interface to meet this
requirement?
A. fxp0.0
B. vlan.1
C. irb.1
D. ge-0/0/0.0
Answer: C
Explanation:
Reference: http://safetynet.trapezenetworks.com/techpubs/en_US/junos12.1/information-
products/topic-collections/security/software-all/layer-2/index.html?topic-52755.html
QUESTION NO: 67
Which two configuration components are required for enabling transparent mode on an SRX
device? (Choose two.)

A. IRB
B. bridge domain
C. interface family bridge
D. interface family ethernet-switching
Answer: B,C
Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421
QUESTION NO: 68
You want to configure in-band management of an SRX device in transparent mode.
Which command is required to enable this functionality?
A. set interfaces irb unit 1 family inet address

B. set interfaces vlan unit 1 family inet address
C. set interfaces ge-0/0/0 unit 0 family inet address
D. set interfaces ge-0/0/0 unit 0 family bridge address
Answer: A
Explanation:
QUESTION NO: 69
For an SRX chassis cluster in transparent mode, which action occurs to signal a high availability
failover to neighboring switches?
A. the SRX chassis cluster generates Spanning Tree messages

B. the SRX chassis cluster generates gratuitous ARPs
C. the SRX chassis cluster flaps the former active interfaces
D. the SRX chassis cluster uses IP address monitoring
Answer: C
Explanation:
Reference:
http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA246&lpg=PA246&dq=the+SRX+chassi
s+cluster+flaps+the+former+active+interfaces&source=bl&ots=_eDe_vRMyw&sig=x-
Px98kZEi4hZvGflcoybABdMRQ&hl=en&sa=X&ei=iMLzUcDSLcfRrQeQw4CYCA&ved=0CEAQ6A

EwBA#v=onepage&q=flap&f=false
QUESTION NO: 70
What is the default action for an SRX device in transparent mode to determine the outgoing
interface for an unknown destination MAC address?
A. Perform packet flooding.

B. Send an ARP query.
C. Send an ICMP packet with a TTL of 1.
D. Perform a traceroute request.
Answer: A
Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-
security-swconfig-interfaces-and-routing/understand-l2-forwarding-tables-section.html
QUESTION NO: 71
Which QoS function is supported in transparent mode?
A. 802.1p
B. DSCP
C. IP precedence
D. MPLS EXP
Answer: A
Explanation:
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch06.html
QUESTION NO: 72
You are asked to configure class of service (CoS) on an SRX device running in transparent mode.
Which command would you use?
A. set interfaces ge-0/0/0 unit 0 classifiers dscp priority-app

B. set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp priority-app

C. set class-of-service interfaces ge-0/0/0 unit 0 classifiers ieee-802.1 priority-app
D. set interfaces ge-0/0/0 unit 0 classifiers inet-precedence priority-app
Answer: C
Explanation:
QUESTION NO: 73
A security administrator has configured an IPsec tunnel between two SRX devices. The devices
are configured with OSPF on the st0 interface and an external interface destined to the IPsec
endpoint. The adminstrator notes that the IPsec tunnel and OSPF adjacency keep going up and
down. Which action would resolve this issue?
A. Create a firewall filter on the st0 interface to permit IP protocol 89.

B. Configure the IPsec tunnel to accept multicast traffic.
C. Create a /32 static route to the IPsec endpoint through the external interface.
D. Increase the OSPF metric of the external interface.
Answer: C
Explanation:
Reference: http://packetsneverlie.blogspot.in/2013/03/route-based-ipsec-vpn-with-ospf.html
QUESTION NO: 74
You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy
processing. Your network consists of SRX240s and SRX5600s.
Regarding this scenario, which two statements are true? (Choose two.)
A. You must enable data plane logging on the SRX240 devices to generate security policy logs.
B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.
C. IKE logs are written to the kmd log file by default.
D. IPsec logs are written to the kmd log file by default.
Answer: B,D
Explanation:
http://www.google.co.in/url?sa=t&rct=j&q=IKE%20logs%20are%20written%20to%20the%20kmd%

20log%20file%20by%20default&source=web&cd=2&ved=0CC8QFjAB&url=https%3A%2F%2F2.gy-118.workers.dev/%3A443%2Fhttp%2Fwww
.juniper.net%2Fus%2Fen%2Flocal%2Fpdf%2Fapp-notes%2F3500175-
en.pdf&ei=SNHzUZntEcaPrQfnpICYDQ&usg=AFQjCNGb-rMrVcm6cqqBLWDif54CaCTrrw
QUESTION NO: 75
You are troubleshooting an IPsec session and see the following IPsec security associations:
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
< 192.168.224.1 500 ESP:aes-256/sha1 d6393645 26/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec235 26/ unlim - 0
< 192.168.224.1 500 ESP:aes-256/sha1 f9a2db9a 3011/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec236 3011/ unlim - 0
What are two reasons for this behavior? (Choose two.)
A. Both peers are trying to establish IKE Phase 1 but are not successful.
B. Both peers have established SAs with one another, resulting in two IPsec tunnels.
C. The lifetime of the Phase 2 negotiation is close to expiration.
D. Both peers have establish-tunnels immediately configured.
Answer: C,D
Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-
swcmdref/show-security-ipsec-security-associations.html
QUESTION NO: 76
HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets
locally on the SRX240. Which configuration would you use to enable this capture?
A. [edit security flow]

user@srx# show
traceoptions {

file dump;
flag basic-datapath;
}
B. [edit security]
user@srx# show
application-tracking {
enable;
}
flow {
traceoptions {
file dump;
flag basic-datapath;
}
}
C. [edit firewall filter capture term one]
user@srx# show
from {
source-address {
1.1.1.1;
}
destination-address {
2.2.2.2;
}
protocol tcp;
}
then {
port-mirror;
accept;
}
D. [edit firewall filter capture term one]
user@srx# show
from {
source-address {
1.1.1.1;
}
destination-address {
2.2.2.2;
}
protocol tcp;
}
then {
sample;
accept;
}
Answer: D
Explanation:

Reference:http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/
QUESTION NO: 77
You are troubleshooting an SRX240 acting as a NAT translator for transit traffic. Traffic is dropping
at the SRX240 in your network. Which three tools would you use to troubleshoot the issue?
(Choose three.)
A. security flow traceoptions

B. monitor interface traffic
C. show security flow session
D. monitor traffic interface
E. debug flow basic
Answer: A,B,C
Explanation:
QUESTION NO: 78
Somebody has inadvertently configured several security policies with application firewall rule sets
on an SRX device. These security policies are now dropping traffic that should be allowed. You
must find and remove the application firewall rule sets that are associated with these policies.
Which two commands allow you to view these associations? (Choose two.)
A. show security policies

B. show services application-identification application-system-cache
C. show security application-firewall rule-set all
D. show security policies application-firewall
Answer: A,D
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/application-firewall-
configuring.html
QUESTION NO: 79

Click the Exhibit button.
-- Exhibit --
[edit security]
user@srx# show idp
application-ddos Webserver {
service http;
connection-rate-threshold 1000;
context http-get-url {
hit-rate-threshold 60000;
value-hit-rate-threshold 30000;
time-binding-count 10;
time-binding-period 25;
-- Exhibit --
You are using AppDoS to protect your network against a bot attack, but noticed an approved
application has falsely triggered the configured IDP action of drop. You adjusted your AppDoS
configuration as shown in the exhibit. However, the approved traffic is still dropped.
A. The approved traffic results in 50,000 HTTP GET requests per minute.
B. The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.
C. The active IDP policy has not been defined in the security configuration.
D. The IDP action is still in effect due to the timeout configuration.
Answer: A,D
Explanation:
Reference:http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-
security-swconfig-security/appddos-protection-overview.html

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-
swconfig-security/appddos-proctecting-against.html#appddos-proctecting-against
QUESTION NO: 80
-- Exhibit –
-- Exhibit --
Referring to the exhibit, AppTrack is only logging the session closure messages for sessions that
last 1 to 3 minutes.
What is causing this behavior?
A. AppTrack is not properly configured under the [edit security application-tracking] hierarchy.
B. AppTrack only generates session update messages.
C. AppTrack only generates session closure messages.
D. AppTrack generates other messages only when the update interval is surpassed.
Answer: D
Explanation:
Reference :http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-

QUESTION NO: 81
-- Exhibit –
-- Exhibit --
You have been asked to block YouTube video streaming for internal users. You have implemented
the configuration shown in the exhibit, however users are still able to stream videos.
What must be modified to correct the problem?
A. The application firewall rule needs to be applied to an IDP policy.

B. You must create a custom application to block YouTube streaming.
C. The application firewall rule needs to be applied to the security policy.
D. You must apply the dynamic application to the security policy

Answer: C
Explanation:
Reference:http://www.redelijkheid.com/blog/2013/5/10/configure-application-firewalling-on
QUESTION NO: 82
-- Exhibit –
-- Exhibit --
Referring to the exhibit, the session close log was generated by the application firewall rule set
HTTP.
Why did the session close?
A. The application identification engine was unable to determine which application was in use,
which caused the SRX device to close the session.
B. The host with the IP address of 192.168.1.123 received a TCP segment with the FIN flag set
from the host with the IP address of 65.197.244.218.
C. The SRX device was unable to determine the user and role in the allotted time, which caused
the session to close.
D. The host with the IP address of 192.168.1.123 sent a TCP segment with the FIN flag set to the
host with the IP address of 65.197.244.218.
Answer: D
Explanation:
Reference:http://netscreen.com/techpubs/software/junos/junos92/syslog-
messages/download/rt.pdf
QUESTION NO: 83

-- Exhibit –
-- Exhibit --
Referring to the exhibit, the application firewall configuration fails to commit.
What must you do to allow the configuration to commit?
A. Each firewall rule set must only have one rule.

B. A firewall rule set cannot mix dynamic applications and dynamic application groups.
C. The action in the rules must be different than the action in the default rule.
D. The action in the default rule must be set to deny.
Answer: C
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/application-firewall-
overview.html

QUESTION NO: 84
-- Exhibit --
user@srx240< show route summary
Router ID.
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
StatiC. 1 routes, 1 active
customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
OSPF. 1 routes, 1 active
customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
-- Exhibit --
In the output, how many user-configured routing instances have active routes?
A. 1
B. 2

C. 3
D. 4
Answer: B
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/command-
summary/show-route-summary.html#jd0e185
QUESTION NO: 85
-- Exhibit –
-- Exhibit --
TCP traffic sourced from Host A destined for Host B is being redirected using filter-based
forwarding to use the Red network. However, return traffic from Host B destined for Host A is
using the Blue network and getting dropped by the SRX device.
Which action will resolve the issue?
A. Enable asyncronous-routing under the Blue zone.

B. Configure ge-0/0/1 to belong to the Red zone.
C. Disable RPF checking.
D. Disable TCP sequence checking.
Answer: B

Explanation:
Reference:https://kb.juniper.net/InfoCenter/index?page=content&id=KB21046
QUESTION NO: 86
-- Exhibit –
-- Exhibit --
Referring to the exhibit, which feature allows the hosts in the Trust and DMZ zones to route to
either ISP, based on source address?
A. source NAT
B. static NAT
C. filter-based forwarding
D. source-based routing
Answer: C
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos12.2/topics/example/logical-systems-filter-

based-forwarding.html
QUESTION NO: 87
-- Exhibit –
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and
ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. While
troubleshooting, you change your filter to forward all traffic to ISP1. However, no traffic is sent to
ISP1.

A. The filter is applied to the wrong interface.
B. The filter should use the next-hop action instead of the routing-instance action.
C. The filter term does not have a required from statement.
D. The filter term does not have the accept statement.
Answer: A
Explanation:
QUESTION NO: 88
-- Exhibit –
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and
ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your

configuration is not producing the expected results. Part of the configuration is shown in the
exhibit. When you run the show route table isp1 command, you do not see the default route listed.
A. The autonomous system number is incorrect, which is preventing the device from receiving a
default route from ISP1.
B. The device is not able to resolve the next-hop.
C. The isp1 routing instance is configured with an incorrect instance-type.
D. The show route table isp1 command does not display the default route unless you add the
exact 0.0.0.0/0 option.
Answer: B
Explanation:
QUESTION NO: 89
-- Exhibit --
[edit]
user@srx# run show route
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:09:08
> to 172.18.1.1 via ge-0/0/3.0
10.210.14.128/27 *[Direct/0] 8w6d 15:43:09
> via ge-0/0/0.0
10.210.14.135/32 *[Local/0] 11w0d 06:43:04
Local via ge-0/0/0.0
172.18.1.0/30 *[Direct/0] 8w6d 15:43:01

