JN0-332
QUESTION NO: 1
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon
committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Answer: A
Explanation:
QUESTION NO: 2
You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN
tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?
Answer: D
Explanation:
QUESTION NO: 3
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH?
(Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,C,E
Explanation:
QUESTION NO: 4
You must configure a SCREEN option that would protect your router from a session table
flood. Which configuration meets this requirement?
Answer: D
Explanation:
QUESTION NO: 5
Which type of Web filtering by default builds a cache of server actions associated with each URL it
has checked?
Answer: B
Explanation:
QUESTION NO: 6
Which security or functional zone name has special significance to the Junos OS?
A. self
B. trust
C. untrust
D. junos-global
Answer: D
Explanation:
QUESTION NO: 7
Which command do you use to display the status of an antivirus database update?
Answer: A
Explanation:
QUESTION NO: 8
Which statement contains the correct parameters for a route-based IPsec VPN?
Answer: D
Explanation:
QUESTION NO: 9
A. security
B. functional
C. junos-global
D. management
Answer: C
Explanation:
QUESTION NO: 10
You want to allow your device to establish OSPF adjacencies with a neighboring device connected
to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone. Under which
configuration hierarchy must you permit OSPF traffic?
QUESTION NO: 11
A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by
network administrators when an attack is detected.
Answer: B,C,E
Explanation:
QUESTION NO: 12
Your IKE SAs are up, but the IPsec SAs are not up. Referring to the exhibit, what is the problem?
A. One or more of the phase 2 proposals such as authentication algorithm, encryption algorithm
do not match.
B. The tunnel interface is down.
C. The proxy IDs do not match.
D. The IKE proposals do not match the IPsec proposals.
Answer: C
QUESTION NO: 13
Which two statements regarding symmetric key encryption are true? (Choose two.)
Answer: A,D
Explanation:
QUESTION NO: 14
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS?
(Choose two.)
A. protocol list
B. MIME
C. block list
D. extension
Answer: B,D
Explanation:
QUESTION NO: 15
Which two statements are true about hierarchical architecture? (Choose two.)
Answer: B,D
Explanation:
QUESTION NO: 16
Which two statements regarding external authentication servers for firewall user authentication are
true? (Choose two.)
Answer: B,D
Explanation:
QUESTION NO: 17
Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated
before your Allow policy?
A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow
C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow
D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet
Answer: A
Explanation:
QUESTION NO: 18
Answer: A
Explanation:
QUESTION NO: 19
System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device.
Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)
Answer: B,C
Explanation:
QUESTION NO: 20
A user wants to establish an HTTP session to a server behind an SRX device but is being pointed
to Web page on the SRX device for additional authentication. Which type of user authentication is
configured?
Answer: C
Explanation: Web authentication is valid for all types of traffic. With Web authentication
configured, users must first directly access the Junos security platform using HTTP. The user
enters the address or hostname of the device into a Web browser and then receives a prompt for
a username and password. If authentication is successful, the user can then access the restricted
resource directly. Subsequent traffic from the same source IP address is automatically allowed
access to the restricted resource, as long as security policy allows for it.
QUESTION NO: 21
A. antispam
B. antivirus (full AV)
C. content filtering
D. Web-filtering redirect
Answer: A,B
Explanation:
QUESTION NO: 22
Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or
rules that overlap? (Choose two.)
Answer: A,B
Explanation:
QUESTION NO: 23
A network administrator has configured source NAT, translating to an address that is on a locally
connected subnet. The administrator sees the translation working, but traffic does not appear to
come back. What is causing the problem?
Answer: C
Explanation:
QUESTION NO: 24
A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
permit the traffic to pass.
Answer: B
Explanation:
QUESTION NO: 25
Which three components can be leveraged when defining a local whitelist or blacklist for antispam
on a branch SRX Series device? (Choose three.)
Answer: C,D,E
Explanation:
QUESTION NO: 26
What is the correct syntax for applying node-specific parameters to each node in a chassis
cluster?
Answer: C
Explanation:
QUESTION NO: 27
Answer: A
Explanation:
QUESTION NO: 28
A system administrator detects thousands of open idle connections from the same source. Which
problem can arise from this type of attack?
Answer: C
Explanation:
QUESTION NO: 29
A. [edit security]
B. [edit protocols]
C. [edit firewall]
D. [edit policy-options]
Answer: A
Explanation:
QUESTION NO: 30
You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?
Answer: D
Explanation:
QUESTION NO: 31
Which three methods of source NAT does the Junos OS support? (Choose three.)
Answer: A,B,C
Explanation:
QUESTION NO: 32
Which three firewall user authentication objects can be referenced in a security policy? (Choose
three.)
A. access profile
B. client group
C. client
D. default profile
Answer: A,B,C
Explanation:
QUESTION NO: 33
A. 1 minute
B. 15 minutes
C. 30 minutes
D. 90 minutes
Answer: C
Explanation:
QUESTION NO: 34
Which three advanced permit actions within security policies are valid? (Choose three.)
Answer: A,C,E
Explanation:
QUESTION NO: 35
QUESTION NO: 36
A. no NAT
B. destination NAT
C. source NAT
D. port address translation (PAT)
Answer: C
Explanation:
QUESTION NO: 37
At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured?
(Choose two.)
Answer: B,C
Explanation:
A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy
Answer: C,D
Explanation:
QUESTION NO: 39
The SRX device receives a packet and determines that it does not match an existing session. After
SCREEN options are evaluated, what is evaluated next?
A. source NAT
B. destination NAT
C. route lookup
D. zone lookup
Answer: B
Explanation:
QUESTION NO: 40
A. security
B. functional
C. user
D. system
Answer: A
Explanation:
QUESTION NO: 41
A. The Junos OS applies service ALGs only for the first packet of a flow.
B. The Junos OS uses fast-path processing only for the first packet of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.
Answer: C,D
Explanation:
QUESTION NO: 42
Which Web-filtering technology can be used at the same time as integrated Web filtering on a
single branch SRX Series device?
Answer: B
Explanation:
QUESTION NO: 43
In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?
Answer: C
Explanation:
QUESTION NO: 44
An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was
Answer: B,C
Explanation:
QUESTION NO: 45
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources
used for malicious packet processing.
Answer: C,D
Explanation:
QUESTION NO: 46
In the exhibit, you decide to change the Hosts addresses. What will happen to the new sessions
matching the policy and to in-progress sessions that had already matched the policy?
Answer: A
Explanation:
QUESTION NO: 47
When using UTM features in an HA cluster, which statement is true for installing the licenses on
the cluster members?
A. One UTM cluster license will activate UTM features on both members.
B. Each device will need a UTM license generated for its serial number.
C. Each device will need a UTM license generated for the cluster, but licenses can be applied to
either member.
D. HA clustering automatically comes with UTM licensing, no additional actions are needed.
QUESTION NO: 48
Answer: D
Explanation:
The data plane on Junos security platforms, implemented on IOCs, NPCs, and SPCs for high-end
devices and on CPU cores and PIMs for branch devices, consists of Junos OS packet-handling
modules compounded with a flow engine and session management like that of the ScreenOS
software. Intelligent packet processing ensures that one single thread exists for packet flow
processing associated with a single flow. Real-time processes enable the Junos OS to perform
session-based packet forwarding.
QUESTION NO: 49
Which two functions of the Junos OS are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Answer: A,D
Explanation:
QUESTION NO: 50
A. The Junos OS drops any flow that does not match the source address or destination address.
B. All traffic is dropped.
C. All existing sessions continue.
D. The Junos OS does a policy re-evaluation.
Answer: D
Explanation:
QUESTION NO: 51
A. It prevents the HTTP client or server from timing-out during an antivirus update.
B. It prevents the HTTP client or server from timing-out during antivirus scanning.
C. It is an attack.
D. It is used to bypass antivirus scanners.
Answer: B
Explanation:
QUESTION NO: 52
A. a telnet to port 80
B. a TCP packet with the SYN and ACK flags set
C. an SNMP getnext request
D. an ICMP packet larger than 1024 bytes
Answer: D
Explanation:
QUESTION NO: 53
Answer: B
Explanation:
QUESTION NO: 54
A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The
administrator must also disable NAT for any traffic destined to the 202.2.10.0/24 network. Which
configuration would accomplish this task?
Answer: B
Explanation:
QUESTION NO: 55
The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web
filtering is being used?
Answer: B
Explanation:
QUESTION NO: 56
Which two statements are true with regard to policy ordering? (Choose two.)
Answer: C,D
Explanation:
QUESTION NO: 57
Regarding fast path processing, when does the system perform the policy check?
Answer: B
Explanation:
QUESTION NO: 58
Which URL database do branch SRX Series devices use when leveraging local Web filtering?
A. The SRX Series device will download the database from an online repository to locally inspect
HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web
filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web
filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local
database to inspect the HTTP traffic for Web filtering.
Answer: D
Explanation:
QUESTION NO: 59
How do you apply UTM enforcement to security policies on the branch SRX series?
Answer: A
Explanation:
QUESTION NO: 60
What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt
Answer: A,D
Explanation:
QUESTION NO: 61
Answer: C
Explanation:
QUESTION NO: 62
A. IDP can be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
Answer: A,D
Explanation:
QUESTION NO: 63
Answer: C
Explanation: The Junos OS achieves high availability on Junos security platforms using chassis
clustering. Chassis clustering provides network node redundancy by grouping two like devices into
a cluster. The two nodes back each other up with one node acting as the primary and the other as
the secondary node, ensuring the stateful failover of processes and services in the event of
system or hardware failure. A control link between services processing cards (SPCs) or revenue
ports and an Ethernet data link between revenue ports connect two like devices. Junos security
platforms must be the same model, and all SPCs, network processing cards (NPCs), and
input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware
revision.
The chassis clustering feature in the Junos OS is built on the high availability methodology of
Juniper Networks M Series and T Series platforms and the TX Matrix platform, including
multichassis clustering, active-passive Routing Engines (REs), active-active Packet Forwarding
Engines (PFEs), and graceful RE switchover capability.
QUESTION NO: 64
Which three statements are true when working with high-availability clusters? (Choose three.)
Answer: C,D,E
Explanation:
QUESTION NO: 65
A network administrator wants to permit Telnet traffic initiated from the address book entry
the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
Answer: B
Explanation:
QUESTION NO: 66
Answer: A
Explanation:
QUESTION NO: 67
Which three parameters are configured in the IKE policy? (Choose three.)
A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings
Answer: A,B,D
Explanation:
QUESTION NO: 68
Which two statements are true about the relationship between static NAT and proxy ARP?
(Choose two.)
Answer: B,C
Explanation:
QUESTION NO: 69
Which CLI command do you use to block MIME content at the [edit security utm feature-profile]
hierarchy?
Answer: B
Explanation:
QUESTION NO: 70
If both nodes in a chassis cluster initialize at different times, which configuration example will allow
you to ensure that the node with the higher priority will become primary for your RGs other than
RG0?
Answer: A
Explanation:
QUESTION NO: 71
By default, how is traffic evaluated when the antivirus database update is in progress?
Answer: D
Explanation:
QUESTION NO: 72
Answer: B
Explanation:
QUESTION NO: 73
Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID
Answer: C
Explanation:
QUESTION NO: 74
Which three are necessary for antispam to function properly on a branch SRX Series device?
(Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
Answer: A,B,D
Explanation:
QUESTION NO: 75
How many IDP policies can be active at one time on an SRX Series device by means of the set
security idp active-policy configuration statement?
A. 1
B. 2
C. 4
D. 8
Answer: A
Explanation:
QUESTION NO: 76
Answer: B,C
Explanation:
QUESTION NO: 77
Your task is to provision the Junos security platform to permit transit packets from the Private zone
to the External zone by using an IPsec VPN and log information at the time of session close.
Which configuration meets this requirement?
Answer: C
Explanation:
QUESTION NO: 78
A user wants to establish an FTP session to a server behind an SRX device but must authenticate
to a Web page on the SRX device for additional authentication. Which type of user authentication
is configured?
A. pass-through
B. WebAuth
C. WebAuth with Web redirect
D. pass-through with Web redirect
Answer: B
Explanation: Web authentication is valid for all types of traffic. With Web authentication
configured, users must first directly access the Junos security platform using HTTP. The user
enters the address or hostname of the device into a Web browser and then receives a prompt for
a username and password. If authentication is successful, the user can then access the restricted
resource directly. Subsequent traffic from the same source IP address is automatically allowed
access to the restricted resource, as long as security policy allows for it.
QUESTION NO: 79
Answer: C
QUESTION NO: 80
A network administrator receives complaints from the engineering group that an application on one
server is not working properly. After further investigation, the administrator determines that source
NAT translation is using a different source address after a random number of flows. Which two
actions can the administrator take to force the server to use one address? (Choose two.)
Answer: B,D
Explanation:
QUESTION NO: 81
A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes
Answer: B
Explanation:
QUESTION NO: 82
Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose
two.)
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using
the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for
Answer: A,B
Explanation:
QUESTION NO: 83
You are required to configure a SCREEN option that enables IP source route option detection.
Which two configurations meet this requirement? (Choose two.)
QUESTION NO: 84
What are three configuration objects used to build Junos IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects
Answer: A,C,E
Explanation:
QUESTION NO: 85
Answer: A,C
Explanation:
QUESTION NO: 86
A. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the
ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the
packet.
Answer: C
Explanation:
QUESTION NO: 87
[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to
2.1.1.1. On which port is the IKE SA established?
Answer: D
Explanation:
QUESTION NO: 88
What are two valid reasons for the output shown in the exhibit? (Choose two.)
Answer: B,C
Explanation:
QUESTION NO: 89
A. 0
B. 1
C. 4
D. 8
Answer: B
Explanation:
QUESTION NO: 90
Which three features are part of the branch SRX series UTM suite? (Choose three.)
A. antispam
B. antivirus
C. IPS
D. application firewalling
E. Web filtering
Answer: A,B,E
Explanation:
QUESTION NO: 91
What are two TCP flag settings that are considered suspicious? (Choose two.)
Answer: B,D
Explanation:
QUESTION NO: 92
The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web
filtering is being used?
Answer: A
Explanation:
QUESTION NO: 93
Which two statements are true regarding redundancy groups? (Choose two.)
A. When priority settings are equal and the members participating in a cluster are initialized at the
same time, the primary role for redundancy group 0 is assigned to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during
a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is
enabled.
Answer: A,C
Explanation:
QUESTION NO: 94
What are two components of the Junos software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes
Answer: B,C
Explanation:
QUESTION NO: 95
Which IDP policy action closes the connection and sends an RST packet to both the client and the
server?
A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session
Answer: C
QUESTION NO: 96
A. Install the license key and all UTM features will be enabled for the life of the product.
B. Install one license key per feature and the license key will be enabled for the life of the product.
C. Install one UTM license key, which will activate all UTM features; the license will need to be
renewed when it expires.
D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they
expire.
Answer: D
Explanation:
QUESTION NO: 97
You have configured a UTM profile called Block-Spam, which has the appropriate antispam
configuration to block undesired spam e-mails. Which configuration would protect an SMTP server
in the dmz zone from spam originating in the untrust zone?
A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-
services utm-policy Block-Spam
B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-
services utm-policy Block-Spam
C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-
services anti-spam-policy Block-Spam
D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-
services Block-Spam
Answer: B
Explanation:
QUESTION NO: 98
Which two statements about the use of SCREEN options are correct? (Choose two.)
Answer: A,B
Explanation:
QUESTION NO: 99
Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with
the device on ge-0/0/0.0?
A. RIP
B. OSPF
C. BGP and RIP
D. RIP and PIM
Answer: A
Which two statements about static NAT are true? (Choose two.)
Answer: B,D
Explanation:
Topic 2, Volume B
Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device
has been properly configured with antispam inspection enabled for the appropriate security policy?
(Choose three.)
A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.
B. The server sending the e-mail to the SRX Series device is running unknown SMTP server
software.
C. The server sending the e-mail to the SRX Series device is on an IP address range that is
known to be dynamically assigned.
D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.
Answer: A,C,E
Explanation:
Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?
Answer: B
Explanation:
A. system
B. security
C. default
D. functional
Answer: B
Explanation:
Which two statements are true for a security policy? (Choose two.)
Answer: A,B
Explanation:
Which CLI command provides a summary of what the content-filtering engine has blocked?
Answer: A
Explanation:
You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit.
What is the problem?
A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm,
or pre-shared key does not match.
B. There is no route for 2.2.2.2.
C. There is no IKE definition in the configuration for peer 2.2.2.2.
D. system services ike is not enabled on the interface with IP 1.1.1.2.
Answer: C
Explanation:
A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com
Answer: B
Explanation:
Answer: D
Explanation:
A network administrator repeatedly receives support calls about network issues. After investigating
the issues, the administrator finds that the source NAT pool is running out of addresses. To be
notified that the pool is close to exhaustion, what should the administrator configure?
A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.
B. Use a trap-group with a category of services under the SNMP stanza.
C. Use an external script that will run a show command on the SRX Series device to see when the
pool is close to exhaustion.
D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.
Answer: A
Explanation:
Which two statements are true when describing the capabilities of integrated Web filtering on
branch SRX Series devices? (Choose two.)
A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.
B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow
different policies to be enforced for different users.
Answer: C,D
Explanation:
Which command is needed to change this policy to a tunnel policy for a policy-based VPN?
Answer: D
Explanation:
Which two statements describe the difference between Junos software for security platforms and a
traditional router? (Choose two.)
A. Junos software for security platforms supports NAT and PAT; a traditional router does not
support NAT or PAT.
B. Junos software for security platforms does not forward traffic by default; a traditional router
forwards traffic by default.
C. Junos software for security platforms uses session-based forwarding; a traditional router uses
packet-based forwarding.
D. Junos software for security platforms performs route lookup for every packet; a traditional router
Answer: B,C
Explanation:
Using a policy with the policy-rematch flag enabled, what happens to the existing and new
sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to
carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another policy.
The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are
completed or their timeout is reached.
Answer: A
Explanation:
Answer: A,C
Explanation:
A. The NAT action of off is only supported for destination NAT rule-sets.
Answer: C
Explanation:
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that
zone. From the [edit] hierarchy, which command do you use to configure this assignment?
Answer: C
Explanation:
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host
B. These connections are the only communication between Host A and Host B. The security policy
configuration permits both connections. How many sessions exist between Host A and Host B?
A. 1
B. 2
C. 3
D. 4
Answer: B
Explanation:
A network administrator receives complaints that the application voicecube is timing out after
being idle for 30 minutes. Referring to the exhibit, what is a resolution?
A. [edit]
user@host# set applications application voicecube inactivity-timeout never
B. [edit]
user@host# set applications application voicecube inactivity-timeout 2
C. [edit]
user@host# set applications application voicecube destination-port 5060
D. [edit]
user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never
Answer: A
Explanation:
Which parameters are valid SCREEN options for combating operating system probes?
Answer: C
Explanation:
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to
be the primary node for this redundancy group. You need to verify that the redundancy group
failover is successful. Which command do you use to manually test the failover?
Answer: D
Explanation:
The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web
filtering on the branch SRX device is fully executed within the device itself?
Answer: D
Explanation:
Answer: C
Explanation:
A. The SurfControl server in the cloud provides the SRX device with the category of the URL as
well as the reputation of the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
C. The SurfControl server in the cloud provides the SRX device with only the reputation of the
URL.
D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny
the URL.
Answer: B
Explanation:
Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
Answer: D
Explanation:
Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user authentication, the user must first open a
connection to the Junos security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a
connection to the Junos security platform before connecting to a remote network resource.
C. If a Junos security device is configured for pass-through firewall user authentication, new
sessions are automatically intercepted to perform authentication.
D. If a Junos security device is configured for Web firewall user authentication, new sessions are
automatically intercepted to perform authentication.
Answer: B,C
Explanation:
You want to create a security policy allowing traffic from any host in the Trust zone to
hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this policy?
Answer: D
Explanation:
Which three types of content filtering are supported only for HTTP? (Choose three.)
A. block Flash
B. block Java applets
C. block ActiveX
D. block EXE files
E. block MIME type
Answer: B,C,D
Explanation:
A. protocol
B. source-address
C. port
D. application
E. attacks
Answer: B,D,E
Explanation:
Which two statements are true regarding the system-default security policy [edit security policies
default-policy]? (Choose two.)
Answer: C,D
Answer: B
Explanation:
Which three functions are provided by the Junos OS for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Which three options represent IDP policy match conditions? (Choose three.)
A. service
B. to-zone
C. attacks
D. port
E. destination-address
Answer: B,C,E
Explanation:
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP?
(Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,B,C
Explanation:
Which three actions can a branch SRX Series device perform on a spam e-mail message?
(Choose three.)
Answer: A,B,E
Explanation:
What are three different integrated UTM components available on the branch SRX Series
devices? (Choose three.)
Answer: A,C,D
Explanation:
You want to test a configured screen value prior to deploying. Which statement will allow you to
accomplish this?
Answer: B
Explanation:
Which three contexts can be used as matching conditions in a source NAT configuration? (Choose
three.)
A. routing-instance
B. zone
C. interface
D. policy
E. rule-set
Answer: A,B,C
Explanation:
Which command shows the event and traceoptions file for chassis clusters?
Answer: C
Explanation:
Answer: A
Explanation:
Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address
and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an
HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your
device. You must use NAT to make the Web server reachable from the Internet using port
translation. Which type of NAT must you configure?
Answer: D
Explanation:
Which two types of attacks are considered to be denial of service? (Choose two.)
Answer: B,D
Explanation:
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum
virus coverage for network traffic?
A. express AV
B. full AV
C. desktop AV
D. ICAP
Answer: B
Explanation:
Which two statements are true about the Websense redirect Web filter solution? (Choose two.)
A. The Websense redirect Web filter solution does not require a license on the SRX device.
B. The Websense server provides the SRX device with a category for the URL and the SRX
device then matches the category with its configured polices and decides to permit or deny the
URL.
C. The Websense server provides the SRX device with a decision as to whether the SRX device
permits or denies the URL.
D. When the Websense server does not know the category of the URL, it sends a request back to
the SRX device to validate against the integrated SurfControl server in the cloud.
Answer: A,C
Explanation:
Referring to the exhibit, which statement contains the correct gateway parameters?
Answer: B
Explanation:
Antispam can be leveraged with which two features on a branch SRX Series device to provide
maximum protection from malicious e-mail content? (Choose two.)
Answer: B,C
Explanation:
Content filtering enables traffic to be permitted or blocked based on inspection of which three
types of content? (Choose three.)
A. MIME pattern
B. file extension
C. IP spoofing
D. POP3
Answer: A,B,E
Explanation:
What are three valid Juniper Networks IPS attack object types? (Choose three.)
A. signature
B. anomaly
C. trojan
D. virus
E. chain
Answer: A,B,E
Explanation:
Answer: A,C
Explanation:
Answer: D
Explanation:
A. IOC
B. PIM
C. RE
D. SPC
Answer: C
Explanation:
Which two packet attributes contribute to the identification of a session? (Choose two.)
A. destination port
B. TTL
C. IP options
D. protocol number
Answer: A,D
Explanation:
Which interface is used for RTO synchronization and forwarding traffic between the devices in a
cluster?
A. the st interface
B. the reth interface
C. the fxp1 and fxp0 interfaces
Answer: D
Explanation:
In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from
the match condition of the policy My Traffic. What will happen to the existing FTP and BGP
sessions?
Answer: B
Explanation:
Given the configuration shown in the exhibit, which configuration object would be used to
associate both Nancy and Walter with firewall user authentication within a security policy?
A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter
Answer: A
Explanation:
Which two statements are true about pool-based source NAT? (Choose two.)
What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can
decompress for the HTTP protocol?
A. 1
B. 4
C. 8
D. 16
Answer: B
Explanation:
The same Web site is visited for the second time using a branch SRX Series Services Gateway
configured with Surf Control integrated Web filtering. Which statement is true?
A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl
server provides the SRX with a category of the URL.
B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl
server asks the SRX device to permit the URL as it has been previously visited.
C. The SRX device looks at its local cache to find the category of the URL.
D. The SRX device does not perform any Web filtering operation as the Web site has already
been visited.
Answer: C
Explanation:
To determine whether a particular file has a virus by only inspecting a few initial packets before
receiving the entire file, which UTM feature do you enable?
Answer: B
Explanation:
A. destination NAT
B. forwarding lookup
C. route lookup
D. SCREEN options
Answer: D
Explanation:
Which statement describes the behavior of source NAT with address shifting?
A. Source NAT with address shifting translates both the source IP address and the source port of
a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP
address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same
translated IP address.
D. Source NAT with address shifting allows inbound connections to be initiated to the static source
pool IP addresses.
Answer: B
Explanation:
Which two statements are true about IPsec traffic? (Choose two.)
Answer: A,C
Explanation:
You must configure a SCREEN option that will protect your router from a session table flood.
Answer: D
Explanation:
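Added example, not from the exam page: a SCREEN profile that covers the session-table flood question above (SYN flood limits plus per-source/per-destination session caps), the IP source-route option, and the test-before-drop workflow. The screen name, zone name and every threshold are assumptions for a small branch; tune them to a measured baseline.

```junos
# Added example (assumed names: untrust-screen, zone untrust; thresholds are placeholders).
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip spoofing
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen icmp ip-sweep threshold 5000
set security screen ids-option untrust-screen tcp port-scan threshold 5000

# SYN flood protection: start proxying once attack-threshold SYNs/second hit one
# destination address and port; per-source and per-destination limits cap
# half-open entries so the session table cannot be exhausted.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20

# Hard caps on concurrent sessions in the session table per source and per destination.
set security screen ids-option untrust-screen limit-session source-ip-based 256
set security screen ids-option untrust-screen limit-session destination-ip-based 4096

# Test first: count and log matches without dropping anything.
set security screen ids-option untrust-screen alarm-without-drop
set security zones security-zone untrust screen untrust-screen
commit

# Watch the counters for a while, then remove the test flag to enforce.
run show security screen statistics zone untrust
run show security screen ids-option untrust-screen
delete security screen ids-option untrust-screen alarm-without-drop
commit
```

The screen is attached to a zone, so it applies to every interface in that zone; it is evaluated on the first packet of a flow, before the session lookup and security policy.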
Which two statements are true regarding high-availability chassis clustering? (Choose two.)
Answer: A,D
Explanation:
Answer: D
Explanation:
Under which configuration hierarchy is an access profile configured for firewall user
A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]
Answer: A
Explanation:
Which two statements are true about juniper-express-engine (express AV)? (Choose two.)
Answer: A,C
Explanation:
Answer: A,B
Explanation:
Which three statements are true when working with high-availability clusters? (Choose three.)
Answer: C,D,E
Explanation:
Answer: D
Explanation:
Answer: B
Explanation:
Answer: A
Explanation:
A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com
Answer: B
Explanation:
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS?
(Choose two.)
A. protocol list
B. MIME
C. block list
D. extension
Answer: B,D
Explanation:
Which three are necessary for antispam to function properly on a branch SRX Series device?
(Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
Answer: A,B,D
Explanation:
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to
be the primary node for this redundancy group. You need to verify that the redundancy group
failover is successful.
Answer: D
Explanation:
Which two statements about static NAT are true? (Choose two.)
Answer: B,D
Explanation:
Answer: A
Explanation:
A. DPD
B. VPN monitor
C. perfect forward secrecy
D. NHTB
Answer: B
In which two cases would you consider the TCP flag settings to be suspicious? (Choose two.)
Answer: B,D
Explanation:
Which operational mode command displays all active IKE phase 2 security associations?
Answer: D
Explanation:
A. deny
B. allow
C. permit
D. reject
E. discard
Answer: A,C,D
Explanation:
Which URL database do branch SRX Series devices use when leveraging local Web filtering?
A. The SRX Series device will download the database from an online repository to locally inspect
HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web
filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web
filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local
Answer: D
Explanation:
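Added example, not from the exam page: local Web filtering, where the administrator supplies the URL list and the action and no external Websense/SurfControl server or license is involved. The URL patterns, category names, profile name and zone names are assumptions; the UTM policy only runs for traffic a security policy hands to it.

```junos
# Added example (assumed names: url-patterns, categories, profile local-wf, policy branch-utm).
set security utm custom-objects url-pattern blocked-sites value http://www.news.com/asia/japan
set security utm custom-objects url-pattern blocked-sites value www.badsite.example
set security utm custom-objects url-pattern allowed-sites value www.example.com
set security utm custom-objects custom-url-category block-list value blocked-sites
set security utm custom-objects custom-url-category allow-list value allowed-sites

# juniper-local: decisions are made from the categories above, nothing leaves the box.
set security utm feature-profile web-filtering type juniper-local
set security utm feature-profile web-filtering juniper-local profile local-wf default permit
set security utm feature-profile web-filtering juniper-local profile local-wf category block-list action block
set security utm feature-profile web-filtering juniper-local profile local-wf category allow-list action permit
set security utm feature-profile web-filtering juniper-local profile local-wf custom-block-message "Blocked by local web filter"

# Bind the feature profile into a UTM policy for HTTP.
set security utm utm-policy branch-utm web-filtering http-profile local-wf

# The security policy must permit the traffic and reference the UTM policy.
set security policies from-zone trust to-zone untrust policy web-out match source-address any
set security policies from-zone trust to-zone untrust policy web-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-out match application junos-http
set security policies from-zone trust to-zone untrust policy web-out then permit application-services utm-policy branch-utm
commit

run show security utm web-filtering status
run show security utm web-filtering statistics
```

A URL that matches neither custom category falls through to the profile's `default` action, so set it to `block` rather than `permit` if the list is meant to be an allow-list.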
Your task is to provision the Junos security platform to permit transit packets from the Private zone
to the External zone and send them through the IPsec VPN. You must also have the device
generate a log message when the session ends.
Answer: C
Explanation:
Which two statements are true for a security policy? (Choose two.)
Answer: A,B
Explanation:
Which command would you use to enable chassis clustering on an SRX device, setting the cluster
ID to 1 and node to 0?
Answer: C
Explanation:
Which three advanced permit actions within security policies are valid? (Choose three.)
Answer: A,C,E
Explanation:
A. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the
ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the
Answer: C
Explanation:
You are required to configure a SCREEN option that enables IP source route option detection.
Answer: A,B
Which two statements are true about route-based VPNs? (Choose two.)
Answer: A,D
Explanation:
Answer: C
Explanation:
Topic 3, Volume C
Which two traffic types trigger pass-through firewall user authentication? (Choose two.)
A. SSH
B. ICMP
C. Telnet
Answer: C,D
Explanation:
How does the antivirus feature operate once the antivirus license has expired?
Answer: C
Explanation:
What are two valid match conditions for source NAT? (Choose two.)
A. port range
B. source port
C. source address
D. destination address
Answer: C,D
Explanation:
Which two configuration elements are required for a policy-based VPN? (Choose two.)
A. IKE gateway
B. secure tunnel interface
C. security policy to permit the IKE traffic
D. security policy referencing the IPsec VPN tunnel
Which two statements are true for both express antivirus and full file-based antivirus? (Choose
two.)
Answer: B,D
Explanation:
Answer: A
Explanation:
A. zones
B. policies
C. address book
D. NAT configuration
Answer: A
Answer: B
Explanation:
Answer: C
Explanation:
What are two rulebase types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt
Answer: A,D
Explanation:
Answer: A
Explanation:
-- Exhibit --
Default 0 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 758 0
-- Exhibit --
Which two statements are true about the output shown in the exhibit on the branch SRX device?
(Choose two.)
Answer: B,C
Explanation:
-- Exhibit --
user@host# show
policy two {
    match {
        source-address subnet_a;
        destination-address host_b;
    }
    then {
        reject;
    }
}
policy one {
    match {
        source-address host_a;
        destination-address subnet_b;
        application any;
    }
    then {
        permit;
    }
}
-- Exhibit --
Given the configuration shown in the exhibit, which two statements are true about traffic from
host_a to host_b (Choose two.)?
Answer: B,D
Explanation:
Review Below:
user@host# show
pool A {
    address 10.1.10.5/32;
}
rule-set 1 {
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}
Answer: C
Explanation:
Answer: D
Explanation:
A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.
B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy
flood.
C. DoS attacks are directed at the network protection devices, while propagation attacks are
directed at the servers.
D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take
control of the devices.
Answer: D
Explanation:
[edit schedulers]
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
thursday {
}}
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}
A. The policy will always permit transit packets and use the IPsec VPN myTunnel.
B. The policy will permit transit packets only on Monday, and use the IPsec VPN Mytunnel.
C. The policy will permit transit packets and use the IPsec VPN myTunnel all day Monday and
Wednesday 7am to 6pm, and Thursday 7am to 6pm.
D. The policy will always permit transit packets, but will only use the IPsec VPN myTunnel all day
Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.
Answer: C
Explanation:
Which two statements are true regarding proxy ARP? (Choose two.)
Answer: B,D
Explanation:
Answer: A
Explanation:
A traditional router is better suited than a firewall device for which function?
A. VPN establishment
B. packet-based forwarding
C. stateful packet processing
D. Network Address Translation
Answer: B
Explanation:
Which three functions are provided by JUNOS Software for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Answer: A,D,E
Explanation:
Which two functions of JUNOS Software are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Answer: A,D
Explanation:
A. IP protocol
B. IP time-to-live
C. source and destination IP address
D. source and destination MAC address
E. source and destination TCP/UDP port
Answer: A,C,E
Explanation:
By default, which condition would cause a session to be removed from the session table?
Answer: D
Explanation:
Answer: C
Explanation:
Answer: B,C
Explanation:
Answer: A,D
Explanation:
Which two configuration options must be present for IPv4 transit traffic to pass between the ge-
0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)
A. family inet
B. a security zone
C. a routing instance
D. host-inbound-traffic
Answer: A,B
Explanation:
A. null zone
B. trust zone
C. untrust zone
D. management zone
A. transit zone
B. default zone
C. security zone
D. functional zone
Answer: C
Explanation:
Which two steps are performed when configuring a zone? (Choose two.)
Answer: B,D
Explanation:
You want to allow all hosts on interface ge-0/0/0.0 to be able to ping the device's ge- 0/0/0.0 IP
address.
A. [edit interfaces]
B. [edit security zones]
C. [edit system services]
Answer: B
Explanation:
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that
zone.
From the [edit] hierarchy, which command do you use to configure this assignment?
Answer: C
Explanation:
You are not able to telnet to the interface IP address of your device from a PC on the same
subnet.
Answer: D
Explanation:
Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?
Answer: D
Explanation:
Based on the exhibit, client PC 192.168.10.10 cannot ping 1.1.1.2. Which is a potential cause for
this problem?
Answer: C
Explanation:
user@host# show
host-inbound-traffic {
    system-services {
        ssh;
        https;
    }
}
interfaces {
    ge-0/0/0.0;
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-0/0/2.0 {
        host-inbound-traffic {
            system-services {
                ping;
                ftp;
            }
        }
    }
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                all;
                ssh {
                    except;
                }
            }
        }
    }
}
A. ge-0/0/0.0
B. ge-0/0/1.0
C. ge-0/0/2.0
D. ge-0/0/3.0
Answer: A
Explanation:
Answer: C
Explanation:
[edit security]
user@host# show
zones {
    security-zone ZoneA {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
    }
    security-zone ZoneB {
        interfaces {
            ge-0/0/3.0;
        }
    }
}
policies {
    policy A-to-B {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet
connection to the device's ge-0/0/1.0 IP address.
Answer: B
Explanation:
Which two commands can be used to monitor firewall user authentication? (Choose two.)
Answer: B,D
Explanation:
Which two statements regarding external authentication servers for firewall user authentication are
true? (Choose two.)
Answer: B,D
Explanation:
Which two external authentication server types are supported by JUNOS Software for firewall user
authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Answer: A,C
Explanation:
user@host# show
host-inbound-traffic {
    system-services {
        all;
    }
}
interfaces {
    ge-0/0/0.0;
}
Referring to the exhibit, which two traffic types are permitted when the destination is the ge-
0/0/0.0 IP address? (Choose two.)
A. Telnet
B. OSPF
C. ICMP
D. RIP
Answer: A,C
Explanation:
A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance
Answer: B,C,E
Explanation:
An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies.
Which type of an attack does this scenario describe?
A. DoS
B. SYN flood
C. port scanning
D. IP address sweep
Answer: C
Explanation:
Prior to applying SCREEN options to drop traffic, you want to determine how your configuration
will affect traffic.
Answer: D
Explanation:
Which two statements describe the purpose of a security policy? (Choose two.)
Answer: A,B
Explanation:
Exhibit.
user@host# show
policy AllowHTTP {
    match {
        source-address HOSTA;
        destination-address any;
        application junos-ftp;
    }
    then {
        permit;
    }
}
policy AllowHTTP2 {
    match {
        source-address any;
        destination-address HOSTA;
        application junos-http;
    }
    then {
        permit;
    }
}
policy AllowHTTP3 {
    match {
        source-address any;
        application any;
    }
    then {
        permit;
    }
}
A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from
HOSTA and that HOSTA is in zone trust and HOSTB is in zone untrust.
What will happen to the traffic given the configuration in the exhibit?
Answer: B
Explanation:
A. deny
B. discard
C. reject
D. close
Answer: A,C
Explanation:
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
thursday {
}}
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}
A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.
B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.
C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 7:00 am and 6:00 pm, and Thursdays between 7:00 am and 6:00 pm.
D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 6:01 pm and 6:59 am, and Thursdays between 6:01 pm and 6:59 am.
Answer: C
Explanation:
user@host# show
policy two {
    match {
        source-address subnet_a;
        destination-address host_b;
    }
    then {
        reject;
    }
}
policy one {
    match {
        source-address host_a;
        destination-address subnet_b;
        application any;
    }
    then {
        permit;
    }
}
Given the configuration shown in the exhibit, which statement is true about traffic from host_a to
host_b?
Answer: B
Explanation:
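Added example, not from the exam page: the policy-ordering situation in the exhibit above, rebuilt as a committable configuration, then fixed with `insert` rather than with yet another rule, and checked with `show security match-policies`. Zone names, the address values behind host_a/host_b/subnet_a/subnet_b and the ports used in the lookup are assumptions. Junos evaluates policies within a zone pair top-down and stops at the first match, which is why a broad reject listed first swallows the more specific permit below it.

```junos
# Added example (assumed zones trust/untrust and address values).
set security zones security-zone trust address-book address host_a 10.1.1.10/32
set security zones security-zone trust address-book address subnet_a 10.1.1.0/24
set security zones security-zone untrust address-book address host_b 10.2.2.20/32
set security zones security-zone untrust address-book address subnet_b 10.2.2.0/24

# Same order as the exhibit: "two" (reject) is evaluated before "one" (permit),
# so host_a -> host_b is rejected even though "one" would permit it.
set security policies from-zone trust to-zone untrust policy two match source-address subnet_a
set security policies from-zone trust to-zone untrust policy two match destination-address host_b
set security policies from-zone trust to-zone untrust policy two match application any
set security policies from-zone trust to-zone untrust policy two then reject
set security policies from-zone trust to-zone untrust policy one match source-address host_a
set security policies from-zone trust to-zone untrust policy one match destination-address subnet_b
set security policies from-zone trust to-zone untrust policy one match application any
set security policies from-zone trust to-zone untrust policy one then permit

# Put the specific policy above the broad one; the rest of subnet_a stays rejected.
insert security policies from-zone trust to-zone untrust policy one before policy two

# Existing sessions keep their old verdict after a commit unless policy-rematch
# is set, in which case every in-progress session is re-evaluated.
set security policies policy-rematch
commit

# Ask the device which policy a flow would hit, without sending traffic.
run show security match-policies from-zone trust to-zone untrust source-ip 10.1.1.10 destination-ip 10.2.2.20 source-port 40000 destination-port 23 protocol tcp
run show security policies from-zone trust to-zone untrust
```

`show security match-policies` needs the full five-tuple; it reports the first policy that matches, which is the one the flow module would apply.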
A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. The IP addresses being translated must be in the same subnet as the egress interface.
Answer: A
Explanation:
Which two statements are true about pool-based destination NAT? (Choose two.)
Answer: D
Explanation:
Which two statements are true about overflow pools? (Choose two.)
Answer: C,D
Explanation:
Which two are valid for use with the from clause? (Choose two.)
A. security policy
B. interface
C. routing-instance
D. IP address
Answer: B,C
Explanation:
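Added example, not from the exam page: the two NAT cases the questions above describe, side by side. First, destination NAT with port translation for the Web server question (public 71.33.252.17 on ge-0/0/2.0, server 10.20.20.1 listening on TCP 8080); second, source NAT with address shifting, which is a one-to-one mapping with no port translation. Zone names, the private address range, the public pool range and the pool/rule names are assumptions.

```junos
# Added example (assumed zones trust/untrust; pool, rule-set and address names are placeholders).

# --- Destination NAT with port translation: 71.33.252.17:80 -> 10.20.20.1:8080
set security nat destination pool web-8080 address 10.20.20.1/32 port 8080
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule http-in match destination-address 71.33.252.17/32
set security nat destination rule-set from-internet rule http-in match destination-port 80
set security nat destination rule-set from-internet rule http-in then destination-nat pool web-8080

# Destination NAT runs before the policy lookup, so the policy matches the
# translated address and port, not the public ones.
set applications application tcp-8080 protocol tcp destination-port 8080
set security zones security-zone trust address-book address web-server 10.20.20.1/32
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web match application tcp-8080
set security policies from-zone untrust to-zone trust policy allow-web then permit

# --- Source NAT with address shifting: 10.1.1.0/28 maps in order onto
# 71.33.252.100-71.33.252.115 (10.1.1.0 -> .100, 10.1.1.1 -> .101, ...).
# The pool must be at least as large as the original range; ports are untouched.
set security nat source pool shift-pool address 71.33.252.100/32 to 71.33.252.115/32
set security nat source pool shift-pool host-address-base 10.1.1.0/32
set security nat source rule-set lan-out from zone trust
set security nat source rule-set lan-out to zone untrust
set security nat source rule-set lan-out rule shift match source-address 10.1.1.0/28
set security nat source rule-set lan-out rule shift then source-nat pool shift-pool

# Pool addresses in the egress interface's subnet are not owned by any
# interface, so the SRX must answer ARP for them.
set security nat proxy-arp interface ge-0/0/2.0 address 71.33.252.100/32 to 71.33.252.115/32
commit

run show security nat destination rule all
run show security nat source pool all
run show security flow session destination-port 8080
```

Interface-based source NAT (`then source-nat interface`) needs no pool or proxy ARP but always uses PAT; pool-based NAT without `port no-translation` also does, and address shifting is the one mode that guarantees the same translated address for a given host.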
Regarding an IPsec security association (SA), which two statements are true? (Choose two.)
A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.
Answer: A,D
Explanation:
Which operational mode command displays all active IPsec phase 2 security associations?
Two VPN peers are negotiating IKE phase 1 using main mode. Which message pair in the
negotiation contains the phase 1 proposal for the peers?
A. message 1 and 2
B. message 3 and 4
C. message 5 and 6
D. message 7 and 8
Answer: A
Explanation:
A. proxy-ID
B. preshared key
C. Diffie-Hellman group key
D. main or aggressive mode
Answer: A
Explanation:
A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)
Answer: C
Answer: D
Explanation:
Answer: B
Explanation:
Which two configuration elements are required for a route-based VPN? (Choose two.)
Answer: A,C
Explanation:
[edit security]
user@host# show
ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
    }
    gateway remote-ike {
        ike-policy ike-policy1;
        address 172.19.51.170;
        external-interface ge-0/0/3.0;
    }
}
ipsec {
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn remote-vpn {
        ike {
            gateway remote-ike;
            ipsec-policy vpn-policy1;
        }
    }
}
Assuming you want to configure a route-based VPN, which command is required to bind the VPN
to secure tunnel interface st0.0?
Answer: A
Explanation:
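Added example, not from the exam page: the remaining pieces that turn the exhibit above into a working route-based VPN, plus the operational commands that show the phase 1 and phase 2 security associations asked about elsewhere on this page. The st0.0 address, the remote subnet 10.20.0.0/16, the zone names and the pre-shared key are assumptions.

```junos
# Added example (assumed: st0.0 10.255.0.1/30, remote 10.20.0.0/16, zones trust/untrust/vpn, placeholder PSK).
set security ike policy ike-policy1 pre-shared-key ascii-text "replace-with-a-long-random-psk"

# Tunnel interface in its own zone: with a route-based VPN the route, not a
# policy tunnel action, decides what is encrypted.
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set security zones security-zone vpn interfaces st0.0

# Bind the VPN to st0.0 and negotiate immediately instead of waiting for traffic.
set security ipsec vpn remote-vpn bind-interface st0.0
set security ipsec vpn remote-vpn establish-tunnels immediately

# Static route through the tunnel interface.
set routing-options static route 10.20.0.0/16 next-hop st0.0

# IKE (UDP 500) must be accepted on the external interface's zone.
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ike

# Plain permit between the LAN zone and the tunnel zone; log when the session ends.
set security policies from-zone trust to-zone vpn policy to-remote match source-address any
set security policies from-zone trust to-zone vpn policy to-remote match destination-address any
set security policies from-zone trust to-zone vpn policy to-remote match application any
set security policies from-zone trust to-zone vpn policy to-remote then permit
set security policies from-zone trust to-zone vpn policy to-remote then log session-close
commit

# Phase 1 (one bidirectional IKE SA per peer), then phase 2 (one IPsec SA per
# direction, each with its own SPI), then packet counters.
run show security ike security-associations
run show security ipsec security-associations
run show security ipsec statistics
```

If phase 2 is up but traffic does not flow, check the static route and the zone of st0.0 first; a policy-based VPN would instead need `then permit tunnel ipsec-vpn remote-vpn` in the transit policy and no st0 interface at all.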
Answer: D
Explanation:
Answer: A,C,E
Explanation:
You have been tasked with installing two SRX 5600 platforms in a high-availability cluster. Which
requirement must be met for a successful installation?
Answer: C
Explanation:
[edit chassis]
user@host# show
cluster {
    reth-count 3;
    redundancy-group 1 {
        node 0 priority 1;
    }
}
When applying the configuration in the exhibit and initializing a chassis cluster, which statement is
correct?
Answer: D
Explanation:
Answer: D
Explanation:
When devices are in cluster mode, which new interfaces are created?
Answer: C
Explanation:
What are two interfaces created when enabling a chassis cluster? (Choose two.)
A. st0
B. fxp1
C. fab0
D. reth0
Answer: B,C
Explanation:
A. The preempt option determines the primary and secondary roles for redundancy group 0 during
a failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the
same time, the primary role for redundancy group 0 is assigned to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is
enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
Answer: D
Explanation:
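Added example, not from the exam page: bringing up a two-node branch chassis cluster, from the operational `set chassis cluster` command through redundancy groups, a reth interface and a forced failover of redundancy group 1. The revenue ports chosen for the fabric link and the reth members, the host names and the reth address are assumptions; on the second node the ports appear as ge-5/0/x only because that is how a branch SRX numbers node 1.

```junos
# Added example (assumed ports, host names and 192.168.10.1/24 on reth0).

# Operational mode, once per node (node 1 uses "node 1"); both devices reboot.
> set chassis cluster cluster-id 1 node 0 reboot

# After reboot the configuration is shared; node-specific parts go in groups.
set groups node0 system host-name srx-node0
set groups node1 system host-name srx-node1
set apply-groups "${node}"

# Fabric (data) link: carries RTO synchronization and traffic between the nodes.
# fxp1 is the control link and is created automatically.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

# RG0 is the control plane (Routing Engine) and cannot preempt; RG1 owns the reths.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/3 weight 255

# One physical port per node becomes a single redundant Ethernet interface.
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.10.1/24
set security zones security-zone trust interfaces reth0.0
commit

# Verify roles and links, force RG1 to node 1, confirm, then clear the manual failover.
> show chassis cluster status
> show chassis cluster interfaces
> request chassis cluster failover redundancy-group 1 node 1
> show chassis cluster status redundancy-group 1
> request chassis cluster failover reset redundancy-group 1
```

Both nodes must be the same model with the same Junos release; on high-end platforms the SPC, NPC and IOC slot placement must also match. `show chassis cluster status` showing the expected node as primary for RG1 after the `request ... failover` is the check the verification question above is asking for.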
Which IDP policy action drops a packet before it can reach its destination, but does not close the
connection?
A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet
Answer: D
Explanation:
You have been tasked with performing an update to the IDP attack database. Which three
requirements are included as part of this task? (Choose three.)
Answer: A,C,D
Explanation:
You are implementing an IDP policy template from Juniper Networks. Which three steps are
included in this process? (Choose three.)
Answer: A,D,E
Explanation:
A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.
Answer: B
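Added example, not from the exam page: a small IDP policy with both rulebase types, using `drop-packet` (discard the offending packet, keep the session) in the IPS rulebase and an exempt rule for a known false positive, plus the attack-database update and the security-policy hook without which IDP never sees traffic. The policy, rule, zone and address names are assumptions; the predefined attack group exists only after the security package has been installed.

```junos
# Added example (assumed names: branch-ips, web-attacks, scanner, zones untrust/trust, scanner-host).

# 1. Attack database: download, install, then confirm the version.
run request security idp security-package download
run request security idp security-package install
run show security idp security-package-version

# 2. IPS rulebase: match on zone pair, addresses, application and attacks.
set security idp idp-policy branch-ips rulebase-ips rule web-attacks match from-zone untrust
set security idp idp-policy branch-ips rulebase-ips rule web-attacks match to-zone trust
set security idp idp-policy branch-ips rulebase-ips rule web-attacks match source-address any
set security idp idp-policy branch-ips rulebase-ips rule web-attacks match destination-address any
set security idp idp-policy branch-ips rulebase-ips rule web-attacks match application default
set security idp idp-policy branch-ips rulebase-ips rule web-attacks match attacks predefined-attack-groups "HTTP - Critical"
# drop-packet discards the matching packet but does not close the connection;
# drop-connection would tear the session down.
set security idp idp-policy branch-ips rulebase-ips rule web-attacks then action drop-packet
set security idp idp-policy branch-ips rulebase-ips rule web-attacks then notification log-attacks alert

# 3. Exempt rulebase: suppress the same attack group for one trusted scanner.
set security address-book global address scanner-host 10.9.9.9/32
set security idp idp-policy branch-ips rulebase-exempt rule scanner match from-zone any
set security idp idp-policy branch-ips rulebase-exempt rule scanner match to-zone any
set security idp idp-policy branch-ips rulebase-exempt rule scanner match source-address scanner-host
set security idp idp-policy branch-ips rulebase-exempt rule scanner match destination-address any
set security idp idp-policy branch-ips rulebase-exempt rule scanner match attacks predefined-attack-groups "HTTP - Critical"

# 4. Activate, and hand traffic to IDP from a security policy.
set security idp active-policy branch-ips
set security policies from-zone untrust to-zone trust policy web-in match source-address any
set security policies from-zone untrust to-zone trust policy web-in match destination-address any
set security policies from-zone untrust to-zone trust policy web-in match application junos-http
set security policies from-zone untrust to-zone trust policy web-in then permit application-services idp
commit

run show security idp status
run show security idp attack table
```

Only one IDP policy can be active at a time, and IDP is evaluated on traffic the security policy has already permitted; a deny in the policy is never seen by IDP.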
Which two statements are true regarding firewall user authentication? (Choose two.)
A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the
JUNOS security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote
networks.
Answer: A,D
Explanation:
Answer: A
Explanation:
Which two firewall user authentication objects can be referenced in a security policy?
(Choose two.)
A. access profile
B. client group
C. client
Answer: B,C
Explanation:
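Added example, not from the exam page: firewall user authentication with two local users grouped into a client group, one policy using pass-through and one using Web authentication, and the commands to monitor the result. The profile, user, group and zone names, the passwords and the 192.168.10.1/24 address on ge-0/0/0 are assumptions.

```junos
# Added example (assumed: fw-auth-profile, users nancy/walter, group ftp-group, zones trust/untrust).

# Access profile is configured under [edit access]. Both users carry the
# client-group "ftp-group", which is the object a policy's client-match names.
set access profile fw-auth-profile client nancy firewall-user password "Nancy-pw-1"
set access profile fw-auth-profile client nancy client-group ftp-group
set access profile fw-auth-profile client walter firewall-user password "Walter-pw-2"
set access profile fw-auth-profile client walter client-group ftp-group
set access firewall-authentication pass-through default-profile fw-auth-profile
set access firewall-authentication web-authentication default-profile fw-auth-profile

# Pass-through: a new FTP/Telnet/HTTP session to the remote host is intercepted
# and the SRX prompts in-line. Authentication only runs on permitted traffic.
set security policies from-zone trust to-zone untrust policy ftp-auth match source-address any
set security policies from-zone trust to-zone untrust policy ftp-auth match destination-address any
set security policies from-zone trust to-zone untrust policy ftp-auth match application junos-ftp
set security policies from-zone trust to-zone untrust policy ftp-auth then permit firewall-authentication pass-through client-match ftp-group

# Web authentication: the user first browses to an SRX interface address with
# web-authentication enabled; afterwards this policy permits that source
# address without intercepting any session.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.1/24 web-authentication http
set system services web-management http interface ge-0/0/0.0
set security policies from-zone trust to-zone untrust policy web-auth match source-address any
set security policies from-zone trust to-zone untrust policy web-auth match destination-address any
set security policies from-zone trust to-zone untrust policy web-auth match application any
set security policies from-zone trust to-zone untrust policy web-auth then permit firewall-authentication web-authentication client-match ftp-group
commit

# Who is authenticated now, and the success/failure history.
run show security firewall-authentication users
run show security firewall-authentication history
```

To authenticate against RADIUS or LDAP instead of local accounts, keep the same profile and add `authentication-order` and the server definitions under it; the policies do not change.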
A. Virtual Chassis
B. VRRP
C. chassis clustering
D. graceful restart
Answer: C
Explanation: The Junos OS achieves high availability on Junos security platforms using chassis
clustering. Chassis clustering provides network node redundancy by grouping two like devices into
a cluster. The two nodes back each other up with one node acting as the primary and the other as
the secondary node, ensuring the stateful failover of processes and services in the event of
system or hardware failure. A control link between services processing cards (SPCs) or revenue
ports and an Ethernet data link between revenue ports connect two like devices. Junos security
platforms must be the same model, and all SPCs, network processing cards (NPCs), and
input/output cards (IOCs) on high-end platforms must have the same slot placement and hardware
revision.
The chassis clustering feature in the Junos OS is built on the high availability methodology of
Juniper Networks M Series and T Series platforms and the TX Matrix platform, including
multichassis clustering, active-passive Routing Engines (REs), active-active Packet Forwarding
Engines (PFEs), and graceful RE switchover capability.
A. a set of rules that controls traffic from a specified source to a specified destination using a
specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks
What is a zone?
A. a set of rules that controls traffic from a specified source to a specified destination using a
specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks
Answer: B
Explanation:
A zone is a collection of one or more network segments sharing identical security requirements.
To group network segments within a zone, you must assign logical interfaces from the device to a
zone.
Answer: C
Explanation: Historically, the NAT concept was born because of the shortage of public IPv4
addresses. Many organizations moved to deploy so-called private addresses using the IPv4
private addressing space, as identified in RFC 1918. These addresses include the following
ranges:
Which statement correctly describes the default state of a high-end SRX Series Services
Gateway?
Answer: D
Explanation:
Which Junos security feature helps protect against spam, viruses, trojans, and malware?
Answer: D
Explanation: The major features of Unified Threat Management (UTM);
A branch office network in today’s market significantly contributes to the bottom line and is central
to an organization’s success. Branch offices normally include a relatively smaller number of
computing resources when compared to central facilities or headquarters locations. Branch offices
When the first packet in a new flow is received, which high-end SRX component is responsible for
setting up the flow?
A. Routing Engine
B. I/O card
C. network processing card
D. services processing card
Answer: D
Explanation:
Which three elements are contained in a session-close log message? (Choose three.)
A. source IP address
B. DSCP value
C. number of packets transferred
D. policy name
E. MAC address
Answer: A,C,D
Explanation:
Which card performs flow lookup on incoming packets on high-end SRX Series devices?
Answer: A
Explanation:
How is the control plane separated from the data plane on branch SRX Series devices?
Answer: B
Explanation:
Which three parameters does the Junos OS attempt to match against during session lookup?
(Choose three.)
A. session token
B. ingress interface
C. protocol number
D. source port number
E. egress interface
Answer: A,C,D
Explanation:
You have packet loss on an IPsec VPN using the default maximum transmission unit (MTU) where
the packets have the DF-bit (do not fragment) set.
Answer: B
Explanation:
The branch SRX Series Services Gateways implement the data plane on which two components?
(Choose two.)
A. IOCs
B. SPCs
C. CPU cores
D. PIMs
Answer: C,D
Explanation:
Which configuration must be completed to use both packet-based and session-based forwarding
on a branch SRX Series Services Gateway?
A. A stateless firewall filter must be used on the ingress interface to match traffic to be processed
as session based.
B. A security policy rule must be used on the ingress interface to match traffic to be processed as
session based.
C. A global security policy rule must be used on the ingress interface to match traffic to be
processed as packet based.
D. A stateless firewall filter must be used on the ingress interface to match traffic to be processed
as packet based.
Answer: D
Explanation:
Which branch SRX Series Services Gateway model has a hardware-based, modular Routing
Engine?
A. SRX1400
B. SRX650
C. SRX110
D. SRX240
Answer: B
Explanation:
Topic 4, Volume D
Answer: B,D
Explanation:
Answer: B
Explanation:
Which two statements are true when configuring security zones? (Choose two.)
Answer: A,C
Explanation:
A. null zone
B. system zone
C. Junos host zone
D. functional zone
Answer: A,C
Explanation:
Answer: C
Explanation:
Answer: B,C
Explanation:
Which two parameters are configurable under the [edit security zones security-zone zoneA]
stanza? (Choose two.)
Answer: A,C
Explanation:
A. all
B. any-ipv6
C. any-ipv4
D. all-ipv4
Answer: B,C
Explanation:
A. 172.16.3.11/29
B. 172.16.0.0/16
C. 172.16.3.11/32
D. 172.16.3.11/24
Answer: B,C
Explanation:
You want to show interface-specific zone information and statistics. Which operational command
would be used to accomplish this?
Answer: D
Explanation:
Which two statements are correct regarding the security policy parameter policy-rematch?
(Choose two.)
Answer: B,C
Explanation:
An engineer has just created a single policy allowing ping traffic from a host in the Users zone to a
server in the Servers zone.
When the host pings the server, what will happen to the return traffic?
A. The return traffic will match the session and will be permitted.
B. The return traffic will match the new policy and will be permitted.
C. The return traffic will not be permitted; it will need a separate policy.
D. The return traffic will not be permitted; it will match the system default policy.
Answer: A
Explanation:
Following a recent security audit, you find that users are able to ping between the untrust zone
and the trust zone, which is contrary to your organization's current security policy. On examination
of the current security policies, you find no policies that would allow these connections.
What are two reasons why users would be able to ping between these zones? (Choose two.)
Answer: A,C
Explanation:
You must create a security policy for a custom application that requires a longer session timeout
than the default application offers.
A. Set the timeout value in the security forwarding-options section of the CLI.
B. Set the timeout value for the application in the security zone configuration.
Answer: C,D
Explanation:
You need to build a scheduler to apply to a policy that will allow traffic from Monday to Friday only.
What will accomplish this task?
A. [edit schedulers]
user@host# show
scheduler no-weekends {
daily all-day;
sunday exclude;
saturday exclude;
}
B. [edit schedulers]
user@host# show
scheduler no-weekends {
daily except weekends;
}
C. [edit schedulers]
user@host# show
scheduler no-weekends {
daily;
sunday exclude;
saturday exclude;
}
D. [edit schedulers]
user@host# show
scheduler no-weekends {
weekday all-day;
}
Answer: A
Explanation:
You are asked to change the behavior of the system-default policy from the default setting on an
SRX Series device.
Answer: A
Explanation:
You have just added the policy deny-host-a to prevent traffic from Host A that was previously
allowed by the policy permit-all. After committing the changes, you notice that all traffic, including
traffic from Host A, is still allowed.
Which configuration statement will prevent traffic from Host A, while still allowing other hosts to
send traffic?
Answer: D
Explanation:
Answer: C
Explanation:
You want to enable local logging for security policies and have the log information stored in a
separate file on a branch SRX Series device.
Answer: A
You want to authenticate users accessing an internal FTP server using the SRX Series Services
Gateway. You also want to use an internal LDAP server as the authentication server.
Answer: B
Explanation:
Which two settings in the options field of an IP header will Junos Screen options block? (Choose
two.)
A. traceroute
B. record route option
C. timestamp option
D. MTU probe
Answer: B,C
Explanation:
Which two statements are true about the SYN cookie Junos Screen option? (Choose two.)
A. The SYN cookie mechanism is stateless; therefore, the initial three-way handshake can
complete before a session table entry is completed.
B. The SRX device will implement the SYN cookie mechanism on all connections once SYN
Answer: A,C
Explanation:
Which three actions should be used when initially implementing Junos Screen options? (Choose
three.)
Answer: B,C,E
Explanation:
At which step in the packet flow are Junos Screen checks applied?
Answer: B
Explanation:
You need to apply the Junos Screen protect-zone to the public zone.
Answer: A
Explanation:
You need to implement Junos Screen options to protect traffic coming through the ge-0/0/0 and
ge-0/0/1 interfaces which are located in the trust and DMZ zones, respectively.
Answer: A
Explanation:
While reviewing the logs on your SRX240 device, you notice SYN floods coming from multiple
hosts out on the Internet.
Which Junos Screen option would protect against these denial-of-service (DoS) attacks?
Answer: A
Explanation:
You want to protect against attacks on interfaces in ZoneA. You create a Junos Screen option
called no-flood and commit the configuration. In the weeks that follow, the Screen does not appear
to be working; whenever you enter the command show security screen statistics zone ZoneA, all
counters show 0.
Answer: B
Explanation:
While reviewing the logs on your SRX240 device, you notice SYN floods coming from a host out
on the Internet towards several hosts on your trusted network.
Which Junos Screen option would protect against these denial-of-service (DoS) attacks?
Answer: C
Explanation:
During packet flow on an SRX Series device, which two processes occur before route lookup?
(Choose two.)
A. static NAT
B. destination NAT
C. source NAT
D. reverse static NAT
Answer: A,B
Explanation:
A. destination NAT using a pool outside the IP network of the device's interface
B. source NAT using the device's egress interface
C. source NAT using a pool in the same IP network as the device's interface
D. source NAT using a pool outside the IP network of the device's interface
Answer: C
Explanation:
Which three elements are used for matching the traffic direction in the from and to statements?
(Choose three.)
A. routing instance
B. zone
C. source address
D. destination address
E. interface
You have just configured source NAT with a pool of addresses within the same subnet as the
egress interface.
What else must be configured to make the addresses in the pool usable?
A. static NAT
B. destination NAT
C. address persistence
D. proxy ARP
Answer: D
Explanation:
You have just changed a NAT rule and committed the change.
A. Affected sessions remain active and are not updated until the sessions restart.
B. Affected sessions are torn down and are re-initiated as soon as the SRX device receives
matching traffic.
C. Affected sessions are torn down and are immediately re-initiated.
D. Affected sessions are dynamically updated with the configuration change.
Answer: B
Explanation:
Which configuration allows direct access to the 10.10.10.0/24 network without NAT, but uses NAT
for all other traffic from the untrust zone to the egress interface?
Answer: C
Explanation:
Answer: A,C
Explanation:
What are two valid symmetric encryption key types? (Choose two.)
A. DES
B. RSA
C. AES
D. DSA
Answer: A,C
Explanation:
Which two are negotiated during Phase 2 of an IPsec VPN tunnel establishment? (Choose two.)
A. security protocol
B. VPN monitor interval
C. UDP port number
D. proxy IDs
Answer: A,D
Explanation:
Which three algorithms are used by an SRX Series device to validate the integrity of the data
exchanged through an IPsec VPN? (Choose three.)
A. 3DES
B. MD5
C. NHTB
D. SHA1
Answer: B,D,E
Explanation:
You are asked to implement the hashing algorithm that uses the most bits in the calculation on
your Junos security device.
A. SHA-512
B. SHA-256
C. MD5-Plus
D. MD5
Answer: B
Explanation:
You are asked to establish an IPsec VPN to a remote device whose IP address is dynamically
assigned by the ISP.
A. passive
B. aggressive
C. main
D. quick
Answer: B
Explanation:
Which three Diffie-Hellman groups are supported during IKE Phase 1 by the Junos OS? (Choose
A. 1
B. 2
C. 3
D. 4
E. 5
Answer: A,B,E
Explanation:
Answer: A,D
Explanation:
You are asked to establish an IPsec VPN between two sites. The remote device has been
preconfigured.
Which two parameters must be identical to the remote device's parameters when designing the
local IKE proposal? (Choose two.)
A. security protocol
B. Diffie-Hellman group
C. encryption algorithm
D. Perfect Forward Secrecy keys
Answer: B,C
Explanation:
Which two statements are correct about IPsec security associations? (Choose two.)
Answer: B,C
Explanation:
You are deploying a branch site which connects to two hub locations over an IPsec VPN. The
branch SRX Series device should send all traffic to the first hub unless it is unreachable and
should then direct traffic to the second hub. You must use static routes to send traffic towards the
hub site.
Which two technologies should you use to fail over from a primary to a secondary tunnel in less
than 60 seconds? (Choose two.)
Answer: B,D
Explanation:
Which two statements are correct regarding reth interfaces? (Choose two.)
Answer: B,C
Which two statements are correct about establishing a chassis cluster with IPv6? (Choose two.)
Answer: B,D
Explanation:
You are asked to set up a chassis cluster between your SRX Series devices. You must ensure
that the solution provides both dual redundant links per node and node redundancy.
A. aggregated Ethernet
B. redundant Ethernet
C. aggregated Ethernet LAG
D. redundant Ethernet LAG
Answer: D
Explanation:
A. jumbo frames
B. filters
C. fragmentation
D. policies
You are asked to establish a chassis cluster between two SRX Series devices. You must ensure
that end-to-end connectivity is monitored and that the redundancy group will fail over to the other
node if the remote device becomes unreachable.
Answer: D
Explanation:
When using chassis clustering, which link is responsible for configuration synchronization?
A. fxp0
B. fxp1
C. fab0
D. fab1
Answer: B
Explanation:
Redundant Ethernet interfaces (reths) have a virtual MAC address based on which two attributes?
(Choose two.)
Answer: A,D
Explanation:
You are asked to establish a chassis cluster between two branch SRX Series devices. You must
ensure that no single point of failure exists.
Answer: A
Explanation:
Which two statements are correct regarding the cluster ID? (Choose two.)
A. You can have up to 15 unique cluster IDs on a single chassis cluster device.
B. The cluster ID value of 0 indicates that this is the primary chassis cluster on this device.
C. The cluster ID is used to calculate the reth interface's virtual MAC addresses.
D. You must reboot both nodes if you change the cluster ID value.
Answer: C,D
Explanation:
Answer: D
Explanation:
When using chassis clustering, which action is taken by the Junos OS if the control link or the
fabric link suffers a loss of keepalives or heartbeat messages?
Answer: C
Explanation:
You are configuring the SRX Series Services Gateway in chassis cluster mode.
What is a valid way to configure Redundancy Groups (RGs) 1 and 2 for active/active redundancy?
Answer: A
Explanation:
A. The previous primary node moves to the secondary-hold state because an issue occurred
during failover. It stays in that state until the issue is resolved.
B. The previous primary node moves to the secondary-hold state and stays there until manually
reset, after which it moves to the secondary state.
C. The previous primary node moves to the secondary-hold state and stays there until the hold-
down interval expires, after which it moves to the secondary state.
D. The previous primary node moves to the secondary-hold state and stays there until manually
failed back to the primary node.
Answer: C
Explanation:
Which three Unified Threat Management features require a license? (Choose three.)
A. antivirus
B. SurfControl Web filtering
C. Websense Web filtering
D. content filtering
E. antispam
Answer: A,B,E
Explanation:
Which global UTM configuration parameter contains lists, such as MIME patterns, filename
extensions, and URL patterns, that can be used across all UTM features?
A. custom objects
B. feature profile
C. UTM policy
D. address sets
Your SRX Series device is configured so that all inbound traffic from the Internet is examined by
the UTM content filtering feature.
As inbound traffic arrives at the SRX device, which packet processing component is responsible
for sending the packets for UTM processing?
A. zone
B. security policy
C. Junos Screen options
D. forwarding lookup
Answer: B
Explanation:
Answer: B,D,E
Explanation:
Answer: B,C
Explanation:
Which antivirus protection feature uses the first several packets of a file to determine if the file
contains malicious code?
A. express scanning
B. intelligent prescreening
C. full file-based
D. Kaspersky
Answer: B
Explanation:
Which antivirus protection feature uses virus patterns and a malware database that are located on
external servers?
A. full file-based
B. Kaspersky
C. Sophos
D. express scan
Answer: C
Explanation:
You have implemented integrated SurfControl Web filtering on an SRX Series device. You have
also created a whitelist and a blacklist on the SRX device. One particular Web site matches all
three: the whitelist, the blacklist, and the SurfControl policy.
Answer: A
Explanation:
You have deployed enhanced Web filtering on an SRX Series device. A user requests a URL that
is not in the URL filtering cache.
What happens?
A. The request is permitted immediately but the SRX device then requests the category from the
configured server and caches the response for use with subsequent requests.
B. The request is blocked immediately but the SRX device then requests the category from the
configured server and caches the response for use with subsequent requests.
C. The SRX device requests the category from the configured server. Once the response is
received, the SRX device processes the request against the policy based on the information
received and caches the response.
D. The SRX device will either permit or deny the request immediately depending on the
configuration in the UTM policy. The SRX device then requests the category from the central
server and caches the response for use with subsequent requests.
Answer: C
Explanation:
You are configuring a blacklist for Web filtering on a branch SRX Series device.
A. http://www.company.com/*
Answer: B,D
Explanation:
Which two criteria does the enhanced Web filtering solution use to make decisions? (Choose two.)
A. site reputation
B. keyword in the document
C. results of antivirus scan
D. category
Answer: A,D
Explanation:
-- Exhibit --
[edit interfaces]
ge-0/0/1 {
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }
}
[edit vlans]
vlan-id 3;
l3-interface vlan.0;
-- Exhibit --
Referring to the exhibit, you need to allow ping traffic into interface ge-0/0/1.
Answer: D
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which two services are allowed on the ge-0/0/2.0 interface? (Choose two.)
A. Ping
B. DNS
C. Telnet
D. SSH
Answer: B,C
Explanation:
-- Exhibit --
user@host# show
policy allow-management {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
user@host# show
host-inbound-traffic {
protocols {
interfaces {
ge-0/0/0.0;
-- Exhibit --
Referring to the exhibit, you want to be able to manage your SRX Series device from the Internet
using SSH. You have created a security policy to allow the traffic to flow into the SRX device.
A. Define the junos-host zone and add the SSH service to it.
B. Add the SSH service to the untrust zone.
C. Define the junos-host zone, add the SSH service and the loopback interface to it.
D. Rewrite the security policy to allow SSH traffic from the untrust zone to the global zone.
Answer: B
Explanation:
-- Exhibit --
security {
    policies {
        policy hosts-allow {
            match {
                source-address hosts;
                destination-address any;
            }
            then {
                permit;
            }
            scheduler-name block-hosts;
        }
        policy allow {
            match {
                source-address any;
                destination-address any;
                application junos-http;
            }
            then {
                permit;
            }
        }
        policy deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
}
schedulers {
    scheduler block-hosts {
        daily {
-- Exhibit --
Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet
during specific times. You notice that hosts are still accessing the Internet during times outside of
the scheduler's parameters.
Answer: A
Explanation:
-- Exhibit --
security {
    policies {
        policy allow-all {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
        policy allow-hosts {
            match {
                source-address hosts;
                destination-address any;
                application junos-http;
            }
            then {
                permit;
            }
            scheduler-name block-hosts;
        }
        policy deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
}
schedulers {
    scheduler block-hosts {
        daily {
-- Exhibit --
Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet
during specific times. You notice that hosts are unable to access the Internet.
Answer: D
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which policy will allow traffic from Host 1, Host 2, and Host 3 to the
Internet?
Answer: A
Explanation:
-- Exhibit --
user@host# show
policy internet-access {
    match {
        source-address any;
        application any;
    }
    then {
        permit;
    }
}
policy clean-up {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
    }
}
-- Exhibit --
You want to permit access to the Internet from the hr zone during a specified time.
A. Configure a scheduler, apply it to a new policy, and insert it after internet-access to permit
Internet access.
B. Configure a scheduler and apply it to the policy internet-access to deny Internet access.
C. Configure a scheduler and apply it to the policy internet-access to permit Internet access.
D. Configure a scheduler, apply it to a new policy, and insert it before internet-access to permit
Answer: C
Explanation:
-- Exhibit --
-- Exhibit --
You are asked to configure a hub-and-spoke VPN. All the VPN components have been
configured, and you are able to ping the remote tunnel interfaces at Site 1 and Site 2 from the Hub
site as shown in the exhibit. The Hub site's external interface is in security zone untrust and the
st0 interfaces from each site are in security zone DMZ. Users in Site 2 are unable to connect to a
Web server in Site 1.
Which additional step is required at the hub site for users to access the Web server?
Answer: C
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, you need to allow FTP traffic from the Internet to the FTP server in the
Trust zone. You have built a custom application so that you can modify the timeout value for FTP
sessions and have configured a policy to allow FTP traffic from Untrust to Trust, but the traffic still
does not flow. The current status of the FTP ALG is disabled.
A. The FTP ALG has not been enabled in the security policy.
B. The FTP ALG has not been enabled in the security zones.
C. The FTP ALG has been disabled on the device.
D. The FTP ALG has not been set in the custom application definition.
Answer: C
Explanation:
-- Exhibit --
-- Exhibit --
A server in the DMZ of your company is under attack. The attacker is opening a large number of
TCP connections to your server which causes resource utilization problems on the server. All of
the connections from the attacker appear to be coming from a single IP address.
Referring to the exhibit, which Junos Screen option should you enable to limit the effects of the
attack while allowing legitimate traffic?
A. Apply the Junos Screen option limit-session source-based-ip to the Untrust security zone.
B. Apply the Junos Screen option limit-session source-based-ip to the DMZ security zone.
C. Apply the Junos Screen option limit-session destination-based-ip to the Untrust security zone.
D. Apply the Junos Screen option limit-session destination-based-ip to the DMZ security zone.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, you want to use source NAT to translate the Web server's IP address to
the IP address of ge-0/0/2.
Which source NAT type accomplishes this task and always performs PAT?
Answer: C
Explanation:
-- Exhibit --
In: 2.3.4.5/5000 --> 10.1.2.3/22;tcp, If: fe-0/0/6.0, Pkts: 88444, Bytes: 7009392
Out: 10.1.2.3/22 --> 10.1.1.1/5000;tcp, If: .local..0, Pkts: 81672, Bytes: 6749337
-- Exhibit --
Answer: C
Explanation:
-- Exhibit --
user@srx# show
pool A {
    address {
        172.16.52.94/32;
    }
}
rule-set 1A {
    to zone untrust;
    match {
        source-address 192.168.233.0/24;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}
-- Exhibit --
Referring to the exhibit, which two statements are true? (Choose two.)
A. PAT is enabled.
B. PAT is disabled.
C. Address persistence is enabled.
D. Address persistence is disabled.
Answer: A,D
Explanation:
-- Exhibit --
address {
    68.183.13.0/24;
}
rule-set trust-to-untrust {
    to zone untrust;
    rule pool-nat {
        match {
            source-address 10.10.10.1/24;
        }
        then {
            source-nat {
                pool {
                    pool-one;
                }
            }
        }
    }
    rule no-nat {
        match {
            destination-address 192.150.2.140/32;
        }
        then {
            source-nat {
                off;
            }
        }
    }
}
-- Exhibit --
You have implemented source NAT using a source pool for address translation. However, traffic
destined for 192.150.2.140 should not have NAT applied to it. The configuration shown in the
exhibit is not working correctly.
Answer: A
Explanation:
-- Exhibit --
-- Exhibit --
Answer: A
Explanation:
-- Exhibit --
user@host# show
pool snat-pool {
    address {
        10.10.10.10/32;
        10.10.10.11/32;
    }
}
rule-set user-nat {
    to zone untrust;
    rule snat {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
-- Exhibit --
Your network management station has generated an alarm regarding NAT utilization based on an
SNMP trap received from an SRX Series device.
A. The network management station will require manual intervention to clear the alarm.
B. Once utilization is below 40 percent, the Junos OS will send an SNMP trap to the network
management station to clear the alarm.
C. Once utilization is below 50 percent, the Junos OS will send an SNMP trap to the network
management station to clear the alarm.
D. Once utilization is below 80 percent, the Junos OS will send an SNMP trap to the network
management station to clear the alarm.
Answer: B
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which three statements are correct? (Choose three.)
-- Exhibit --
-- Exhibit --
You are troubleshooting an IPsec VPN connection between a local SRX Series device using IP
address 192.168.1.100 and a remote SRX device using IP address 192.168.2.100. A VPN
connection cannot be established. Referring to the exhibit, you examine the kmd log file.
Answer: B
Explanation:
-- Exhibit --
Referring to the exhibit, which statement is correct about the IPsec configuration?
Answer: A
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which statement is correct about the IPsec configuration?
Answer: C
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, you are setting up the hub in a hub-and-spoke IPsec VPN. You have
verified that all configured parameters are correct at all sites, but your IPsec VPN is not
establishing to both sites.
Answer: D
Explanation:
-- Exhibit --
security {
    ike {
        policy IKE-STANDARD {
            mode aggressive;
            proposal-set standard;
        }
        gateway GW-HUB {
            ike-policy IKE-STANDARD;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy IPSEC-STANDARD {
            proposal-set standard;
        }
        bind-interface st0.0;
        ike {
            gateway GW-HUB;
            ipsec-policy IPSEC-STANDARD;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            system-services {
                ping;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
-- Exhibit --
You are implementing a new route-based IPsec VPN on an SRX Series device and the tunnel will
not establish.
Answer: B
Explanation:
-- Exhibit --
Applications: any
Action: permit
-- Exhibit --
You have created an IPsec VPN on an SRX Series device. You believe the tunnel is configured
A. Only one IKE tunnel exists so there is no path for return IKE traffic. You need to allow IKE
inbound on interface ge-0/0/0.0.
B. Because there are no IPsec security associations, the problem is in the IPsec proposal settings.
C. The static route created to reach the remote host is incorrect.
D. The VPN settings are correct, the traffic is being blocked by a security policy.
Answer: C
Explanation:
-- Exhibit --
Virtual-system: root
Version: IKEv1
DF-bit: clear
, VPN Monitoring: -
-- Exhibit --
What are two conclusions about the VPN tunnel from the output? (Choose two.)
Answer: B,C
Explanation:
-- Exhibit --
-- Exhibit --
Server A is communicating with Server B directly over the Internet. The servers now must begin
exchanging additional information through an unencrypted protocol. To protect this new data
exchange, you want to establish a VPN tunnel between the two sites that will encrypt just the
unencrypted data while leaving the existing communications directly over the Internet.
A. Configure a route-based VPN and use filter-based forwarding to direct traffic into the VPN
tunnel.
B. Configure a route-based VPN tunnel with traffic engineering to direct traffic into the VPN tunnel.
C. Configure a policy-based VPN with a security policy that matches the unencrypted traffic and
directs it into the VPN tunnel.
D. Configure a policy-based VPN tunnel and use filter-based forwarding to direct the unencrypted
traffic into interface st0.0.
Answer: C
Explanation:
-- Exhibit --
'unit 0'
-- Exhibit --
Referring to the exhibit, you have built a chassis cluster, set up a reth, and put interfaces into the
reth. However, when you try to commit the configuration, you receive the error shown in the
exhibit.
Answer: C
Explanation:
-- Exhibit --
Referring to the exhibit, failover to Node 0 occurred for Redundancy Group 2 because of an
interface failure. The interface has since been restored, but Node 0 is still the primary node for
Redundancy Group 2.
Which two actions will restore Node 1 as the primary node for Redundancy Group 2? (Choose
two.)
Answer: C,D
Explanation:
-- Exhibit --
reth-count 2;
redundancy-group 1 {
interface-monitor {
-- Exhibit --
Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is
currently the primary node. You want to ensure that traffic using those interfaces fails over to Node
1 if one interface goes down.
Answer: B
Explanation:
-- Exhibit --
reth-count 2;
redundancy-group 1 {
interface-monitor {
-- Exhibit --
Referring to the exhibit, you have two SRX Series devices in a chassis cluster, and Node 0 is
currently the primary node. You want to ensure that traffic, using those interfaces, fails over to
Node 1 when all interfaces go down.
Answer: D
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, with Node 0 as primary for Redundancy Group (RG) 1, which action will
the Junos OS chassis cluster take if interface ge-1/0/0 goes down?
Answer: A
Explanation:
-- Exhibit --
-- Exhibit --
You have configured antispam on your SRX Series device as shown in the exhibit.
Assuming the antispam profile has been properly applied, what happens when an e-mail message
arrives at the SRX device from bob@domain-xyz.net at IP address 150.10.10.10?
Answer: B
Explanation:
-- Exhibit --
-- Exhibit --
You have configured antispam on your SRX Series device as shown in the exhibit.
Assuming the antispam profile has been properly applied, what happens when an e-mail message
arrives at the SRX device from mary@domain-abc.net at IP address 150.150.150.10?
Answer: A
Explanation:
-- Exhibit --
-- Exhibit --
Referring to the exhibit, you have just committed the UTM configuration.
Answer: D
Explanation:
-- Exhibit --
user@host# show
profile profileA {
    block-content-type {
        exe;
        zip;
    }
    notification-options {
        type message;
    }
}
-- Exhibit --
Your SRX Series device includes the content filtering configuration shown in the exhibit.
Assuming the content filtering profile has been properly applied, what happens when a user
attempts to send a zip file through the SRX device using FTP?
Answer: D
Explanation:
-- Exhibit --
user@host# show
custom-objects {
    url-pattern {
        permit {
            value http://www.domain-abc.net;
        }
        deny {
            value http://www.domain-abc.net/movies;
        }
    }
    custom-url-category {
        whitelist {
            value permit;
        }
        blacklist {
            value deny;
        }
    }
}
feature-profile {
    web-filtering {
        url-whitelist whitelist;
        type juniper-local;
        juniper-local {
            profile profileA {
                default block;
            }
        }
    }
}
-- Exhibit --
Your SRX Series device includes the Web filtering configuration shown in the exhibit.
Assuming the Web filtering profile has been properly applied, what happens when a user attempts
to access the Web site www.juniper.net through the SRX device?
A. The HTTP request is blocked and the user's Web browser eventually times out.
B. The HTTP request is blocked and a message is sent back to the user.
C. The HTTP request is intercepted and the URL is sent to the Websense server. The SRX device
permits or blocks the request based on the information it receives back from the server.
D. The HTTP request is permitted and forwarded to the Web server.
Answer: B
Explanation:
A. Routers
Answer: B
Explanation:
Referring to the exhibit, which two statements are correct? (Choose two.)
screen untrust-screen;
host-inbound-traffic {
    system-services {
        ssh;
        ping;
    }
}
interfaces {
    ge-0/0/1.0;
    ge-0/0/3.0 {
        host-inbound-traffic {
            protocols {
                ospf;
            }
        }
    }
}
Answer: A,C
Explanation:
Answer: C
Explanation:
You want to configure a security policy that allows traffic to a particular host.
Which step must you perform before committing a configuration with the policy?
Answer: C
Explanation:
Which three match criteria must each security policy include? (Choose three.)
A. source address
B. source port
C. destination address
D. destination port
E. application
Answer: A,C,E
Explanation:
Which three IP option fields can an attacker exploit to cause problems in a network? (Choose
three.)
Answer: A,B,D
Explanation:
Which statement is true about implementing IP spoofing protection as a Junos Screen option?
A. It ensures that the active route to the source has the same egress interface as the ingress
interface for the packet.
B. It ensures that a route, active or not, to the source exists with the same egress interface as the
ingress interface of the packet.
C. It ensures that the active route to the source has the same egress zone as the ingress zone for
the packet.
D. It ensures that a route, active or not, to the source exists with the same egress zone as the
ingress zone for the packet.
Answer: A
Explanation:
A PC in the trust zone is trying to ping a host in the untrust zone. Referring to the exhibit, which
type of NAT is configured?
A. source NAT
B. destination NAT
Answer: A
Explanation:
Answer: D
Explanation:
Answer: C
Explanation:
Answer: B
Explanation:
Referring to the exhibit, which two statements are correct about the IPsec configuration? (Choose two.)
Answer: B,C
Explanation:
Which three components can be downloaded and installed directly from Juniper Networks update
server to an SRX Series device? (Choose three.)
A. signature package
B. PCRE package
C. detector engine
D. policy templates
E. dynamic attack detection package
Answer: A,C,D
Explanation:
You have a chassis cluster established between two SRX Series devices. You are monitoring the
status of the cluster and notice that some redundancy groups show disabled.
Answer: B,C
Explanation:
Referring to the exhibit, you see that Node 0 is currently primary for Redundancy Group 0. You
have not yet configured any chassis cluster parameters. You want to ensure that Node 1 is always
the primary node for this redundancy group if both nodes reboot at the same time.
cluster ID: 1
Node0 1 primary no no
Node1 1 secondary no no
Answer: E
Explanation:
Referring to the exhibit, you have just committed the UTM antivirus configuration. You notice that
the SRX Series device shows that Kaspersky scanning is being used instead of express scanning.
What must you do to resolve this problem?
Answer: A
Explanation:
Which type of logging is supported for UTM logging to an external syslog server on branch SRX
Series devices?
A. binary syslog
B. CHARGEN
C. WELF (structured) syslog
D. standard (unstructured) syslog
Answer: C
Explanation:
To which depth of compressed (Zip) files can the Junos full antivirus feature scan?
A. 1 layer of compression
B. 2 layers of compression
C. 3 layers of compression
D. 4 layers of compression
Answer: D
Which two statements describe full file-based antivirus protection? (Choose two.)
Answer: A,D
Explanation: