JN0-230: Security, Associate (JNCIA-SEC) : by Cuns


You configured and applied several global policies, and some of the policies have overlapping match
criteria. In this scenario, how are these global policies applied?
The first matched policy is the only policy applied.

Which statement is correct regarding the interface configuration shown in the exhibit?
The IP address is assigned to unit 0.

The Sky ATP premium or basic-Threat Feed license is needed for which two features? (Choose two.)
C&C feeds
Custom feeds

Which statement is correct about IKE?


IKE phase 1 negotiates a secure channel between gateways.

Which two statements describe IPsec VPNs? (Choose two.)


IPsec VPN traffic is always authenticated.
IPsec VPNs use security to secure traffic over a public network between two remote sites.

Users on the network are restricted from accessing Facebook; however, a recent examination of the
logs shows that users are accessing Facebook. Why is this problem happening?
Zone-based rules are honored before global rules.

You have created a zone-based security policy that permits traffic to a specific webserver for the
marketing team. Other groups in the company are not permitted to access the webserver. When
marketing users attempt to access the server, they are unable to do so. What are two reasons for this
access failure? (Choose two.)
You failed to commit the policy change.
You failed to position the policy before the policy that denies access to the webserver.

Which two match conditions would be used in both static NAT and destination NAT rule sets? (Choose
two.)
Destination address
Source zone

Which statement is correct about global security policies?


Global policies allow you to regulate traffic with addresses and applications, regardless of their
security zones.

You have configured a Web filtering UTM policy. Which action must be performed before the Web
filtering UTM policy takes effect?
The UTM policy must be linked to a security policy.

By default, revenue interfaces are placed into which system-defined security zone on an SRX Series
device?
Null

What is the purpose of the Shadow Policies workspace in J-Web?


The Shadow Policies workspace shows unused security policies due to policy overlap.

Referring to the exhibit, which type of NAT is being performed?
Source NAT with PAT

Your company uses SRX Series devices to secure the edge of the network. You are asked to protect the
company from ransomware attacks.
Which solution will satisfy this requirement?
Sky ATP

Which type of security policy protects restricted services from running on non-standard ports?
IDP

Which statement is correct about Junos security zones?

Logical interfaces are added to user-defined security zones.

A new SRX Series device has been delivered to your location. The device has the factory-default
configuration loaded. You have powered on the device and connected to the console port. What would
you use to log into the device to begin the initial configuration?
Root with no password

Which two statements are true about UTM on an SRX340? (Choose two.)
No default profile is created.
No default UTM policy is created.

What must you do first to use the Monitor/Events workspace in the J-Web interface?

You must enable event mode security logging on the SRX Series device.

Which statements about NAT are correct? (Choose two.)


When multiple NAT rules have overlapping match conditions, the rule listed first is chosen.
Source NAT translates the source IP address of a packet.

We are configuring the antispam UTM feature on an SRX Series device. Which two actions would be
performed by the SRX Series device for e-mail that is identified as spam? (Choose two.)
Tag the e-mail
Block the e-mail

You are concerned that unauthorized traffic is using non-standardized ports on your network. In this
scenario, which type of security feature should you implement?
Application firewall

What are two characteristics of static NAT on SRX Series devices? (Choose two.)
A reverse mapping rule is automatically created for the source translation.
Static NAT rules take precedence over source and destination NAT rules.

Exhibit.
Which two statements are true? (Choose two.)
Logs for this security policy are generated.
Traffic statistics for this security policy are generated.

You have configured antispam to allow e-mail from example.com; however, in the logs you see that
jcart@example.com is blocked.
Referring to the exhibit, what are two ways to solve this problem?
Add jcart@example.com to the profile antispam address whitelist.
Delete jcart@example.com from the profile antispam address blacklist.

Which statement about IPsec is correct?


IPsec is a standards-based protocol.

Your company has been assigned one public IP address. You want to enable internet traffic to reach
multiple servers in your DMZ that are configured with private addresses.
In this scenario, which type of NAT would be used to accomplish this task?
Destination NAT

Which method do VPNs use to prevent outside parties from viewing packets in clear text?
Encryption

What should you configure if you want to translate private source IP addresses to a single public IP
address?
Source NAT

Which security object defines a source or destination IP address that is used for an employee
workstation?
Address book entry

What is the correct order of processing when configuring NAT rules and security policies?
Static NAT > destination NAT > policy lookup > source NAT

Firewall filters define which type of security?


Stateless

Which statement about IPsec is correct?


IPsec supports both tunnel and transport modes.

Which two statements are true regarding zone-based security policies? (Choose two.)
Zone-based policies must reference a source address in the match criteria.
Zone-based policies must reference a destination address in the match criteria.

Referring to the exhibit.


****Exhibit is Missing****
Which type of NAT is performed by the SRX Series device?
Destination NAT with PAT

What are the valid actions for a source NAT rule in J-Web? (Choose three.)
Off
Pool
Interface

Which UTM feature should you use to protect users from visiting certain blacklisted websites?
Web filtering

Which security feature is applied to traffic on an SRX Series device when the device is running in
packet mode?
Firewall filters

Users in your network are downloading files with file extensions that you consider to be unsafe for your
network. You must prevent files with specific file extensions from entering your network. Which UTM
feature should be enabled on an SRX Series device to accomplish this task?
Content filtering

On an SRX device, you want to regulate traffic based on network segments. In this scenario, what do you
configure to accomplish this task?

Zones

Which two actions are performed on an incoming packet matching an existing session? (Choose two.)
Service ALG processing
Screens processing

Which two statements are correct about using global-based policies over zone-based policies?
(Choose two.)
With global-based policies, you do not need to specify a destination zone in the match criteria.
With global-based policies, you do not need to specify a source zone in the match criteria.

Which two statements are true about the null zone? (Choose two.)
All interfaces belong to the null zone by default.
All traffic to the null zone is dropped.

You want to automatically generate the encryption and authentication keys during IPsec VPN
establishment. What would be used to accomplish this task?
Diffie-Hellman

Which actions would be applied for the pre-ID default policy in unified policies?
Log the session

Which two statements are true about security policy actions? (Choose two.)
The reject action drops the traffic and sends a message to the source device.
The deny action silently drops the traffic.

Which management software supports metadata-based security policies that are ideal for cloud
deployments?
Security Director

Which three actions would be performed on traffic traversing an IPsec VPN? (Choose three.)
Authentication
Encryption
Payload verification

You want to generate reports from J-Web on an SRX Series device. Which logging mode would
you use in this scenario?
Event

Which two notifications are available when the antivirus engine detects an infected file? (Choose
two.)
E-mail notifications
Protocol-only notification

You are designing a new security policy on an SRX Series device. You must block an application and
log all occurrences of the application access attempts.
In this scenario, which two actions must be enabled in the security policy? (Choose two.)
Log the session initiations
Enable a deny action

Host-inbound-traffic is configured on the DMZ zone and the ge-0/0/9.0 interface attached to that zone.
Referring to the exhibit, which two types of management traffic would be performed on the SRX Series
device? (Choose two.)
SSH
HTTP

Which two statements are correct about functional zones? (Choose two.)
Traffic received on the management interface in the functional zone cannot transit out other
interfaces.
A functional zone is used for special purposes, such as a management interface.

Which flow module component handles processing for UTM?


Services

Users should not have access to Facebook; however, a recent examination of the security logs shows
that users are accessing Facebook.
Referring to the exhibit, what should you do to solve this problem?
Move the Block-Facebook-Access rule from a zone policy to a global policy.

Which two elements are needed on an SRX Series device to set up a remote syslog server? (Choose
two.)
Data type
IP address

Which two features on the SRX Series device are common across all Junos devices? (Choose two.)
Stateless firewall filters
The separation of control and forwarding planes

You want to integrate an SRX Series device with Sky ATP. What is the first action to accomplish
this task?
Create an account with the Sky ATP Web UI.

What must you do first to use the Monitor/Alarms/Policy Log workspace in J-Web?
You must enable event mode security logging on the SRX Series device.

You are configuring an IPsec VPN tunnel between two locations on your network. Each packet must
be encrypted and authenticated. Which protocol would satisfy these requirements?
ESP

Which two private cloud solutions support vSRX devices? (Choose two.)
Microsoft Azure
Amazon Web Services (AWS)

You verify that the SSH service is configured correctly on your SRX Series device, yet administrators
attempting to connect through a revenue port are not able to connect.
In this scenario, what must be configured to solve this problem?
A host-inbound-traffic setting on the incoming zone.

The free licensing model for Sky ATP includes which features? (Choose two.)
Infected host blocking
Executable file inspection

Which statement is correct about Sky ATP?


Sky ATP is a cloud-based security threat analyzer that performs multiple tasks.

On an SRX Series device, how should you configure your IKE gateway if the remote endpoint is a
branch office using a dynamic IP address?
Configure the IKE policy to use aggressive mode.

Which statement is correct about Sky ATP?

Sky ATP can provide live threat feeds to SRX Series devices.

Click the Exhibit button.

You are configuring an IPsec VPN for the network shown in the exhibit.
Which feature must be enabled for the VPN to establish successfully?
Aggressive mode must be configured on the IKE gateway.

Which source NAT rule set would be used when a packet matches the conditions in multiple rule sets?
The first rule set matched will be used.

What does IPsec use to negotiate encryption algorithms?


ESP


What is a type of security feed that Sky ATP provides to a vSRX Series device by default?
C&C feeds.

When configuring IPsec VPNs, setting a hash algorithm solves which security concern?
Integrity

Which statement describes stateless firewalls on SRX Series devices?


Each packet is analyzed by firewall filters.

What is the behavior of an SRX Series device when UDP and TCP traffic is rejected by a security
policy action? (Choose two.)
The reject action drops UDP packets and sends an ICMP message to the source.
The reject action drops TCP packets and sends an RST message to the source.

Click the Exhibit button


You are configured source
being received by the SRX
proxy ARP

What is a characteristic of the Junos Enhanced Web filtering solution?

Junos Enhanced Web filtering allows the SRX Series device to categorize the URLs using an
on-premises Websense server.

Which two statements are correct about security zones? (Choose two.)
Security zones use security policies that enforce rules for the transit traffic.
Security zones use a stateful firewall to provide secure network connections.

Which two statements are correct about global security policies? (Choose two.)
Global-based policies can reference the destination zone.
Global-based policies can reference the source zone.

Which statement is correct about Sky ATP?

Sky ATP provides live threat feeds to SRX Series devices.

You are configuring an IPsec VPN for the network shown in the exhibit.

Which feature must be enabled for the VPN to establish successfully?

Aggressive mode must be configured.

Which source NAT rule set would be used when a packet matches the conditions in multiple rule
sets?

The first rule set matched will be used.

What does IPsec use to negotiate encryption algorithms?

IKE

What is a type of security feed that Sky ATP provides to a vSRX Series device by default?

Malware feeds

You have configured source…..

Being received by the SRX… ?

Reverse static NAT

What is a characteristic of the Junos Enhanced Web filtering solution?

The Websense cloud categorizes the URLs and also provides site reputation information.

When configuring IPsec VPNs, setting a hash algorithm solves which security concern?

Integrity

Which two statements are correct about security zones?

Security zones use security policies that enforce rules for the transit traffic.

Security zones use a stateful firewall to provide secure network connections.

Which two statements are correct about global security policies?

Global-based policies can reference the destination zone.

Global-based policies can reference the source zone.

Which statement describes stateless firewalls on SRX Series devices?

Each packet is analyzed by firewall filters.

What is the behavior of an SRX Series device when UDP and TCP traffic is rejected by a security policy
action?

The reject action drops UDP packets and sends an ICMP message to the source

The reject action drops TCP packets and sends an RST message to the source