> via ge-0/0/3.0
172.18.1.2/32 *[Local/0] 11w0d 06:43:03
172.19.1.0/24 *[Direct/0] 03:46:56
> via ge-0/0/1.0
172.19.1.1/32 *[Local/0] 03:46:56
172.20.105.0/24 *[Direct/0] 03:46:56
> via ge-0/0/4.105
172.20.105.1/32 *[Local/0] 03:46:56
192.168.30.1/32 *[Direct/0] 4d 03:44:41
> via lo0.0
fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:11
> to 172.19.1.2 via ge-0/0/1.0
172.19.1.0/24 *[Direct/0] 00:00:11
> via ge-0/0/1.0
[edit]
user@srx# show routing-instances
fbf {
routing-options {
static {
route 0.0.0.0/0 next-hop 172.19.1.2;

}
[edit]
user@srx# show routing-options
interface-routes {
rib-group inet fbf-int;
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
rib-groups {
fbf-int {
import-rib [ inet.0 fbf.inet.0 ];
import-policy fbf-pol;
[edit]
user@srx# show policy-options policy-statement fbf-pol
term 1 {
from interface ge-0/0/1.0;
to rib fbf.inet.0;
then accept;
term 2 {
then reject;

-- Exhibit --
Referring to the exhibit, you notice that filter-based forwarding is not working.
What is the reason for this behavior?
A. The RIB group is configured incorrectly.

B. The routing policy is configured incorrectly.
C. The routing instance is configured incorrectly.
D. The default static routes are configured incorrectly.
Answer: C
Explanation:
Bydefault, wehave a static route in a routing instancesendingthe default route to
172.19.1.2.Wewant to hijack traffic matching a particular filter and send the traffic to a different
next-hop, 172.18.1.1. Weshouldcreate your rib group by importing FIRST the table belonging to
your virtual router and SECOND the table for the forwarding instancethat has the next-hop
specified.
QUESTION NO: 90
-- Exhibit –

-- Exhibit --
Host A cannot resolve the www.target.host.com Web page when using its configured DNS server.
As shown in the exhibit, Host A's configured DNS server and the Web server hosting the
www.target.host.com Web page are in the same subnet. You have verified bidirectional
reachability between Host A and the Web server hosting the Web page.
What would cause this behavior on the SRX device in Company B's network?
A. DNS replication is enabled.

B. DNS doctoring is enabled.
C. DNS replication is disabled.
D. DNS doctoring is disabled.
Answer: D
Explanation:
Reference:http://www.trapezenetworks.com/techpubs/en_US/junos12.2/topics/concept/dns-alg-
nat-doctoring-overview.html
QUESTION NO: 91
-- Exhibit –
-- Exhibit --
You are asked to implement NAT to translate addresses between the IPv4 and IPv6 networks
shown in the exhibit.
What are three configuration requirements? (Choose three.)

A. Disable SYN checking.
B. Enable IPv6 flow mode.
C. Configure proxy ARP.
D. Configure stateless filtering.
E. Configure proxy NDP.
Answer: B,C,E
Explanation:
Reference:http://forums.juniper.net/jnet/attachments/jnet/srx/16228/1/NAT64-Overview.pdf
QUESTION NO: 92
-- Exhibit –
-- Exhibit --
Referring to the topology shown in the exhibit, which two configuration tasks will allow Host A to
telnet to the public IP address associated with Server B? (Choose two.)

A. Configure transparent mode to bypass the NAT processing of Server B's public IP address.
B. Configure a stateless filter redirecting local traffic destined to Server B's public IP address.
C. Configure a destination NAT rule that matches local traffic destined to Server B's public IP
address.
D. Configure a source NAT rule that matches local traffic destined to Server B's public IP address.
Answer: C,D
Explanation:
In this scenario wehave a host be accessible on the Internet by one address, but have it be
translated to another address when it initiates connections out to the Internet.So we need to
combine Source and destination NAT.
Reference:http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#destination_nat
QUESTION NO: 93
-- Exhibit –
-- Exhibit --
You must configure two SRX devices to enable bidirectional communications between the two
networks shown in the exhibit. You have been allocated the 172.16.1.0/24 and 172.16.2.0/24
networks to use for this purpose.
Which configuration will accomplish this task?
A. Use an IPsec VPN to connect the two networks and hide the addresses from the Internet.
B. Using destination NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and
translate traffic destined to 172.16.2.0/24 to Site2's addresses.
C. Using source NAT, translate traffic from Site1's addresses to 172.16.1.0/24, and translate traffic
from Site2's addresses to 172.16.2.0/24.
D. Using static NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and translate

traffic destined to 172.16.2.0/24 to Site2's addresses.
Answer: D
Explanation:
To examine bidirectional communication you need multiple packet filters, one for each direction.
Reference :http://my.safaribooksonline.com/book/networking/junos/9781449381721/security-
policy/troubleshooting_security_policy_and_traf
QUESTION NO: 94
-- Exhibit –
-- Exhibit --
Based on the output shown in the exhibit, what are two results? (Choose two.)
A. The output shows source NAT.

