Juniper JN0-332

Juniper Networks Certified Internet Specialist, SEC (JNCIS-SEC)
Version: 18.0
Juniper JN0-332 Exam
Topic 1, Volume A

QUESTION NO: 1

Which configuration keyword ensures that all in-progress sessions are re-evaluated upon
committing a security policy change?

A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy

Answer: A
Explanation:

QUESTION NO: 2

Click the Exhibit button.

You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN
tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?

A. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel remote-vpn
B. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn
C. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn
D. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Answer: D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 2

QUESTION NO: 3

Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH?
(Choose three.)

A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication

Answer: A,C,E
Explanation:

QUESTION NO: 4

You must configure a SCREEN option that would protect your router from a session table
flood. Which configuration meets this requirement?

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
icmp {
ip-sweep threshold 5000;
flood threshold 2000;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
tcp {
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
udp {
flood threshold 5000;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
limit-session {
source-ip-based 1200;
destination-ip-based 1200;
}
}

Answer: D
Explanation:

QUESTION NO: 5

Which type of Web filtering by default builds a cache of server actions associated with each URL it
has checked?

A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering

Answer: B
Explanation:

QUESTION NO: 6

Which security or functional zone name has special significance to the Junos OS?

A. self
B. trust
C. untrust
D. junos-global

Answer: D
Explanation:

QUESTION NO: 7

Which command do you use to display the status of an antivirus database update?

A. show security utm anti-virus status
B. show security anti-virus database status
C. show security utm anti-virus database
D. show security utm anti-virus update

Answer: A
Explanation:

QUESTION NO: 8

Which statement contains the correct parameters for a route-based IPsec VPN?

A. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
interface ge-0/0/1.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}
B. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
interface st0.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}
C. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
bind-interface ge-0/0/1.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}
D. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
bind-interface st0.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}

Answer: D
Explanation:

QUESTION NO: 9

Which zone is system-defined?

A. security
B. functional
C. junos-global
D. management

Answer: C
Explanation:

QUESTION NO: 10

You want to allow your device to establish OSPF adjacencies with a neighboring device connected
to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone. Under which
configuration hierarchy must you permit OSPF traffic?

A. [edit security policies from-zone HR to-zone HR]
B. [edit security zones functional-zone management protocols]
C. [edit security zones protocol-zone HR host-inbound-traffic]
D. [edit security zones security-zone HR host-inbound-traffic protocols]

Answer: D
Explanation:

QUESTION NO: 11

Which three statements are true regarding IDP? (Choose three.)

A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by
network administrators when an attack is detected.

Answer: B,C,E
Explanation:

QUESTION NO: 12

Click the Exhibit button.

Your IKE SAs are up, but the IPsec SAs are not up. Referring to the exhibit, what is the problem?

A. One or more of the phase 2 proposals such as authentication algorithm, encryption algorithm
do not match.
B. The tunnel interface is down.
C. The proxy IDs do not match.
D. The IKE proposals do not match the IPsec proposals.

Answer: C
Explanation:

QUESTION NO: 13

Which two statements regarding symmetric key encryption are true? (Choose two.)

A. The same key is used for encryption and decryption.
B. It is commonly used to create digital certificate signatures.
C. It uses two keys: one for encryption and a different key for decryption.
D. An attacker can decrypt data if the attacker captures the key used for encryption.

Answer: A,D
Explanation:

QUESTION NO: 14

Regarding content filtering, what are two pattern lists that can be configured in the Junos OS?
(Choose two.)

A. protocol list
B. MIME
C. block list
D. extension

Answer: B,D
Explanation:

QUESTION NO: 15

Which two statements are true about hierarchical architecture? (Choose two.)

A. You can assign a logical interface to multiple zones.
B. You cannot assign a logical interface to multiple zones.
C. You can assign a logical interface to multiple routing instances.
D. You cannot assign a logical interface to multiple routing instances.

Answer: B,D
Explanation:

QUESTION NO: 16

Which two statements regarding external authentication servers for firewall user authentication are
true? (Choose two.)

A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured
authentication server is unreachable, authentication is bypassed.
D. If the local password database is not configured in the authentication order, and the configured
authentication server rejects the authentication request, authentication is rejected.

Answer: B,D
Explanation:

QUESTION NO: 17

Click the Exhibit button.

In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still
allowed.

Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated
before your Allow policy?

A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow
C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow
D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet

Answer: A
Explanation:

QUESTION NO: 18

Which UTM feature requires a license to function?

A. integrated Web filtering
B. local Web filtering
C. redirect Web filtering
D. content filtering

Answer: A
Explanation:

QUESTION NO: 19

Click the Exhibit button.

System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device.

Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)

A. A user can use SSH to interface ge-0/0/0.0 and ge-0/0/1.0.
B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.
C. A user can use SSH to interface ge-0/0/0.0.
D. A user can use SSH to interface ge-0/0/1.0.

Answer: B,C
Explanation:

QUESTION NO: 20

A user wants to establish an HTTP session to a server behind an SRX device but is being pointed
to a Web page on the SRX device for additional authentication. Which type of user authentication is
configured?

A. pass-through with Web redirect
B. WebAuth with HTTP redirect
C. WebAuth
D. pass-through

Answer: C
Explanation: Web authentication is valid for all types of traffic. With Web authentication
configured, users must first directly access the Junos security platform using HTTP. The user
enters the address or hostname of the device into a Web browser and then receives a prompt for
a username and password. If authentication is successful, the user can then access the restricted
resource directly. Subsequent traffic from the same source IP address is automatically allowed
access to the restricted resource, as long as security policy allows for it.

QUESTION NO: 21

Which two UTM features require a license to be activated? (Choose two.)

A. antispam
B. antivirus (full AV)
C. content filtering
D. Web-filtering redirect

Answer: A,B
Explanation:

QUESTION NO: 22

Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or
rules that overlap? (Choose two.)

A. Addresses used for NAT pools should never overlap.
B. If more than one rule-set matches traffic, the rule-set with the most specific context takes
precedence.
C. If traffic matches two rules within the same rule-set, both rules listed in the configuration are
applied.
D. Dynamic source NAT rules take precedence over static source NAT rules.

Answer: A,B
Explanation:

QUESTION NO: 23

A network administrator has configured source NAT, translating to an address that is on a locally
connected subnet. The administrator sees the translation working, but traffic does not appear to
come back. What is causing the problem?

A. The host needs to open the telnet port.
B. The host needs a route for the translated address.
C. The administrator must use a proxy-arp policy for the translated address.
D. The administrator must use a security policy, which will allow communication between the
zones.

Answer: C
Explanation:

QUESTION NO: 24

Which statement describes an ALG?

A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
permit the traffic to pass.

Answer: B
Explanation:

QUESTION NO: 25

Which three components can be leveraged when defining a local whitelist or blacklist for antispam
on a branch SRX Series device? (Choose three.)

A. spam assassin filtering score
B. sender country
C. sender IP address
D. sender domain
E. sender e-mail address

Answer: C,D,E
Explanation:

QUESTION NO: 26

What is the correct syntax for applying node-specific parameters to each node in a chassis
cluster?

A. set apply-groups node$
B. set apply-groups (node)
C. set apply-groups $(node)
D. set apply-groups (node)all

Answer: C
Explanation:

QUESTION NO: 27

Which statement describes a security zone?

A. A security zone can contain one or more interfaces.
B. A security zone can contain interfaces in multiple routing instances.
C. A security zone must contain two or more interfaces.
D. A security zone must contain bridge groups.

Answer: A
Explanation:

QUESTION NO: 28

A system administrator detects thousands of open idle connections from the same source. Which
problem can arise from this type of attack?

A. It enables an attacker to perform an IP sweep of devices.
B. It enables a hacker to know which operating system the system is running.
C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.
D. It creates a ping of death and can cause the entire network to be infected with a virus.

Answer: C
Explanation:

QUESTION NO: 29

Under which Junos hierarchy level are security policies configured?

A. [edit security]
B. [edit protocols]
C. [edit firewall]
D. [edit policy-options]

Answer: A
Explanation:

QUESTION NO: 30

You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
icmp {
ip-sweep threshold 5000;
flood threshold 2000;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
tcp {
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
udp {
flood threshold 5000;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
limit-session {
source-ip-based 1200;
destination-ip-based 1200;
}
}

Answer: D
Explanation:

QUESTION NO: 31

Which three methods of source NAT does the Junos OS support? (Choose three.)

A. interface-based source NAT
B. source NAT with address shifting
C. source NAT using static source pool
D. interface-based source NAT without PAT
E. source NAT with address shifting and PAT

Answer: A,B,C
Explanation:

QUESTION NO: 32

Which three firewall user authentication objects can be referenced in a security policy? (Choose
three.)

A. access profile
B. client group
C. client
D. default profile
E. external

Answer: A,B,C
Explanation:

QUESTION NO: 33

What is the default session timeout for TCP sessions?

A. 1 minute
B. 15 minutes
C. 30 minutes
D. 90 minutes

Answer: C
Explanation:

QUESTION NO: 34

Which three advanced permit actions within security policies are valid? (Choose three.)

A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.

Answer: A,C,E
Explanation:

QUESTION NO: 35

Which statement is true regarding the Junos OS for security platforms?

A. SRX Series devices can store sessions in a session table.
B. SRX Series devices accept all traffic by default.
C. SRX Series devices must operate only in packet-based mode.
D. SRX Series devices must operate only in flow-based mode.

Answer: A
Explanation: SRX Series devices operate in flow-based mode by default.
However, it is possible to apply a filter on an interface, which will enforce packet-based mode.

QUESTION NO: 36

Click the Exhibit button.

Which type of NAT is being used in the exhibit?

A. no NAT
B. destination NAT
C. source NAT
D. port address translation (PAT)

Answer: C
Explanation:

QUESTION NO: 37

At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured?
(Choose two.)

A. [edit security idp]
B. [edit security zones security-zone trust interfaces ge-0/0/0.0]
C. [edit security zones security-zone trust]
D. [edit security screen]

Answer: B,C
Explanation:

QUESTION NO: 38

Which two parameters are configured in IPsec policy? (Choose two.)

A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy

Answer: C,D
Explanation:

QUESTION NO: 39

The SRX device receives a packet and determines that it does not match an existing session. After
SCREEN options are evaluated, what is evaluated next?

A. source NAT
B. destination NAT
C. route lookup
D. zone lookup

Answer: B
Explanation:

QUESTION NO: 40

Which zone type can be specified in a policy?

A. security
B. functional
C. user
D. system

Answer: A
Explanation:

QUESTION NO: 41

Which two statements about Junos software packet handling are correct? (Choose two.)

A. The Junos OS applies service ALGs only for the first packet of a flow.
B. The Junos OS uses fast-path processing only for the first packet of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.

Answer: C,D
Explanation:

QUESTION NO: 42

Which Web-filtering technology can be used at the same time as integrated Web filtering on a
single branch SRX Series device?

A. Websense redirect Web filtering
B. local Web filtering (blacklist or whitelist)
C. firewall user authentication
D. ICAP

Answer: B
Explanation:

QUESTION NO: 43

In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?

A. This interface is a system-created interface.
B. This interface belongs to node 0 of the cluster.
C. This interface belongs to node 1 of the cluster.
D. This interface will not exist because SRX 5800 devices have only 12 slots.

Answer: C
Explanation:

QUESTION NO: 44

An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was
obtained using DHCP. Which two statements are true? (Choose two.)

A. Only main mode can be used for IKE negotiation.
B. A local-identity must be defined.
C. It must be the initiator for IKE.
D. A remote-identity must be defined.

Answer: B,C
Explanation:

QUESTION NO: 45

Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources
used for malicious packet processing.

Answer: C,D
Explanation:

QUESTION NO: 46

Click the Exhibit button.

In the exhibit, you decided to change my Hosts addresses. What will happen to the new sessions
matching the policy and in-progress sessions that had already matched the policy?

A. New sessions will be evaluated. In-progress sessions will be re-evaluated.
B. New sessions will be evaluated. All in-progress sessions will continue.
C. New sessions will be evaluated. All in-progress sessions will be dropped.
D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will
be re-evaluated and possibly dropped.

Answer: A
Explanation:

QUESTION NO: 47

When using UTM features in an HA cluster, which statement is true for installing the licenses on
the cluster members?

A. One UTM cluster license will activate UTM features on both members.
B. Each device will need a UTM license generated for its serial number.
C. Each device will need a UTM license generated for the cluster, but licenses can be applied to
either member.
D. HA clustering automatically comes with UTM licensing, no additional actions are needed.

Answer: B
Explanation:

QUESTION NO: 48

Which statement is true regarding NAT?

A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.

Answer: D
Explanation:
The data plane on Junos security platforms, implemented on IOCs, NPCs, and SPCs for high-end
devices and on CPU cores and PIMs for branch devices, consists of Junos OS packet-handling
modules compounded with a flow engine and session management like that of the ScreenOS
software. Intelligent packet processing ensures that one single thread exists for packet flow
processing associated with a single flow. Real-time processes enable the Junos OS to perform
session-based packet forwarding.

QUESTION NO: 49

Which two functions of the Junos OS are handled by the data plane? (Choose two.)

A. NAT
B. OSPF
C. SNMP
D. SCREEN options

Answer: A,D
Explanation:

QUESTION NO: 50

After applying the policy-rematch statement under the security policies stanza, what would happen
to an existing flow if the policy source address or the destination address is changed and
committed?

A. The Junos OS drops any flow that does not match the source address or destination address.
B. All traffic is dropped.
C. All existing sessions continue.
D. The Junos OS does a policy re-evaluation.

Answer: D
Explanation:

QUESTION NO: 51

Which statement is correct about HTTP trickling?

A. It prevents the HTTP client or server from timing-out during an antivirus update.
B. It prevents the HTTP client or server from timing-out during antivirus scanning.
C. It is an attack.
D. It is used to bypass antivirus scanners.

Answer: B
Explanation:

QUESTION NO: 52

For which network anomaly does Junos provide a SCREEN?

A. a telnet to port 80
B. a TCP packet with the SYN and ACK flags set
C. an SNMP getnext request
D. an ICMP packet larger than 1024 bytes

Answer: D
Explanation:

QUESTION NO: 53

What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?

A. whitelists, blacklists, SurfControl categories
B. blacklists, whitelists, SurfControl categories
C. SurfControl categories, whitelists, blacklists
D. SurfControl categories, blacklists, whitelists

Answer: B
Explanation:

QUESTION NO: 54

A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The
administrator must also disable NAT for any traffic destined to the 202.2.10.0/24 network. Which
configuration would accomplish this task?

A. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
match {
source-address 202.2.10.0/24;
}
then {
source-nat {
pool {
A;
}
}
}
}
rule B {
match {
destination-address 10.0.0.0/8;
}
then {
source-nat {
off;
}
}
}
B. [edit security nat source]
user@host# show rule-set test
from zone trust;
to zone untrust;
rule 1 {
match {
destination-address 202.2.10.0/24;
}
then {
source-nat {
off;
}
}
}
rule 2 {
match {
source-address 10.0.0.0/8;
}
then {
source-nat {
pool {
A;
}
}
}
}
C. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
match {
source-address 10.0.0.0/8;
}
then {
source-nat {
pool {
A;
}
}
}
}
rule B {
match {
destination-address 202.2.10.0/24;
}
then {
source-nat {
off;
}
}
}
D. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
match {
source-address 10.0.0.0/8;
}
then {
source-nat {
pool {
A;
}
}
}
}

Answer: B
Explanation:

QUESTION NO: 55

The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web
filtering is being used?

A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering

Answer: B
Explanation:

QUESTION NO: 56

Which two statements are true with regard to policy ordering? (Choose two.)

A. The last policy is the default policy, which allows all traffic.
B. The order of policies is not important.
C. New policies are placed at the end of the policy list.
D. The insert command can be used to change the order.

Answer: C,D
Explanation:

QUESTION NO: 57

Regarding fast path processing, when does the system perform the policy check?

A. The policy is determined after the SCREEN options check.
B. The policy is determined only during the first packet path, not during fast path.
C. The policy is determined after the zone check.
D. The policy is determined after the SYN TCP flag.

Answer: B
Explanation:

QUESTION NO: 58

Which URL database do branch SRX Series devices use when leveraging local Web filtering?

A. The SRX Series device will download the database from an online repository to locally inspect
HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web
filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web
filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local
database to inspect the HTTP traffic for Web filtering.

Answer: D
Explanation:

QUESTION NO: 59

How do you apply UTM enforcement to security policies on the branch SRX series?

A. UTM profiles are applied on a security policy by policy basis.
B. UTM profiles are applied at the global policy level.
C. Individual UTM features like anti-spam or anti-virus are applied directly on a security policy by
policy basis.
D. Individual UTM features like anti-spam or anti-virus are applied directly at the global policy
level.

Answer: A
Explanation:

QUESTION NO: 60

What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)

A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt

Answer: A,D
Explanation:

QUESTION NO: 61

Which configuration shows a pool-based source NAT without PAT?

A. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}
}
}
B. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}
}
}
C. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
port no-translation;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}
}
}
D. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}
}
}

Answer: C
Explanation:

QUESTION NO: 62

Which two statements are true regarding IDP? (Choose two.)

A. IDP can be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.

Answer: A,D
Explanation:

QUESTION NO: 63

What is the purpose of a chassis cluster?

A. Chassis clusters are used to aggregate routes.
B. Chassis clusters are used to create aggregate interfaces.
C. Chassis clusters are used to group two chassis into one logical chassis.
D. Chassis clusters are used to group all interfaces into one cluster interface.

Answer: C
Explanation: The Junos OS achieves high availability on Junos security platforms using chassis
clustering. Chassis clustering provides network node redundancy by grouping two like devices into
a cluster. The two nodes back each other up with one node acting as the primary and the other as
the secondary node, ensuring the stateful failover of processes and services in the event of
system or hardware failure. A control link between services processing cards (SPCs) or revenue
ports and an Ethernet data link between revenue ports connect two like devices. Junos security
platforms must be the same model, and all SPCs, network processing cards (NPCs), and
input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware
revision.
The chassis clustering feature in the Junos OS is built on the high availability methodology of
Juniper Networks M Series and T Series platforms and the TX Matrix platform, including
multichassis clustering, active-passive Routing Engines (REs), active-active Packet Forwarding
Engines (PFEs), and graceful RE switchover capability.

QUESTION NO: 64

Which three statements are true when working with high-availability clusters? (Choose three.)

A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is
enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the
cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.

Answer: C,D,E
Explanation:

QUESTION NO: 65

A network administrator wants to permit Telnet traffic initiated from the address book entry
the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
However, the administrator does not want the server to be able to initiate any type of traffic from
the TRUST zone to the UNTRUST zone.Which configuration statement would correctly
accomplish this task?

A. from-zone UNTRUST to-zone TRUST {
policy DenyServer {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone TRUST to-zone UNTRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}
B. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}
C. from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-ftp;
}
then {
permit;
}
}
}
D. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}

Answer: B
Explanation:

QUESTION NO: 66

Which command do you use to manually remove antivirus patterns?

A. request security utm anti-virus juniper-express-engine pattern-delete
B. request security utm anti-virus juniper-express-engine pattern-reload
C. request security utm anti-virus juniper-express-engine pattern-remove
D. delete security utm anti-virus juniper-express-engine antivirus-pattern

Answer: A
Explanation:

QUESTION NO: 67

Which three parameters are configured in the IKE policy? (Choose three.)

A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings

Answer: A,B,D
Explanation:

QUESTION NO: 68

Which two statements are true about the relationship between static NAT and proxy ARP?
(Choose two.)

A. It is necessary to forward ARP requests to remote hosts.
B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.
C. It is not automatic and you must configure it.
D. It is enabled by default and you do not need to configure it.

Answer: B,C
Explanation:

QUESTION NO: 69

Which CLI command do you use to block MIME content at the [edit security utm feature-profile]
hierarchy?

A. set content-filtering profile <name> permit-command block-mime
B. set content-filtering profile <name> block-mime
C. set content-filtering block-content-type <name> block-mime
D. set content-filtering notifications block-mime

Answer: B
Explanation:

QUESTION NO: 70

If both nodes in a chassis cluster initialize at different times, which configuration example will allow
you to ensure that the node with the higher priority will become primary for your RGs other than
RG0?

A. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
preempt;
}
B. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
monitoring;
}
C. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
control-link-recovery;
}
D. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
strict-priority;
}

Answer: A
Explanation:

QUESTION NO: 71

By default, how is traffic evaluated when the antivirus database update is in progress?

A. Traffic is scanned against the old database.
B. Traffic is scanned against the existing portion of the currently downloaded database.
C. All traffic that requires antivirus inspection is dropped and a log message generated displaying
the traffic endpoints.
D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log
message generated displaying the traffic endpoints.

Answer: D
Explanation:

QUESTION NO: 72

Which statement is true regarding IPsec VPNs?

A. There are five phases of IKE negotiation.
B. There are two phases of IKE negotiation.
C. IPsec VPN tunnels are not supported on SRX Series devices.
D. IPsec VPNs require a tunnel PIC in SRX Series devices.

Answer: B
Explanation:

QUESTION NO: 73

Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID
to 1 and node to 0?

A. user@host# set chassis cluster cluster-id 1 node 0 reboot
B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
D. user@host# set chassis cluster id 1 node 0 reboot

Answer: C
Explanation:

QUESTION NO: 74

Which three are necessary for antispam to function properly on a branch SRX Series device?
(Choose three.)

A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)

Answer: A,B,D
Explanation:

QUESTION NO: 75

How many IDP policies can be active at one time on an SRX Series device by means of the set
security idp active-policy configuration statement?

A. 1
B. 2
C. 4
D. 8

Answer: A
Explanation:

QUESTION NO: 76

Which two statements regarding firewall user authentication client groups are true? (Choose two.)

A. A client group is a list of clients associated with a group.
B. A client group is a list of groups associated with a client.
C. Client groups are referenced in security policy in the same manner in which individual clients
are referenced.
D. Client groups are used to simplify configuration by enabling firewall user authentication without
security policy.

Answer: B,C
Explanation:

QUESTION NO: 77

Your task is to provision the Junos security platform to permit transit packets from the Private zone
to the External zone by using an IPsec VPN and log information at the time of session close.
Which configuration meets this requirement?

A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-init;
}
}
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
count {
session-close;
}
}
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-close;
}
}
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
log;
count session-close;
}
}
}
}

Answer: C
Explanation:

QUESTION NO: 78

A user wants to establish an FTP session to a server behind an SRX device but must authenticate
to a Web page on the SRX device for additional authentication. Which type of user authentication
is configured?

A. pass-through
B. WebAuth
C. WebAuth with Web redirect
D. pass-through with Web redirect

Answer: B
Explanation: Web authentication is valid for all types of traffic. With Web authentication
configured, users must first directly access the Junos security platform using HTTP. The user
enters the address or hostname of the device into a Web browser and then receives a prompt for
a username and password. If authentication is successful, the user can then access the restricted
resource directly. Subsequent traffic from the same source IP address is automatically allowed
access to the restricted resource, as long as security policy allows for it.

QUESTION NO: 79

What is the functionality of redundant interfaces (reth) in a chassis cluster?

A. reth interfaces are used only for VRRP.
B. reth interfaces are the same as physical interfaces.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical
interfaces.
D. Each cluster member has a reth interface that can be used to share session state information
with the other cluster members.

Answer: C
Explanation:

QUESTION NO: 80

A network administrator receives complaints from the engineering group that an application on one
server is not working properly. After further investigation, the administrator determines that source
NAT translation is using a different source address after a random number of flows. Which two
actions can the administrator take to force the server to use one address? (Choose two.)

A. Use the custom application feature.
B. Configure static NAT for the host.
C. Use port address translation (PAT).
D. Use the address-persistent option.

Answer: B,D
Explanation:

QUESTION NO: 81

What is the default session timeout for UDP sessions?

A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes

Answer: B
Explanation:

QUESTION NO: 82

Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose
two.)

A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using
the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for
confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related,
ensuring higher security.

Answer: A,B
Explanation:

QUESTION NO: 83

You are required to configure a SCREEN option that enables IP source route option detection.
Which two configurations meet this requirement? (Choose two.)

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}
}

Answer: A,B
Explanation:

QUESTION NO: 84

What are three configuration objects used to build Junos IDP rules? (Choose three.)

A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects

Answer: A,C,E
Explanation:

QUESTION NO: 85

Click the Exhibit button.

Assume the default-policy has not been configured. Given the configuration shown in the exhibit,
which two statements about traffic from host_a in the HR zone to host_b in the trust zone are true?
(Choose two.)

A. DNS traffic is denied.
B. HTTP traffic is denied.
C. FTP traffic is permitted.
D. SMTP traffic is permitted.

Answer: A,C
Explanation:

QUESTION NO: 86

When an SRX series device receives an ESP packet, what happens?

A. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the
ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the
packet.

Answer: C
Explanation:

QUESTION NO: 87

Click the Exhibit button.

[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to
2.1.1.1. On which port is the IKE SA established?

A. TCP 500
B. UDP 500
C. TCP 4500
D. UDP 4500

Answer: D
Explanation:

QUESTION NO: 88

Click the Exhibit button.

What are two valid reasons for the output shown in the exhibit? (Choose two.)

A. The local Web-filtering daemon is not enabled or is not running.
B. The integrated Web-filtering policy server is not reachable.
C. No DNS is configured on the SRX Series device.
D. No security policy is configured to use Web filtering.

Answer: B,C
Explanation:

QUESTION NO: 89

What is the maximum number of layers of decompression that juniper-express-engine (express
AV) can decompress for the HTTP protocol?

A. 0
B. 1
C. 4
D. 8

Answer: B
Explanation:

QUESTION NO: 90

Which three features are part of the branch SRX series UTM suite? (Choose three.)

A. antispam
B. antivirus
C. IPS
D. application firewalling
E. Web filtering

Answer: A,B,E
Explanation:

QUESTION NO: 91

What are two TCP flag settings that are considered suspicious? (Choose two.)

A. Do-Not-Fragment flag is set.
B. Both SYN and FIN flags are set.
C. Both ACK and PSH flags are set.
D. FIN flag is set and ACK flag is not set.

Answer: B,D
Explanation:

QUESTION NO: 92

The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web
filtering is being used?

A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering

Answer: A
Explanation:

QUESTION NO: 93

Which two statements are true regarding redundancy groups? (Choose two.)

A. When priority settings are equal and the members participating in a cluster are initialized at the
same time, the primary role for redundancy group 0 is assigned to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during
a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is
enabled.

Answer: A,C
Explanation:

QUESTION NO: 94

What are two components of the Junos software architecture? (Choose two.)

A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes

Answer: B,C
Explanation:

QUESTION NO: 95

Which IDP policy action closes the connection and sends an RST packet to both the client and the
server?

A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session

Answer: C
Explanation:

QUESTION NO: 96

Which statement describes the UTM licensing model?

A. Install the license key and all UTM features will be enabled for the life of the product.
B. Install one license key per feature and the license key will be enabled for the life of the product.
C. Install one UTM license key, which will activate all UTM features; the license will need to be
renewed when it expires.
D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they
expire.

Answer: D
Explanation:

QUESTION NO: 97

You have configured a UTM profile called Block-Spam, which has the appropriate antispam
configuration to block undesired spam e-mails. Which configuration would protect an SMTP server
in the dmz zone from spam originating in the untrust zone?

A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-
services utm-policy Block-Spam
B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-
services utm-policy Block-Spam
C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-
services anti-spam-policy Block-Spam
D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-
services Block-Spam

Answer: B
Explanation:

QUESTION NO: 98

Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options offer protection against various attacks.
B. SCREEN options are deployed prior to route and policy processing in first path packet
processing.
C. SCREEN options are deployed at the ingress and egress sides of a packet flow.
D. When you deploy SCREEN options, you must take special care to protect OSPF.

Answer: A,B
Explanation:

QUESTION NO: 99

Click the Exhibit button.

Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with
the device on ge-0/0/0.0?

A. RIP
B. OSPF
C. BGP and RIP
D. RIP and PIM

Answer: A
Explanation:

QUESTION NO: 100

Which two statements about static NAT are true? (Choose two.)

A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.

Answer: B,D
Explanation:

Topic 2, Volume B

QUESTION NO: 101

Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device
has been properly configured with antispam inspection enabled for the appropriate security policy?
(Choose three.)

A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.
B. The server sending the e-mail to the SRX Series device is running unknown SMTP server
software.
C. The server sending the e-mail to the SRX Series device is on an IP address range that is
known to be dynamically assigned.
D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.

Answer: A,C,E
Explanation:

QUESTION NO: 102

Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?

A. A session key value is exchanged across the network.
B. A session key never passes across the network.
C. A session key is used as the key for asymmetric data encryption.
D. A session key is used as the key for symmetric data encryption.

Answer: B
Explanation:

QUESTION NO: 103

Which zone type will allow transit-traffic?

A. system
B. security
C. default
D. functional

Answer: B
Explanation:

QUESTION NO: 104

Which two statements are true for a security policy? (Choose two.)

A. It controls inter-zone traffic.
B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.

Answer: A,B
Explanation:

QUESTION NO: 105

Which CLI command provides a summary of what the content-filtering engine has blocked?

A. show security utm content-filtering statistics
B. show security flow session
C. show security flow statistics
D. show security utm content-filtering summary

Answer: A
Explanation:

QUESTION NO: 106

Click the Exhibit button.

You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit.
What is the problem?

A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm,
or pre-shared key does not match.
B. There is no route for 2.2.2.2.
C. There is no IKE definition in the configuration for peer 2.2.2.2.
D. system services ike is not enabled on the interface with IP 1.1.1.2.

Answer: C
Explanation:

QUESTION NO: 107

Which URL will match the URL pattern www.news.com/asia?

A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com

Answer: B
Explanation:

QUESTION NO: 108

Click the Exhibit button.

In the exhibit, what is the function of the configuration statements?

A. This section is where you define all chassis clustering configuration.
B. This configuration is required for members of a chassis cluster to talk to each other.
C. You can apply this configuration in the chassis cluster to make configuration easier.
D. This section is where unique node configuration is applied.

Answer: D
Explanation:

QUESTION NO: 109

A network administrator repeatedly receives support calls about network issues. After investigating
the issues, the administrator finds that the source NAT pool is running out of addresses. To be
notified that the pool is close to exhaustion, what should the administrator configure?

A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.
B. Use a trap-group with a category of services under the SNMP stanza.
C. Use an external script that will run a show command on the SRX Series device to see when the
pool is close to exhaustion.
D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.

Answer: A
Explanation:

QUESTION NO: 110

Which two statements are true when describing the capabilities of integrated Web filtering on
branch SRX Series devices? (Choose two.)

A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.
B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow
different policies to be enforced for different users.

Answer: C,D
Explanation:

QUESTION NO: 111

Which statement is true when express AV detects a virus in a TCP session?

A. TCP RST is sent and a session is restarted.
B. TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent.
D. AV scanning is restarted.

Answer: B
Explanation:

QUESTION NO: 112

Click the Exhibit button.

Which command is needed to change this policy to a tunnel policy for a policy-based VPN?

A. set policy tunnel-traffic then tunnel remote-vpn
B. set policy tunnel-traffic then permit tunnel remote-vpn
C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit
D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Answer: D
Explanation:

QUESTION NO: 113

Which two statements describe the difference between Junos software for security platforms and a
traditional router? (Choose two.)

A. Junos software for security platforms supports NAT and PAT; a traditional router does not
support NAT or PAT.
B. Junos software for security platforms does not forward traffic by default; a traditional router
forwards traffic by default.
C. Junos software for security platforms uses session-based forwarding; a traditional router uses
packet-based forwarding.
D. Junos software for security platforms performs route lookup for every packet; a traditional router
performs route lookup only for the first packet.

Answer: B,C
Explanation:

QUESTION NO: 114

Using a policy with the policy-rematch flag enabled, what happens to the existing and new
sessions when you change the policy action from permit to deny?

A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to
carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another policy.
The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are
completed or their timeout is reached.

Answer: A
Explanation:

QUESTION NO: 115

Which two content-filtering features does FTP support? (Choose two.)

A. block extension list
B. block MIME type
C. protocol command list
D. notifications-options

Answer: A,C
Explanation:

QUESTION NO: 116

Which statement is true about a NAT rule action of off?

A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.

Answer: C
Explanation:

QUESTION NO: 117

You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that
zone. From the [edit] hierarchy, which command do you use to configure this assignment?

A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0

Answer: C
Explanation:

QUESTION NO: 118

Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host
B. These connections are the only communication between Host A and Host B. The security policy
configuration permits both connections. How many sessions exist between Host A and Host B?

A. 1
B. 2
C. 3
D. 4

Answer: B
Explanation:

QUESTION NO: 119

Click the Exhibit button.

A network administrator receives complaints that the application voicecube is timing out after
being idle for 30 minutes. Referring to the exhibit, what is a resolution?

A. [edit]
user@host# set applications application voicecube inactivity-timeout never
B. [edit]
user@host# set applications application voicecube inactivity-timeout 2
C. [edit]
user@host# set applications application voicecube destination-port 5060
D. [edit]
user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never

Answer: A
Explanation:

QUESTION NO: 120

Which parameters are valid SCREEN options for combating operating system probes?

A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag

Answer: C
Explanation:

QUESTION NO: 121

You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to
be the primary node for this redundancy group. You need to verify that the redundancy group
failover is successful. Which command do you use to manually test the failover?

A. request chassis cluster manual failover group 1 node 1
B. request cluster failover redundancy-group 1 node 1
C. request chassis cluster manual failover redundancy-group 1 node 1
D. request chassis cluster failover redundancy-group 1 node 1

Answer: D
Explanation:

QUESTION NO: 122

The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web
filtering on the branch SRX device is fully executed within the device itself?

A. redirect Web filtering
B. integrated Web filtering
C. blacklist Web filtering
D. local Web filtering

Answer: D
Explanation:

QUESTION NO: 123

In the Junos OS, which statement is true?

A. vlan.0 belongs to the untrust zone.
B. You must configure Web authentication to allow inbound traffic in the untrust zone.
C. The zone name untrust has no special meaning.
D. The untrust zone is not configurable.

Answer: C
Explanation:

QUESTION NO: 124

Which statement is true about SurfControl integrated Web filter solution?

A. The SurfControl server in the cloud provides the SRX device with the category of the URL as
well as the reputation of the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
C. The SurfControl server in the cloud provides the SRX device with only the reputation of the
URL.
D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny
the URL.

Answer: B
Explanation:

QUESTION NO: 125

Click the Exhibit button.

Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?

A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.

Answer: D
Explanation:

QUESTION NO: 126

Which two statements are true regarding firewall user authentication? (Choose two.)

A. When configured for pass-through firewall user authentication, the user must first open a
connection to the Junos security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a
connection to the Junos security platform before connecting to a remote network resource.
C. If a Junos security device is configured for pass-through firewall user authentication, new
sessions are automatically intercepted to perform authentication.
D. If a Junos security device is configured for Web firewall user authentication, new sessions are
automatically intercepted to perform authentication.

Answer: B,C
Explanation:

QUESTION NO: 127

You want to create a security policy allowing traffic from any host in the Trust zone to
hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this policy?

A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this
entry in the policy.
D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference
this entry in the policy.

Answer: D
Explanation:

QUESTION NO: 128

Which three types of content filtering are supported only for HTTP? (Choose three.)

A. block Flash
B. block Java applets
C. block ActiveX
D. block EXE files
E. block MIME type

Answer: B,C,D
Explanation:

QUESTION NO: 129

Which three represent IDP policy match conditions? (Choose three.)

A. protocol
B. source-address
C. port
D. application
E. attacks

Answer: B,D,E
Explanation:

QUESTION NO: 130

Which two statements are true regarding the system-default security policy [edit security policies
default-policy]? (Choose two.)

A. Traffic is permitted from the trust zone to the untrust zone.
B. Intrazone traffic in the trust zone is permitted.
C. All traffic through the device is denied.
D. The policy is matched only when no other matching policies are found.

Answer: C,D
Explanation:

QUESTION NO: 131

Which configuration shows the correct application of a security policy scheduler?

A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}
scheduler-name now;
}
}
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}
}
}
scheduler-name now;
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
scheduler-name now;
}
}
}
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
scheduler-name now;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}
}
}
scheduler-name now;
}

Answer: B
Explanation:

QUESTION NO: 132

Which three functions are provided by the Junos OS for security platforms? (Choose three.)

A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)

Answer: A,D,E
Explanation:

QUESTION NO: 133

Which three options represent IDP policy match conditions? (Choose three.)

A. service
B. to-zone
C. attacks
D. port
E. destination-address

Answer: B,C,E
Explanation:

QUESTION NO: 134

Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP?
(Choose three.)

A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication

Answer: A,B,C
Explanation:

QUESTION NO: 135

Which two statements apply to policy scheduling? (Choose two.)

A. An individual policy can have only one scheduler applied.
B. You must manually configure system-time updates.
C. Multiple policies can use the same scheduler.
D. Policies that do not have schedulers are not active.

Answer: A,C
Explanation:

QUESTION NO: 136

Which three actions can a branch SRX Series device perform on a spam e-mail message?
(Choose three.)

A. It can drop the connection at the IP address level.
B. It can block the e-mail based upon the sender ID.
C. It can allow the e-mail and bypass all UTM inspection.
D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail
address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the
subject line.

Answer: A,B,E
Explanation:

QUESTION NO: 137

What are three different integrated UTM components available on the branch SRX Series
devices? (Choose three.)

A. antivirus (full AV, express AV)
B. antivirus (desktop AV)
C. Web filtering
D. antispam
E. firewall user authentication

Answer: A,C,D
Explanation:

QUESTION NO: 138

You want to test a configured screen value prior to deploying. Which statement will allow you to
accomplish this?

A. [edit security screen]
user@host# show
ids-option untrust-screen {
alarm-test-only;
}
B. [edit security screen]
user@host# show
ids-option untrust-screen {
alarm-without-drop;
}
C. [edit security screen]
user@host# show
ids-option untrust-screen {
alarm-no-drop;
}
D. [edit security screen]
user@host# show
ids-option untrust-screen {
test-without-drop;
}

Answer: B
Explanation:

QUESTION NO: 139

Which three contexts can be used as matching conditions in a source NAT configuration? (Choose
three.)

A. routing-instance
B. zone
C. interface
D. policy
E. rule-set

Answer: A,B,C
Explanation:

QUESTION NO: 140

Which command shows the event and traceoptions file for chassis clusters?

A. show log chassisd
B. show log clusterd
C. show log jsrpd
D. show log messages

Answer: C
Explanation:

QUESTION NO: 141

Which encryption type is used to secure user data in an IPsec tunnel?

A. symmetric key encryption
B. asymmetric key encryption
C. RSA
D. digital certificates

Answer: A
Explanation:

QUESTION NO: 142

Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address
and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an
HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your
device. You must use NAT to make the Web server reachable from the Internet using port
translation. Which type of NAT must you configure?

A. source NAT with address shifting
B. pool-based source NAT
C. static destination NAT
D. pool-based destination NAT

Answer: D
Explanation:

QUESTION NO: 143

Which two types of attacks are considered to be denial of service? (Choose two.)

A. zombie agents
B. SYN flood
C. IP packet fragments
D. WinNuke

Answer: B,D
Explanation:

QUESTION NO: 144

Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum
virus coverage for network traffic?

A. express AV
B. full AV
C. desktop AV
D. ICAP

Answer: B
Explanation:

QUESTION NO: 145

Which two statements are true about the Websense redirect Web filter solution? (Choose two.)

A. The Websense redirect Web filter solution does not require a license on the SRX device.
B. The Websense server provides the SRX device with a category for the URL and the SRX
device then matches the category with its configured policies and decides to permit or deny the
URL.
C. The Websense server provides the SRX device with a decision as to whether the SRX device
permits or denies the URL.
D. When the Websense server does not know the category of the URL, it sends a request back to
the SRX device to validate against the integrated SurfControl server in the cloud.

Answer: A,C
Explanation:

QUESTION NO: 146

Click the Exhibit button.

Referring to the exhibit, which statement contains the correct gateway parameters?

A. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
policy ike-policy1;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
B. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
ike-policy ike-policy1;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
C. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
policy ike1-policy;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
D. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
ike-policy ike1-policy;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}

Answer: B
Explanation:

QUESTION NO: 147

Antispam can be leveraged with which two features on a branch SRX Series device to provide
maximum protection from malicious e-mail content? (Choose two.)

A. integrated Web filtering
B. full AV
C. IPS
D. local Web filtering

Answer: B,C
Explanation:

QUESTION NO: 148

Content filtering enables traffic to be permitted or blocked based on inspection of which three
types of content? (Choose three.)

A. MIME pattern
B. file extension
C. IP spoofing
D. POP3
E. protocol command

Answer: A,B,E
Explanation:

QUESTION NO: 149

What are three valid Juniper Networks IPS attack object types? (Choose three.)

A. signature
B. anomaly
C. trojan
D. virus
E. chain

Answer: A,B,E
Explanation:

QUESTION NO: 150

Which two statements are true about AH? (Choose two.)

A. AH provides data integrity.
B. AH is identified by IP protocol 50.
C. AH is identified by IP protocol 51.
D. AH cannot work in conjunction with ESP.

Answer: A,C
Explanation:

QUESTION NO: 151

Click the Exhibit button.

Referring to the exhibit, what is the correct proxy-id?

A. local 1.1.1.0/24, remote 2.1.1.0/24
B. local 2.1.1.0/24, remote 1.1.1.0/24
C. local 12.1.1.0/24, remote 11.1.1.0/24
D. local 11.1.1.0/24, remote 12.1.1.0/24

Answer: D
Explanation:

QUESTION NO: 152

On which component is the control plane implemented?

A. IOC
B. PIM
C. RE
D. SPC

Answer: C
Explanation:

QUESTION NO: 153

Which two packet attributes contribute to the identification of a session? (Choose two.)

A. destination port
B. TTL
C. IP options
D. protocol number

Answer: A,D
Explanation:

QUESTION NO: 154

Which interface is used for RTO synchronization and forwarding traffic between the devices in a
cluster?

A. the st interface
B. the reth interface
C. the fxp1 and fxp0 interfaces
D. the fab0 and fab1 interfaces

Answer: D
Explanation:

QUESTION NO: 155

Click the Exhibit button.

In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from
the match condition of the policy My Traffic. What will happen to the existing FTP and BGP
sessions?

A. The existing FTP and BGP sessions will continue.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be
dropped.
C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.
D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.

Answer: B
Explanation:

QUESTION NO: 156

Click the Exhibit button.

Given the configuration shown in the exhibit, which configuration object would be used to
associate both Nancy and Walter with firewall user authentication within a security policy?

A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter

Answer: A
Explanation:

QUESTION NO: 157

Which two statements are true about pool-based source NAT? (Choose two.)

A. PAT is not supported.
B. PAT is enabled by default.
C. It supports the address-persistent configuration option.
D. It supports the junos-global configuration option.

Answer: B,C
Explanation:

QUESTION NO: 158

What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can
decompress for the HTTP protocol?

A. 1
B. 4
C. 8
D. 16

Answer: B
Explanation:

QUESTION NO: 159

The same Web site is visited for the second time using a branch SRX Series Services Gateway
configured with SurfControl integrated Web filtering. Which statement is true?

A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl
server provides the SRX with a category of the URL.
B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl
server asks the SRX device to permit the URL as it has been previously visited.
C. The SRX device looks at its local cache to find the category of the URL.
D. The SRX device does not perform any Web filtering operation as the Web site has already
been visited.

Answer: C
Explanation:

QUESTION NO: 160

To determine whether a particular file has a virus by only inspecting a few initial packets before
receiving the entire file, which UTM feature do you enable?

A. URL white lists
B. intelligent pre-screening
C. trickling
D. scan mode extensions

Answer: B
Explanation:

QUESTION NO: 161

Which element occurs first during the first-packet-path processing?

A. destination NAT
B. forwarding lookup
C. route lookup
D. SCREEN options

Answer: D
Explanation:

QUESTION NO: 162

Which statement describes the behavior of source NAT with address shifting?

A. Source NAT with address shifting translates both the source IP address and the source port of
a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP
address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same
translated IP address.
D. Source NAT with address shifting allows inbound connections to be initiated to the static source
pool IP addresses.

Answer: B
Explanation:

QUESTION NO: 163

Which two statements are true about IPsec traffic? (Choose two.)

A. IPsec traffic can be forwarded when no IKE SA is present.
B. IPsec traffic can be forwarded when no IPsec SA is present.
C. For traffic that has to be encrypted, the security policy must be crafted based on the IP
addresses in the inner IP header of the final ESP packet.
D. For traffic that has to be encrypted, the security policy must be crafted based on the IP
addresses in the outer IP header of the final ESP packet.

Answer: A,C
Explanation:

QUESTION NO: 164

You must configure a SCREEN option that will protect your router from a session table flood.

Which configuration meets this requirement?

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
icmp {
ip-sweep threshold 5000;
flood threshold 2000;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
tcp {
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
udp {
flood threshold 5000;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
limit-session
{
source-ip-based 1200;
destination-ip-based 1200;
}
}

Answer: D
Explanation:

QUESTION NO: 165

Which two statements are true regarding high-availability chassis clustering? (Choose two.)

A. A chassis cluster consists of two devices.
B. A chassis cluster consists of two or more devices.
C. Devices participating in a chassis cluster can be different models.
D. Devices participating in a chassis cluster must be the same models.

Answer: A,D
Explanation:

QUESTION NO: 166

Which statement is true for interfaces residing outside of redundancy groups?

A. The interfaces cannot be mapped to security zones.
B. Only interfaces that have redundancy can be active in the chassis cluster.
C. All interfaces will be redundant if they reside on a system that is part of a chassis cluster.
D. Interfaces that are not in a redundancy group can still forward traffic, but no redundancy is
available for them.

Answer: D
Explanation:

QUESTION NO: 167

Under which configuration hierarchy is an access profile configured for firewall user
authentication?

A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]

Answer: A
Explanation:

QUESTION NO: 168

Which two statements are true about juniper-express-engine (express AV)? (Choose two.)

A. It does not support scan mode by extension.
B. It can detect polymorphic viruses.
C. It cannot decompress a zipped file transmitted using FTP.
D. It cannot decompress a zipped file transmitted using POP3.

Answer: A,C
Explanation:

QUESTION NO: 169

What are two uses of NAT? (Choose two.)

A. enabling network migrations
B. conserving public IP addresses
C. allowing stateful packet inspection
D. preventing unauthorized connections from outside the network

Answer: A,B
Explanation:

QUESTION NO: 170

Which three statements are true when working with high-availability clusters? (Choose three.)

A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is
enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the
cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.

Answer: C,D,E
Explanation:

QUESTION NO: 171

Which security or functional zone name has special significance to the Junos OS?

A. self
B. trust
C. untrust
D. junos-global

Answer: D
Explanation:

QUESTION NO: 172

Which statement is true regarding NAT?

A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.

Answer: D
Explanation:

QUESTION NO: 173

Which statement describes an ALG?

A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
permit the traffic to pass.

Answer: B
Explanation:

QUESTION NO: 174

Which UTM feature requires a license to function?

A. integrated Web filtering
B. local Web filtering
C. redirect Web filtering
D. content filtering

Answer: A
Explanation:

QUESTION NO: 175

Which URL will match the URL pattern "www.news.com/asia"?

A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com

Answer: B
Explanation:

QUESTION NO: 176

What are three valid Juniper Networks IPS attack object types? (Choose three.)

A. signature
B. anomaly
C. trojan
D. virus
E. chain

Answer: A,B,E
Explanation:

QUESTION NO: 177

Regarding content filtering, what are two pattern lists that can be configured in the Junos OS?
(Choose two.)

A. protocol list
B. MIME
C. block list
D. extension

Answer: B,D
Explanation:

QUESTION NO: 178

Which three are necessary for antispam to function properly on a branch SRX Series device?
(Choose three.)

A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)

Answer: A,B,D
Explanation:

QUESTION NO: 179

Which three actions can a branch SRX Series device perform on a spam e-mail message?
(Choose three.)

A. It can drop the connection at the IP address level.
B. It can block the e-mail based upon the sender ID.
C. It can allow the e-mail and bypass all UTM inspection.
D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail
address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the
subject line.

Answer: A,B,E
Explanation:

QUESTION NO: 180

You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to
be the primary node for this redundancy group. You need to verify that the redundancy group
failover is successful.

Which command do you use to manually test the failover?

A. request chassis cluster manual failover group 1 node 1
B. request cluster failover redundancy-group 1 node 1
C. request chassis cluster manual failover redundancy-group 1 node 1
D. request chassis cluster failover redundancy-group 1 node 1

Answer: D
Explanation:

QUESTION NO: 181

Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum
virus coverage for network traffic?

A. express AV
B. full AV
C. desktop AV
D. ICAP

Answer: B
Explanation:

QUESTION NO: 182

Which two statements about static NAT are true? (Choose two.)

A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.

Answer: B,D
Explanation:

QUESTION NO: 183

Which statement is true about zone interface assignment?

A. A logical interface can be assigned to a functional zone.
B. A security zone must contain two or more logical interfaces.
C. A logical interface can be assigned to multiple security zones.
D. A logical interface can be assigned to a functional zone and a security zone simultaneously.

Answer: A
Explanation:

QUESTION NO: 184

You want to ensure end-to-end data connectivity through an IPsec tunnel.

Which feature would you activate?

A. DPD
B. VPN monitor
C. perfect forward secrecy
D. NHTB

Answer: B
Explanation:

QUESTION NO: 185

In which two cases would you consider the TCP flag settings to be suspicious? (Choose two.)

A. Do-Not-Fragment flag is set.
B. Both SYN and FIN flags are set.
C. Both ACK and PSH flags are set.
D. FIN flag is set and ACK flag is not set.

Answer: B,D
Explanation:

QUESTION NO: 186

Which operational mode command displays all active IKE phase 2 security associations?

A. show ike security-associations
B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations

Answer: D
Explanation:

QUESTION NO: 187

Antispam can be leveraged with which two features on a branch SRX Series device to provide
maximum protection from malicious e-mail content? (Choose two.)

A. integrated Web filtering
B. full AV
C. IPS
D. local Web filtering

Answer: B,C
Explanation:

QUESTION NO: 188

Which three security policy actions are valid? (Choose three.)

A. deny
B. allow
C. permit
D. reject
E. discard

Answer: A,C,D
Explanation:

QUESTION NO: 189

Which configuration keyword ensures that all in-progress sessions are re-evaluated upon
committing a security policy change?

A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy

Answer: A
Explanation:

QUESTION NO: 190

Which URL database do branch SRX Series devices use when leveraging local Web filtering?

A. The SRX Series device will download the database from an online repository to locally inspect
HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web
filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web
filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local
database to inspect the HTTP traffic for Web filtering.

Answer: D
Explanation:

QUESTION NO: 191

Your task is to provision the Junos security platform to permit transit packets from the Private zone
to the External zone and send them through the IPsec VPN. You must also have the device
generate a log message when the session ends.

Which configuration meets this requirement?

A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-init;
}
}
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
count {
session-close;
}
}
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-close;
}
}
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
log;
count session-close;
}
}
}
}

Answer: C
Explanation:

QUESTION NO: 192

Which two statements are true for a security policy? (Choose two.)

A. It controls inter-zone traffic.
B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.

Answer: A,B
Explanation:

QUESTION NO: 193

Which command would you use to enable chassis clustering on an SRX device, setting the cluster
ID to 1 and node to 0?

A. user@host# set chassis cluster cluster-id 1 node 0 reboot
B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
D. user@host# set chassis cluster id 1 node 0 reboot

Answer: C
Explanation:

QUESTION NO: 194

Which three advanced permit actions within security policies are valid? (Choose three.)

A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.

Answer: A,C,E
Explanation:

QUESTION NO: 195

Which type of Web filtering by default builds a cache of server actions associated with each URL it
has checked?

A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering

Answer: B
Explanation:

QUESTION NO: 196

On which component is the control plane implemented?

A. IOC
B. PIM
C. RE
D. SPC

Answer: C
Explanation:

QUESTION NO: 197

When an SRX Series device receives an ESP packet, what happens?

A. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the
ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the
packet.

Answer: C
Explanation:

QUESTION NO: 198

You are required to configure a SCREEN option that enables IP source route option detection.

Which two configurations meet this requirement? (Choose two.)

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}
}

Answer: A,B
Explanation:

QUESTION NO: 199

Which two statements are true about route-based VPNs? (Choose two.)

A. Route-based VPNs cannot be used to configure remote access or dialup VPNs.
B. The from-zone and to-zone, for a security policy to permit traffic over a route-based VPN, are
derived from the zone in which the protected network lies and the zone in which the IKE interface
lies.
C. system services ike must be enabled on the st0.x interface.
D. You cannot re-write the DSCP bits on the inner IP header of an ESP packet that was created or
forwarded using a route-based VPN.

Answer: A,D
Explanation:

QUESTION NO: 200

What is the purpose of an address book?

A. It holds security policies for particular hosts.
B. It holds statistics about traffic to and from particular hosts.
C. It defines the hosts in a zone so they can be referenced by policies.
D. It maps hostnames to IP addresses to serve as a backup to DNS resolution.

Answer: C
Explanation:

Topic 3, Volume C

QUESTION NO: 201

Which two traffic types trigger pass-through firewall user authentication? (Choose two.)

A. SSH
B. ICMP
C. Telnet
D. FTP

Answer: C,D
Explanation:

QUESTION NO: 202

How does the antivirus feature operate once the antivirus license has expired?

A. Any traffic matching a UTM policy will be dropped.
B. Any traffic matching a UTM policy will be permitted.
C. Any traffic matching a UTM policy will be correctly evaluated with the existing set of antivirus
signatures.
D. Any traffic matching a UTM policy will be permitted with a log message of no inspection.

Answer: C
Explanation:

QUESTION NO: 203

What are two valid match conditions for source NAT? (Choose two.)

A. port range
B. source port
C. source address
D. destination address

Answer: C,D
Explanation:

QUESTION NO: 204

Which two configuration elements are required for a policy-based VPN? (Choose two.)

A. IKE gateway
B. secure tunnel interface
C. security policy to permit the IKE traffic
D. security policy referencing the IPsec VPN tunnel

Answer: A,D
Explanation:

QUESTION NO: 205

Which two statements are true for both express antivirus and full file-based antivirus? (Choose
two.)

A. Signature updates of the pattern database are obtained from Symantec.
B. Intelligent prescreening functionality is identical in both express antivirus and full antivirus.
C. Both express antivirus and full file-based antivirus use the same scan engines.
D. The database pattern server is available through both HTTP and HTTPS.

Answer: B,D
Explanation:

QUESTION NO: 206

Which statement is true about interfaces, zones, and routing-instance relationships?

A. All interfaces in a zone must belong to the same routing instance.
B. All interfaces in a routing instance must belong to the same zone.
C. All interfaces in a zone must be in inet.0.
D. Each interface in a VR must belong to a unique security zone.

Answer: A
Explanation:

QUESTION NO: 207

What do you use to group interfaces with similar security requirements?

A. zones
B. policies
C. address book
D. NAT configuration

Answer: A

"Pass Any Exam. Any Time." - www.actualtests.com 98


Juniper JN0-332 Exam
Explanation:

QUESTION NO: 208

Which statement is true when express AV detects a virus in a TCP session?

A. A TCP RST is sent and the session is restarted.
B. The TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent.
D. AV scanning is restarted.

Answer: B
Explanation:

QUESTION NO: 209

Which statement describes the behavior of a security policy?

A. The implicit default security policy permits all traffic.
B. Traffic destined to the device itself always requires a security policy.
C. Traffic destined to the device's incoming interface does not require a security policy.
D. The factory-default configuration permits all traffic from all interfaces.

Answer: C
Explanation:

QUESTION NO: 210

What are two rulebase types within an IPS policy on an SRX Series device? (Choose two.)

A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt

Answer: A,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 99


Juniper JN0-332 Exam

QUESTION NO: 211

Click the Exhibit button.

Which type of source NAT is configured in the exhibit?

A. interface-based source NAT
B. static source NAT
C. pool-based source NAT with PAT
D. pool-based source NAT without PAT

Answer: A
Explanation:

QUESTION NO: 212

Click the Exhibit button.

-- Exhibit --
user@host> show security utm web-filtering statistics
UTM web-filtering statistics:
    Total requests:                     298171
    white list hit:                     0
    Black list hit:                     0
    Queries to server:                  17641
    Server reply permit:                14103
    Server reply block:                 3538
    Custom category permit:             0
    Custom category block:              0
    Cache hit permit:                   171020
    Cache hit block:                    109510
    Web-filtering sessions in total:    4000
    Web-filtering sessions in use:      0
    Fallback:                           log-and-permit   block
        Default                         0                0
        Timeout                         0                0
        Connectivity                    0                0
        Too-many-requests               758              0
-- Exhibit --

Which two statements are true about the output shown in the exhibit on the branch SRX device?
(Choose two.)

A. Redirect Web filtering is being used.
B. Integrated Web filtering is being used.
C. At some point the SRX had more than 4000 concurrent Web sessions.
D. Local Web filtering is being used.

Answer: B,C
Explanation:

QUESTION NO: 213

Click the Exhibit button.

-- Exhibit --
[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
    match {
        source-address subnet_a;
        destination-address host_b;
        application [ junos-telnet junos-ping ];
    }
    then {
        reject;
    }
}
policy one {
    match {
        source-address host_a;
        destination-address subnet_b;
        application any;
    }
    then {
        permit;
    }
}
-- Exhibit --

host_a is in subnet_a and host_b is in subnet_b.

Given the configuration shown in the exhibit, which two statements are true about traffic from host_a to host_b? (Choose two.)

"Pass Any Exam. Any Time." - www.actualtests.com 102


Juniper JN0-332 Exam
A. DNS traffic is denied.
B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is denied.

Answer: B,D
Explanation:

QUESTION NO: 214

Review Below:

[edit security nat destination]
user@host# show
pool A {
    address 10.1.10.5/32;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}

Which type of NAT is configured in the exhibit?

A. static destination NAT
B. static source NAT
C. pool-based destination NAT without PAT
D. pool-based destination NAT with PAT

Answer: C
Explanation:

QUESTION NO: 215

Regarding zone types, which statement is true?

A. You cannot assign an interface to a functional zone.
B. You can specify a functional zone in a security policy.
C. Security zones must have a scheduler applied.
D. You can use a security zone for traffic destined for the device itself.

Answer: D
Explanation:

QUESTION NO: 216

Regarding attacks, which statement is correct?

A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.
B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy
flood.
C. DoS attacks are directed at the network protection devices, while propagation attacks are
directed at the servers.
D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take
control of the devices.

Answer: D
Explanation:

QUESTION NO: 217

"Pass Any Exam. Any Time." - www.actualtests.com 104


Juniper JN0-332 Exam
Click the Exhibit button.

[edit schedulers]
user@host# show
scheduler now {
    monday all-day;
    tuesday exclude;
    wednesday {
        start-time 07:00:00 stop-time 18:00:00;
    }
    thursday {
        start-time 07:00:00 stop-time 18:00:00;
    }
}

[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}

"Pass Any Exam. Any Time." - www.actualtests.com 105


Juniper JN0-332 Exam
Based on the configuration shown in the exhibit, what are the actions of the security policy?

A. The policy will always permit transit packets and use the IPsec VPN myTunnel.
B. The policy will permit transit packets only on Monday, and use the IPsec VPN Mytunnel.
C. The policy will permit transit packets and use the IPsec VPN myTunnel all day Monday and
Wednesday 7am to 6pm, and Thursday 7am to 6pm.
D. The policy will always permit transit packets, but will only use the IPsec VPN myTunnel all day
Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.

Answer: C
Explanation:

QUESTION NO: 218

Which two statements are true regarding proxy ARP? (Choose two.)

A. Proxy ARP is enabled by default.
B. Proxy ARP is not enabled by default.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.

Answer: B,D
Explanation:

QUESTION NO: 219

For IKE phase 1 negotiations, when is aggressive mode typically used?

A. when one of the tunnel peers has a dynamic IP address
B. when one of the tunnel peers wants to force main mode to be used
C. when fragmentation of the IKE packet is required between the two peers
D. when one of the tunnel peers wants to specify a different phase 1 proposal

Answer: A
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 106


Juniper JN0-332 Exam
QUESTION NO: 220

A traditional router is better suited than a firewall device for which function?

A. VPN establishment
B. packet-based forwarding
C. stateful packet processing
D. Network Address Translation

Answer: B
Explanation:

QUESTION NO: 221

Which three functions are provided by JUNOS Software for security platforms? (Choose three.)

A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)

Answer: A,D,E
Explanation:

QUESTION NO: 222

Which two functions of JUNOS Software are handled by the data plane? (Choose two.)

A. NAT
B. OSPF
C. SNMP
D. SCREEN options

Answer: A,D
Explanation:

QUESTION NO: 223

"Pass Any Exam. Any Time." - www.actualtests.com 107


Juniper JN0-332 Exam
In JUNOS Software, which three packet elements can be inspected to determine if a session
already exists? (Choose three.)

A. IP protocol
B. IP time-to-live
C. source and destination IP address
D. source and destination MAC address
E. source and destination TCP/UDP port

Answer: A,C,E
Explanation:

QUESTION NO: 224

By default, which condition would cause a session to be removed from the session table?

A. Route entry for the session changed.
B. Security policy for the session changed.
C. The ARP table entry for the source IP address timed out.
D. No traffic matched the session during the timeout period.

Answer: D
Explanation:

QUESTION NO: 225

What is the purpose of a zone in JUNOS Software?

A. A zone defines a group of security devices with a common management.
B. A zone defines the geographic region in which the security device is deployed.
C. A zone defines a group of network segments with similar security requirements.
D. A zone defines a group of network segments with similar class-of-service requirements.

Answer: C
Explanation:

QUESTION NO: 226

"Pass Any Exam. Any Time." - www.actualtests.com 108


Juniper JN0-332 Exam
Users can define policy to control traffic flow between which two components? (Choose two.)

A. from a zone to the device itself
B. from a zone to the same zone
C. from a zone to a different zone
D. from one interface to another interface

Answer: B,C
Explanation:

QUESTION NO: 227

Which two configurations are valid? (Choose two.)

A. [edit security zones]
user@host# show
security-zone red {
interfaces {
ge-0/0/1.0;
ge-0/0/3.0;
}}
security-zone blue {
interfaces {
ge-0/0/2.0;
ge-0/0/3.102;
}}
B. [edit security zones]
user@host# show
security-zone red {
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
}}
security-zone blue {
interfaces {
ge-0/0/1.0;
ge-0/0/3.0;
}}
C. [edit routing-instances]
user@host# show
red {
interface ge-0/0/3.0;
interface ge-0/0/2.102;
}
blue {
interface ge-0/0/0.0;
interface ge-0/0/3.0;
}
D. [edit routing-instances]
user@host# show
red {
interface ge-0/0/3.0;
interface ge-0/0/3.102;
}
blue {
interface ge-0/0/0.0;
interface ge-0/0/2.0;
}

Answer: A,D
Explanation:

QUESTION NO: 228

Which two configuration options must be present for IPv4 transit traffic to pass between the ge-
0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)

A. family inet
B. a security zone
C. a routing instance
D. host-inbound-traffic

Answer: A,B
Explanation:

QUESTION NO: 229

Which zone is a system-defined zone?

A. null zone
B. trust zone
C. untrust zone
D. management zone

"Pass Any Exam. Any Time." - www.actualtests.com 110


Juniper JN0-332 Exam
Answer: A
Explanation:

QUESTION NO: 230

Which type of zone is used by traffic transiting the device?

A. transit zone
B. default zone
C. security zone
D. functional zone

Answer: C
Explanation:

QUESTION NO: 231

Which two steps are performed when configuring a zone? (Choose two.)

A. Define a default policy for the zone.
B. Assign logical interfaces to the zone.
C. Assign physical interfaces to the zone.
D. Define the zone as a security or functional zone.

Answer: B,D
Explanation:

QUESTION NO: 232

You want to allow all hosts on interface ge-0/0/0.0 to be able to ping the device's ge- 0/0/0.0 IP
address.

Where do you configure this functionality?

A. [edit interfaces]
B. [edit security zones]
C. [edit system services]
D. [edit security interfaces]

Answer: B
Explanation:

QUESTION NO: 233

You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that
zone.

From the [edit] hierarchy, which command do you use to configure this assignment?

A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0

Answer: C
Explanation:

QUESTION NO: 234

You are not able to telnet to the interface IP address of your device from a PC on the same
subnet.

What is causing the problem?

A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.

Answer: D
Explanation:

QUESTION NO: 235

Click the Exhibit button.

"Pass Any Exam. Any Time." - www.actualtests.com 112


Juniper JN0-332 Exam

Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?

A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.

Answer: D
Explanation:

QUESTION NO: 236

Click the Exhibit button.

Based on the exhibit, client PC 192.168.10.10 cannot ping 1.1.1.2. Which is a potential cause for
this problem?

A. The untrust zone does not have a management policy configured.
B. The trust zone does not have ping enabled as a host-inbound-traffic service.
C. The security policy from the trust zone to the untrust zone does not permit ping.
D. No security policy exists for the ICMP reply packet from the untrust zone to the trust zone.

Answer: C
Explanation:

QUESTION NO: 237

Click the Exhibit button.

[edit security zones security-zone HR]
user@host# show
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        https;
    }
}
interfaces {
    ge-0/0/0.0;
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-0/0/2.0 {
        host-inbound-traffic {
            system-services {
                ping;
                ftp;
            }
        }
    }
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                all;
                ssh {
                    except;
                }
            }
        }
    }
}

All system services have been enabled.

"Pass Any Exam. Any Time." - www.actualtests.com 114


Juniper JN0-332 Exam
Given the configuration shown in the exhibit, which interface allows both ping and SSH traffic?

A. ge-0/0/0.0
B. ge-0/0/1.0
C. ge-0/0/2.0
D. ge-0/0/3.0

Answer: A
Explanation:

QUESTION NO: 238

Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound

Allowed host-inbound traffic : bgp ospf

Which configuration would result in the output shown in the exhibit?

A. [edit security zones functional-zone management]
user@host# show
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
protocols {
bgp;
ospf;
vrrp;
}}}}
host-inbound-traffic {
protocols {
all;
vrrp {
except;
}}}
B. [edit security zones functional-zone management]
user@host# show
host-inbound-traffic {
protocols {
bgp;
ospf;
}}

"Pass Any Exam. Any Time." - www.actualtests.com 115


Juniper JN0-332 Exam
C. [edit security zones security-zone trust]
user@host# show
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
protocols {
ospf;
bgp;
}}}}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
protocols {
bgp;
}}
interfaces {
all {
host-inbound-traffic {
protocols {
ospf;
}}}}

Answer: C
Explanation:

QUESTION NO: 239

Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound

Allowed host-inbound traffic : ping ssh telnet

Which configuration would result in the output shown in the exhibit?

A. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
ping;
telnet;
}}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ssh;
telnet;
}}}}
B. [edit security zones functional-zone management]
user@host# show
interfaces {
all;
}
host-inbound-traffic {
system-services {
all;
ftp {
except;
}}}
C. [edit security zones functional-zone management]
user@host# show
interfaces {
all {
host-inbound-traffic {
system-services {
ping;
}}}}
host-inbound-traffic {
system-services {
telnet;
ssh;
}}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
ssh;
ping;
telnet;
}}
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
ping;
}}}
ge-0/0/0.0;
}

"Pass Any Exam. Any Time." - www.actualtests.com 117


Juniper JN0-332 Exam
Answer: D
Explanation:

QUESTION NO: 240

Click the Exhibit button.

[edit security]
user@host# show
zones {
    security-zone ZoneA {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
    }
    security-zone ZoneB {
        interfaces {
            ge-0/0/3.0;
        }
    }
}
policies {
    from-zone ZoneA to-zone ZoneB {
        policy A-to-B {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet
connection to the device's ge-0/0/1.0 IP address.

What does the device do?

A. The device sends back a TCP reset packet.
B. The device silently discards the packet.
C. The device forwards the packet out the ge-0/0/1.0 interface.
D. The device responds with a TCP SYN/ACK packet and opens the connection.

Answer: B
Explanation:

QUESTION NO: 241

Which two commands can be used to monitor firewall user authentication? (Choose two.)

A. show access firewall-authentication
B. show security firewall-authentication users
C. show security audit log
D. show security firewall-authentication history

Answer: B,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 119


Juniper JN0-332 Exam
QUESTION NO: 242

Which two statements regarding external authentication servers for firewall user authentication are
true? (Choose two.)

A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is not performed.
D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is not performed.

Answer: B,D
Explanation:

QUESTION NO: 243

Which two external authentication server types are supported by JUNOS Software for firewall user
authentication? (Choose two.)

A. RADIUS
B. TACACS+
C. LDAP
D. IIS

Answer: A,C
Explanation:

QUESTION NO: 244

Click the Exhibit button.

[edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    system-services {
        all;
    }
}
interfaces {
    ge-0/0/0.0;
}

Referring to the exhibit, which two traffic types are permitted when the destination is the ge-
0/0/0.0 IP address? (Choose two.)

A. Telnet
B. OSPF
C. ICMP
D. RIP

Answer: A,C
Explanation:
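
The resolution rule behind questions 237, 238, 239 and 244 is that an interface-level host-inbound-traffic block replaces the zone-level block for that category (system-services or protocols), a bare interface entry inherits the zone's block, and "all" is expanded before any "except" is subtracted. The following Python is an added worked example, not exam or Juniper code: it transcribes the exhibits into dictionaries and resolves what each interface actually accepts. The universe of service and protocol names is a constructed subset (the real lists are longer), and the per-category override is the documented precedence, modelled here as an assumption.

```python
# Added example: resolve effective host-inbound-traffic per interface.
# Constructed universes; the real Junos lists of services/protocols are longer.
ALL_SYSTEM_SERVICES = frozenset({"ping", "ssh", "telnet", "https", "http",
                                 "ftp", "ike", "snmp", "netconf", "dhcp"})
ALL_PROTOCOLS = frozenset({"bgp", "ospf", "rip", "vrrp", "pim", "igmp", "bfd"})
UNIVERSE = {"system-services": ALL_SYSTEM_SERVICES, "protocols": ALL_PROTOCOLS}


def expand(spec, category):
    """spec is a list of names; "all" expands to the whole universe and
    ("except", name) removes one, mirroring `all; ssh { except; }`."""
    allowed = set()
    for item in spec:
        if item == "all":
            allowed |= set(UNIVERSE[category])
        elif isinstance(item, str):
            allowed.add(item)
    for item in spec:            # excepts apply after everything else
        if isinstance(item, tuple) and item[0] == "except":
            allowed.discard(item[1])
    return allowed


def resolve(zone, ifname):
    """Effective allowed sets for one interface. An interface-level block
    replaces the zone-level block for that category (assumption: the
    documented interface-over-zone precedence); a bare entry inherits."""
    zone_hit = zone.get("host-inbound-traffic", {})
    if_hit = zone["interfaces"][ifname] or {}
    return {cat: expand(if_hit.get(cat, zone_hit.get(cat, [])), cat)
            for cat in ("system-services", "protocols")}


def show_host_inbound(zone, ifname):
    """Render like `show interfaces <if> | match host-inbound`."""
    eff = resolve(zone, ifname)
    names = sorted(eff["system-services"]) + sorted(eff["protocols"])
    return "Allowed host-inbound traffic : " + " ".join(names)


def interfaces_allowing(zone, *services):
    """Interfaces whose effective system-services include every name given."""
    return [i for i in zone["interfaces"]
            if set(services) <= resolve(zone, i)["system-services"]]


# Question 237: zone HR.
ZONE_HR = {
    "host-inbound-traffic": {"system-services": ["ping", "ssh", "https"]},
    "interfaces": {
        "ge-0/0/0.0": None,
        "ge-0/0/1.0": {"system-services": ["ping"]},
        "ge-0/0/2.0": {"system-services": ["ping", "ftp"]},
        "ge-0/0/3.0": {"system-services": ["all", ("except", "ssh")]},
    },
}
# Question 238, option C: no zone-level block, interface-level protocols.
ZONE_TRUST_Q238_C = {"interfaces": {"ge-0/0/0.0": {"protocols": ["ospf", "bgp"]}}}
# Question 239, option D: zone-level services, ge-0/0/0.0 inherits them.
ZONE_TRUST_Q239_D = {
    "host-inbound-traffic": {"system-services": ["ssh", "ping", "telnet"]},
    "interfaces": {"ge-0/0/3.0": {"system-services": ["ping"]}, "ge-0/0/0.0": None},
}
# Question 239, option A: interface-level block overrides the zone's ping.
ZONE_TRUST_Q239_A = {
    "host-inbound-traffic": {"system-services": ["ping", "telnet"]},
    "interfaces": {"ge-0/0/0.0": {"system-services": ["ssh", "telnet"]}},
}
# Question 244: system-services all, no protocols at all.
ZONE_TRUST_Q244 = {
    "host-inbound-traffic": {"system-services": ["all"]},
    "interfaces": {"ge-0/0/0.0": None},
}
```

Running `interfaces_allowing(ZONE_HR, "ping", "ssh")` returns only ge-0/0/0.0: ge-0/0/1.0 and ge-0/0/2.0 replaced the zone list with their own, and ge-0/0/3.0 carved ssh out of "all". Option A of question 239 renders as `ssh telnet`, which is why it cannot produce the `ping ssh telnet` output in the exhibit.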

QUESTION NO: 245

What are three main phases of an attack? (Choose three.)

A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance

Answer: B,C,E
Explanation:

QUESTION NO: 246

An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies.
Which type of an attack does this scenario describe?

A. DoS
B. SYN flood
C. port scanning
D. IP address sweep

"Pass Any Exam. Any Time." - www.actualtests.com 121


Juniper JN0-332 Exam
Answer: C
Explanation:

QUESTION NO: 247

Where do you configure SCREEN options?

A. zones on which an attack might arrive
B. zones you want to protect from attack
C. interfaces on which an attack might arrive
D. interfaces you want to protect from attack

Answer: A
Explanation:

QUESTION NO: 248

Prior to applying SCREEN options to drop traffic, you want to determine how your configuration
will affect traffic.

Which mechanism would you configure to achieve this objective?

A. the log option for the particular SCREEN option
B. the permit option for the particular SCREEN option
C. the SCREEN option, because it does not drop traffic by default
D. the alarm-without-drop option for the particular SCREEN option

Answer: D
Explanation:
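
Questions 246 through 248 turn on what a port-scan or IP-sweep SCREEN actually counts (distinct ports on one destination, or distinct destinations, from one source inside a microsecond-scale window) and on alarm-without-drop as the way to observe the effect before enforcing. The Python below is an added illustration, not Junos code: a simplified sliding-window model of the two screens run over constructed packets. The threshold and distinct-count knobs, the counting keys and the "drop everything once tripped while the window holds" behaviour are assumptions about the mechanism, not a transcription of the SRX implementation.

```python
# Added example: port-scan / ip-sweep screen model with alarm-without-drop.
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_us: int          # arrival time in microseconds (constructed)
    src: str
    dst: str
    proto: int          # 6 = TCP, 1 = ICMP
    dport: int = 0      # TCP destination port; unused for ICMP
    syn: bool = False   # only SYNs count towards a port scan


class ZoneScreen:
    """Per-zone screen state. threshold_us mirrors the microsecond units of
    the Junos knobs; distinct is how many different ports/addresses within
    the window trips the screen (assumed values, not vendor defaults)."""

    def __init__(self, threshold_us=5000, distinct=10, alarm_without_drop=False):
        self.threshold_us = threshold_us
        self.distinct = distinct
        self.alarm_without_drop = alarm_without_drop
        self._ports_seen = defaultdict(deque)   # (src, dst) -> (ts, dport)
        self._hosts_seen = defaultdict(deque)   # src -> (ts, dst)

    def _distinct_in_window(self, history, ts, value):
        history.append((ts, value))
        while ts - history[0][0] > self.threshold_us:   # expire old entries
            history.popleft()
        return len({v for _, v in history})

    def inspect(self, pkt):
        """Return (verdict, screens hit). Verdict is pass, drop, or alarm."""
        hits = []
        if pkt.proto == 6 and pkt.syn:
            n = self._distinct_in_window(
                self._ports_seen[(pkt.src, pkt.dst)], pkt.ts_us, pkt.dport)
            if n >= self.distinct:
                hits.append("port-scan")
        if pkt.proto == 1:
            n = self._distinct_in_window(
                self._hosts_seen[pkt.src], pkt.ts_us, pkt.dst)
            if n >= self.distinct:
                hits.append("ip-sweep")
        if not hits:
            return "pass", hits
        # alarm-without-drop: log the hit, let the packet through.
        return ("alarm" if self.alarm_without_drop else "drop"), hits


def run_screen(packets, alarm_without_drop=False):
    """Feed packets in arrival order; return a count of verdicts."""
    screen = ZoneScreen(alarm_without_drop=alarm_without_drop)
    verdicts = Counter()
    for pkt in sorted(packets, key=lambda p: p.ts_us):
        verdict, _ = screen.inspect(pkt)
        verdicts[verdict] += 1
    return dict(verdicts)


def sample_traffic():
    """Constructed traffic: a fast port scan, a fast ICMP sweep, three benign
    connections, and a slow scan spaced 10 ms apart that the 5000 us window
    never sees as more than one probe."""
    fast_scan = [Packet(i * 300, "10.0.0.9", "10.1.1.1", 6, 20 + i, True)
                 for i in range(12)]
    sweep = [Packet(100_000 + i * 300, "10.0.0.9", f"10.1.1.{i + 1}", 1)
             for i in range(12)]
    benign = [Packet(200_000 + i * 1000, "10.0.0.7", "10.1.1.1", 6, p, True)
              for i, p in enumerate((22, 80, 443))]
    slow_scan = [Packet(300_000 + i * 10_000, "10.0.0.8", "10.1.1.1", 6, 20 + i, True)
                 for i in range(12)]
    return fast_scan + sweep + benign + slow_scan
```

With the drop mode the tenth, eleventh and twelfth probes of both the scan and the sweep are dropped (six packets); with alarm-without-drop the same six are only flagged and everything passes, which is the state you want while tuning. The slow scan never trips the screen at this window, which is the point of question 246: a low-rate scan needs a wider threshold to be caught.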

QUESTION NO: 249

You are required to configure a SCREEN option that enables IP source route option detection.

Which two configurations meet this requirement? (Choose two.)

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}}

Answer: A,B
Explanation:

QUESTION NO: 250

Which two statements describe the purpose of a security policy? (Choose two.)

A. It enables traffic counting and logging.


B. It enforces a set of rules for transit traffic.
C. It controls host inbound services on a zone.
D. It controls administrator rights to access the device.

Answer: A,B
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 123


Juniper JN0-332 Exam
QUESTION NO: 251

Click the Exhibit button.

[edit security policies]
user@host# show
from-zone trust to-zone untrust {
    policy AllowHTTP {
        match {
            source-address HOSTA;
            destination-address any;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
    policy AllowHTTP2 {
        match {
            source-address any;
            destination-address HOSTA;
            application junos-http;
        }
        then {
            permit;
        }
    }
    policy AllowHTTP3 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from
HOSTA and that HOSTA is in zone trust and HOSTB is in zone untrust.

What will happen to the traffic given the configuration in the exhibit?

A. The traffic will be permitted by policy AllowHTTP.
B. The traffic will be permitted by policy AllowHTTP3.
C. The traffic will be permitted by policy AllowHTTP2.
D. The traffic will be dropped as no policy match will be found.

Answer: B
Explanation:

QUESTION NO: 252

Which two security policy actions are valid? (Choose two.)

A. deny
B. discard
C. reject
D. close

Answer: A,C
Explanation:

QUESTION NO: 253

Click the Exhibit button.

"Pass Any Exam. Any Time." - www.actualtests.com 125


Juniper JN0-332 Exam
[edit schedulers]
user@host# show
scheduler now {
    monday all-day;
    tuesday exclude;
    wednesday {
        start-time 07:00:00 stop-time 18:00:00;
    }
    thursday {
        start-time 07:00:00 stop-time 18:00:00;
    }
}

[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}

"Pass Any Exam. Any Time." - www.actualtests.com 126


Juniper JN0-332 Exam
Based on the configuration shown in the exhibit, what will happen to the traffic matching the
security policy?

A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.
B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.
C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 7:00 am and 6:00 pm, and Thursdays between 7:00 am and 6:00 pm.
D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 6:01 pm and 6:59 am, and Thursdays between 6:01 pm and 6:59 am.

Answer: C
Explanation:
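
Questions 217 and 253 share the scheduler exhibit, and the trap in both is that a scheduled policy is not "always permit, sometimes tunnel": outside the scheduler's windows the policy is not consulted at all, so the lookup falls through to whatever follows, here the implicit default deny. The Python below is an added example, not Junos code: it transcribes scheduler "now" and evaluates the policy at concrete times. Two assumptions are built in and labelled: a weekday the scheduler does not mention has no active window (the reading the answer key uses), and start/stop boundaries are treated as inclusive.

```python
# Added example: evaluate a scheduled security policy at a given time.
from datetime import datetime, time

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

# Scheduler "now" from the exhibit. A day with no entry has no window
# (assumption: the answer key's reading); "exclude" is an explicit empty
# window; "all-day" covers the whole day.
SCHEDULER_NOW = {
    "monday": "all-day",
    "tuesday": "exclude",
    "wednesday": (time(7, 0), time(18, 0)),
    "thursday": (time(7, 0), time(18, 0)),
}

ALLOW_TRANSIT = {
    "name": "allowTransit",
    "action": "permit tunnel ipsec-vpn myTunnel",
    "scheduler": SCHEDULER_NOW,
}


def scheduler_active(scheduler, when):
    """True if the scheduler has a window covering the datetime `when`."""
    entry = scheduler.get(DAYS[when.weekday()])
    if entry is None or entry == "exclude":
        return False
    if entry == "all-day":
        return True
    start, stop = entry
    return start <= when.time() <= stop      # inclusive boundaries: assumption


def active_days(scheduler):
    """Weekdays on which the scheduler has any window at all."""
    return [d for d in DAYS if scheduler.get(d) not in (None, "exclude")]


def policy_decision(policy, flow_matches, when):
    """A policy bound to a scheduler is consulted only while the scheduler
    is active; otherwise the lookup skips it and, with no later policy in
    this zone pair, ends at the implicit default deny. A policy with no
    scheduler is always active."""
    scheduler = policy.get("scheduler")
    if flow_matches and (scheduler is None or scheduler_active(scheduler, when)):
        return policy["action"]
    return "default-deny"
```

The dates used in the checks are chosen so that 2024-01-01 is a Monday: traffic at 23:30 that day is tunnelled, the same flow at noon on Tuesday or Friday, or at 19:00 on Wednesday, is dropped by the default deny rather than permitted in the clear.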

QUESTION NO: 254

Click the Exhibit button.

[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
    match {
        source-address subnet_a;
        destination-address host_b;
        application [ junos-telnet junos-ping ];
    }
    then {
        reject;
    }
}
policy one {
    match {
        source-address host_a;
        destination-address subnet_b;
        application any;
    }
    then {
        permit;
    }
}

host_a is in subnet_a and host_b is in subnet_b.

Given the configuration shown in the exhibit, which statement is true about traffic from host_a to
host_b?

A. DNS traffic is denied.
B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is permitted.

Answer: B
Explanation:
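
Questions 213, 251 and 254 all reduce to the same mechanism: within a zone pair the SRX walks the policies in configured order and the first one whose source, destination and application all match decides the flow, so a broad permit placed after a narrow reject never sees the rejected traffic, and an unmatched flow hits the implicit default deny. The Python below is an added worked example, not exam or Juniper code, that implements that first-match lookup over the two exhibits. The address-book prefixes and the application definitions are constructed assumptions (the page never gives concrete addresses), and junos-ping is modelled as ICMP type 8.

```python
# Added example: first-match security policy lookup over the exhibits.
import ipaddress
from dataclasses import dataclass

# Constructed address book; the exam exhibits only give the names.
ADDRESS_BOOK = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "subnet_a": ipaddress.ip_network("10.1.0.0/24"),
    "host_a": ipaddress.ip_network("10.1.0.10/32"),      # inside subnet_a
    "subnet_b": ipaddress.ip_network("10.2.0.0/24"),
    "host_b": ipaddress.ip_network("10.2.0.20/32"),      # inside subnet_b
    "HOSTA": ipaddress.ip_network("192.0.2.10/32"),
}

# Predefined applications as (protocol, destination port or ICMP type).
APPLICATIONS = {
    "junos-telnet": (6, 23),
    "junos-ping": (1, 8),
    "junos-dns-udp": (17, 53),
    "junos-smtp": (6, 25),
    "junos-ftp": (6, 21),
    "junos-http": (6, 80),
}


@dataclass
class Policy:
    name: str
    source: list
    destination: list
    applications: list
    action: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int      # destination port, or ICMP type for protocol 1


def _addr_matches(names, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ADDRESS_BOOK[n] for n in names)


def _app_matches(app, flow):
    if app == "any":
        return True
    proto, port = APPLICATIONS[app]
    return proto == flow.proto and port == flow.dport


def lookup(policies, flow):
    """First-match evaluation for one zone pair. Returns (policy, action);
    a flow that matches nothing lands on the implicit default deny."""
    for p in policies:
        if (_addr_matches(p.source, flow.src)
                and _addr_matches(p.destination, flow.dst)
                and any(_app_matches(a, flow) for a in p.applications)):
            return p.name, p.action
    return "default-policy", "deny"


# Questions 213 / 254: from-zone HR to-zone trust, policy two listed first.
HR_TO_TRUST = [
    Policy("two", ["subnet_a"], ["host_b"], ["junos-telnet", "junos-ping"], "reject"),
    Policy("one", ["host_a"], ["subnet_b"], ["any"], "permit"),
]

# Question 251: from-zone trust to-zone untrust.
TRUST_TO_UNTRUST = [
    Policy("AllowHTTP", ["HOSTA"], ["any"], ["junos-ftp"], "permit"),
    Policy("AllowHTTP2", ["any"], ["HOSTA"], ["junos-http"], "permit"),
    Policy("AllowHTTP3", ["any"], ["any"], ["any"], "permit"),
]


def evaluate_exhibits():
    """Decisions for the flows the questions ask about."""
    host_a, host_b = "10.1.0.10", "10.2.0.20"
    hostb_untrust = "198.51.100.5"                      # constructed HOSTB
    return {
        "telnet": lookup(HR_TO_TRUST, Flow(host_a, host_b, 6, 23)),
        "ping": lookup(HR_TO_TRUST, Flow(host_a, host_b, 1, 8)),
        "dns": lookup(HR_TO_TRUST, Flow(host_a, host_b, 17, 53)),
        "smtp": lookup(HR_TO_TRUST, Flow(host_a, host_b, 6, 25)),
        # Same flow if policy one were inserted before policy two.
        "telnet_if_one_first": lookup(list(reversed(HR_TO_TRUST)),
                                      Flow(host_a, host_b, 6, 23)),
        "http_hosta_to_hostb": lookup(TRUST_TO_UNTRUST,
                                      Flow("192.0.2.10", hostb_untrust, 6, 80)),
    }
```

Telnet and ping from host_a to host_b are rejected by policy two because host_a falls inside subnet_a; DNS and SMTP fall through to policy one and are permitted. Reordering the two policies (the `telnet_if_one_first` entry) flips the telnet result to permit, which is the effect a `policy-rematch`-aware change review has to catch. For question 251, AllowHTTP only covers FTP and AllowHTTP2 only traffic towards HOSTA, so the HTTP flow is permitted by AllowHTTP3.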

QUESTION NO: 255

Which statement is true about interface-based source NAT?

A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. The IP addresses being translated must be in the same subnet as the egress interface.

Answer: A
Explanation:

QUESTION NO: 256

Which two statements are true about pool-based destination NAT? (Choose two.)

A. It also supports PAT.
B. PAT is not supported.
C. It allows the use of an address pool.
D. It requires you to configure an address in the junos-global zone.

"Pass Any Exam. Any Time." - www.actualtests.com 128


Juniper JN0-332 Exam
Answer: A,C
Explanation:

QUESTION NO: 257

Which statement is true about source NAT?

A. Source NAT works only with source pools.
B. Destination NAT is required to translate the reply traffic.
C. Source NAT does not require a security policy to function.
D. The egress interface IP address can be used for source NAT.

Answer: D
Explanation:

QUESTION NO: 258

Which two statements are true about overflow pools? (Choose two.)

A. Overflow pools do not support PAT.
B. Overflow pools can not use the egress interface IP address for NAT.
C. Overflow pools must use PAT.
D. Overflow pools can contain the egress interface IP address or separate IP addresses.

Answer: C,D
Explanation:

QUESTION NO: 259

Which statement is true regarding proxy ARP?

A. Proxy ARP is enabled by default on stand-alone JUNOS security devices.
B. Proxy ARP is enabled by default on chassis clusters.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.

"Pass Any Exam. Any Time." - www.actualtests.com 129


Juniper JN0-332 Exam
Answer: D
Explanation:

QUESTION NO: 260

You are creating a destination NAT rule-set.

Which two are valid for use with the from clause? (Choose two.)

A. security policy
B. interface
C. routing-instance
D. IP address

Answer: B,C
Explanation:
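
Question 214's exhibit and question 260 describe the two things that decide a destination NAT outcome: the rule-set is chosen by its from context (an interface, a zone or a routing-instance, in that order of specificity), and the first matching rule inside it supplies the pool; a pool that names only an address preserves the original destination port, while a pool that also names a port performs PAT. The Python below is an added example, not Junos code: it rebuilds the exhibit's pool A and rule-set 1, adds a constructed interface-scoped rule-set with a port in its pool, and runs packets through the lookup. The interface > zone > routing-instance precedence is the documented order; that only the most specific matching rule-set is consulted is an assumption of this model, and the sample packets are constructed so that nothing depends on it.

```python
# Added example: destination NAT rule-set selection and pool translation.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Most specific context first.
CONTEXT_PRECEDENCE = {"interface": 0, "zone": 1, "routing-instance": 2}


@dataclass
class Pool:
    name: str
    address: str                 # e.g. "10.1.10.5/32"
    port: Optional[int] = None   # present only for pool-based NAT with PAT


@dataclass
class Rule:
    name: str
    destination: str             # prefix matched against the packet
    pool: Optional[str]          # None models `then destination-nat off`


@dataclass
class RuleSet:
    name: str
    from_kind: str               # interface | zone | routing-instance
    from_value: str
    rules: list

    def __post_init__(self):
        # Question 260: only these three contexts are valid in `from`.
        if self.from_kind not in CONTEXT_PRECEDENCE:
            raise ValueError(f"invalid from clause: {self.from_kind}")


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    ingress_zone: str
    routing_instance: str
    dst: str
    dport: int


def _context_matches(rs, pkt):
    ctx = {"interface": pkt.ingress_if, "zone": pkt.ingress_zone,
           "routing-instance": pkt.routing_instance}
    return ctx[rs.from_kind] == rs.from_value


def destination_nat(rule_sets, pools, pkt):
    """Pick the most specific rule-set whose context matches, walk its rules
    in order and apply the first match. Returns (rule-set, rule, new dst,
    new port) or None when no translation applies."""
    candidates = sorted((rs for rs in rule_sets if _context_matches(rs, pkt)),
                        key=lambda rs: CONTEXT_PRECEDENCE[rs.from_kind])
    if not candidates:
        return None
    rs = candidates[0]                       # assumption: no fall-through
    addr = ipaddress.ip_address(pkt.dst)
    for rule in rs.rules:
        if addr in ipaddress.ip_network(rule.destination):
            if rule.pool is None:
                return rs.name, rule.name, pkt.dst, pkt.dport
            pool = pools[rule.pool]
            new_dst = str(ipaddress.ip_network(pool.address).network_address)
            new_port = pool.port if pool.port is not None else pkt.dport
            return rs.name, rule.name, new_dst, new_port
    return None


# Question 214 exhibit: pool A without a port, rule-set 1 from zone untrust.
POOLS = {
    "A": Pool("A", "10.1.10.5/32"),
    "B": Pool("B", "10.1.10.6/32", port=8080),        # constructed, with PAT
}
RULE_SETS = [
    RuleSet("1", "zone", "untrust", [Rule("1A", "100.0.0.1/32", "A")]),
    # Constructed interface-scoped rule-set, more specific than the zone one.
    RuleSet("web", "interface", "ge-0/0/0.0", [Rule("web-1", "100.0.0.2/32", "B")]),
]


def translate(ingress_if, dst, dport, zone="untrust", ri="default"):
    return destination_nat(RULE_SETS, POOLS,
                           Packet(ingress_if, zone, ri, dst, dport))
```

A packet to 100.0.0.1:443 arriving on ge-0/0/1.0 in zone untrust is rewritten to 10.1.10.5:443, the port untouched because pool A has none (pool-based destination NAT without PAT). The same zone's traffic to 100.0.0.2:80 on ge-0/0/0.0 is claimed by the interface-scoped rule-set first and lands on 10.1.10.6:8080. Traffic from zone trust matches no rule-set at all, and building a rule-set with `from policy` fails validation.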

QUESTION NO: 261

Regarding an IPsec security association (SA), which two statements are true? (Choose two.)

A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.

Answer: A,D
Explanation: The IKE SA is bidirectional and is negotiated during phase 1. IPsec SAs are unidirectional (one per direction) and are negotiated during phase 2.

QUESTION NO: 262

Which operational mode command displays all active IPsec phase 2 security associations?

A. show ike security-associations
B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations

"Pass Any Exam. Any Time." - www.actualtests.com 130


Juniper JN0-332 Exam
Answer: D
Explanation:

QUESTION NO: 263

Two VPN peers are negotiating IKE phase 1 using main mode. Which message pair in the
negotiation contains the phase 1 proposal for the peers?

A. message 1 and 2
B. message 3 and 4
C. message 5 and 6
D. message 7 and 8

Answer: A
Explanation:

QUESTION NO: 264

Which attribute is required for all IKE phase 2 negotiations?

A. proxy-ID
B. preshared key
C. Diffie-Hellman group key
D. main or aggressive mode

Answer: A
Explanation:

QUESTION NO: 265

Which attribute is optional for IKE phase 2 negotiations?

A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)

Answer: C

"Pass Any Exam. Any Time." - www.actualtests.com 131


Juniper JN0-332 Exam
Explanation:

QUESTION NO: 266

A route-based VPN is required for which scenario?

A. when the remote VPN peer is behind a NAT device
B. when multiple networks need to be reached across the tunnel and GRE cannot be used
C. when the remote VPN peer is a dialup or remote access client
D. when a dynamic routing protocol is required across the VPN and GRE cannot be used

Answer: D
Explanation:

QUESTION NO: 267

A policy-based IPsec VPN is ideal for which scenario?

A. when you want to conserve tunnel resources
B. when the remote peer is a dialup or remote access client
C. when you want to configure a tunnel policy with an action of deny
D. when a dynamic routing protocol such as OSPF must be sent across the VPN

Answer: B
Explanation:

QUESTION NO: 268

Regarding a route-based versus policy-based IPsec VPN, which statement is true?

A. A route-based VPN generally uses less resources than a policy-based VPN.
B. A route-based VPN cannot have a deny action in a policy; a policy-based VPN can have a deny action.
C. A route-based VPN is better suited for dialup or remote access compared to a policy-based VPN.
D. A route-based VPN uses a policy referencing the IPsec VPN; a policy-based VPN policy does not use a policy referencing the IPsec VPN.

"Pass Any Exam. Any Time." - www.actualtests.com 132


Juniper JN0-332 Exam
Answer: A
Explanation:

QUESTION NO: 269

Which two configuration elements are required for a route-based VPN? (Choose two.)

A. secure tunnel interface
B. security policy to permit the IKE traffic
C. a route for the tunneled transit traffic
D. tunnel policy for transit traffic referencing the IPsec VPN

Answer: A,C
Explanation:

QUESTION NO: 270

Click the Exhibit button.

[edit security]
user@host# show
ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
    }
    gateway remote-ike {
        ike-policy ike-policy1;
        address 172.19.51.170;
        external-interface ge-0/0/3.0;
    }
}
ipsec {
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn remote-vpn {
        ike {
            gateway remote-ike;
            ipsec-policy vpn-policy1;
        }
    }
}

Assuming you want to configure a route-based VPN, which command is required to bind the VPN
to secure tunnel interface st0.0?

A. set ipsec vpn remote-vpn bind-interface st0.0
B. set ike gateway remote-ike bind-interface st0.0
C. set ike policy ike-policy1 bind-interface st0.0
D. set ipsec policy vpn-policy1 bind-interface st0.0

Answer: A
Explanation:

QUESTION NO: 271

Regarding secure tunnel (st) interfaces, which statement is true?

A. You cannot assign st interfaces to a security zone.
B. You cannot apply static NAT on an st interface logical unit.
C. st interfaces are optional when configuring a route-based VPN.
D. A static route can reference the st interface logical unit as the next-hop.

Answer: D
Explanation:

QUESTION NO: 272

"Pass Any Exam. Any Time." - www.actualtests.com 134


Juniper JN0-332 Exam
What are three benefits of using chassis clustering? (Choose three.)

A. Provides stateful session failover for sessions.
B. Increases security capabilities for IPsec sessions.
C. Provides active-passive control and data plane redundancy.
D. Enables automated fast-reroute capabilities.
E. Synchronizes configuration files and session state.

Answer: A,C,E
Explanation:

QUESTION NO: 273

You have been tasked with installing two SRX 5600 platforms in a high-availability cluster. Which
requirement must be met for a successful installation?

A. You must enable SPC detect within the configuration.
B. You must enable active-active failover for redundancy.
C. You must ensure all SPCs use the same slot placement.
D. You must configure auto-negotiation on the control ports of both devices.

Answer: C
Explanation:

QUESTION NO: 274

Click the Exhibit button.

[edit chassis]
user@host# show
cluster {
    reth-count 3;
    redundancy-group 1 {
        node 0 priority 1;
        node 1 priority 100;
    }
}

When applying the configuration in the exhibit and initializing a chassis cluster, which statement is
correct?

A. Three physical interfaces are redundant.
B. You must define an additional redundancy group.
C. node 0 will immediately become primary for redundancy group 1.
D. You must issue an operational command and reboot the system for the above configuration to take effect.

Answer: D
Explanation:

QUESTION NO: 275

What is a redundancy group in JUNOS Software?

A. a set of chassis clusters that fail over as a group
B. a set of devices that participate in a chassis cluster
C. a set of VRRP neighbors that fail over as a group
D. a set of chassis cluster objects that fail over as a group

Answer: D
Explanation:

QUESTION NO: 276

When devices are in cluster mode, which new interfaces are created?

A. No new interface is created.
B. Only the st interface is created.
C. fxp1, fab0, and fab1 are created.
D. st, fxp1, reth, fab0, and fab1 are created.

Answer: C
Explanation:

QUESTION NO: 277

What are two interfaces created when enabling a chassis cluster? (Choose two.)

A. st0
B. fxp1
C. fab0
D. reth0

Answer: B,C
Explanation:

QUESTION NO: 278

Which statement is true regarding redundancy groups?

A. The preempt option determines the primary and secondary roles for redundancy group 0 during
a failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the
same time, the primary role for redundancy group 0 is assigned to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is
enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.

Answer: D
Explanation:

QUESTION NO: 279

Which IDP policy action drops a packet before it can reach its destination, but does not close the
connection?

A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet

Answer: D
Explanation:

QUESTION NO: 280

You have been tasked with performing an update to the IDP attack database. Which three
requirements are included as part of this task? (Choose three.)

A. The IDP security package must be installed after it is downloaded.
B. The device must be rebooted to complete the update.
C. The device must be connected to a network.
D. An IDP license must be installed on your device.
E. You must be logged in as the root user.

Answer: A,C,D
Explanation:

QUESTION NO: 281

You are implementing an IDP policy template from Juniper Networks. Which three steps are
included in this process? (Choose three.)

A. activating a JUNOS Software commit script
B. configuring an IDP groups statement
C. setting up a chassis cluster
D. downloading the IDP policy templates
E. installing the policy templates

Answer: A,D,E
Explanation:

QUESTION NO: 282

Which statement regarding the implementation of an IDP policy template is true?

A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.

Answer: B
Explanation:

QUESTION NO: 283

Which two statements are true regarding firewall user authentication? (Choose two.)

A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the
JUNOS security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote
networks.

Answer: A,D
Explanation:

QUESTION NO: 284

Which statement accurately describes firewall user authentication?

A. Firewall user authentication provides another layer of security in a network.
B. Firewall user authentication provides a means for accessing a JUNOS Software-based security
device.
C. Firewall user authentication enables session-based forwarding.
D. Firewall user authentication is used as a last resort security method in a network.

Answer: A
Explanation:

QUESTION NO: 285

Which two firewall user authentication objects can be referenced in a security policy? (Choose two.)

A. access profile
B. client group
C. client
D. default profile

Answer: B,C
Explanation:

QUESTION NO: 286

Which high availability feature is supported only on Junos security platforms?

A. Virtual Chassis
B. VRRP
C. chassis clustering
D. graceful restart

Answer: C
Explanation: The Junos OS achieves high availability on Junos security platforms using chassis
clustering. Chassis clustering provides network node redundancy by grouping two like devices into
a cluster. The two nodes back each other up, with one node acting as the primary and the other as
the secondary node, ensuring the stateful failover of processes and services in the event of
system or hardware failure. A control link between services processing cards (SPCs) or revenue
ports and an Ethernet data link between revenue ports connect the two like devices. Junos security
platforms must be the same model, and all SPCs, network processing cards (NPCs), and
input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware
revision.
The chassis clustering feature in the Junos OS is built on the high availability methodology of
Juniper Networks M Series and T Series platforms and the TX Matrix platform, including
multichassis clustering, active-passive Routing Engines (REs), active-active Packet Forwarding
Engines (PFEs), and graceful RE switchover capability.

QUESTION NO: 287

What is a security policy?

A. a set of rules that controls traffic from a specified source to a specified destination using a
specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Answer: A
Explanation: A security policy is a set of statements that controls traffic from a specified source to
a specified destination using a specified service. If a packet arrives that matches those
specifications, the SRX Series device performs the action specified in the policy.

QUESTION NO: 288

What is a zone?

A. a set of rules that controls traffic from a specified source to a specified destination using a
specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Answer: B
Explanation:
A zone is a collection of one or more network segments sharing identical security requirements.
To group network segments within a zone, you must assign logical interfaces from the device to a
zone.

QUESTION NO: 289

What is the function of NAT?

A. It performs Layer 3 routing.
B. It evaluates and redirects matching traffic into secure tunnels.
C. It provides translation between public and private IP addresses.
D. It performs Layer 2 switching.

Answer: C
Explanation: Historically, the NAT concept was born because of the shortage of public IPv4
addresses. Many organizations moved to deploy so-called private addresses using the IPv4
private addressing space, as identified in RFC 1918. These addresses include the following
ranges:
• 10.0.0.0–10.255.255.255 (10.0.0.0/8 prefix);
• 172.16.0.0–172.31.255.255 (172.16.0.0/12 prefix); and
• 192.168.0.0–192.168.255.255 (192.168.0.0/16 prefix).
Because private addresses are not routable within the public domain, edge network devices can
deploy the NAT feature to replace private, nonroutable addresses with public addresses prior to
sending traffic to the public network and vice versa. Translation consists of replacing the IP
address (NAT), port numbers (PAT), or both, depending on the configuration.
While primarily deployed to translate private addresses to public addresses, NAT can translate
from any address to any other address, including public to public and private to private addresses.

QUESTION NO: 290

Which statement correctly describes the default state of a high-end SRX Series Services
Gateway?

A. It forwards all traffic.
B. It selectively forwards traffic based on default security policies.
C. It selectively restricts traffic based on default security policies.
D. It forwards no traffic.

Answer: D
Explanation:

QUESTION NO: 291

Which Junos security feature helps protect against spam, viruses, trojans, and malware?

A. session-based stateful firewall
B. IPsec VPNs
C. security policies
D. Unified Threat Management

Answer: D
Explanation: The major features of Unified Threat Management (UTM):
A branch office network in today’s market significantly contributes to the bottom line and is central
to an organization’s success. Branch offices normally include a relatively smaller number of
computing resources when compared to central facilities or headquarters locations. Branch offices
are typically located where customer interactions occur, which means there is an increased demand
for supporting applications and assuring application performance, and an increased demand for
security. General security vulnerabilities exist for every branch office network. These vulnerabilities
include spam and phishing attacks, viruses, trojan- and spyware-infected files, unapproved
website access, and unapproved content.

QUESTION NO: 292

When the first packet in a new flow is received, which high-end SRX component is responsible for
setting up the flow?

A. Routing Engine
B. I/O card
C. network processing card
D. services processing card

Answer: D
Explanation:

QUESTION NO: 293

Which three elements are contained in a session-close log message? (Choose three.)

A. source IP address
B. DSCP value
C. number of packets transferred
D. policy name
E. MAC address

Answer: A,C,D
Explanation:

QUESTION NO: 294

Which card performs flow lookup on incoming packets on high-end SRX Series devices?

A. Network Processing Card (NPC)
B. Services Processing Card (SPC)
C. Switch Control Board (SCB)
D. Routing Engine (RE)

Answer: A
Explanation:

QUESTION NO: 295

How is the control plane separated from the data plane on branch SRX Series devices?

A. by running separate kernels inside the Junos OS
B. by dedicating a separate CPU core for the control plane
C. by using separate CPUs for the control plane and data plane
D. by offloading control plane traffic to the SPC

Answer: B
Explanation:

QUESTION NO: 296

Which three parameters does the Junos OS attempt to match against during session lookup?
(Choose three.)

A. session token
B. ingress interface
C. protocol number
D. source port number
E. egress interface

Answer: A,C,D
Explanation:

QUESTION NO: 297

You have packet loss on an IPsec VPN using the default maximum transmission unit (MTU) where
the packets have the DF-bit (do not fragment) set.

Which configuration solves this problem?

A. Set an increased MTU value on the physical interface.
B. Set a reduced MSS value for VPN traffic under the [edit security flow tcp-mss] hierarchy.
C. Set a reduced MTU value for VPN traffic under the [edit security flow] hierarchy.
D. Set an increased MSS value on the st0 interface.

Answer: B
Explanation:

QUESTION NO: 298

The branch SRX Series Services Gateways implement the data plane on which two components?
(Choose two.)

A. IOCs
B. SPCs
C. CPU cores
D. PIMs

Answer: C,D
Explanation:

QUESTION NO: 299

Which configuration must be completed to use both packet-based and session-based forwarding
on a branch SRX Series Services Gateway?

A. A stateless firewall filter must be used on the ingress interface to match traffic to be processed
as session based.
B. A security policy rule must be used on the ingress interface to match traffic to be processed as
session based.
C. A global security policy rule must be used on the ingress interface to match traffic to be
processed as packet based.
D. A stateless firewall filter must be used on the ingress interface to match traffic to be processed
as packet based.

Answer: D
Explanation:

QUESTION NO: 300

Which branch SRX Series Services Gateway model has a hardware-based, modular Routing
Engine?

A. SRX1400
B. SRX650
C. SRX110
D. SRX240

Answer: B
Explanation:

Topic 4, Volume D

QUESTION NO: 301

Which two statements are true about zones? (Choose two.)

A. Null zones accept all traffic to and from an interface.
B. Security zones filter transit traffic and traffic destined for the device itself.
C. Functional zones filter transit traffic and traffic destined for the device itself.
D. Functional zones do not pass transit traffic and allow only management access to the device.

Answer: B,D
Explanation:

QUESTION NO: 302

Which statement is true about factory-default zones?

A. High-end SRX devices have trust and untrust zones.
B. Branch SRX devices have trust and untrust zones.
C. High-end SRX devices have only a trust zone.
D. Branch SRX devices have no zones.

Answer: B
Explanation:

QUESTION NO: 303

Which two statements are true when configuring security zones? (Choose two.)

A. You can assign one or more logical interfaces to a zone.
B. You can assign a logical interface to multiple zones.
C. You can assign one or more logical interfaces to a routing instance.
D. You can assign a logical interface to multiple routing instances.

Answer: A,C
Explanation:

QUESTION NO: 304

What are two system-defined zones? (Choose two.)

A. null zone
B. system zone
C. Junos host zone
D. functional zone

Answer: A,C
Explanation:

QUESTION NO: 305

Which statement is correct about zone and interface dependencies?

A. A logical interface can be assigned to multiple zones.
B. A zone can be assigned to multiple routing instances.
C. Logical interfaces are assigned to a zone.
D. A logical interface can be assigned to multiple routing instances.

Answer: C
Explanation:

QUESTION NO: 306

What are two functions of the junos-host zone? (Choose two.)

A. storing global address book entries
B. controlling self-generated traffic
C. controlling host inbound traffic
D. controlling global Junos Screen settings

Answer: B,C
Explanation:

QUESTION NO: 307

Which two parameters are configurable under the [edit security zones security-zone zoneA]
stanza? (Choose two.)

A. the TCP RST feature
B. the security policies for intrazone communication
C. the zone-specific address book
D. the default policy action for firewall rules in this zone

Answer: A,C
Explanation:

QUESTION NO: 308

What are two predefined address-book entries? (Choose two.)

A. all
B. any-ipv6
C. any-ipv4
D. all-ipv4

Answer: B,C
Explanation:

QUESTION NO: 309

What are two valid network prefixes in address books? (Choose two.)

A. 172.16.3.11/29
B. 172.16.0.0/16
C. 172.16.3.11/32
D. 172.16.3.11/24

Answer: B,C
Explanation:

QUESTION NO: 310

You want to show interface-specific zone information and statistics. Which operational command
would be used to accomplish this?

A. show security zones detail
B. show interfaces ge-0/0/3.0
C. show interfaces terse
D. show interfaces ge-0/0/3.0 extensive

Answer: D
Explanation:

QUESTION NO: 311

Which two statements are correct regarding the security policy parameter policy-rematch?
(Choose two.)

A. Configuration changes to existing policies do not impact current sessions.
B. Configuration changes to existing policies cause re-evaluation of current sessions.
C. Configuration changes to the action field of a policy from permit to either deny or reject cause
all existing sessions to drop.
D. Configuration changes to the action field of a policy from permit to either deny or reject cause
all existing sessions to continue.

Answer: B,C
Explanation:

QUESTION NO: 312

An engineer has just created a single policy allowing ping traffic from a host in the Users zone to a
server in the Servers zone.

When the host pings the server, what will happen to the return traffic?

A. The return traffic will match the session and will be permitted.
B. The return traffic will match the new policy and will be permitted.
C. The return traffic will not be permitted; it will need a separate policy.
D. The return traffic will not be permitted; it will match the system default policy.

Answer: A
Explanation:

QUESTION NO: 313

Following a recent security audit, you find that users are able to ping between the untrust zone
and the trust zone, which is contrary to your organization's current security policy. On examination
of the current security policies, you find no policies that would allow these connections.

What are two reasons why users would be able to ping between these zones? (Choose two.)

A. The default policy has been modified to permit all traffic.
B. There is a hidden policy that permits all traffic from untrust to trust.
C. A firewall filter has been configured that places traffic into packet mode.
D. ICMP traffic is not subject to policy inspection.

Answer: A,C
Explanation:

QUESTION NO: 314

You must create a security policy for a custom application that requires a longer session timeout
than the default application offers.

Which two actions are valid? (Choose two.)

A. Set the timeout value in the security forwarding-options section of the CLI.
B. Set the timeout value for the application in the security zone configuration.
C. Alter a built-in application and set the timeout value under the application-protocol section of the CLI.
D. Create a custom application and set the timeout value under the application-protocol section of the CLI.

Answer: C,D
Explanation:

QUESTION NO: 315

You need to build a scheduler to apply to a policy that will allow traffic from Monday to Friday only.
What will accomplish this task?

A. [edit schedulers]
user@host# show
scheduler no-weekends {
daily all-day;
sunday exclude;
saturday exclude;
}
B. [edit schedulers]
user@host# show
scheduler no-weekends {
daily except weekends;
}
C. [edit schedulers]
user@host# show
scheduler no-weekends {
daily;
sunday exclude;
saturday exclude;
}
D. [edit schedulers]
user@host# show
scheduler no-weekends {
weekday all-day;
}

Answer: A
Explanation:

QUESTION NO: 316

You want to silently drop HTTP traffic.

Which action will accomplish this task?

A. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
deny;
}
B. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
reject;
}
C. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
block;
}
D. [edit security policies from-zone untrust to-zone trust policy drop-http]
user@host# show
match {
source-address any;
destination-address any;
application junos-http;
}
then {
terminate;
}

Answer: A
Explanation:

QUESTION NO: 317

You are asked to change the behavior of the system-default policy from the default setting on an
SRX Series device.

What would be the result of this change?

A. Traffic matching the default policy will be permitted.
B. Traffic matching the default policy will be denied.
C. Traffic matching the default policy will be rejected.
D. Traffic matching the default policy will be queued.

Answer: A
Explanation:

QUESTION NO: 318

You have just added the policy deny-host-a to prevent traffic from Host A that was previously
allowed by the policy permit-all. After committing the changes, you notice that all traffic, including
traffic from Host A, is still allowed.

Which configuration statement will prevent traffic from Host A, while still allowing other hosts to
send traffic?

A. activate security policies from-zone trust to-zone untrust policy deny-host-a
B. deactivate security policies from-zone trust to-zone untrust policy permit-all
C. delete security policies from-zone trust to-zone untrust policy permit-all
D. insert security policies from-zone trust to-zone untrust policy deny-host-a before policy permit-all

Answer: D
Explanation:

QUESTION NO: 319

You are troubleshooting a security policy. The operational command show security flow session
does not show any sessions for this policy.

Which statement is correct?

A. Logging on session initialization has not been enabled in the policy.
B. Logging on session closure has not been enabled in the policy.
C. The traffic is not being matched by the policy.
D. The security monitoring performance session command should be used to show sessions.

Answer: C
Explanation:

QUESTION NO: 320

You want to enable local logging for security policies and have the log information stored in a
separate file on a branch SRX Series device.

Which configuration will accomplish this task?

A. [edit system syslog]
user@host# show
file sec-pol-log {
user info;
}
B. [edit system syslog]
user@host# show
host 192.168.1.1 {
user info;
}
C. [edit system syslog]
user@host# show
file sec-pol-log {
any any;
}
D. [edit system syslog]
user@host# show
file sec-pol-log {
security info;
}

Answer: A
Explanation:

QUESTION NO: 321

You want to authenticate users accessing an internal FTP server using the SRX Series Services
Gateway. You also want to use an internal LDAP server as the authentication server.

What will satisfy this requirement?

A. a security policy with authentication redirection
B. pass-through firewall user authentication
C. captive portal
D. Web firewall user authentication

Answer: B
Explanation:

QUESTION NO: 322

Which two settings in the options field of an IP header will Junos Screen options block? (Choose
two.)

A. traceroute
B. record route option
C. timestamp option
D. MTU probe

Answer: B,C
Explanation:

QUESTION NO: 323

Which two statements are true about the SYN cookie Junos Screen option? (Choose two.)

A. The SYN cookie mechanism is stateless; therefore, the initial three-way handshake can
complete before a session table entry is completed.
B. The SRX device will implement the SYN cookie mechanism on all connections once SYN
cookies are enabled.
C. The SYN cookie mechanism uses a cryptographic hash, which can detect spoofed source
addresses.
D. SYN cookie protection can stop UDP floods as well as TCP floods.

Answer: A,C
Explanation:

QUESTION NO: 324

Which three actions should be used when initially implementing Junos Screen options? (Choose
three.)

A. Deploy Junos Screen options only in functional zones.
B. Deploy Junos Screen options only in vulnerable security zones.
C. Understand the behavior of legitimate applications.
D. Use the limit-session option.
E. Use the alarm-without-drop option.

Answer: B,C,E
Explanation:

QUESTION NO: 325

At which step in the packet flow are Junos Screen checks applied?

A. prior to the route lookup
B. prior to security policy processing
C. after ALG services are applied
D. after source NAT services are applied

Answer: B
Explanation:

QUESTION NO: 326

You need to apply the Junos Screen protect-zone to the public zone.

Which configuration meets this requirement?

A. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
screen protect-zone;
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
B. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
host-inbound-traffic {
screen protect-zone;
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
C. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
screen-protect-zone;
}
D. [edit security zones security-zone public]
user@host# show
address-book {
address host-1 192.168.1.1/32;
}
screen all;
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}

Answer: A
Explanation:

QUESTION NO: 327

You need to implement Junos Screen options to protect traffic coming through the ge-0/0/0 and
ge-0/0/1 interfaces which are located in the trust and DMZ zones, respectively.

Where would you enable the Junos Screen options?

A. in the trust and DMZ zone settings
B. on the ge-0/0/0 and ge-0/0/1 interfaces
C. in a security policy
D. in the global security zone settings

Answer: A
Explanation:

QUESTION NO: 328

While reviewing the logs on your SRX240 device, you notice SYN floods coming from multiple
hosts out on the Internet.

Which Junos Screen option would protect against these denial-of-service (DoS) attacks?

A. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
destination-ip-based 150;
}
}
B. [edit security screen]
user@host# show
ids-option no-flood {
tcp {
syn-fin;
}
}
C. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
source-ip-based 150;
}
}
D. [edit security screen]
user@host# show
ids-option no-flood {
icmp {
flood threshold 10;
}
}

Answer: A
Explanation:

QUESTION NO: 329

You want to protect against attacks on interfaces in ZoneA. You create a Junos Screen option
called no-flood and commit the configuration. In the weeks that follow, the Screen does not appear
to be working; whenever you enter the command show security screen statistics zone ZoneA, all
counters show 0.

What would solve this problem?

A. user@host> clear security screen no-flood statistics
B. [edit security zones security-zone ZoneA]
user@host# set screen no-flood
C. user@host> clear security screen statistics zone ZoneA
D. [edit security zones]
user@host# set screen no-flood

Answer: B
Explanation:

QUESTION NO: 330

While reviewing the logs on your SRX240 device, you notice SYN floods coming from a host out
on the Internet towards several hosts on your trusted network.

Which Junos Screen option would protect against these denial-of-service (DoS) attacks?

A. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
destination-ip-based 150;
}
}
B. [edit security screen]
user@host# show
ids-option no-flood {
tcp {
syn-fin;
}
}
C. [edit security screen]
user@host# show
ids-option no-flood {
limit-session {
source-ip-based 150;
}
}
D. [edit security screen]
user@host# show
ids-option no-flood {
icmp {
flood threshold 10;
}
}

Answer: C
Explanation:

QUESTION NO: 331

During packet flow on an SRX Series device, which two processes occur before route lookup?
(Choose two.)

A. static NAT
B. destination NAT
C. source NAT
D. reverse static NAT

Answer: A,B
Explanation:

QUESTION NO: 332

Which Junos NAT implementation requires the use of proxy ARP?

A. destination NAT using a pool outside the IP network of the device's interface
B. source NAT using the device's egress interface
C. source NAT using a pool in the same IP network as the device's interface
D. source NAT using a pool outside the IP network of the device's interface

Answer: C
Explanation:

QUESTION NO: 333

You are configuring source NAT.

Which three elements are used for matching the traffic direction in the from and to statements?
(Choose three.)

A. routing instance
B. zone
C. source address
D. destination address
E. interface

Answer: A,B,E
Explanation:

QUESTION NO: 334

You have just configured source NAT with a pool of addresses within the same subnet as the
egress interface.

What else must be configured to make the addresses in the pool usable?

A. static NAT
B. destination NAT
C. address persistence
D. proxy ARP

Answer: D
Explanation:

QUESTION NO: 335

You have just changed a NAT rule and committed the change.

Which statement is true?

A. Affected sessions remain active and are not updated until the sessions restart.
B. Affected sessions are torn down and are re-initiated as soon as the SRX device receives
matching traffic.
C. Affected sessions are torn down and are immediately re-initiated.
D. Affected sessions are dynamically updated with the configuration change.

Answer: B
Explanation:

QUESTION NO: 336

Which configuration allows direct access to the 10.10.10.0/24 network without NAT, but uses NAT
for all other traffic from the untrust zone to the egress interface?

A. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
rule server-access {
match {
destination-address 10.10.10.0/24;
}
then {
source-nat off;
}
}
B. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
rule server-access {
match {
source-address 10.10.10.0/24;
}
then {
source-nat off;
}
}
C. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule server-access {
match {
destination-address 10.10.10.0/24;
}
then {
source-nat off;
}
}
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
source-nat interface;
}
}
D. [edit security nat source rule-set internal]
user@host# show
from zone trust;
to zone untrust;
rule internet-access {
match {
source-address 0.0.0.0/0;
}
then {
accept;
}
}
rule server-access {
match {
destination-address 10.10.10.0/24;
}
then {
reject;
}
}

Answer: C
Explanation:

QUESTION NO: 337

Which two actions occur during IKE Phase 1? (Choose two.)

A. A secure channel is established between two peers.
B. The proxy ID is used to identify which security association is referenced for the VPN.
C. The Diffie-Hellman key exchange algorithm establishes a shared key for encryption.
D. The security association is identified by a unique security parameter index value.

Answer: A,C
Explanation:

QUESTION NO: 338

What are two valid symmetric encryption key types? (Choose two.)

A. DES
B. RSA
C. AES
D. DSA

Answer: A,C
Explanation:

QUESTION NO: 339

Which two are negotiated during Phase 2 of an IPsec VPN tunnel establishment? (Choose two.)

A. security protocol
B. VPN monitor interval
C. UDP port number
D. proxy IDs

Answer: A,D
Explanation:

QUESTION NO: 340

Which three algorithms are used by an SRX Series device to validate the integrity of the data
exchanged through an IPsec VPN? (Choose three.)

A. 3DES
B. MD5
C. NHTB
D. SHA1
E. SHA2

Answer: B,D,E
Explanation:

QUESTION NO: 341

You are asked to implement the hashing algorithm that uses the most bits in the calculation on
your Junos security device.

Which algorithm should you use?

A. SHA-512
B. SHA-256
C. MD5-Plus
D. MD5

Answer: B
Explanation:

QUESTION NO: 342

You are asked to establish an IPsec VPN to a remote device whose IP address is dynamically
assigned by the ISP.

Which IKE Phase 1 mode must you use?

A. passive
B. aggressive
C. main
D. quick

Answer: B
Explanation:

QUESTION NO: 343

Which three Diffie-Hellman groups are supported during IKE Phase 1 by the Junos OS? (Choose three.)

A. 1
B. 2
C. 3
D. 4
E. 5

Answer: A,B,E
Explanation:

QUESTION NO: 344

A security association is uniquely identified by which two values? (Choose two.)

A. security parameter index value
B. security association ID
C. tunnel source address
D. security protocol

Answer: A,D
Explanation:

QUESTION NO: 345

You are asked to establish an IPsec VPN between two sites. The remote device has been
preconfigured.

Which two parameters must be identical to the remote device's parameters when designing the
local IKE proposal? (Choose two.)

A. security protocol
B. Diffie-Hellman group
C. encryption algorithm
D. Perfect Forward Secrecy keys

Answer: B,C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 167


Juniper JN0-332 Exam
QUESTION NO: 346

Which two statements are correct about IPsec security associations? (Choose two.)

A. established during IKE Phase 1 negotiations
B. security associations are unidirectional
C. established during IKE Phase 2 negotiations
D. security associations are bidirectional

Answer: B,C
Explanation:

QUESTION NO: 347

You are deploying a branch site which connects to two hub locations over an IPsec VPN. The
branch SRX Series device should send all traffic to the first hub unless it is unreachable and
should then direct traffic to the second hub. You must use static routes to send traffic towards the
hub site.

Which two technologies should you use to fail over from a primary to a secondary tunnel in less
than 60 seconds? (Choose two.)

A. dead peer detection
B. VPN monitoring
C. floating static routes
D. IP monitoring

Answer: B,D
Explanation:

QUESTION NO: 348

Which two statements are correct regarding reth interfaces? (Choose two.)

A. Child interfaces must be in the same slot on both nodes.
B. Child interfaces do not need to be in the same slot on both nodes.
C. Child interfaces must be the same Ethernet interface type.
D. Child interfaces can be a mixture of Ethernet interface types.

Answer: B,C
Explanation:

QUESTION NO: 349

Which two statements are correct about establishing a chassis cluster with IPv6? (Choose two.)

A. Only an active/passive cluster can be deployed.
B. Dual-stacked interface addresses are allowed.
C. IPsec site-to-site VPNs over IPv6 are supported.
D. IPv6 address book entries can be used.

Answer: B,D
Explanation:

QUESTION NO: 350

You are asked to set up a chassis cluster between your SRX Series devices. You must ensure
that the solution provides both dual redundant links per node and node redundancy.

Which setting should you use?

A. aggregated Ethernet
B. redundant Ethernet
C. aggregated Ethernet LAG
D. redundant Ethernet LAG

Answer: D
Explanation:

QUESTION NO: 351

What is supported on the fabric link?

A. jumbo frames
B. filters
C. fragmentation
D. policies

"Pass Any Exam. Any Time." - www.actualtests.com 169


Juniper JN0-332 Exam
Answer: A
Explanation:

QUESTION NO: 352

You are asked to establish a chassis cluster between two SRX Series devices. You must ensure
that end-to-end connectivity is monitored and that the redundancy group will fail over to the other
node if the remote device becomes unreachable.

What would ensure this behavior?

A. Bidirectional Forwarding Detection
B. real-time performance monitoring
C. remote interface monitoring
D. remote IP address monitoring

Answer: D
Explanation:

QUESTION NO: 353

When using chassis clustering, which link is responsible for configuration synchronization?

A. fxp0
B. fxp1
C. fab0
D. fab1

Answer: B
Explanation:

QUESTION NO: 354

Redundant Ethernet interfaces (reths) have a virtual MAC address based on which two attributes?
(Choose two.)

A. interface ID of the reth
B. MAC of member interfaces
C. redundancy group ID
D. cluster ID

Answer: A,D
Explanation:

QUESTION NO: 355

You are asked to establish a chassis cluster between two branch SRX Series devices. You must
ensure that no single point of failure exists.

What would prevent a single point of failure?

A. dual data plane links
B. redundant routing tables
C. redundant cluster IDs
D. dual control plane links

Answer: A
Explanation:

QUESTION NO: 356

Which two statements are correct regarding the cluster ID? (Choose two.)

A. You can have up to 15 unique cluster IDs on a single chassis cluster device.
B. The cluster ID value of 0 indicates that this is the primary chassis cluster on this device.
C. The cluster ID is used to calculate the reth interface's virtual MAC addresses.
D. You must reboot both nodes if you change the cluster ID value.

Answer: C,D
Explanation:

QUESTION NO: 357

Which statement is true about real-time objects in an SRX chassis cluster?

"Pass Any Exam. Any Time." - www.actualtests.com 171


Juniper JN0-332 Exam
A. Real-time objects are exchanged over the fxp1 link to provide highly accurate time
synchronization.
B. Real-time objects are exchanged over the fxp1 link to synchronize IPsec security associations.
C. Real-time objects are exchanged over the fab links to provide configuration file synchronization.
D. Real-time objects are exchanged over the fab links to synchronize session table entries.

Answer: D
Explanation:

QUESTION NO: 358

When using chassis clustering, which action is taken by the Junos OS if the control link or the
fabric link suffers a loss of keepalives or heartbeat messages?

A. Both nodes become primary.
B. Both nodes are placed in a disabled state.
C. The secondary node is placed in a disabled state.
D. The primary node fails over and is placed in a disabled state.

Answer: C
Explanation:

QUESTION NO: 359

You are configuring the SRX Series Services Gateway in chassis cluster mode.

What is a valid way to configure Redundancy Groups (RGs) 1 and 2 for active/active redundancy?

A. Configure RG 1 primary for Node 0 and RG 2 primary for Node 1
B. Configure RG 1 and RG 2 primary for Node 0
C. Configure RG 1 and RG 2 primary for Node 1
D. Configure RG 0 primary for Node 0

Answer: A
Explanation:

QUESTION NO: 360

"Pass Any Exam. Any Time." - www.actualtests.com 172


Juniper JN0-332 Exam
You have just manually failed over Redundancy Group 0 on Node 0 to Node 1. You notice Node 0
is now in a secondary-hold state.

Which statement is correct?

A. The previous primary node moves to the secondary-hold state because an issue occurred
during failover. It stays in that state until the issue is resolved.
B. The previous primary node moves to the secondary-hold state and stays there until manually
reset, after which it moves to the secondary state.
C. The previous primary node moves to the secondary-hold state and stays there until the hold-
down interval expires, after which it moves to the secondary state.
D. The previous primary node moves to the secondary-hold state and stays there until manually
failed back to the primary node.

Answer: C
Explanation:

QUESTION NO: 361

Which three Unified Threat Management features require a license? (Choose three.)

A. antivirus
B. surf control Web filtering
C. Websense Web filtering
D. content filtering
E. antispam

Answer: A,B,E
Explanation:

QUESTION NO: 362

Which global UTM configuration parameter contains lists, such as MIME patterns, filename
extensions, and URL patterns, that can be used across all UTM features?

A. custom objects
B. feature profile
C. UTM policy
D. address sets

"Pass Any Exam. Any Time." - www.actualtests.com 173


Juniper JN0-332 Exam
Answer: A
Explanation:

QUESTION NO: 363

Your SRX Series device is configured so that all inbound traffic from the Internet is examined by
the UTM content filtering feature.

As inbound traffic arrives at the SRX device, which packet processing component is responsible
for sending the packets for UTM processing?

A. zone
B. security policy
C. Junos Screen options
D. forwarding lookup

Answer: B
Explanation:

QUESTION NO: 364

Which three UTM features require a license? (Choose three.)

A. local list Web filtering
B. express antivirus
C. e-mail filtering
D. antispam
E. enhanced Web filtering

Answer: B,D,E
Explanation:

QUESTION NO: 365

Which two SRX platforms support UTM features? (Choose two.)

A. SRX240 with base memory
B. SRX100 with high memory
C. SRX650 with base memory
D. SRX1400 with base memory

Answer: B,C
Explanation:

QUESTION NO: 366

Which antivirus protection feature uses the first several packets of a file to determine if the file
contains malicious code?

A. express scanning
B. intelligent prescreening
C. full file-based
D. Kaspersky

Answer: B
Explanation:

QUESTION NO: 367

Which antivirus protection feature uses virus patterns and a malware database that are located on
external servers?

A. full file-based
B. Kaspersky
C. Sophos
D. express scan

Answer: C
Explanation:

QUESTION NO: 368

You have implemented Integrated SurfControl Web filtering on an SRX Series device. You have
also created a whitelist and a blacklist on the SRX device. One particular Web site matches all
three: the whitelist, the blacklist, and the SurfControl policy.

Which statement is correct?

A. Access is not allowed because the blacklist is processed first.
B. Access is allowed because the whitelist is processed first.
C. Access will be controlled by the SurfControl policy, because it is processed first.
D. Access is based on the priority of each policy as defined in the fallback settings in the UTM
policy.

Answer: A
Explanation:

QUESTION NO: 369

You have deployed enhanced Web filtering on an SRX Series device. A user requests a URL that
is not in the URL filtering cache.

What happens?

A. The request is permitted immediately but the SRX device then requests the category from the
configured server and caches the response for use with subsequent requests.
B. The request is blocked immediately but the SRX device then requests the category from the
configured server and caches the response for use with subsequent requests.
C. The SRX device requests the category from the configured server. Once the response is
received, the SRX device processes the request against the policy based on the information
received and caches the response.
D. The SRX device will either permit or deny the request immediately depending on the
configuration in the UTM policy. The SRX device then requests the category from the central
server and caches the response for use with subsequent requests.

Answer: C
Explanation:

QUESTION NO: 370

You are configuring a blacklist for Web filtering on a branch SRX Series device.

Which two URL patterns are valid? (Choose two.)

A. http://www.company.com/*
B. http://*.company.com
C. www.company.com
D. 1.2.3.4

Answer: B,D
Explanation:

QUESTION NO: 371

Which two criteria does the enhanced Web filtering solution use to make decisions? (Choose two.)

A. site reputation
B. keyword in the document
C. results of antivirus scan
D. category

Answer: A,D
Explanation:

QUESTION NO: 372

-- Exhibit --

[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
}

[edit vlans]
vlan-trust {
    vlan-id 3;
    l3-interface vlan.0;
}

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you need to allow ping traffic into interface ge-0/0/1.

Which configuration step will accomplish this task?

A. set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
B. set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic system-services ping
C. set security zones security-zone trust interfaces vlan-trust host-inbound-traffic system-services ping
D. set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping

Answer: D
Explanation:

QUESTION NO: 373

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which two services are allowed on the ge-0/0/2.0 interface? (Choose two.)

A. Ping
B. DNS
C. Telnet
D. SSH

Answer: B,C
Explanation:

QUESTION NO: 374

-- Exhibit --

[edit security policies from-zone untrust to-zone junos-host]
user@host# show
policy allow-management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

[edit security zones security-zone untrust]
user@host# show
host-inbound-traffic {
    protocols {
        ospf;
    }
}
interfaces {
    ge-0/0/0.0;
}

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you want to be able to manage your SRX Series device from the Internet
using SSH. You have created a security policy to allow the traffic to flow into the SRX device.

Which additional configuration step is required?

A. Define the junos-host zone and add the SSH service to it.
B. Add the SSH service to the untrust zone.
C. Define the junos-host zone, add the SSH service and the loopback interface to it.
D. Rewrite the security policy to allow SSH traffic from the untrust zone to the global zone.

Answer: B
Explanation:

QUESTION NO: 375

-- Exhibit --

security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy hosts-allow {
                match {
                    source-address hosts;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
                scheduler-name block-hosts;
            }
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}
schedulers {
    scheduler block-hosts {
        daily {
            start-time 10:00:00 stop-time 18:00:00;
        }
    }
}

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet
during specific times. You notice that hosts are still accessing the Internet during times outside of
the scheduler's parameters.

What is allowing hosts to access the Internet?

The policy allow is allowing hosts access during unscheduled hours.

A. The policy hosts-allow should have a then statement of deny.
B. The policy hosts-allow should have an application of junos-http.
C. The policy deny should have the scheduler applied.

Answer: A
Explanation:

QUESTION NO: 376

-- Exhibit --

security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
            policy allow-hosts {
                match {
                    source-address hosts;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
                scheduler-name block-hosts;
            }
            policy deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}
schedulers {
    scheduler block-hosts {
        daily {
            start-time 10:00:00 stop-time 18:00:00;
        }
    }
}

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet
during specific times. You notice that hosts are unable to access the Internet.

What is blocking hosts from accessing the Internet?

A. The policy allow-all should have the scheduler applied.
B. The policy allow-hosts should match on source-address any.
C. The policy allow-hosts should have an application of any.
D. The policy allow-all should have a then statement of permit.

Answer: D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 185


Juniper JN0-332 Exam
QUESTION NO: 377

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which policy will allow traffic from Host 1, Host 2, and Host 3 to the
Internet?

A. [edit security policies]
user@host# show
global {
    policy allow-internet {
        match {
            source-address [ host-1 host-2 host-3 ];
            destination-address any;
            application any;
        }
        then permit;
    }
}
B. [edit security policies]
user@host# show
from-zone all to-zone all {
    policy allow-internet {
        match {
            source-address [ host-1 host-2 host-3 ];
            destination-address any;
            application any;
        }
        then permit;
    }
}
C. [edit security policies]
user@host# show
default {
    policy allow-internet {
        match {
            source-address [ host-1 host-2 host-3 ];
            destination-address any;
            application any;
        }
        then permit;
    }
}
D. [edit security policies]
user@host# show
from-zone any to-zone any {
    policy allow-internet {
        match {
            source-address [ host-1 host-2 host-3 ];
            destination-address any;
            application any;
        }
        then permit;
    }
}

Answer: A
Explanation:

QUESTION NO: 378

-- Exhibit --

[edit security policies]
user@host# show
from-zone hr to-zone internet {
    policy internet-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy clean-up {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}

-- Exhibit --

Click the Exhibit button.

You want to permit access to the Internet from the hr zone during a specified time.

Which configuration will accomplish this task?

A. Configure a scheduler, apply it to a new policy, and insert it after internet-access to permit
Internet access.
B. Configure a scheduler and apply it to the policy internet-access to deny Internet access.
C. Configure a scheduler and apply it to the policy internet-access to permit Internet access.
D. Configure a scheduler, apply it to a new policy, and insert it before internet-access to permit
Internet access.

Answer: C
Explanation:

QUESTION NO: 379

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

You are asked to configure a hub-and-spoke VPN. All the VPN components have been
configured, and you are able to ping the remote tunnel interfaces at Site 1 and Site 2 from the Hub
site as shown in the exhibit. The Hub site's external interface is in security zone untrust and the
st0 interfaces from each site are in security zone DMZ. Users in Site 2 are unable to connect to a
Web server in Site 1.

Which additional step is required at the hub site for users to access the Web server?

"Pass Any Exam. Any Time." - www.actualtests.com 189


Juniper JN0-332 Exam
A. Configure a VPN between Site 1 and Site 2.
B. Configure a policy in the untrust zone that allows traffic between the sites.
C. Configure a policy in the VPN zone that allows traffic between the sites.
D. Configure a policy between the VPN and untrust zones.

Answer: C
Explanation:

QUESTION NO: 380

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you need to allow FTP traffic from the Internet to the FTP server in the
Trust zone. You have built a custom application so that you can modify the timeout value for FTP
sessions and have configured a policy to allow FTP traffic from Untrust to Trust, but the traffic still
does not flow. The current status of the FTP ALG is disabled.

What is the problem?

A. The FTP ALG has not been enabled in the security policy.
B. The FTP ALG has not been enabled in the security zones.
C. The FTP ALG has been disabled on the device.
D. The FTP ALG has not been set in the custom application definition.

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 190


Juniper JN0-332 Exam

QUESTION NO: 381

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

A server in the DMZ of your company is under attack. The attacker is opening a large number of
TCP connections to your server which causes resource utilization problems on the server. All of
the connections from the attacker appear to be coming from a single IP address.

Referring to the exhibit, which Junos Screen option should you enable to limit the effects of the
attack while allowing legitimate traffic?

A. Apply the Junos Screen option limit-session source-based-ip to the Untrust security zone.
B. Apply the Junos Screen option limit-session source-based-ip to the DMZ security zone.
C. Apply the Junos Screen option limit-session destination-based-ip to the Untrust security zone.
D. Apply the Junos Screen option limit-session destination-based-ip to the DMZ security zone.

"Pass Any Exam. Any Time." - www.actualtests.com 191


Juniper JN0-332 Exam
Answer: A
Explanation:

QUESTION NO: 382

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you want to use source NAT to translate the Web server's IP address to
the IP address of ge-0/0/2.

Which source NAT type accomplishes this task and always performs PAT?

A. source NAT with address shifting
B. standard pool-based NAT
C. interface-based source NAT
D. reverse source NAT

Answer: C
Explanation:

QUESTION NO: 383

-- Exhibit --

user@srx> show security flow session
Session ID: 10702, Policy name: default-permit/4, Timeout: 1794, Valid
  In: 2.3.4.5/5000 --> 10.1.2.3/22;tcp, If: fe-0/0/6.0, Pkts: 88444, Bytes: 7009392
  Out: 10.1.2.3/22 --> 10.1.1.1/5000;tcp, If: .local..0, Pkts: 81672, Bytes: 6749337

-- Exhibit --

Click the Exhibit button.

The output of show security flow session is shown in the exhibit.

From this output, which type of NAT is configured?

A. interface source NAT
B. static destination NAT
C. static source NAT
D. pool-based source NAT with PAT

Answer: C
Explanation:

QUESTION NO: 384

-- Exhibit --

[edit security nat source]
user@srx# show
pool A {
    address {
        172.16.52.94/32;
    }
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 192.168.233.0/24;
        }
        then {
            source-nat {
                pool {
                    A;
                }
            }
        }
    }
}

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

A. PAT is enabled.
B. PAT is disabled.
C. Address persistence is enabled.
D. Address persistence is disabled.

Answer: A,D
Explanation:

QUESTION NO: 385

-- Exhibit --

[edit security nat]
user@host# show source
pool pool-one {
    address {
        68.183.13.0/24;
    }
}
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule pool-nat {
        match {
            source-address 10.10.10.1/24;
        }
        then {
            source-nat {
                pool {
                    pool-one;
                }
            }
        }
    }
    rule no-nat {
        match {
            destination-address 192.150.2.140/32;
        }
        then {
            source-nat {
                off;
            }
        }
    }
}

-- Exhibit --

Click the Exhibit button.

You have implemented source NAT using a source pool for address translation. However, traffic
destined for 192.150.2.140 should not have NAT applied to it. The configuration shown in the
exhibit is not working correctly.

Which change is needed to correct this problem?

A. Insert no-nat before pool-nat.
B. The no-nat rule should be in a separate rule-set.
C. Destination NAT should be used to exclude the traffic destined for 192.150.2.140.
D. Proxy ARP needs to be applied on the 192.150.2.140 address for the rule to function.

Answer: A
Explanation:

QUESTION NO: 386

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

A PC in the trust zone is trying to ping a host in the untrust zone.

Referring to the exhibit, which type of NAT is configured?

"Pass Any Exam. Any Time." - www.actualtests.com 196


Juniper JN0-332 Exam
A. source NAT
B. destination NAT
C. static NAT
D. NAT pool

Answer: A
Explanation:

QUESTION NO: 387

-- Exhibit --

[edit security nat source]
user@host# show
pool snat-pool {
    address {
        10.10.10.10/32;
        10.10.10.11/32;
    }
}
pool-utilization-alarm raise-threshold 50 clear-threshold 40;
rule-set user-nat {
    from zone trust;
    to zone untrust;
    rule snat {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    snat-pool;
                }
            }
        }
    }
}

-- Exhibit --

Click the Exhibit button.

Your network management station has generated an alarm regarding NAT utilization based on an
SNMP trap received from an SRX Series device.

Referring to the exhibit, which statement is correct about the alarm?

A. The network management station will require manual intervention to clear the alarm.
B. Once utilization is below 40 percent, the Junos OS will send an SNMP trap to the network
management station to clear the alarm.
C. Once utilization is below 50 percent, the Junos OS will send an SNMP trap to the network
management station to clear the alarm.
D. Once utilization is below 80 percent, the Junos OS will send an SNMP trap to the network
management station to clear the alarm.

Answer: B
Explanation:

QUESTION NO: 388

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which three statements are correct? (Choose three.)

A. Source NAT is configured.
B. Address shifting is configured.
C. Interface-based NAT is configured.
D. Pool-based NAT is configured.
E. IPv6 is configured to bypass NAT.

"Pass Any Exam. Any Time." - www.actualtests.com 199


Juniper JN0-332 Exam
Answer: A,C,E
Explanation:

QUESTION NO: 389

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

You are troubleshooting an IPsec VPN connection between a local SRX Series device using IP
address 192.168.1.100 and a remote SRX device using IP address 192.168.2.100. A VPN
connection cannot be established. Referring to the exhibit, you examine the kmd log file.

What is the problem?

A. The Phase 2 proposal is invalid.
B. The Phase 1 proposal is invalid.
C. The Phase 1 gateway is invalid.
D. The Phase 2 gateway is invalid.

Answer: B
Explanation:

QUESTION NO: 390

"Pass Any Exam. Any Time." - www.actualtests.com 200


Juniper JN0-332 Exam
-- Exhibit –

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which statement is correct about the IPsec configuration?

A. The IPsec tunnel endpoint does not have a static IP address.
B. IKE Phase 2 is established immediately from the hub.
C. Protocol AH is used with IKE Phase 2.
D. IKE Phase 2 uses a standard proposal.

Answer: A
Explanation:

QUESTION NO: 391

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, which statement is correct about the IPsec configuration?

A. Policy-based implementation is used.
B. Dynamic VPN implementation is used.
C. Route-based implementation is used.
D. Hub-and-spoke implementation is used.

Answer: C
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 202


Juniper JN0-332 Exam

QUESTION NO: 392

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you are setting up the hub in a hub-and-spoke IPsec VPN. You have
verified that all configured parameters are correct at all sites, but your IPsec VPN is not
establishing to both sites.

"Pass Any Exam. Any Time." - www.actualtests.com 203


Juniper JN0-332 Exam
Which configuration parameter is missing at the hub to complete the configuration?

A. A different external-interface is needed for vpn1.
B. A different st0 logical interface is needed for vpn2.
C. Establish-tunnels immediately must be configured for vpn1.
D. Multipoint needs to be configured under the st0.0 interface.

Answer: D
Explanation:

QUESTION NO: 393

-- Exhibit --

security {
    ike {
        policy IKE-STANDARD {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "XXXXXX";
        }
        gateway GW-HUB {
            ike-policy IKE-STANDARD;
            dynamic hostname site1.company.com;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy IPSEC-STANDARD {
            proposal-set standard;
        }
        vpn VPN-HUB {
            bind-interface st0.0;
            ike {
                gateway GW-HUB;
                ipsec-policy IPSEC-STANDARD;
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}

-- Exhibit --

Click the Exhibit button.

You are implementing a new route-based IPsec VPN on an SRX Series device and the tunnel will
not establish.

What needs to be modified in the configuration shown in the exhibit?

A. Change the bind-interface from st0.0 to ge-0/0/0.0.
B. Add st0.0 to a security zone.
C. Add esp under host-inbound-traffic on zone untrust.
D. Add ike under host-inbound-traffic on zone trust.

Answer: B
Explanation:

QUESTION NO: 394

-- Exhibit --

user@host> show security ike security-associations 1.1.1.2
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       1.1.1.2         UP     3a895f8a9f620198  9040753e66d700bb  Main

user@host> show security ipsec security-associations
Total active tunnels: 0

user@host> show route

inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:25
                    > to 2.2.2.1 via ge-0/0/0.0
2.2.2.0/24         *[Direct/0] 00:00:25
                    > via ge-0/0/0.0
2.2.2.2/32         *[Local/0] 00:00:25
                      Local via ge-0/0/0.0
10.1.1.0/30        *[Direct/0] 00:06:06
                    > via st0.0
10.1.1.1/32        *[Local/0] 00:06:06
                      Local via st0.0
10.12.1.0/24       *[Direct/0] 00:06:06
                    > via ge-0/0/1.0
10.12.1.1/32       *[Local/0] 00:06:06
                      Local via ge-0/0/1.0
10.128.64.0/24     *[Static/5] 00:00:25
                    > to 2.2.2.1 via ge-0/0/0.0

user@host> show security policies
Default policy: deny-all
From zone: trust, To zone: vpn
  Policy: permit-all, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

-- Exhibit --

Click the Exhibit button.

You have created an IPsec VPN on an SRX Series device. You believe the tunnel is configured
correctly, but traffic from a host with the IP address of 10.12.1.10 cannot reach a remote device
over the tunnel with an IP address of 10.128.64.132. The ge-0/0/1.0 interface is in the trust zone
and the st0.0 interface is in the vpn zone. The output of four show commands is shown in the
exhibit.

What is the configuration problem with the tunnel?

A. Only one IKE tunnel exists so there is no path for return IKE traffic. You need to allow IKE
inbound on interface ge-0/0/0.0.
B. Because there are no IPsec security associations, the problem is in the IPsec proposal settings.
C. The static route created to reach the remote host is incorrect.
D. The VPN settings are correct, the traffic is being blocked by a security policy.

Answer: C
Explanation: IKE Phase 1 is UP and the trust-to-vpn policy permits everything, so neither IKE nor policy is the problem. The static route for 10.128.64.0/24 points to 2.2.2.1 via ge-0/0/0.0, the same next hop as the default route, instead of st0.0, so traffic for 10.128.64.132 is forwarded in the clear toward the Internet and never enters the tunnel interface. That is also why there are no IPsec SAs: a route-based VPN without establish-tunnels immediately only negotiates Phase 2 when traffic is routed into st0.0. Re-point the route at the tunnel interface, for example set routing-options static route 10.128.64.0/24 next-hop st0.0.
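As an added example (not part of the exam material), the Python below reproduces the forwarding lookup the SRX performs for 10.128.64.132 over the routes transcribed from the exhibit, shows that the packet leaves through ge-0/0/0.0 rather than st0.0, and then applies the corrected static route. The route list and helper names are this example's own; the fix it models is the Junos static route with next-hop st0.0.

```python
import ipaddress

# Routing table transcribed from the exhibit's "show route" output:
# (prefix, protocol, egress interface). Only the fields the lookup needs are kept.
EXHIBIT_ROUTES = [
    ("0.0.0.0/0", "Static", "ge-0/0/0.0"),
    ("2.2.2.0/24", "Direct", "ge-0/0/0.0"),
    ("2.2.2.2/32", "Local", "ge-0/0/0.0"),
    ("10.1.1.0/30", "Direct", "st0.0"),
    ("10.1.1.1/32", "Local", "st0.0"),
    ("10.12.1.0/24", "Direct", "ge-0/0/1.0"),
    ("10.12.1.1/32", "Local", "ge-0/0/1.0"),
    ("10.128.64.0/24", "Static", "ge-0/0/0.0"),
]


def lookup(routes, destination):
    """Longest-prefix match, as the forwarding lookup does; returns the winning route or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, protocol, interface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best["prefixlen"]):
            best = {"prefix": prefix, "protocol": protocol,
                    "interface": interface, "prefixlen": net.prefixlen}
    return best


def uses_tunnel(routes, destination, tunnel_interface="st0.0"):
    """True if traffic to destination is handed to the st0 interface, i.e. it will be
    encrypted and (for a route-based VPN) will trigger the Phase 2 negotiation."""
    route = lookup(routes, destination)
    return route is not None and route["interface"] == tunnel_interface


def with_route(routes, prefix, interface, protocol="Static"):
    """Copy of the table with the route for `prefix` replaced: the effect of
    'set routing-options static route <prefix> next-hop <interface>' once the old
    next hop has been deleted."""
    return [r for r in routes if r[0] != prefix] + [(prefix, protocol, interface)]


# Traffic from 10.12.1.10 (trust, ge-0/0/1.0) to 10.128.64.132 in the exhibit.
BROKEN = lookup(EXHIBIT_ROUTES, "10.128.64.132")            # ge-0/0/0.0: bypasses the tunnel
FIXED_ROUTES = with_route(EXHIBIT_ROUTES, "10.128.64.0/24", "st0.0")
FIXED = lookup(FIXED_ROUTES, "10.128.64.132")               # st0.0: enters the tunnel

if __name__ == "__main__":
    print("exhibit :", BROKEN["prefix"], "via", BROKEN["interface"])
    print("fixed   :", FIXED["prefix"], "via", FIXED["interface"])
```

The same lookup is what the security policy check depends on: the flow is classified into the from-zone/to-zone pair by the ingress and egress interfaces, so with the exhibit's route the session would be evaluated trust to untrust, never against the trust-to-vpn policy shown.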

QUESTION NO: 395

-- Exhibit --

user@host> show security ipsec security-associations
Total active tunnels: 1
ID        Algorithm       SPI       Life:sec/kb  Mon  vsys  Port  Gateway
<131073   ESP:3des/sha1   ac23df79  2532/ unlim  -    root  4500  1.1.1.1
>131073   ESP:3des/sha1   cbc9281a  2532/ unlim  -    root  4500  1.1.1.1

user@host> show security ipsec security-associations detail
Virtual-system: root
Local Gateway: 1.0.0.1, Remote Gateway: 1.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear

Direction: inbound, SPI: ac23df79, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2578 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: cbc9281a, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 3186 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2578 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

-- Exhibit --

Click the Exhibit button.

The exhibit shows output from two show commands.

What are two conclusions about the VPN tunnel from the output? (Choose two.)

A. VPN monitoring is enabled.
B. There is a device performing NAT between the two VPN endpoints.
C. 3DES is the encryption protocol.
D. Traffic with the DF-bit set that exceeds the MTU will be dropped.

Answer: B,C
Explanation: Port 4500 in the summary means the SAs are UDP-encapsulated (NAT-T), which the peers negotiate only when a NAT device was detected between them; ESP:3des/sha1 in the summary and Encryption: 3des-cbc in the detail show 3DES. The Mon column and VPN Monitoring both show "-", so VPN monitoring is not enabled, and DF-bit: clear means the SRX clears the DF bit on the outer header, so oversized packets are fragmented rather than dropped.
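The same conclusions can be drawn mechanically. As an added example that is not part of the exam material, the Python below parses the exhibit's summary and detail output (transcribed here as constructed strings) and reports what the Port, Mon, DF-bit and algorithm fields mean for the tunnel; the field interpretations are Junos semantics, the parsing helpers and their names are this example's own.

```python
import re

# Transcribed from the exhibit (constructed strings for this example).
SA_SUMMARY = """\
user@host> show security ipsec security-associations
Total active tunnels: 1
ID        Algorithm       SPI       Life:sec/kb  Mon  vsys  Port  Gateway
<131073   ESP:3des/sha1   ac23df79  2532/ unlim  -    root  4500  1.1.1.1
>131073   ESP:3des/sha1   cbc9281a  2532/ unlim  -    root  4500  1.1.1.1
"""

SA_DETAIL = """\
Virtual-system: root
Local Gateway: 1.0.0.1, Remote Gateway: 1.1.1.1
Version: IKEv1
DF-bit: clear
Direction: inbound, SPI: ac23df79, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 3186 seconds
Soft lifetime: Expires in 2578 seconds
Mode: Tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: cbc9281a, AUX-SPI: 0, VPN Monitoring: -
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
"""

# One SA per line: direction marker, ID, proto:enc/auth, SPI, life sec/kb, Mon, vsys, Port, Gateway.
SA_LINE = re.compile(
    r"^([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$"
)


def parse_summary(text):
    """Return one dict per SA line of 'show security ipsec security-associations'."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        mark, sa_id, algo, spi, life_sec, life_kb, mon, vsys, port, gateway = m.groups()
        proto, _, suites = algo.partition(":")
        enc, _, auth = suites.partition("/")
        sas.append({
            "direction": "inbound" if mark == "<" else "outbound",
            "id": int(sa_id), "protocol": proto, "encryption": enc, "auth": auth,
            "spi": spi, "life_sec": int(life_sec), "life_kb": life_kb,
            "monitored": mon != "-", "vsys": vsys, "port": int(port), "gateway": gateway,
        })
    return sas


def parse_detail(text):
    """'Key: value' pairs separated by ', '; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        for part in line.split(", "):
            key, sep, value = part.partition(": ")
            if sep:
                fields.setdefault(key.strip(), value.strip())
    return fields


def assess(summary_text, detail_text):
    """Derive the tunnel properties the exam question asks about."""
    sas = parse_summary(summary_text)
    detail = parse_detail(detail_text)
    df_bit = detail.get("DF-bit")
    return {
        "sa_count": len(sas),
        # UDP port 4500 means NAT traversal is active: a NAT device sits between the peers.
        "nat_traversal": any(sa["port"] == 4500 for sa in sas),
        "encryption": detail.get("Encryption", sas[0]["encryption"] if sas else None),
        "authentication": detail.get("Authentication"),
        "vpn_monitoring": detail.get("VPN Monitoring", "-") != "-" or any(sa["monitored"] for sa in sas),
        "df_bit": df_bit,
        # Only with DF-bit set is an oversized packet dropped; 'clear' means it is fragmented.
        "drops_oversized_df_packets": df_bit == "set",
    }


if __name__ == "__main__":
    for key, value in assess(SA_SUMMARY, SA_DETAIL).items():
        print(f"{key}: {value}")
```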

"Pass Any Exam. Any Time." - www.actualtests.com 209


Juniper JN0-332 Exam
QUESTION NO: 396

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Server A is communicating with Server B directly over the Internet. The servers now must begin
exchanging additional information through an unencrypted protocol. To protect this new data
exchange, you want to establish a VPN tunnel between the two sites that will encrypt just the
unencrypted data while leaving the existing communications directly over the Internet.

Which statement would achieve the desired results?

A. Configure a route-based VPN and use filter-based forwarding to direct traffic into the VPN
tunnel.
B. Configure a route-based VPN tunnel with traffic engineering to direct traffic into the VPN tunnel.
C. Configure a policy-based VPN with a security policy that matches the unencrypted traffic and
directs it into the VPN tunnel.
D. Configure a policy-based VPN tunnel and use filter-based forwarding to direct the unencrypted
traffic into interface st0.0.

Answer: C
Explanation: A policy-based VPN attaches the tunnel to one security policy (then permit tunnel ipsec-vpn), so only traffic matching that policy's source, destination and application is encrypted; everything else between the two servers keeps its existing path across the Internet.

QUESTION NO: 397

-- Exhibit --

user@host# set interfaces ge-0/0/5 gigether-options redundant-parent reth1
user@host# set interfaces ge-5/0/5 gigether-options redundant-parent reth1
user@host# set interfaces reth1.0 family inet address 192.168.1.100/30
user@host# commit
[edit interfaces reth1]
  'unit 0'
    reth1 needs to be associated with a non-zero redundancy-group
error: configuration check-out failed

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have built a chassis cluster, set up a reth, and put interfaces into the
reth. However, when you try to commit the configuration, you receive the error shown in the
exhibit.

Which configuration command will correct this error?

A. set chassis cluster reth-count 2
B. set chassis cluster redundancy-group 1 interface-monitor reth1
C. set interfaces reth1 redundant-ether-options redundancy-group 1
D. set chassis cluster redundancy-group 0 interface-monitor reth1

Answer: C
Explanation: A reth interface belongs to a redundancy group and is active on whichever node is primary for that group. Redundancy group 0 is reserved for the Routing Engine, so the reth must be tied to a data-plane group (RG 1 or higher) with redundant-ether-options redundancy-group. reth-count only reserves the reth interface numbers, and interface-monitor tracks physical child links, not the reth itself.

QUESTION NO: 398

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, failover to Node 0 occurred for Redundancy Group 2 because of an
interface failure. The interface has since been restored, but Node 0 is still the primary node for
Redundancy Group 2.

Which two actions will restore Node 1 as the primary node for Redundancy Group 2? (Choose
two.)

A. Decrease the priority of Node 1 to 100.
B. Increase the priority of Node 1 to 255.
C. Configure preempt under Redundancy Group 2.
D. Manually fail over to Redundancy Group 2.

Answer: C,D
Explanation: With preempt configured on the redundancy group, the higher-priority node (Node 1 in this scenario) takes the group back automatically once its monitored interface is healthy again. Without preempt the group stays on Node 0 until it is moved by hand with request chassis cluster failover redundancy-group 2 node 1. Changing priorities alone does not move an already-primary group.

QUESTION NO: 399

-- Exhibit --

user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    interface-monitor {
        ge-0/0/5 weight 85;
        ge-0/0/6 weight 85;
        ge-0/0/7 weight 85;
        ge-0/0/8 weight 85;
        ge-5/0/5 weight 85;
        ge-5/0/6 weight 85;
        ge-5/0/7 weight 85;
        ge-5/0/8 weight 85;
    }
}

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is
currently the primary node. You want to ensure that traffic using those interfaces fails over to Node
1 if one interface goes down.

Which configuration change should be made to ensure failover to Node 1?

A. Decrease the weight of the interfaces to 1.
B. Increase the weight of the interfaces to 255.
C. Increase the weight of the interfaces to between 128 and 254.
D. Decrease the weight of the interfaces to between 1 and 64.

Answer: B
Explanation: Each monitored interface contributes its weight when it goes down, and the redundancy group fails over once the accumulated weight of failed interfaces on the primary node reaches the fixed threshold of 255. At weight 85 three of the four interfaces on a node would have to fail (3 x 85 = 255); for the loss of any single interface to trigger failover, each weight must be 255. Option C (128 to 254) would require two failures.

QUESTION NO: 400

-- Exhibit --

user@host# show chassis cluster
reth-count 2;
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    interface-monitor {
        ge-0/0/5 weight 85;
        ge-0/0/6 weight 85;
        ge-0/0/7 weight 85;
        ge-0/0/8 weight 85;
        ge-5/0/5 weight 85;
        ge-5/0/6 weight 85;
        ge-5/0/7 weight 85;
        ge-5/0/8 weight 85;
    }
}

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is
currently the primary node. You want to ensure that traffic using those interfaces fails over to
Node 1 only when all interfaces go down.

Which configuration change should be made to ensure failover to Node 1?

A. Decrease the weight of the interfaces to 1.
B. Increase the weight of the interfaces to 255.
C. Increase the weight of the interfaces to between 86 and 128.
D. Decrease the weight of the interfaces to between 64 and 84.

Answer: D
Explanation: Each node has four monitored interfaces. Failing over only when all four are down requires 4w >= 255 (w >= 64) while three failures must stay below the threshold, 3w < 255 (w <= 84); any weight from 64 to 84 satisfies both. A weight of 255 fails over on the first loss, and 86 to 128 fails over after two or three losses.
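The arithmetic behind this question and the previous one (weight 255 for a single-interface failover, 64 to 84 for failover only when all four interfaces are lost) generalises to any number of monitored interfaces. As an added example that is not part of the exam material, the Python below models the interface-monitor accounting against the fixed 255 threshold and solves for the weight window; the helper names and the simulation table are this example's own.

```python
FAILOVER_THRESHOLD = 255  # fixed per redundancy group in Junos chassis clustering; not configurable


def fails_over(failed_weights):
    """A redundancy group fails over once the weights of the failed monitored
    interfaces on the primary node add up to the threshold."""
    return sum(failed_weights) >= FAILOVER_THRESHOLD


def failures_needed(weight, monitored):
    """Smallest number of equal-weight interfaces whose loss triggers failover, or
    None if losing all `monitored` of them still stays under the threshold."""
    for lost in range(1, monitored + 1):
        if lost * weight >= FAILOVER_THRESHOLD:
            return lost
    return None


def weight_range(monitored, fail_after):
    """Inclusive (low, high) per-interface weight so that the group fails over on
    the `fail_after`-th lost interface and not earlier; None if no weight works."""
    if not 1 <= fail_after <= monitored:
        raise ValueError("fail_after must be between 1 and the number of monitored interfaces")
    low = -(-FAILOVER_THRESHOLD // fail_after)                    # ceil(255 / k): k losses reach 255
    high = 255 if fail_after == 1 else (FAILOVER_THRESHOLD - 1) // (fail_after - 1)  # k-1 losses stay below
    high = min(high, 255)
    return (low, high) if low <= high else None


# The exhibit: four monitored interfaces per node (ge-0/0/5..8 on node 0,
# ge-5/0/5..8 on node 1), each with weight 85.
EXHIBIT_WEIGHTS = {"ge-0/0/5": 85, "ge-0/0/6": 85, "ge-0/0/7": 85, "ge-0/0/8": 85}


def simulate(weights, down):
    """Apply a list of failed interface names to one node's interface-monitor table."""
    return fails_over(weights[name] for name in down)


if __name__ == "__main__":
    print("exhibit (85 each): fails over after", failures_needed(85, 4), "losses")
    for k in range(1, 5):
        print(f"fail over on loss #{k} of 4: weight range {weight_range(4, k)}")
```

Because each node accounts only for its own child interfaces, the window is the same on both nodes as long as both monitor the same number of links at the same weight; with mixed weights, fails_over with the actual failed set is the check to run.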

QUESTION NO: 401

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, with Node 0 as primary for Redundancy Group (RG) 1, which action will
the Junos OS chassis cluster take if interface ge-1/0/0 goes down?

A. RG 1 will remain primary on Node 0.
B. RG 1 will become primary to Node 1.
C. RG 1 will become disabled.
D. RG 1 will remove the interface from the redundancy group.

Answer: A
Explanation:

QUESTION NO: 402

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

You have configured antispam on your SRX Series device as shown in the exhibit.

Assuming the antispam profile has been properly applied, what happens when an e-mail message
arrives at the SRX device from bob@domain-xyz.net at IP address 150.10.10.10?

A. The message matches the whitelist and is forwarded to the destination.
B. The message matches the blacklist and is blocked.
C. The message matches the blacklist and is forwarded to the destination with "SPAM:"
automatically appended to the beginning of the e-mail subject line.
D. The message matches both lists and is blocked because the SRX device defaults to the more
restrictive setting.

Answer: B
Explanation:

QUESTION NO: 403

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

You have configured antispam on your SRX Series device as shown in the exhibit.

Assuming the antispam profile has been properly applied, what happens when an e-mail message
arrives at the SRX device from mary@domain-abc.net at IP address 150.150.150.10?

A. The message matches the whitelist and is forwarded to the destination.
B. The message matches the blacklist and is blocked.
C. The message matches the blacklist and is forwarded to the destination with "SPAM:"
automatically appended to the beginning of the e-mail subject line.
D. The message matches both lists and is blocked because the device defaults to the more
restrictive setting.

Answer: A
Explanation:

QUESTION NO: 404

-- Exhibit --

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have just committed the UTM configuration.

Which statement is correct?

A. Intelligent prescreening is not configured.
B. Sophos scanning is configured.
C. Kaspersky scanning is configured.
D. Intelligent prescreening is configured.

Answer: D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 218


Juniper JN0-332 Exam

QUESTION NO: 405

-- Exhibit --

[edit security utm feature-profile content-filtering]
user@host# show
profile profileA {
    block-content-type {
        exe;
        zip;
    }
    notification-options {
        type message;
        custom-message "Not permitted. illegal file type";
    }
}

-- Exhibit --

Click the Exhibit button.

Your SRX Series device includes the content filtering configuration shown in the exhibit.

Assuming the content filtering profile has been properly applied, what happens when a user
attempts to send a zip file through the SRX device using FTP?

A. The file is blocked and silently dropped.
B. The file is blocked and a message is sent back to the user.
C. The file is permitted and forwarded to its destination, and a message is sent back to the user.
D. The file is permitted and forwarded to its destination.

Answer: D
Explanation: block-content-type (exe, zip, activex, java-applet, http-cookie) inspects HTTP traffic only, so a zip sent over FTP is not examined by this profile and is forwarded unchanged. To block by file type on FTP, and on SMTP, POP3 and IMAP, use block-extension, which applies to every protocol content filtering supports.

"Pass Any Exam. Any Time." - www.actualtests.com 219


Juniper JN0-332 Exam

QUESTION NO: 406

-- Exhibit --

[edit security utm]
user@host# show
custom-objects {
    url-pattern {
        permit {
            value http://www.domain-abc.net;
        }
        deny {
            value http://www.domain-abc.net/movies;
        }
    }
    custom-url-category {
        whitelist {
            value permit;
        }
        blacklist {
            value deny;
        }
    }
}
feature-profile {
    web-filtering {
        url-whitelist whitelist;
        url-blacklist blacklist;
        type juniper-local;
        juniper-local {
            profile profileA {
                default block;
                custom-block-message "Website access not permitted";
            }
        }
    }
}

-- Exhibit --

Click the Exhibit button.

Your SRX Series device includes the Web filtering configuration shown in the exhibit.

Assuming the Web filtering profile has been properly applied, what happens when a user attempts
to access the Web site www.juniper.net through the SRX device?

A. The HTTP request is blocked and the user's Web browser eventually times out.
B. The HTTP request is blocked and a message is sent back to the user.
C. The HTTP request is intercepted and the URL is sent to the Websense server. The SRX device
permits or blocks the request based on the information it receives back from the server.
D. The HTTP request is permitted and forwarded to the Web server.

Answer: B
Explanation: www.juniper.net matches neither the whitelist pattern (www.domain-abc.net) nor the blacklist pattern (www.domain-abc.net/movies), so the juniper-local profile's default action, block, applies and the configured custom-block-message is returned to the browser. Option C describes the websense-redirect type, not juniper-local, which never contacts an external server.

QUESTION NO: 407

What does a zone contain?

A. Routers
B. Interfaces
C. Routing tables
D. NAT Address

Answer: B
Explanation:

QUESTION NO: 408

Referring to the exhibit, which two statements are correct? (Choose two.)

[edit security zones]
user@host# show
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ssh;
            ping;
        }
    }
    interfaces {
        ge-0/0/1.0;
        ge-0/0/3.0 {
            host-inbound-traffic {
                protocols {
                    ospf;
                }
            }
        }
    }
}

A. An OSPF adjacency can be established on interface ge-0/0/3.
B. An OSPF adjacency can be established on both interfaces.
C. SSH can connect on interface ge-0/0/1.
D. Ping is not allowed on either interface.

Answer: A,C
Explanation: ssh and ping are allowed at the zone level, so they apply to ge-0/0/1.0, which has no interface-level host-inbound-traffic of its own. ospf is allowed only in the interface-level host-inbound-traffic of ge-0/0/3.0, so an OSPF adjacency can form there and nowhere else in the zone.

"Pass Any Exam. Any Time." - www.actualtests.com 222


Juniper JN0-332 Exam
QUESTION NO: 409

Which statement is true about a logical interface?

A. A logical interface can belong to multiple zones
B. A logical interface can belong to multiple routing instances
C. A logical interface can belong to only one routing instance
D. All logical interfaces in a routing instance must belong to a single zone

Answer: C
Explanation:

QUESTION NO: 410

You want to configure a security policy that allows traffic to a particular host.

Which step must you perform before committing a configuration with the policy?

A. Define a static route to the host
B. Ensure that the router can ping the host
C. Define an address book entry for the host
D. Ensure that the router has an ARP entry for the host

Answer: C
Explanation:

QUESTION NO: 411

Which three match criteria must each security policy include? (Choose three.)

A. source address
B. source port
C. destination address
D. destination port
E. application

Answer: A,C,E
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 223


Juniper JN0-332 Exam
QUESTION NO: 412

Which three IP option fields can an attacker exploit to cause problems in a network? (Choose
three.)

A. loose source routing
B. timestamp
C. time-to-live
D. record route
E. DSCP

Answer: A,B,D
Explanation: Loose and strict source routing let the sender dictate the path and so bypass the intended routing, record route and timestamp leak the path and timing of the network to an attacker, and malformed options can crash weak IP stacks; the Junos ip option screens (loose-source-route, strict-source-route, record-route, timestamp, security, stream, bad-option) drop packets carrying them. TTL and DSCP are fixed header fields, not options.
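As an added example that is not part of the exam material, the Python below is a small IPv4 options parser that pulls the option list out of a header, decodes the source-route and record-route address lists, flags malformed options, and reports which of the options an SRX IP-option screen can be set to drop. The sample packets are constructed inline for the example; the option type numbers are the standard IPv4 values, the helper names are assumptions of this example.

```python
import struct
import ipaddress

# IPv4 option type byte = copied flag (1 bit) | class (2 bits) | number (5 bits).
OPTION_NAMES = {
    7: "record-route",            # class 0, number 7
    68: "timestamp",              # class 2, number 4
    130: "security",              # copied, class 0, number 2
    131: "loose-source-route",    # copied, class 0, number 3
    136: "stream-id",             # copied, class 0, number 8
    137: "strict-source-route",   # copied, class 0, number 9
    148: "router-alert",          # copied, class 0, number 20
}
# Options a Junos "ip option" screen can be told to drop; router-alert (RSVP, IGMP) is legitimate.
SCREEN_OPTIONS = {"loose-source-route", "strict-source-route", "record-route",
                  "timestamp", "security", "stream-id"}


def parse_ipv4_options(packet):
    """Return the options in an IPv4 header as a list of dicts; a malformed option
    is reported as 'bad-option' rather than raised, since that is itself a finding."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad version or IHL")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # no-op padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            found.append({"type": kind, "name": "bad-option"})
            break
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        entry = {"type": kind, "name": OPTION_NAMES.get(kind, "unknown-%d" % kind), "length": length}
        if kind in (7, 131, 137) and len(data) >= 1:
            # pointer byte followed by a list of IPv4 addresses (route hops or recorded hops)
            entry["pointer"] = data[0]
            entry["addresses"] = [str(ipaddress.IPv4Address(data[j:j + 4]))
                                  for j in range(1, len(data) - 3, 4)]
        found.append(entry)
        i += length
    return found


def screen_hits(packet):
    """Sorted names of present options that an SRX IP-option screen could block."""
    names = {o["name"] for o in parse_ipv4_options(packet)}
    return sorted(names & (SCREEN_OPTIONS | {"bad-option"}))


def build_ipv4(src, dst, options=b"", proto=6):
    """Construct a minimal IPv4 header carrying the given option bytes (checksum left 0)."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(padded), 1, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + padded


# Constructed samples: a loose source route via 10.0.0.1 then 192.0.2.1 (pointer 4 = first hop
# not yet consumed), a timestamp option with one empty slot, and a header with no options.
LSRR = bytes([131, 11, 4]) + ipaddress.IPv4Address("10.0.0.1").packed + ipaddress.IPv4Address("192.0.2.1").packed
SAMPLE_LSRR = build_ipv4("203.0.113.5", "198.51.100.9", LSRR)
SAMPLE_TS = build_ipv4("203.0.113.5", "198.51.100.9", bytes([68, 8, 5, 0]) + b"\x00" * 4)
SAMPLE_PLAIN = build_ipv4("203.0.113.5", "198.51.100.9")

if __name__ == "__main__":
    for label, pkt in (("lsrr", SAMPLE_LSRR), ("timestamp", SAMPLE_TS), ("plain", SAMPLE_PLAIN)):
        print(label, parse_ipv4_options(pkt), screen_hits(pkt))
```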

QUESTION NO: 413

Which statement is true about implementing IP spoofing protection as a Junos Screen option?

A. It ensures that the active route to the source has the same egress interface as the ingress
interface for the packet.
B. It ensures that a route, active or not, to the source exists with the same egress interface as the
ingress interface of the packet
C. It ensures that the active route to the source has the same egress zone as the ingress zone for
the packet
D. It ensure that a route, active or not, to the source exists with the same egress zone as the
ingress zone for the packet.

Answer: A
Explanation: The ip-spoofing screen performs a reverse lookup on the packet's source address: it finds the active route to that source and drops the packet if that route's egress interface is not the interface the packet arrived on. Only the active route counts, and the comparison is per interface, not per zone.

QUESTION NO: 414

A PC in the trust zone is trying to ping a host in the untrust zone. Referring to the exhibit, which
type of NAT is configured?

A. source NAT
B. destination NAT
C. static NAT
D. NAT pool

Answer: A
Explanation:

QUESTION NO: 415

Which operational command produces the output shown in the exhibit?

A. show security nat source rule
B. show route forwarding-table
C. show security nat source pool all
D. show security nat source summary

Answer: D
Explanation:

QUESTION NO: 416

For a route-based VPN, which statement is true?

A. host-inbound-traffic system services ike must be enabled on the st0.x interface
B. host-inbound-traffic system services ike must be enabled on both the st0.x interface and the
logical interface on which ike terminates
C. host-inbound-traffic system services ike must be enabled on the logical interface on which ike
terminates.
D. host-inbound-traffic system services ike is not mandatory for route based VPNs.

Answer: C
Explanation: IKE packets arrive on the external interface (usually in the untrust zone) on which the IKE gateway is bound, so that interface's zone or interface-level host-inbound-traffic must allow system-services ike. st0.x only carries the cleartext payload after decryption and never receives IKE.

"Pass Any Exam. Any Time." - www.actualtests.com 225


Juniper JN0-332 Exam
QUESTION NO: 417

Which function does Diffie-Hellman exchange perform for IPsec VPN?

A. It encrypts end-user traffic between the two VPN peers.
B. It securely exchanges the pre-shared keys over the network.
C. It negotiates IPsec Phase 2 parameters with the VPN peer
D. It exchanges static routes with the VPN peer.

Answer: B
Explanation: B is the intended answer but is loosely worded. Diffie-Hellman lets the two peers derive a shared secret over an untrusted network without ever transmitting that secret; a pre-shared key is never sent over the wire, it only authenticates the IKE Phase 1 exchange. The DH result seeds the IKE and IPsec session keys, which is why a fresh DH exchange in Phase 2 (PFS) prevents a compromised Phase 1 key from exposing the data keys.

QUESTION NO: 418

Referring to the exhibit, which two statements are correct about the IPsec configuration? (Choose two.)

A. IKE Phase 2 establishes when payload traffic flows
B. IKE Phase 2 establishes immediately
C. Protocol ESP is used
D. Protocol AH is used

Answer: B,C
Explanation:

QUESTION NO: 419

Which three components can be downloaded and installed directly from Juniper Networks update
server to an SRX Series device? (Choose three.)

A. signature package
B. PCRE package
C. detector engine
D. policy templates
E. dynamic attack detection package

Answer: A,C,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 226


Juniper JN0-332 Exam
QUESTION NO: 420

You have a chassis cluster established between two SRX Series devices. You are monitoring the
status of the cluster and notice that some redundancy groups show disabled.

What are two explanations for this behavior? (Choose two.)

A. The fxp0 interface is down
B. The fxp1 interface is down
C. The fab interface is down
D. The swfab interface is down.

Answer: B,C
Explanation: Redundancy groups on the secondary node are placed in the disabled state when the control link (fxp1) or the fabric link (fab0/fab1) fails, because the nodes can no longer synchronise state and must avoid a split-brain. fxp0 is the out-of-band management interface and has no effect on cluster state.

QUESTION NO: 421

Referring to the exhibit, you see that Node 0 is currently primary for redundancy group 0. You
have not yet configured any chassis cluster parameters. You want to ensure that Node 1 is always
the primary node for this redundancy group if both nodes reboot at the same time.

Which configuration step would accomplish this task?

user@host> show chassis cluster status
Cluster ID: 1
Node      Priority   Status      Preempt   Manual failover
Redundancy group: 0 , Failover count: 1
    node0     1          primary     no        no
    node1     1          secondary   no        no

A. user@host# set chassis cluster redundancy-group 0 node 1 priority 1
B. user@host# set chassis cluster redundancy-group 0 node 1
C. user@host# set chassis cluster redundancy-group 0 preempt
D. user@host# set chassis cluster redundancy-group 0 node 0 priority 255
E. user@host# set chassis cluster redundancy-group 0 node 1 priority 254

Answer: E
Explanation: Both nodes are at the default priority of 1 for RG 0, and a tie is broken in favour of the lower node ID, so node 0 wins every simultaneous boot. Giving node 1 a higher priority than node 0 makes it the elected primary; 254 is the top of the valid range (1 through 254), so option D's 255 is rejected. Preempt alone changes nothing while the priorities are equal, and setting node 1 to priority 1 leaves the tie in place.

"Pass Any Exam. Any Time." - www.actualtests.com 227


Juniper JN0-332 Exam

QUESTION NO: 422

Referring to the exhibit, you have just committed the UTM antivirus configuration. You notice that
the SRX Series device shows that Kaspersky scanning is being used instead of express scanning.
What must you do to resolve this problem?

A. You must configure the antivirus type to use express scanning
B. You must configure the antivirus type to disable Kaspersky
C. You must update the antivirus signatures
D. You must wait until the next pattern update

Answer: A
Explanation: Express antivirus is a separate engine and must be selected explicitly with set security utm feature-profile anti-virus type juniper-express-engine; until it is, the full Kaspersky engine (kaspersky-lab-engine) is used regardless of how current the signatures are.

QUESTION NO: 423

Which type of logging is supported for UTM logging to an external syslog server on branch SRX
Series devices?

A. Binary syslog
B. CHARGEN
C. WELF (structured) syslog
D. standard (unstructured) syslog

Answer: C
Explanation:

QUESTION NO: 424

To which depth of compressed (Zip) files can the Junos full antivirus feature scan?

A. 1 layer of compression
B. 2 layers of compression
C. 3 layers of compression
D. 4 layers of compression

Answer: D
Explanation:

QUESTION NO: 425

Which two statements describe full file-based antivirus protection? (Choose two.)

A. By default, the signature database is updated every 60 minutes.
B. By default, the signature database is updated once daily.
C. The signature database targets only critical viruses and malware.
D. The signature database can detect polymorphic virus types.

Answer: A,D
Explanation:

"Pass Any Exam. Any Time." - www.actualtests.com 229

You might also like