B. The output shows destination NAT.
C. The port information is changed.
D. The port information is unchanged.
Answer: B,D
Explanation:
Reference:http://junos.com/techpubs/software/junos-security/junos-security10.2/junos-security-cli-
reference/index.html?show-security-flow-session.html
QUESTION NO: 95
-- Exhibit --

security {
nat {
destination {
pool Web-Server {
address 10.0.1.5/32;
rule-set From-Internet {
from zone Untrust;
rule To-Web-Server {
match {
source-address 0.0.0.0/0;
destination-address 172.16.1.7/32;
then {
destination-nat pool Web-Server;
zones {
security-zone Untrust {
address-book {
address Web-Server-External 172.16.1.7/32;
address Web-Server-Internal 10.0.1.5/32;
interfaces {

ge-0/0/0.0;
security-zone DMZ {
address-book {
address Web-Server-External 172.16.1.7/32;
address Web-Server-Internal 10.0.1.5/32;
interfaces {
ge-0/0/1.0;
-- Exhibit --
You are migrating from one external address block to a different external address block. You want
to enable a smooth transition to the new address block. You temporarily want to allow external
users to contact the Web server using both the existing external address as well as the new
external address 192.168.1.1.
A. Add address 192.168.1.1/32 under [edit security nat destination pool Web-Server].
B. Change the address Web-Server-Ext objects to be address-set objects that include both
addresses.
C. Change the destination address under [edit security nat destination rule-set From-Internet rule
To-Web-Server match] to include both 172.16.1.7/32 and 192.168.1.2/32.
D. Create a new rule for the new address in the [edit security nat destination rule-set From-
Internet] hierarchy.
Answer: D
Explanation:
Reference:http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-source-

and-destination-nat-translation-configuring.html
QUESTION NO: 96
-- Exhibit --
Feb 8 10:39:40 Unable to find phase-1 policy as remote peer:2.2.2.2 is not recognized.
Feb 8 10:39:40 KMD_PM_P1_POLICY_LOOKUP_FAILURE. Policy lookup for Phase-1

[responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.2) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
Feb 8 10:39:40 1.1.1.2:500 (Responder) <-> 2.2.2.2:500 { dbe1d0af - a4d6d829 f9ed3bba [-1] /
0x00000000 } IP; Error = No proposal chosen (14)
-- Exhibit --
According to the log shown in the exhibit, you notice that the IPsec session is not establishing.
A. mismatched preshared key

B. mismatched proxy ID
C. incorrect peer address
D. mismatched peer ID
Answer: C,D
Explanation:
If the peer was not matched with the peer ID, the line "Unable to find phase-1 policy as remote
peer:192.168.1.60 is not recognized." should be shown
Reference :http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097&pmv=print
QUESTION NO: 97

-- Exhibit –
-- Exhibit --
An attacker is using a nonstandard port for HTTP for reconnaissance into your network.
Referring to the exhibit, which two statements are true? (Choose two.)
A. The IPS engine will not detect the application due to the nonstandard port.
B. The IPS engine will detect the application regardless of the nonstandard port.
C. The IPS engine will perform application identification until the session is established.
D. The IPS engine will perform application identification until it processes the first 256 bytes of the
packet.
Answer: B,D
Explanation:
Reference:https://www.juniper.net/techpubs/en_US/idp/topics/example/simple/intrusion-detection-
prevention-idp-rulebase-default-service-usage.html
QUESTION NO: 98

-- Exhibit –
-- Exhibit --
You have configured an IDP policy as shown in the exhibit. The configuration commits
successfully. Which traffic will be examined for attacks?
A. only originating traffic from source to destination in a session

B. only reply traffic from destination to source in a session
C. both originating and reply traffic between hosts in a session
D. recommended traffic between the source and destination hosts
Answer: C
Explanation:
Reference:http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-
security-swconfig-security/config-idp-ips-rulebase-section.html#config-idp-ips-rulebase-section

QUESTION NO: 99
-- Exhibit --
[edit security]
user@srx# show
idp {
idp-policy NewPolicy {
rulebase-exempt {
rule 1 {
description AllowExternalRule;
match {
source-address any;
destination-address
-- Exhibit --
You are performing the initial IDP installation on your new SRX device. You have configured the
IDP exempt rulebase as shown in the exhibit, but the commit is not successful.
Referring to the exhibit, what solves the issue?
A. You must configure the destination zone match.

B. You must configure the IPS exempt accept action.
C. You must configure the IPS rulebase.
D. You must configure the IPS engine flow action to ignore.

Answer: C
Explanation:
Reference:http://jncie-sec.exactnetworks.net/2013/01/srx-idp-overview-initial-setup.html
QUESTION NO: 100
-- Exhibit --
[edit security idp]
user@srx# show
security-package {
url https://services.netscreen.com/cgi-bin/index.cgi;
automatic {
start-time "2012-12-11.01:00:00 +0000";
interval 120;
enable;
-- Exhibit --
You have configured your SRX device to download and install attack signature updates as shown
in the exhibit. You discover that updates are not being downloaded.
A. No security policy is configured to allow the SRX device to contact the update server.
B. The SRX device does not have a DNS server configured.
C. The management zone interface does not have an IP address configured.
D. The SRX device has no Internet connectivity.
Answer: B,D
Explanation:
Configuration is correct. Only reason is that SRZ device is not able to connect to definition server.

QUESTION NO: 101
-- Exhibit --
[edit security idp]
user@srx# show | no-more
idp-policy basic {
rulebase-ips {
rule 1 {
match {
from-zone untrust;
source-address any;
to-zone trust;
destination-address any;
application default;
attacks {
custom-attacks data-inject;
then {
action {
recommended;
notification {
log-attacks;

}
active-policy basic;
custom-attack data-inject {
recommended-action close;
severity critical;
attack-type {
signature {
context mssql-query;
pattern "SELECT * FROM accounts";
direction client-to-server;
-- Exhibit --
You have configured the custom attack signature shown in the exhibit. This configuration is valid,
but you want to improve the efficiency and performance of your IDP.
Which two commands should you use? (Choose two.)
A. set custom attack data-inject recommended-action drop

B. set custom-attack data-inject attack-type signature protocol-binding tcp
C. set idp-policy basic rulebase-ips rule 1 match destination-address webserver
D. set idp-policy basic rulebase-ips rule 1 match application any
Answer: B,C
Explanation:

QUESTION NO: 102
-- Exhibit –
-- Exhibit --
You receive complaints from users that their Web browsing sessions keep dropping prematurely.
Upon investigation, you find that the IDP policy shown in the exhibit is detecting the users'
sessions as HTTP:WIN-CMD:WIN-CMD-EXE attacks, even though their sessions are not actual
attacks. You must allow these sessions but still inspect for all other relevant attacks.
How would you configure your SRX device to meet this goal?
A. Create a new security policy that allows HTTP for all users and does not apply IDP.
B. Modify the security policy to add an application exception.
C. Modify the IDP policy to delete this particular attack from the IDP rulebase.

D. Modify the IDP policy to add an exempt rulebase rule to not inspect for this attack.
Answer: D
Explanation:
QUESTION NO: 103
-- Exhibit –

-- Exhibit --
In the exhibit, the SRX device has hosts connected to interface ge-0/0/1 and ge-0/0/6. The devices
are not able to ping each other. What is causing this behavior?

A. The interfaces must be in trunk mode.
B. The interfaces need to be configured for Ethernet switching.
C. The default security policy does not apply to transparent mode.
D. A bridge domain has not been defined.
Answer: D
Explanation:
QUESTION NO: 104
-- Exhibit –
-- Exhibit --
Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for
transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?
A. all traffic including non-IP traffic

B. any IP traffic
C. only TCP and UDP traffic
D. only BPDU traffic
Answer: D
Explanation:
QUESTION NO: 105
-- Exhibit --
user@srx# show security datapath-debug
capture-file pkt-cap-file format pcap size 5m;
action-profile {
pkt-cap-profile {
event np-ingress {
packet-dump;
packet-filter pkt-filter {
action-profile pkt-capture;
source-prefix 1.2.3.4/32;
-- Exhibit --
You want to capture transit traffic passing through your SRX3600. You add the configuration
shown in the exhibit but do not see entries added to the capture file.
What is causing the problem?
A. You are missing the configuration set security datapath-debug maximum-capture-size 1500.

B. You are missing the configuration set security datapath-debug packet-filter pkt-filter destination-
prefix 5.6.7.8/32.
C. You must start the capture from operational mode with the command request security datapath-
debug capture start.
D. You must start the capture from operational mode with the command monitor start capture.
Answer: C
Explanation:
QUESTION NO: 106
-- Exhibit –
-- Exhibit --
Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent issues with
their connection.

Referring to the exhibit, what is the problem?
A. The tunnel is down due to a configuration change.

B. The do-not-fragment bit is copied to the tunnel header.
C. The MSS option on the SYN packet is set to 1300.
D. The TCP SYN check option is disabled for tunnel traffic.
Answer: B
Explanation:
QUESTION NO: 107
-- Exhibit --
CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/5.0
CID-0:RT: ge-0/0/5.0:10.0.0.2/55892->192.168.1.2/80, tcp, flag 2 syn
CID-0:RT: find flow: table 0x5a386c90, hash 50728(0xffff), sa 10.0.0.2, da 192.168.1.2, sp 55892,
dp 80, proto 6, tok 7
CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
CID-0:RT: flow_first_create_session
CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/5.0>, out <N/A> dst_adr 192.168.1.2, sp 55892, dp 80

CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if.
CID-0:RT:flow_first_rule_dst_xlatE. DST no-xlatE. 0.0.0.0(0) to 192.168.1.2(80)
CID-0:RT:flow_first_routinG. vr_id 0, call flow_route_lookup(): src_ip 10.0.0.2, x_dst_ip

192.168.1.2, in ifp ge-0/0/5.0, out ifp N/A sp 55892, dp 80, ip_proto 6, tos 10
CID-0:RT:Doing DESTINATION addr route-lookup
CID-0:RT: routed (x_dst_ip 192.168.1.2) from LAN (ge-0/0/5.0 in 0) to ge-0/0/1.0, Next-hop:

172.16.32.1
CID-0:RT:flow_first_policy_searcH. policy search from zone LAN-> zone WAN

(0x0,0xda540050,0x50)
CID-0:RT:Policy lkup: vsys 0 zone(7:LAN) -> zone(6:WAN) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT: app 6, timeout 1800s, curr ageout 20s
CID-0:RT: packet dropped, denied by policy
CID-0:RT: denied by policy default-policy-00(2), dropping pkt
CID-0:RT: packet dropped, policy deny.
CID-0:RT: flow find session returns error.
CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
CID-0:RT:jsf sess close notify
CID-0:RT:flow_ipv4_del_flow: sess , in hash 32
-- Exhibit --
A host is not able to communicate with a Web server.
Based on the logs shown in the exhibit, what is the problem?
A. A policy is denying the traffic between these two hosts.

B. A session has not been created for this flow.
C. A NAT policy is translating the address to a private address.
D. The session table is running out of resources.

Answer: A
Explanation:
QUESTION NO: 108
-- Exhibit –
-- Exhibit --
Referring to the exhibit, which two statements are true? (Choose two.)
A. Packets may get fragmented.

B. The tunnel automatically fragments packets based on MTU discovery.
C. The Phase 2 association will never expire.
D. The Phase 2 association will expire without traffic.
Answer: A,D
Explanation:

QUESTION NO: 109
-- Exhibit --
user@srx> show security flow session
Session ID. 7724, Policy namE. default-permit/4, Timeout: 2
In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, IF. ge-0/0/3
Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, IF. ge-0/0/2
Session ID. 18408, Policy namE. default-permit/4, Timeout: 2
In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, IF. ge-0/0/2.0
Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, IF. ge-0/0/3.10
-- Exhibit --
A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and
a host with the 1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You
are investigating the issue on the SRX240 using the output shown in the exhibit.
Regarding this scenario, which two statements are true? (Choose two.)
A. The sessions shown indicate interface-based NAT processing.

B. The sessions shown indicate static NAT processing.
C. ICMP traffic is passing in both directions.
D. ICMP traffic is passing in one direction.
Answer: B,C
Explanation:
QUESTION NO: 110
-- Exhibit --
[edit forwarding-options]
user@srx240# show

packet-capture {
file filename my-packet-capture;
maximum-capture-size 1500;
-- Exhibit --
Referring to the exhibit, you are attempting to perform a packet capture on an SRX240 to
troubleshoot an SSH issue in your network. However, no information appears in the packet
capture file.
Which firewall filter must you apply to the necessary interface to collect data for the packet
capture?
A. user@srx240# show
filter pkt-capture {
term pkt-capture-term {
from {
protocol tcp;
port ssh;
}
then packet-mode;
}
term allow-all {
then accept;
}
}
[edit firewall family inet]
B. user@srx240# show
from {
protocol tcp;
port ssh;
}
then {
count packet-capture;
}
}
term allow-all {
then accept;
}

}
C. user@srx240# show
from {
protocol tcp;
port ssh;
}
then {
routing-instance packet-capture;
}
}
term allow-all {
then accept;
}
}
D. user@srx240# show
from {
protocol tcp;
port ssh;
}
then {
sample;
accept;
}
}
term allow-all {
then accept;
}
}
Answer: D
Explanation:

JN0 633

Uploaded by

Copyright:

Available Formats

JN0 633

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

JN0 633

Uploaded by

Copyright:

Available Formats

Juniper JN0-633

Security, Professional (JNCIP-SEC)

What are two network scanning methods? (Choose two.)

A. routing update detection

What is a benefit of using a dynamic VPN?

A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.

"Pass Any Exam. Any Time." - www.actualtests.com 2

What is a benefit of using a group VPN?

A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.

"Pass Any Exam. Any Time." - www.actualtests.com 3

What are two AppSecure modules? (Choose two.)

How would you accomplish this goal?

"Pass Any Exam. Any Time." - www.actualtests.com 4

A. Enable the HTTP ALG.

A. 5000 hits in 60 seconds

"Pass Any Exam. Any Time." - www.actualtests.com 5

A. Enable heuristics to detect the encrypted traffic.

"Pass Any Exam. Any Time." - www.actualtests.com 6

A. Use stateless firewall filtering to block the unwanted traffic.

Ruleset Application Client-to-server Rate(bps) Server-to-client Rate(bps)

http-App-QoS HTTP ftp-C2S 200 ftp-C2S 200

http-App-QoS HTTP ftp-C2S 200 ftp-C2S 200

ftp-App-QoS FTP ftp-C2S 100 ftp-C2S 100

"Pass Any Exam. Any Time." - www.actualtests.com 7

A. under the [edit security application-firewall] hierarchy

"Pass Any Exam. Any Time." - www.actualtests.com 8

A. user@srx> request services application-identification application copy junos:HOTMAIL

"Pass Any Exam. Any Time." - www.actualtests.com 9

A. Use instance-import to share the routes between the two VRs.

How would you accomplish this task?

"Pass Any Exam. Any Time." - www.actualtests.com 10

"Pass Any Exam. Any Time." - www.actualtests.com 11

A. Use a shared DMZ zone to connect the logical systems together.

How do you accomplish this goal?

"Pass Any Exam. Any Time." - www.actualtests.com 12

"Pass Any Exam. Any Time." - www.actualtests.com 13

Which Junos configuration setting supports the requirements?

"Pass Any Exam. Any Time." - www.actualtests.com 14

Which statement is true regarding dual-stack lite?

A. The softwire is an IPv4 tunnel over an IPv6 network.

A. DNS doctoring translates the DNS CNAME payload.

In which situation is NAT proxy NDP required?

"Pass Any Exam. Any Time." - www.actualtests.com 15

Which statement is true about NAT?

Which action would solve this problem?

A. Modify the security policy.

"Pass Any Exam. Any Time." - www.actualtests.com 16

A. persistent-nat permit target-host

"Pass Any Exam. Any Time." - www.actualtests.com 17

A. Implement proxy ARP.

Which type of persistent NAT is required?

A. virtual routing instance

"Pass Any Exam. Any Time." - www.actualtests.com 18

How would you resolve this problem?

Given the following session output:

In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, IF. reth0.0, Pkts: 4, Bytes:

Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, IF. reth1.0, Pkts: 3, Bytes:

"Pass Any Exam. Any Time." - www.actualtests.com 19

Which statement is correct about the security flow session output?