actualtests.juniper.jn0 520.exam.q.and.a.09.12.06

Upload: adnan-kunic

Post on 04-Jun-2018


    8/13/2019 ActualTests.juniper.jn0 520.Exam.Q.and.a.09.12.06

    Exam: JN0-520

    Title: Juniper Networks Certified Internet Associate, FWV

    Ver: 09.12.2006


    JN0-520

    Actualtests.com - The Power of Knowing

    QUESTION 1:

    Exhibit

    What does this icon indicate?
    A. Logging is enabled on a policy
    B. Counting is enabled on a policy
    C. Scheduling is enabled on a policy
    D. Authentication is enabled on policy
    E. Address translation is enabled on a policy

    Answer: A

    Explanation:

    QUESTION 2:

    What CLI command puts you into the policy configuration sub-mode, allowing you to add additional entries to the source, destination and/or service fields?
    A. set policy id x
    B. set multiple id x
    C. set policy id x multiple
    D. set policy from trust to untrust 10.10.10.0; 10.10.11.0 any any permit

    Answer: A

    Explanation: Every policy has an ID number, whether you define one or the NetScreen device automatically assigns it. You can only define an ID number for a policy through the set policy command in the CLI: set policy id number ... After you know the ID number, you can enter the policy context to issue further commands to modify the policy. For example:
    Netscreen-> set policy id 1
    Netscreen(policy:1)-> set src-address host2

    QUESTION 3:

    Exhibit

    In order for this policy to be effective, what order should the policy statements be in? The number refers to the Policy ID shown in the diagram.
    A. 1 2 3 4 5
    B. 3 4 2 5 1
    C. 4 5 3 2 1
    D. 5 2 1 3 4
    E. 5 3 1 2 4

    Answer: B

    Explanation: The NetScreen device checks all attempts to traverse the firewall against policies, beginning with the first one listed in the policy set for the appropriate list and moving through the list. Because the NetScreen device applies the action specified in the first matching policy in the list, you must arrange them from the most specific to the most general. Policy ID 3 is the most specific policy because the Src-address and Dst-address have a subnet mask of 32, so there is only one IP address for the source and one IP address for the destination.
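The ordering rule in this explanation (first match wins, so narrower policies must precede broader ones) can be checked mechanically. The following Python snippet is an added example and is not part of the exam dump or of ScreenOS; its policy set, addresses and service names are constructed sample data, and it models only source, destination and service (zones, NAT and schedules are left out). It shows how a broad policy shadows later, more specific ones, reorders the set most-specific-first, and reports which policies can never match.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy set, in the order it was "typed in":
# (policy_id, source, destination, service, action).
POLICIES = [
    (1, "10.1.1.0/24", "0.0.0.0/0", "any", "permit"),
    (2, "10.1.1.0/24", "192.168.5.0/24", "http", "deny"),
    (3, "10.1.1.7/32", "192.168.5.9/32", "http", "permit"),
    (4, "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


def first_match(policies, src, dst, service):
    """Top-down evaluation as the explanation describes: the first policy whose
    source, destination and service cover the flow decides. Returns
    (policy_id, action), or None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for pid, psrc, pdst, psvc, action in policies:
        if s in ip_network(psrc) and d in ip_network(pdst) and psvc in ("any", service):
            return pid, action
    return None


def specificity(policy):
    """Score a policy: longer prefixes and a named service make it narrower."""
    _, psrc, pdst, psvc, _ = policy
    return ip_network(psrc).prefixlen + ip_network(pdst).prefixlen + int(psvc != "any")


def order_most_specific_first(policies):
    """Reorder so narrower policies are consulted before broader ones (stable sort,
    so policies with equal scores keep their relative order)."""
    return sorted(policies, key=specificity, reverse=True)


def shadowed(policies):
    """IDs of policies that can never fire because an earlier policy in the list
    covers their entire source, destination and service."""
    hidden = []
    for i, (pid, psrc, pdst, psvc, _) in enumerate(policies):
        for _, qsrc, qdst, qsvc, _ in policies[:i]:
            if (ip_network(psrc).subnet_of(ip_network(qsrc))
                    and ip_network(pdst).subnet_of(ip_network(qdst))
                    and qsvc in ("any", psvc)):
                hidden.append(pid)
                break
    return hidden


if __name__ == "__main__":
    print("shadowed as entered:", shadowed(POLICIES))
    ordered = order_most_specific_first(POLICIES)
    print("order after sorting:", [p[0] for p in ordered])
    for flow in (("10.1.1.5", "192.168.5.9", "http"), ("10.1.1.7", "192.168.5.9", "http")):
        print(flow, "as entered ->", first_match(POLICIES, *flow),
              "| reordered ->", first_match(ordered, *flow))
```

As entered, policy 1 (any service from the /24) catches every flow from that subnet, so the deny in policy 2 and the host exception in policy 3 are dead entries; after sorting by specificity the order becomes 3, 2, 1, 4 and each policy is reachable.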

    QUESTION 4:

    Which policy option allows you to view session addresses that have been translated?
    A. Logging
    B. Counters
    C. Schedule
    D. Authentication
    E. Address translation


    Answer: A

    Explanation: When you enable logging in a policy, the NetScreen device logs all connections to which that particular policy applies. You can view the logs through either the WebUI or CLI. Logging is a great feature for troubleshooting policies on your NetScreen device.
    Incorrect Answers:
    B. When you enable counting in a policy, the NetScreen device counts the total number of bytes of traffic to which this policy applies and records the information in historical graphs.
    C. By associating a schedule to a policy, you can determine when the policy is in effect. You can configure schedules on a recurring basis and as a one-time event. Schedules provide a powerful tool in controlling the flow of network traffic and in enforcing network security.
    D. Selecting this option requires the auth user at the source address to authenticate his/her identity by supplying a user name and password before traffic is allowed to traverse the firewall or enter the VPN tunnel. The NetScreen device can use the local database or an external RADIUS, SecurID, or LDAP auth server to perform the authentication check.
    E. NetScreen provides several mechanisms for applying network address translation (NAT). The concept of NAT comprises the translation of the IP address in an IP packet header and, optionally, the translation of the port number in the TCP segment or UDP datagram header. The translation can involve the source address (and optionally the source port number), the destination address (and optionally the destination port number), or a combination of translated elements. However, you are not able to view translated addresses with this option.

    QUESTION 5:

    An Access Policy must contain which three (3) items?

    A. Service
    B. Authentication
    C. Source address
    D. Firewall settings
    E. Action (permit, deny, tunnel)

    Answer: A, C, E

    Explanation: A policy permits, denies, or tunnels specified types of traffic unidirectionally between two points. The type of traffic (or "service"), the location of the two endpoints, and the invoked action compose the basic elements of a policy. Although there can be other components, the required elements, which together constitute the core section of a policy, are as follows:
    Direction - The direction of traffic between two security zones (from a source zone to a destination zone)
    Source address - The address from which traffic initiates
    Destination address - The address to which traffic is sent
    Service - The type of traffic transmitted
    Action - The action that the NetScreen device performs when it receives traffic meeting the first four criteria: deny, permit, reject, or tunnel
    For example, the policy stated in the following CLI command permits FTP traffic from any address in the Trust zone to an FTP server named "server1" in the DMZ zone:
    set policy from trust to untrust any server1 ftp permit
    Direction: from trust to untrust (that is, from the Trust zone to the Untrust zone)
    Source Address: any (that is, any address in the Trust zone. The term "any" stands for a predefined address that applies to any address in a zone)
    Destination Address: server1 (a user-defined address in the Untrust zone address book)
    Service: ftp (File Transfer Protocol)
    Action: permit (the NetScreen device permits this traffic to traverse its firewall)

    QUESTION 6:

    You are trying to remove an address book entry by going to the Address Book -> List display of the Web UI, but you cannot find the remove option. What would cause this problem?
    A. An address book entry can only be deleted from the command line interface. You will need to use the CLI to delete it.
    B. The address book entry is misconfigured. You need to correct the address book entry before it will allow you to delete
    C. You cannot remove an address book entry from this screen. You need to use the delete option found under the management options screen.
    D. The address book entry is being used by a policy. You must delete the policy or remove the address book entry from the policy before it can be deleted.

    Answer: D

    Explanation: Before you can set up many of the NetScreen firewall, VPN, and traffic shaping features, you need to define addresses in one or more address lists. The address list for a security zone contains the IP addresses or domain names of hosts or subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated. After you define an address or an address group and associate it with a policy, you cannot change the address location to another zone (such as from Trust to Untrust). To change its location, you must first disassociate it from the underlying policy. Also keep the following in mind regarding address lists:
    1. When using the CLI, you must create all of your address book entries before you make your policies.
    2. You can modify everything about an address book entry except its zone.
    3. You cannot modify an address object from the CLI; you must first delete it and then recreate it.

    QUESTION 7:

    Address Book entries identify devices such as hosts and networks by their location in relation to:
    A. security zones
    B. existing access policies
    C. an interface on the firewall
    D. a listing of addresses in the ARP table
    E. a reachable network (via the routing table)

    Answer: A

    Explanation: Before you can set up many of the NetScreen firewall, VPN, and traffic shaping features, you need to define addresses in one or more address lists. The address list for a security zone contains the IP addresses or domain names of hosts or subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.

    On a single NetScreen device, you can configure multiple security zones, sectioning the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. On some NetScreen platforms, you can define many security zones, bringing finer granularity to your network security design, and without deploying multiple security appliances to do so. You can identify a security zone because it has an address book and can be referenced in policies.

    QUESTION 8:

    Which are two (2) advanced policy configuration options?
    A. Schedule
    B. Service group
    C. Authentication
    D. Source address
    E. Action (permit, deny, tunnel)

    Answer: A, C

    Explanation:

    Schedule
    A schedule is a configurable object that you can associate with one or more policies to define when they are in effect. Through the application of schedules, you can control network traffic flow and enforce network security. The schedule option can be found under the advanced policy section. When you define a schedule, enter values for the following parameters:
    Schedule Name: The name that appears in the Schedule drop-down list in the Policy Configuration dialog box. Choose a descriptive name to help you identify the schedule. The name must be unique and is limited to 19 characters.
    Comment: Any additional information that you want to add.
    Recurring: Enable this when you want the schedule to repeat on a weekly basis.
    Start and End Times: You must configure both a start time and an end time. You can specify up to two time periods within the same day.
    Once: Enable this when you want the schedule to start and end only once.
    mm/dd/yyyy hh:mm: You must enter both start and stop dates and times.

    Service Group
    Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP. The ScreenOS includes predefined core Internet services. Additionally, you can define custom services. You can define policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted.

    Authentication
    Selecting this option requires the auth user at the source address to authenticate his/her identity by supplying a user name and password before traffic is allowed to traverse the firewall or enter the VPN tunnel. The NetScreen device can use the local database or an external RADIUS, SecurID, or LDAP auth server to perform the authentication check. The authentication options can be found under the advanced policy section. NetScreen provides two authentication schemes:
    Run-time authentication, in which the NetScreen device prompts an auth user to log on when it receives HTTP, FTP or Telnet traffic matching a policy that has authentication enabled
    WebAuth, in which a user must authenticate himself or herself before sending traffic through the NetScreen device

    Source Address
    You can apply source address translation (NAT-src) at the policy level. With NAT-src, you can translate the source address on either incoming or outgoing network and VPN traffic. The new source address can come from either a dynamic IP (DIP) pool or the egress interface. NAT-src also supports source port address translation (PAT).

    Action
    An action is an object that describes what the firewall does to the traffic it receives.
    Deny blocks the packet from traversing the firewall.
    Permit allows the packet to pass the firewall.
    Reject blocks the packet from traversing the firewall. The NetScreen device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP "destination unreachable, port unreachable" message (type 3, code 3) for UDP traffic. For types of traffic other than TCP and UDP, the NetScreen device drops the packet without notifying the source host, which is also what occurs when the action is "deny".
    Tunnel encapsulates outgoing IP packets and decapsulates incoming IP packets. For an IPSec VPN tunnel, specify which VPN tunnel to use. For an L2TP tunnel, specify which L2TP tunnel to use. For L2TP-over-IPSec, specify both an IPSec VPN tunnel and an L2TP tunnel.

    The NetScreen device applies the specified action on traffic that matches the previously presented criteria: zones (source and destination), addresses (source and destination), and service.

    QUESTION 9:

    When adding an Address Book entry in a NetScreen for a range of addresses, which mask can be used?
    A. 0.0.0.255
    B. 192.168.0.0
    C. 255.255.255.224
    D. 255.255.255.255

    Answer: C

    Explanation: The NetScreen ScreenOS classifies the addresses of all other devices by location and netmask. Each zone possesses its own list of addresses and address groups. Individual hosts have only a single IP address defined and therefore must have a netmask setting of 255.255.255.255 (which masks out all but this host). Subnets have an IP address and a netmask (for example, 255.255.255.0 or 255.255.0.0). Before you can configure policies to permit, deny, or tunnel traffic to and from individual hosts and subnets, you must make entries for them in NetScreen address lists, which are organized by zones. You do not have to make address entries for Any. This term automatically applies to all devices physically located within their respective zones.
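To see why only one of the four masks in the question describes a range, the following Python snippet, an added example rather than anything from the exam dump or from ScreenOS, checks whether a dotted quad is a contiguous netmask, distinguishes the host mask from a subnet mask, and computes the address range an address-book entry with that mask would cover. The option values are the ones from the question; the sample address is constructed.

```python
import ipaddress

# The four option values from the question, plus a constructed sample address.
OPTION_MASKS = ["0.0.0.255", "192.168.0.0", "255.255.255.224", "255.255.255.255"]
SAMPLE_ADDRESS = "192.168.0.10"


def mask_to_int(mask):
    """Dotted quad -> 32-bit integer; raises ValueError on malformed input."""
    return int(ipaddress.IPv4Address(mask))


def is_contiguous_mask(mask):
    """True when the mask is a run of 1-bits followed only by 0-bits.
    Inverting the mask leaves the host bits; for a valid mask those form
    0b000..0111..1, so adding one yields a power of two."""
    host_bits = (~mask_to_int(mask)) & 0xFFFFFFFF
    return (host_bits + 1) & host_bits == 0


def classify_mask(mask):
    """'host' for 255.255.255.255, 'subnet' for any other contiguous mask,
    'invalid' for wildcards such as 0.0.0.255 or plain addresses such as 192.168.0.0."""
    if not is_contiguous_mask(mask):
        return "invalid"
    return "host" if mask_to_int(mask) == 0xFFFFFFFF else "subnet"


def address_range(addr, mask):
    """(first, last, count) that an entry addr/mask would cover, or None if
    the mask cannot express a range at all."""
    if not is_contiguous_mask(mask):
        return None
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


if __name__ == "__main__":
    for m in OPTION_MASKS:
        print(f"{m:16} {classify_mask(m):8} {address_range(SAMPLE_ADDRESS, m)}")
```

Only 255.255.255.224 is a contiguous mask shorter than /32, so it is the one option that yields a multi-address range (32 addresses); 255.255.255.255 is the single-host mask the explanation describes, and the other two are not netmasks at all.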

    QUESTION 10:

    What are the possible options available when defining a custom service?
    A. Source IP, Destination IP, and protocol
    B. Source port, Destination port and protocol
    C. Source port range, Destination port range, and protocol
    D. Source IP, Source port range, Destination IP, Destination port range, and protocol

    Answer: C

    Explanation: Instead of using predefined services, you can easily create custom services. You can assign each custom service the following attributes:
    Name
    Transport protocol
    Source and destination port numbers for services using TCP or UDP
    Type and code values for services using ICMP
    Timeout value
    If you create a custom service in a virtual system (vsys) that has the same name as a previously defined custom service in the root system, the service in the vsys takes the default timeout for the specified transport protocol (TCP, UDP, or ICMP). To define a custom timeout for a service in a vsys that is different from the default when a custom service with the same name in the root system has its own timeout, create the custom service in the vsys and root system in the following order:
    * First, create the custom service with a custom timeout in the vsys.
    * Then create another custom service with the same name but a different timeout in the root system.

    QUESTION 11:

    What is the purpose of the 'Permitted IP' address on a NetScreen device?
    A. It defines which range of addresses can access devices connected to the NetScreen
    B. It defines a list of addresses that are trusted to perform management on the NetScreen
    C. It is used in policy rules to determine which user traffic is allowed through the NetScreen
    D. It is the address to which an external device connects in order to gain management access to a NetScreen
    E. It defines a list of devices whose traffic can pass through the NetScreen without being authenticated

    Answer: B

    Explanation: You can administer NetScreen devices from one or multiple addresses of a subnet. By default, any host on the trusted interface can administer a NetScreen device. To restrict this ability to specific workstations, you must configure management client IP addresses.
    Example: Restricting Administration to a Single Workstation
    In this example, the administrator at the workstation with the IP address 172.16.40.42 is the only administrator specified to manage the NetScreen device.
    WebUI
    Configuration > Admin > Permitted IPs: Enter the following, and then click Add:
    IP Address / Netmask: 172.16.40.42/32
    CLI
    set admin manager-ip 172.16.40.42/32
    save
    Note: The assignment of a management client IP address takes effect immediately. If you are managing the device via a network connection and your workstation is not included in the assignment, the NetScreen device immediately terminates your current session and you are no longer able to manage the device from that workstation.

    QUESTION 12:

    When managing a NetScreen device via the WebUI and performing an image upgrade, from which hardware component can the ScreenOS image be loaded?
    A. TFTP server
    B. PC local disk Internal Flash
    C. PCMCIA Card
    D. Compact Flash Card

    Answer: B

    Explanation: You can upgrade or downgrade the ScreenOS in three ways:
    Web User Interface (WebUI)
    Command Line Interface (CLI)
    Boot Loader or ScreenOS Loader
    To use the WebUI, you must have:
    Root or read-write privileges to the NetScreen device
    Network access to the NetScreen device from your computer
    An Internet browser installed on your computer
    The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved locally on your computer)
    To use the CLI, you must have:
    Root or read-write privileges to the NetScreen device
    A console connection or Telnet access to the NetScreen device from your computer
    A TFTP server installed on your computer
    The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved to the TFTP server directory on your computer)
    To upgrade or downgrade through the boot loader, you must have:
    Root or read-write privileges to the NetScreen device
    A TFTP server installed on your computer or on your local network
    An Ethernet connection from your computer to the NetScreen device (to transfer data, namely from the TFTP server on your computer)
    A console connection from your computer to the NetScreen device (to manage the NetScreen device)
    The new ScreenOS firmware saved to the TFTP server directory on your computer

    QUESTION 13:

    Which statement is correct regarding administrator privileges?
    A. Any Administrator can change their privileges on an as-needed basis
    B. Administrator privileges can only be established and changed by the Root Administrator
    C. Administrator privileges can be established and changed by the Root and All-privilege Administrator
    D. Administrator privileges can only be established by the Root and can be changed by the Root and All-privilege Administrator

    Answer: B

    Explanation: NetScreen devices support multiple administrative users. For any configuration changes made by an administrator, the NetScreen device logs the following information:
    The name of the administrator making the change
    The IP address from which the change was made
    The time of the change
    There are several levels of administrative user. The availability of some of these levels depends on the model of your NetScreen device. The following section lists all the admin levels and the privileges for each level. These privileges are only accessible to an admin after he or she successfully logs in with a valid username and password.

    Root Administrator
    The root administrator has complete administrative privileges. There is only one root administrator per NetScreen device. The root administrator has the following privileges:
    Manages the root system of the NetScreen device
    Adds, removes, and manages all other administrators
    Establishes and manages virtual systems, and assigns physical or logical interfaces to them
    Creates, removes, and manages virtual routers (VRs)
    Adds, removes and manages security zones
    Assigns interfaces to security zones
    Performs asset recovery
    Sets the device to FIPS mode
    Resets the device to its default settings
    Updates the firmware
    Loads configuration files
    Clears all active sessions of a specified admin or of all active admins

    Read/Write Administrator
    The read/write administrator has the same privileges as the root administrator, but cannot create, modify, or remove other admin users. The read/write administrator has the following privileges:
    Creates virtual systems and assigns a virtual system administrator for each one
    Monitors any virtual system
    Tracks statistics (a privilege that cannot be delegated to a virtual system administrator)

    Read-Only Administrator
    The read-only administrator has only viewing privileges using the WebUI, and can only issue the get and ping CLI commands. The read-only administrator has the following privileges:
    Read-only privileges in the root system, using the following four commands: enter, exit, get and ping
    Read-only privileges in virtual systems

    Virtual System Administrator
    Some NetScreen devices support virtual systems. Each virtual system (vsys) is a unique security domain, which can be managed by virtual system administrators with privileges that apply only to that vsys. Virtual system administrators independently manage virtual systems through the CLI or WebUI. On each vsys, the virtual system administrator has the following privileges:
    Creates and edits auth, IKE, L2TP, XAuth, and Manual Key users
    Creates and edits services
    Creates and edits policies
    Creates and edits addresses
    Creates and edits VPNs
    Modifies the virtual system administrator login password
    Creates and manages security zones
    Adds and removes virtual system read-only administrators

    Virtual System Read-Only Administrator
    A virtual system read-only administrator has the same set of privileges as a read-only administrator, but only within a specific virtual system. A virtual system read-only administrator has viewing privileges for his particular vsys through the WebUI, and can only issue the enter, exit, get, and ping CLI commands within his vsys.

    QUESTION 14:

    Assuming factory default settings, which statement describes the minimum requirements for WebUI management access?
    A. Connect a PC addressed on the 192.168.1.0 subnet to any interface, open a browser and access 192.168.1.1
    B. Terminate the boot up sequence from the console device, open a browser on the console device and access 192.168.1.1
    C. Connect a PC addressed on the 192.168.1.0 subnet to the lowest numbered interface, open a browser and access 192.168.1.1
    D. Using the CLI, define an IP address on a physical interface, connect a PC to the interface and open a browser to the interface address
    E. Using the CLI, assign an IP address to the VLAN1 interface, connect a PC to any interface and open a browser to the VLAN interface address

    Answer: C

    Explanation: The default IP address for managing the NetScreen-25 device through the Trust zone interface (Ethernet port 1) is 192.68.1.1. This is the IP address that you use to manage the device through a Telnet session or with the WebUI management application. If you do not wish to use this default IP address, you need to assign a new one.

    QUESTION 15:


    Which statement best describes the 'config rollback' feature?
    A. Config rollback must be enabled by an administrator. Once enabled, it allows the administrator to re-apply a previously saved configuration file from Flash
    B. Config rollback is enabled by default; it allows the administrator to re-apply a previously saved configuration file from Flash without rebooting.
    C. Config rollback is enabled by default; it allows the administrator to re-apply a previously saved configuration file from Flash by rebooting and loading a "last known good" configuration.
    D. Config rollback allows the administrator to revert to the prior ScreenOS image in the event an upgrade operation aborts.
    E. Config rollback allows the administrator to revert to the prior ScreenOS image or configuration file in the event an upgrade operation aborts.

    Answer: A

    Explanation: In the event that you load a configuration file that causes problems, such as the failure of the NetScreen device or remote users losing the ability to manage the device, you can perform a configuration rollback to revert to a Last-Known-Good (LKG) configuration file that was saved in flash memory.
    Before performing a configuration rollback, make sure you have a LKG configuration file saved in flash memory so that the NetScreen device can revert to it if errors occur. To check for the LKG file, open the NetScreen CLI and then type the get config rollback command. The filename for a LKG configuration is $lkg$.cfg. If you do not see this file, then it does not exist so you must create it. To save a configuration file to flash as the LKG:
    1. Ensure that the current configuration on the NetScreen device is good.
    2. Save the current configuration to flash memory with the save config to last-known-good command. This command overwrites the existing LKG configuration in flash memory with the current configuration file.
    You can enable the NetScreen device to revert automatically to the LKG configuration or you can perform the rollback manually. The automatic configuration rollback feature enables the NetScreen device to roll back to the LKG configuration if there is a problem with a newly loaded configuration. The automatic configuration rollback feature is disabled by default. Furthermore, it is disabled after every startup, regardless of whether it was enabled or disabled before starting up the device. To enable automatic configuration rollback, use the exec config rollback enable command. To disable the feature, use the exec config rollback disable command. To perform a manual configuration rollback, use the exec config rollback command.

    QUESTION 16:

    In the command "save config from tftp 1.1.7.250 abcd.cfg merge", what function does the 'merge' parameter specify?
    A. The config file from the TFTP server will replace the configuration in RAM
    B. The config file from the TFTP server will replace the startup configuration file in Flash
    C. The `merge` parameter is not valid for TFTP files; it is only valid for configuration files stored in Compact Flash
    D. The config file from the TFTP server will be combined with the configuration file in RAM and the combined result will be saved to Flash
    E. The config file from the TFTP server will be combined with the configuration file in RAM and the startup configuration file will remain unchanged

    Answer: D

    Explanation: Merges the saved configuration with the current configuration to flash. The from interface option specifies the source interface.
    Example: The following command merges the current configuration with the configuration in a file (input.txt) on a TFTP server (IP address 172.16.10.10):
    save config from tftp 172.16.10.10 input.txt merge

    QUESTION 17:

    By default, from which hardware component is the startup copy of the ScreenOS loaded?
    A. ROM
    B. NVRAM
    C. TFTP server
    D. Internal Flash
    E. PCMCIA Card

    Answer: D

    Explanation: Each NetScreen device has a similar design for its internal system components. Long-term storage on the device is kept in flash memory. Flash memory is a non-volatile type of memory that retains information after the system is turned off. Some devices have a Personal Computer Memory Card International Association (PCMCIA) card slot for external storage. This card is still just flash memory, but it is removable; the internal flash is not. All of the component information that NetScreen needs to store is in flash memory, including ScreenOS log files, license keys, attack databases, and virus definitions.
    Each NetScreen device also contains Random Access Memory (RAM). This is a volatile type of memory that is lost whenever the system is powered off or reset. When the NetScreen device powers on, and after the power on self test (POST) is completed, the ScreenOS image is loaded into RAM. After ScreenOS is up and functional, it loads the saved configuration file from flash memory. The configuration that is stored in RAM is called the running configuration. Whenever you make a change to the configuration it is always saved to the running configuration.

    QUESTION 18:

    What is the default mode for an interface in the Trust zone?
    A. NAT
    B. route
    C. Layer 2
    D. Layer 3
    E. transparent

    Answer: A

    Explanation: Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent. If an interface bound to a Layer 3 zone has an IP address, you can define the operational mode for that interface as either NAT or Route. An interface bound to a Layer 2 zone (such as the predefined v1-trust, v1-untrust, and v1-dmz zones, or a user-defined Layer 2 zone) must be in Transparent mode. You select an operational mode when you configure an interface.
    When an ingress interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface. Also, it replaces the source port number with another random port number generated by the NetScreen device. Remember that an interface residing in the Trust zone is in NAT mode by default.
    When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing source NAT (NAT-src); that is, the source address and port number in the IP packet header remain unchanged as it traverses the NetScreen device.


    QUESTION 19:

    What is a virtual router?
    A. A NetScreen device that has been configured for route mode
    B. The interconnection between a NetScreen device and a 3rd party router
    C. The logical separation of one physical NetScreen device into multiple separate route tables
    D. The physical connection between two separate NetScreen devices into a single logical router

    Answer: C

    Explanation: ScreenOS can divide its routing component into two or more virtual routers. A virtual router (VR) supports static routing, dynamic routing protocols and multicast routing protocols, which you can enable simultaneously in one VR. There are two predefined VRs on Juniper Networks NetScreen devices:
    trust-vr, which by default contains all predefined security zones and any user-defined zones
    untrust-vr, which by default does not contain any security zones
    You cannot delete the trust-vr or untrust-vr VRs. On some NetScreen devices, however, you can create and configure additional VRs. You can configure certain parameters for the predefined and custom VRs. Multiple VRs can exist, but trust-vr is the default VR. In the VR table an asterisk (*) designates trust-vr as the default VR in the command line interface (CLI). You can view the VR table with the get vrouter CLI command. To configure zones and interfaces within other VRs, you must specify the VR by name, such as untrust-vr.

    QUESTION 20:

    Exhibit


In order for the 208 to have full reachability to all hosts in the network, how many static routes need to be added?
A. 1
B. 2
C. 3
D. 4
E. 5

    Answer: D

Explanation:
To configure a static route, you need to define the following:
The virtual router in which you are adding the route.
The IP address and netmask of the destination network.
The next hop for the route, which can be either another virtual router on the NetScreen device or a gateway (router) IP address. If you specify another virtual router, make sure that an entry for the destination network exists in the routing table of that virtual router.
The interface through which the routed traffic is forwarded. The interface can be any ScreenOS-supported interface, such as a physical interface (for example, ethernet1/2), or a tunnel interface. You can also specify the Null interface for certain applications.
(Optional) A route metric is used to select the active route when there are multiple routes to the same destination network, all with the same preference value. The default metric for static routes is 1.
(Optional) A route tag is a value that can be used as a filter when redistributing routes. For example, you can choose to import only those routes that contain specified tag values into a virtual router.
(Optional) A preference value for the route. By default, all static routes have the same preference value that is set in the virtual router.
(Optional) Whether the route is to be kept active even if the forwarding interface is down or the IP address is removed from the interface.
In this scenario we must create four static routes to reach each network. The correct config would be:
set route 192.168.20.0/24 interface e2 gateway 192.168.1.254
set route 10.1.10.0/24 interface e1 gateway 10.1.1.254
set route 1.1.70.0/24 interface e7 gateway 143.45.56.254
set route 200.5.5.5/32 interface e8 gateway 192.168.1.254

    QUESTION 21:

What 3 commands below can be used to verify that routing is correctly configured?
A. ping


B. get route
C. trace-route
D. get arp
E. get interface

    Answer: A, B, C

Explanation:
Ping
Use the ping command to check the network connection to another system.
Get Route
The get route command displays: the IP address, netmask, interface, gateway, protocol, preference, metric, and owner vsys. The protocol value can be any of the following:
- C (Connected)
- S (Static)
- A (Auto Exported)
- I (Imported; that is, route imported from another virtual router)
- iB (internal BGP)
- eB (external BGP)
- O (OSPF)
- E1 (OSPF external type 1)
- E2 (OSPF external type 2)
Use the get route command to see if the NetScreen device has a route to the IP address on the correct interface.
Trace-route
Use the trace-route command to display the route to a host.
Get arp
Use the arp commands to create, remove, or list interface entries in the Address Resolution Protocol (ARP) table of the NetScreen device.
Get Interface
Use the interface commands to define or display interface settings for a NetScreen device.
Name: This field identifies the name of the interface.
IP/Netmask: This field identifies the IP address and netmask address of the interface.
Zone: This field identifies the zone to which the interface is bound.
Type: This field indicates the interface type: Layer 2, Layer 3, tunnel, redundant, aggregate, VSI.
Link: This field identifies whether the interface is active (Up) or inactive (Down).
Configure: This field allows you to modify or remove interfaces.

    QUESTION 22:

If the inbound interface is configured for NAT mode, which two (2) will be modified by the NetScreen when traffic travels from the Trust zone to the Untrust zone?
A. Source IP


B. Source Port
C. Destination IP
D. Destination Port

    Answer: A, B

Explanation:
When an ingress interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface. Also, it replaces the source port number with another random port number generated by the NetScreen device.

    QUESTION 23:

    Exhibit

If Certkiller A initiates a Web browsing session with Certkiller B, and the Trust interface of the 5XT is in NAT mode, what could be the source address/port of the packet arriving at host Certkiller B?

A. 10.0.0.5/80
B. 10.0.0.5/1099
C. 10.0.0.1/1024
D. 20.0.0.1/1024
E. 1.1.1.250/1024

    Answer: E

Explanation:
When an ingress interface (10.0.0.1) is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface (1.1.1.250). Also, it replaces the source port number with another random port number generated by the NetScreen device. The port numbers 1 to 1023 are reserved for well-known port numbers, so the next available port number could be 1024.

    QUESTION 24:


    Exhibit

Review the exhibit. What would be the best routing command to allow host Certkiller A to communicate with host Certkiller C? (Assume a route from the 208 to Host Certkiller A's subnet already exists.)
A. set route 0.0.0.0/0 int e 7 gateway 177.11.56.254
B. set route 1.1.70.0 interface e 7 gateway 177.11.56.254
C. configure route 1.1.70.0/24 gateway 177.11.56.254 int e 7
D. set route 1.1.70.0/24 interface e 7 gateway 177.11.56.254

    Answer: D

Explanation:
To configure a static route, you need to define the following:
The virtual router in which you are adding the route.
The IP address and netmask of the destination network.
The next hop for the route, which can be either another virtual router on the NetScreen device or a gateway (router) IP address. If you specify another virtual router, make sure that an entry for the destination network exists in the routing table of that virtual router.
The interface through which the routed traffic is forwarded. The interface can be any ScreenOS-supported interface, such as a physical interface (for example, ethernet1/2), or a tunnel interface. You can also specify the Null interface for certain applications.
(Optional) A route metric is used to select the active route when there are multiple routes to the same destination network, all with the same preference value. The default metric for static routes is 1.
(Optional) A route tag is a value that can be used as a filter when redistributing routes. For example, you can choose to import only those routes that contain specified tag values into a virtual router.


(Optional) A preference value for the route. By default, all static routes have the same preference value that is set in the virtual router.
(Optional) Whether the route is to be kept active even if the forwarding interface is down or the IP address is removed from the interface.

In this scenario we must create four static routes to reach each network. The correct config would be:
set route 192.168.20.0/24 interface e2 gateway 192.168.1.254
set route 10.1.10.0/24 interface e1 gateway 10.1.1.254
set route 1.1.70.0/24 interface e7 gateway 143.45.56.254
set route 200.5.5.5/32 interface e8 gateway 192.168.1.254
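The static-route questions (QUESTION 20 and QUESTION 24) both come down to whether a virtual router's table holds a route for each destination, and which route wins when several match. The following Python model is an added example, not ScreenOS code and not from this exam guide: it parses the four set route commands above into a table, adds constructed connected routes for the subnets the gateways imply, and selects routes by longest prefix, then lowest preference, then lowest metric, as the explanation describes. The default preference of 20 for static routes and the interface subnets are assumptions.

```python
import ipaddress
from typing import List, Optional


class Route:
    """One entry in a virtual router's route table, with the fields the page lists."""

    def __init__(self, prefix, interface, gateway=None, protocol="S",
                 preference=20, metric=1):
        self.network = ipaddress.ip_network(prefix, strict=False)
        self.interface = interface
        self.gateway = gateway          # None for a directly connected route
        self.protocol = protocol        # 'C' connected, 'S' static (as in 'get route')
        self.preference = preference    # assumed default of 20 for static routes
        self.metric = metric            # page: default metric for static routes is 1

    def __repr__(self):
        via = self.gateway or "connected"
        return f"{self.network} via {via} dev {self.interface} [{self.protocol}]"


def parse_set_route(cmd: str) -> Route:
    """Parse 'set route <prefix> interface <if> gateway <ip>' into a Route."""
    tok = cmd.split()
    if tok[:2] != ["set", "route"]:
        raise ValueError(f"not a set route command: {cmd!r}")
    # keyword/value pairs after the prefix, e.g. {'interface': 'e2', 'gateway': '...'}
    kw = dict(zip(tok[3::2], tok[4::2]))
    return Route(tok[2], kw["interface"], kw.get("gateway"))


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by lowest preference, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, r.preference, r.metric))


def unreachable(table: List[Route], hosts: List[str]) -> List[str]:
    """Hosts for which the table has no route at all (what QUESTION 20 asks about)."""
    return [h for h in hosts if lookup(table, h) is None]


# Constructed: the 208's directly connected subnets implied by the gateways used above.
CONNECTED = [
    Route("192.168.1.0/24", "e2", protocol="C", preference=0, metric=0),
    Route("10.1.1.0/24", "e1", protocol="C", preference=0, metric=0),
    Route("143.45.56.0/24", "e7", protocol="C", preference=0, metric=0),
]

# The four static routes given in the explanation above.
STATIC_CMDS = [
    "set route 192.168.20.0/24 interface e2 gateway 192.168.1.254",
    "set route 10.1.10.0/24 interface e1 gateway 10.1.1.254",
    "set route 1.1.70.0/24 interface e7 gateway 143.45.56.254",
    "set route 200.5.5.5/32 interface e8 gateway 192.168.1.254",
]

# Constructed sample hosts, one in each remote network.
TARGET_HOSTS = ["192.168.20.10", "10.1.10.5", "1.1.70.9", "200.5.5.5"]


def build_table() -> List[Route]:
    return CONNECTED + [parse_set_route(c) for c in STATIC_CMDS]


if __name__ == "__main__":
    print("missing before static routes:", unreachable(CONNECTED, TARGET_HOSTS))
    table = build_table()
    for host in TARGET_HOSTS:
        print(host, "->", lookup(table, host))
```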

    QUESTION 25:

    Exhibit

Review the exhibit. Which command generated the output shown?
A. ping
B. get route
C. traceroute
D. get route ip
E. get interface

    Answer: D

Explanation:
Ping
Use the ping command to check the network connection to another system.
Get Route
The get route command displays: the IP address, netmask, interface, gateway, protocol, preference, metric, and owner vsys. The protocol value can be any of the following:
- C (Connected)
- S (Static)
- A (Auto Exported)
- I (Imported; that is, route imported from another virtual router)
- iB (internal BGP)
- eB (external BGP)
- O (OSPF)
- E1 (OSPF external type 1)
- E2 (OSPF external type 2)
Use the get route command to see if the NetScreen device has a route to the IP address on the correct interface.
Trace-route


Use the trace-route command to display the route to a host. In this scenario the IP is 10.1.10.5.
Get Route IP
Displays a specific route for the target IP address (ip_addr).
Get Interface
Use the interface commands to define or display interface settings for a NetScreen device.
Name: This field identifies the name of the interface.
IP/Netmask: This field identifies the IP address and netmask address of the interface.
Zone: This field identifies the zone to which the interface is bound.
Type: This field indicates the interface type: Layer 2, Layer 3, tunnel, redundant, aggregate, VSI.
Link: This field identifies whether the interface is active (Up) or inactive (Down).
Configure: This field allows you to modify or remove interfaces.

    QUESTION 26:

You are creating route-based VPNs on a NS208. When creating your 101st interface, you receive an error message and are prevented from creating additional tunnel interfaces. What would cause this problem?
A. There is a limit of 100 tunnel interfaces per zone
B. There is a limit of 100 tunnel interfaces per NS208
C. There is a limit of 100 tunnel interfaces per virtual router
D. Acquire a license key to increase the number of tunnel interfaces that can be created.

    Answer: B??

Explanation:
The configuration of a NetScreen device for VPN support is particularly flexible. You can create route-based and policy-based VPN tunnels. Additionally, each type of tunnel can use Manual Key or AutoKey IKE to manage the keys used for encryption and authentication.
With policy-based VPN tunnels, a tunnel is treated as an object (or a building block) that together with source, destination, service, and action, comprises a policy that permits VPN traffic. (Actually, the VPN policy action is tunnel, but the action permit is implied, if unstated). In a policy-based VPN configuration, a policy specifically references a VPN tunnel by name.
With route-based VPNs, the policy does not specifically reference a VPN tunnel. Instead, the policy references a destination address. When the NetScreen device does a route lookup to find the interface through which it must send traffic to reach that address, it finds a route via a tunnel interface, which is bound to a specific VPN tunnel. Thus, with a policy-based VPN tunnel, you can consider a tunnel as an element in the construction of a policy. With a route-based VPN tunnel, you can consider a tunnel as a means for delivering traffic, and the policy as a method for either permitting or denying the delivery of that traffic.
The number of policy-based VPN tunnels that you can create is limited by the number of policies that the device supports. The number of route-based VPN tunnels that you create is limited by the number of route entries (4096 for a ns208) or the number of tunnel interfaces that the device


supports (256 for a ns208), whichever number is lower.
A route-based VPN tunnel configuration is a good choice when you want to conserve tunnel resources while setting granular restrictions on VPN traffic. Although you can create numerous policies referencing the same VPN tunnel, each policy creates an individual IPSec security association (SA) with the remote peer, each of which counts as an individual VPN tunnel. With a route-based approach to VPNs, the regulation of traffic is not coupled to the means of its delivery. You can configure dozens of policies to regulate traffic flowing through a single VPN tunnel between two sites, and there is just one IPSec SA at work. Also, a route-based VPN configuration allows you to create policies referencing a destination reached through a VPN tunnel in which the action is deny, unlike a policy-based VPN configuration, in which, as stated earlier, the action must be tunnel, implying permit.

    QUESTION 27:

Tunnel Binding is accomplished during which part of the VPN configuration process?
A. Phase 1
B. Phase 2
C. Route Creation
D. Replay protection
E. Tunnel Interface Creation

    Answer: B

Explanation:
The VPN Tunnel (or AutoKey IKE as it is called in ScreenOS) defines the Phase 2 proposals, how the tunnel is to be bound, proxy IDs, and the IKE Gateway to be associated with the VPN Tunnel.

    QUESTION 28:

Your VPN is failing during Phase 2 communication. You check your local event log and do not see anything to indicate why the failure occurred. What action should be taken to fix the problem?
A. View the event log of the destination gateway
B. Configure the peer-id on your local IKE gateway
C. Delete the remote NetScreen configuration and rebuild it correctly
D. Run Debug on the local NetScreen to view the error output in the log

    Answer: A

Explanation:
In configuring the tunnel interface the administrator selects the zone to which the tunnel interface will be bound and the IP address to use. Which zone to use for the tunnel end-point depends on the company's specific needs. Of course, problems can arise when setting up such a tunnel. Therefore you should check both sides of your tunnel for errors.


    QUESTION 29:

Which is NOT part of the configuration of an IKE Phase 1 gateway?
A. Security Zone
B. Security proposal
C. Peer identification
D. Outgoing interface

    Answer: A

Explanation:
The IKE gateway defines the type of tunnel at the peer location (peer identification), the outgoing interface to use, the Phase 1 proposals to use, and the key-exchange method (security proposal).

    QUESTION 30:

Which item is different when configuring a route-based VPN gateway versus a policy-based VPN gateway?
A. Gateway
B. Security Proposal
C. Outgoing interface
D. Binding a tunnel interface

    Answer: D

    Explanation:

Policy Based
1. A Policy Based VPN is a configuration in which a specific VPN tunnel is referenced in a policy whose action is set as tunnel.
2. When a numbered tunnel interface is in a tunnel zone, you cannot bind a VPN tunnel to the tunnel interface. You can only bind a tunnel to the tunnel zone. This allows multiple tunnel interfaces to link to a single tunnel, or multiple tunnels to link to a single tunnel interface. In such cases, you must create a Policy Based VPN configuration.
3. Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support Policy Based VPN.
Route Based
1. A Route Based VPN is a configuration in which the policy does not reference a specific VPN tunnel. Instead, a VPN tunnel is indirectly referenced by a route that points to a specific tunnel interface. The tunnel interface may be bound to a VPN tunnel or to a tunnel zone.
2. When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a route-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the security zone interface.
3. You can consider a tunnel as a means for delivering traffic between points A and B, and a policy as a method for either permitting or denying the delivery of that traffic. Simply put,


ScreenOS allows you the freedom to separate the regulation of traffic from the means of its delivery.
4. If the tunnel interface does not need to support Policy Based NAT, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface bound to that security zone whose IP address the unnumbered tunnel interface borrows.

    QUESTION 31:

What three (3) are major concerns when sending private data over a public medium?
A. Integrity
B. Authority
C. Capacity
D. Confidentiality
E. Authentication

    Answer: A, D, E

Explanation:
Authentication - Authentication ensures that digital data transmissions are delivered to the intended receiver. Authentication also assures the receiver of the integrity of the message and its source (where or whom it came from). The simplest form of authentication requires a user name and password to gain access to a particular account. Authentication protocols can also be based on encryption, such as DES or 3DES, or on public-key systems using digital signatures.
Integrity - While it is important that your data is encrypted over a public network, it is just as important to verify that it hasn't been changed while in transit. For example, IPSec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
Confidentiality - This is perhaps the most important service provided by any VPN implementation. Since your private data is traveling over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.

    QUESTION 32:

Which is NOT a component of tunnel interface configuration?
A. zone
B. virtual router
C. subnet mask
D. IP addressing

Answer: B

Explanation:
In configuring the tunnel interface the administrator selects the zone to which the tunnel


interface will be bound and the IP address to use. Which zone to use for the tunnel end-point depends on the company's specific needs.

    QUESTION 33:

You are looking at the event log of the responding device and it says
Rejected an initial Phase 1 packet from an unrecognized peer gateway
Which is NOT a likely reason for the failure?
A. Local ID misconfigured
B. Gateway address misconfigured
C. Outgoing Interface misconfigured
D. Security proposals misconfigured

    Answer: D

    Explanation:

According to Juniper's knowledge base there are several possible causes for this:
* This can be an indication that the IKE ID of the NetScreen-Remote client does not match the IKE ID of the Dial Up User configuration on the NetScreen gateway. Resolution: Verify the IKE ID of both the NetScreen-Remote client and the DialUp VPN User, and make sure the two match.
* Peer gateway address misconfigured when configuring the IKE Gateway. Resolution: Correct the gateway address on the remote side.
* Peer ID misconfigured. If the remote end has a dynamic IP address, then the peer ID is misconfigured. Basically, the peer ID that was received in the Phase 1 negotiation does not match the peer ID in the IKE configuration. Resolution: Modify the peer ID on the local device and the local ID on the remote device so they are the same.
* Wrong outgoing interface defined in the IKE Phase 1 gateway. Resolution: Modify the outgoing interface in Phase 1 so it matches the interface that the IKE negotiation will be going out of.

    QUESTION 34:

    Exhibit

Review the exhibit. You need to make a bi-directional VPN between the 5XT and the 208. What gateway address will you configure on the 208 for the VPN?
A. 10.0.0.1
B. 20.0.0.1
C. 1.1.1.250
D. 4.4.4.250

    Answer: C


Explanation:
To configure a bi-directional VPN between the 5XT and the 208, you will need to configure IP 1.1.1.250 as the gateway address for the ns 208 and IP 4.4.4.250 as the gateway address for the 5XT.

    QUESTION 35:

What is the purpose of the sequence number in the ESP or AH header?
A. Provide protection for missing packets that have been encrypted
B. Provide protection from someone trying to replay captured data later in the session
C. Provide protection from hackers changing the sequence number in the layer 4 header
D. Provide protection from someone trying to resequence the packets to try and crash the system

    Answer: B

    Explanation:

IPsec uses two different protocols, AH and ESP, to ensure the authentication, integrity and confidentiality of the communication. It can protect either the entire IP datagram or only the upper-layer protocols. The appropriate modes are called tunnel mode and transport mode. In tunnel mode the IP datagram is fully encapsulated by a new IP datagram using the IPsec protocol. In transport mode only the payload of the IP datagram is handled by the IPsec protocol, inserting the IPsec header between the IP header and the upper-layer protocol header. The 32-bit Sequence Number protects against replay attacks.
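The replay protection the explanation refers to is a receiver-side sliding window over the 32-bit sequence number, checked only after the packet's integrity value verifies so that a forged sequence number cannot move the window. The following Python model is an added example, not ScreenOS code and not from this exam guide; it constructs simplified ESP-style packets (SPI, sequence number, payload, truncated HMAC-SHA-256 ICV, no encryption) and applies a 64-packet anti-replay window in the order a receiver would.

```python
import hashlib
import hmac
import struct


class AntiReplayWindow:
    """Sliding-window replay check for ESP/AH sequence numbers.

    'last' is the highest sequence number accepted so far; bit i of 'bitmap'
    records whether sequence number (last - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        if size < 32 or size % 8:
            raise ValueError("window must be >= 32 and a multiple of 8")
        self.size = size
        self.last = 0
        self.bitmap = 0

    def check_and_update(self, seq: int):
        """Return (accepted, reason) and record the packet if accepted."""
        if seq == 0:
            return False, "seq 0 invalid"       # first packet on an SA is seq 1
        if seq > self.last:
            # Advance the window: old bit i now refers to (new last - (i + shift)).
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True, "new, window advanced"
        diff = self.last - seq
        if diff >= self.size:
            return False, "too old"             # fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return False, "replay"              # seen before: exactly what the field prevents
        self.bitmap |= 1 << diff
        return True, "late but in window"


# Constructed packet format: 8-byte header (SPI, seq) + payload + 16-byte ICV.
HDR_LEN, ICV_LEN = 8, 16


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: the ICV covers the header, so the sequence number is authenticated."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + payload + icv


def receive(key: bytes, window: AntiReplayWindow, pkt: bytes):
    """Receiver side: parse, verify ICV, then run the replay check and update."""
    if len(pkt) < HDR_LEN + ICV_LEN:
        return False, "short packet"
    hdr, body, icv = pkt[:HDR_LEN], pkt[HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    _spi, seq = struct.unpack("!II", hdr)
    expected = hmac.new(key, hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "bad ICV"                 # window untouched: forgeries cannot move it
    return window.check_and_update(seq)


if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed; a real SA key comes from IKE
    window = AntiReplayWindow()
    pkts = [build_esp(key, 0x1234, s, b"data") for s in (1, 2, 3)]
    for p in pkts:
        print(receive(key, window, p))
    print("replayed seq 2:", receive(key, window, pkts[1]))
    forged = pkts[2][:4] + struct.pack("!I", 99) + pkts[2][8:]
    print("forged seq 99:", receive(key, window, forged))
```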

    QUESTION 36:

You have created your tunnel interface in the Untrust zone. Traffic from the Trust zone is able to enter the tunnel and pass to the destination. However, traffic from a different interface in the Untrust zone is not able to pass through the tunnel. You are using a single virtual router. What could be causing this problem?
A. Two virtual routers need to be configured
B. A policy is needed since intra-zone blocking is on by default in the Untrust zone.
C. The tunnel is configured with a proxy ID that does not include the address from the Untrust interface.
D. The routing tables are not correctly configured to allow the traffic from the Untrust source to be delivered to the destination.

    Answer: B

Explanation:
To control traffic that traverses the same zone, a zone level option is available: "Block Intra-zone Traffic". This option can be set through the WebUI or the CLI.
WebUI: select Network -> Zones -> Edit
CLI: set zone <zone_name> block
This is an "All or Nothing" feature that is disabled by default on all zones in the Trust-VR, except


for the Untrust zone (where it is enabled by default). When the option is set or the check box is selected, all traffic between interfaces within the specified zone will be blocked. This holds true EXCEPT when there is an intra-zone policy configured. Intra-zone policies will take precedence over or override the zone blocking setting.

    QUESTION 37:

How is the Diffie-Hellman key exchange referred to when it is used in IKE Phase 2?
A. PFA
B. PFS
C. SCS
D. SFS

    Answer: B

    Explanation:

A Diffie-Hellman exchange allows the participants to produce a shared secret value. The strength of the technique is that it allows the participants to create the secret value over an unsecured medium without passing the secret value through the wire. There are five Diffie-Hellman (DH) groups (NetScreen supports groups 1, 2, and 5). The size of the prime modulus used in each group's calculation differs as follows:
DH Group 1: 768-bit modulus
DH Group 2: 1024-bit modulus
DH Group 5: 1536-bit modulus
The larger the modulus, the more secure the generated key is considered to be; however, the longer the key-generation process takes. Because the modulus for each DH group is a different size, the participants must agree to use the same group.
After the participants have established a secure and authenticated channel, they proceed through Phase 2, in which they negotiate the SAs to secure the data to be transmitted through the IPSec tunnel. Like the process for Phase 1, the participants exchange proposals to determine which security parameters to employ in the SA. A Phase 2 proposal also includes a security protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH), and selected encryption and authentication algorithms. The proposal can also specify a Diffie-Hellman group, if Perfect Forward Secrecy (PFS) is desired.
Perfect Forward Secrecy (PFS) is a method for deriving Phase 2 keys independent from and unrelated to the preceding keys. Alternatively, the Phase 1 proposal creates the key (the SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party gains access to the SKEYID_d key, all your encryption


keys are compromised. PFS addresses this security risk by forcing a new Diffie-Hellman key exchange to occur for each Phase 2 tunnel. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled.

    QUESTION 38:

By default, what attack signature group severity level is reported for an attack attempting to crash the system?
A. High
B. Critical
C. Medium
D. Emergency

    Answer: B

Explanation:
Predefined attack object groups contain attack objects for a specific protocol. For each protocol, the groups are separated into protocol anomalies and stateful signatures, and then roughly organized by severity. The three attack object group severity levels are critical, high, and medium:
Critical: Contains attack objects matching exploits that attempt to evade detection, cause a network device to crash, or gain system-level privileges.
High: Contains attack objects matching exploits that attempt to disrupt a service, gain user-level access to a network device, or activate a Trojan horse previously loaded on a device.
Medium: Contains attack objects matching exploits that detect reconnaissance efforts attempting to access vital information through directory traversal or information leaks.
Low: Contains attack objects matching exploits that attempt to obtain non-critical information or scan a network with a scanning tool.
Info: Contains attack objects matching normal, harmless traffic containing URLs, DNS lookup failures, SNMP public community strings, and Peer-to-Peer (P2P) parameters. You can use informational attack objects to obtain information about your network.

    QUESTION 39:

While reviewing the config file you see the command "set attack-db mode check". What is the purpose of this command?
A. To ensure all traffic is checked regardless of policy
B. To enable Deep Inspection functionality in the NetScreen firewall
C. To make sure that only traffic checked by a policy will be evaluated by the Deep Inspection
D. To ensure you will be notified by a message when the Attack database needs to be updated

    Answer: D

    Explanation:


This command will ensure you will be notified by a message when the Attack database needs to be updated.

    QUESTION 40:

The NetScreen Deep Inspection function performs analysis and action up to what layer of the OSI model?
A. 2
B. 3
C. 4
D. 7

    Answer: D

Explanation:
Deep Inspection (DI) is a mechanism for filtering the traffic permitted by the NetScreen firewall. Deep Inspection examines Layer 3 and 4 packet headers and Layer 7 application content and protocol characteristics in an effort to detect and prevent any attacks or anomalous behavior that might be present.
When the NetScreen device receives the first packet of a session, it inspects the source and destination IP addresses in the IP packet header (Layer 3 inspection) and the source and destination port numbers and protocol in the TCP segment or UDP datagram header (Layer 4 inspection). If the Layer 3 and 4 components match the criteria specified in a policy, the NetScreen device then performs the specified action on the packet: permit, deny, or tunnel. When the NetScreen device receives a packet for an established session, it compares it with the state information maintained in the session table to determine if it indeed belongs to the session.
If you have enabled Deep Inspection in the policy that applies to this packet and the policy action is "permit" or "tunnel", then the NetScreen device further inspects it and its associated data stream for attacks. It scans the packet for patterns that match those defined in one or more groups of attack objects. Attack objects can be attack signatures or protocol anomalies, which you can either define yourself or download to the NetScreen device from an attack object database server.

    QUESTION 41:

What are the two (2) components required for the NetScreen Deep Inspection implementation?
A. Policy Statements
B. Signature database
C. IDP Action Statement
D. Service Book Group Entries
E. Address Book Group Entries

    Answer: A, B


Explanation:
Deep Inspection (DI) is a mechanism for filtering the traffic permitted by the NetScreen firewall. Deep Inspection examines Layer 3 and 4 packet headers and Layer 7 application content and protocol characteristics in an effort to detect and prevent any attacks or anomalous behavior that might be present.
When the NetScreen device receives the first packet of a session, it inspects the source and destination IP addresses in the IP packet header (Layer 3 inspection) and the source and destination port numbers and protocol in the TCP segment or UDP datagram header (Layer 4 inspection). If the Layer 3 and 4 components match the criteria specified in a policy, the NetScreen device then performs the specified action on the packet: permit, deny, or tunnel. When the NetScreen device receives a packet for an established session, it compares it with the state information maintained in the session table to determine if it indeed belongs to the session.
If you have enabled Deep Inspection in the policy that applies to this packet and the policy action is "permit" or "tunnel", then the NetScreen device further inspects it and its associated data stream for attacks. It scans the packet for patterns that match those defined in one or more groups of attack objects. Attack objects can be attack signatures or protocol anomalies, which you can either define yourself or download to the NetScreen device from an attack object database server.

    QUESTION 42:

Place the Antivirus configuration elements into the recommended configuration order:
1) Add AV to policy
2) Configure Scan Manager
3) Set Webmail options
4) Configure Global Settings

A. 1,2,3,4
B. 2,3,4,1
C. 2,4,3,1
D. 4,2,3,1
E. 4,3,2,1

    Answer: D

Explanation:
The correct procedure to configure antivirus on a NetScreen device is:
1. Configure Global Settings
2. Configure Scan Manager
3. Set Webmail options
4. Add AV to policy
http://200.support.netscreen.safeharbor.com/knowbase/root/public/ns10300.pdf

    QUESTION 43:

How is Antivirus Scanning enabled on a NetScreen device?


A. Antivirus Scanning is implemented via policy
B. Antivirus Scanning is implemented at the interface
C. Antivirus scanning is a stand-alone product and manually enabled.
D. Antivirus scanning is turned on by zone, like Screening and Malicious URLs

    Answer: A

    Explanation:
    A virus is executable code that infects or attaches itself to other executable code so that it can reproduce itself. Some viruses are malicious, erasing files or locking up systems. Others present a problem merely in the act of infecting other files, as their propagation may overwhelm the infected host or network with excessive amounts of bogus data. Select NetScreen devices support an internal antivirus (AV) scan engine (AV scanner) that provides AV scanning for specific application-layer transactions. You can configure the scanner to examine network traffic that uses the following protocols:
    File Transfer Protocol (FTP)
    Hypertext Transfer Protocol (HTTP)
    Internet Mail Access Protocol (IMAP)
    Post Office Protocol, version 3 (POP3)
    Simple Mail Transfer Protocol (SMTP)
    To apply AV protection, you must reference the internal scanner in security policies. When the NetScreen device receives traffic to which a policy requiring AV scanning applies, it directs the content it receives to its internal scanner. After verifying that it has received the entire content of an FTP, HTTP, IMAP, POP3, or SMTP packet, the scanner examines the data for viruses. It does this by referencing a virus pattern file to identify virus signatures. When the scanner detects a virus, the NetScreen device drops the content and sends a message to the client indicating that the content is infected. If the scanner does not detect a virus, the NetScreen device forwards the content to its intended destination.

    QUESTION 44:

    Which three (3) screening options are detected only on physical interfaces?
    A. Limit Session
    B. Deny Syn Attack
    C. Deny UDP Flood
    D. Deny Syn Fragment
    E. Deny Ping of Death Attack

    Answer: A, B, C

    QUESTION 45:

    Exhibit


    Refer to the exhibit. If you configure NAT-src from the Corporate zone to the Internet zone, and do not specify a DIP, which address will be used as the outbound source address of packets destined for the Internet?
    A. 143.45.56.1
    B. 143.45.56.254
    C. the original source address
    D. NAT-src will not work without a DIP

    Answer: A

    Explanation:

    When an ingress interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface (143.45.56.1). Also, it replaces the source port number with another random port number generated by the NetScreen device. The port numbers 1 to 1023 are reserved for well-known port numbers, so the next available port number could be 1024.

    QUESTION 46:

    You are looking at your policies via the Web UI and you notice that the green permit policy has turned blue. What would cause this?
    A. The policy is currently inactive
    B. The policy is configured to support a MIP
    C. The policy is configured for unidirectional NAT
    D. The policy has failed to pass permitted traffic due to a virus
    E. The policy is currently passing traffic beyond its traffic limits and it is currently in alarm

    Answer: C


    Explanation:

    QUESTION 47:

    By default, what type of NAT is performed when you implement interface-based NAT?
    A. Src-IP address translation
    B. Dst-IP address translation
    C. Src-IP and port address translation
    D. Dst-IP and port address translation

    Answer: C

    Explanation:
    Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent. If an interface bound to a Layer 3 zone has an IP address, you can define the operational mode for that interface as either NAT or Route. An interface bound to a Layer 2 zone (such as the predefined v1-trust, v1-untrust, and v1-dmz zones, or a user-defined Layer 2 zone) must be in Transparent mode. You select an operational mode when you configure an interface.

    When an ingress interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface. Also, it replaces the source port number with another random port number generated by the NetScreen device. Remember that the interface residing in the Trust zone is in NAT mode by default. When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing source NAT (NAT-src); that is, the source address and port number in the IP packet header remain unchanged as it traverses the NetScreen device.

    QUESTION 48:

    You enter the following command
    set int 38 mip 1.1.8.32 host 10.1.10.32 netmask 255.255.255.248
    How many MIP address translations have you just configured?
    A. 1
    B. 6
    C. 8
    D. 30
    E. 32

    Answer: C

    Explanation:
    This question requires a bit of subnetting. An excellent resource to learn this is http://www.learntosubnet.com. The part we have to look at is the subnet mask 255.255.255.248. The subnet mask defines which hosts are in the same subnet. In this case we look at 248. First we convert this decimal number to binary: 248 decimal is 11111000 in binary. As you can see, the first 5 bits are 1s, so we have 3 bits left for our hosts, which gives host values from 000 to 111. Converting back to decimal, 000 = 0 and 111 = 7. In this scenario we count from 0 to 7, so that is 8 hosts.

    QUESTION 49:

    You enter the following command
    set int e8 dip 5 shift-from 10.1.1.5 1.1.10.2 1.1.10.40
    What will be the source IP address of the egress packet for the second user requesting an address from the DIP pool, if the source address of that user is 10.1.1.7?
    A. 1.1.10.2
    B. 1.1.10.3
    C. 1.1.10.4
    D. 1.1.10.40

    Answer: C

    Explanation:
    You can define a one-to-one mapping from an original source IP address to a translated source IP address for a range of IP addresses. Such a mapping ensures that the NetScreen device always translates a particular source IP address from within that range to the same translated address within a DIP pool. There can be any number of addresses in the range. You can even map one subnet to another subnet, with a consistent one-to-one mapping of each original address in one subnet to its translated counterpart in the other subnet. In this question, you define DIP pool 5 on ethernet8, an interface bound to the Untrust zone. You want to translate addresses from 10.1.1.5 to addresses between 1.1.10.2 and 1.1.10.40, and you want the relationship between each original and translated address to be consistent.

    Now the first IP, 10.1.1.5, will be translated to 1.1.10.2. The second IP, 10.1.1.6, will be translated to 1.1.10.3. And the third IP, 10.1.1.7, will be translated to 1.1.10.4.
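    As an added example (not part of the original exam material, and not ScreenOS code), the following Python models the address arithmetic behind Questions 48 and 49: how many one-to-one mappings a MIP with a given netmask creates, and the fixed offset a shift-from DIP pool applies to each original source address, including the case where a source falls outside the range the pool can cover. The function names and the out-of-range behaviour are assumptions made for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example: models the MIP and shift-from DIP arithmetic from Q48 and Q49.
# Not ScreenOS code; the commands are only quoted in comments.


def mip_translation_count(netmask: str) -> int:
    """Number of one-to-one MIP translations created by
    'set int <ifname> mip <public> host <private> netmask <netmask>'.
    The mask covers a whole block, so the count is 2 ** (host bits)."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
    return 2 ** (32 - prefix)


def mip_pairs(mip: str, host: str, netmask: str) -> List[Tuple[str, str]]:
    """Expand a MIP block into (mapped public, real private) address pairs,
    walking both blocks in lockstep so that offsets line up one-to-one."""
    public = ipaddress.IPv4Network(f"{mip}/{netmask}", strict=False)
    private = ipaddress.IPv4Network(f"{host}/{netmask}", strict=False)
    return [(str(p), str(q)) for p, q in zip(public, private)]


def dip_shift_from(src: str, shift_from: str,
                   pool_start: str, pool_end: str) -> Optional[str]:
    """Translated source for 'dip <id> shift-from <base> <start> <end>'.
    The original address keeps its offset from <base>, so the same host
    always receives the same translated address. Returns None when the
    source lies outside the range the pool can cover (assumed behaviour:
    no shift-from match for that source)."""
    offset = (int(ipaddress.IPv4Address(src))
              - int(ipaddress.IPv4Address(shift_from)))
    start = int(ipaddress.IPv4Address(pool_start))
    end = int(ipaddress.IPv4Address(pool_end))
    if offset < 0 or start + offset > end:
        return None
    return str(ipaddress.IPv4Address(start + offset))


if __name__ == "__main__":
    # Q48: mip 1.1.8.32 host 10.1.10.32 netmask 255.255.255.248 (a /29 block)
    print(mip_translation_count("255.255.255.248"))  # 8
    for pub, priv in mip_pairs("1.1.8.32", "10.1.10.32", "255.255.255.248"):
        print(f"  MIP {pub} -> {priv}")
    # Q49: dip 5 shift-from 10.1.1.5 1.1.10.2 1.1.10.40
    for s in ("10.1.1.5", "10.1.1.6", "10.1.1.7", "10.1.1.4", "10.1.1.44"):
        print(f"  {s} -> {dip_shift_from(s, '10.1.1.5', '1.1.10.2', '1.1.10.40')}")
```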

    QUESTION 50:

    Exhibit

    On which interface would you configure a VIP for translating inbound traffic destined for the partner servers?
    A. E1
    B. E2
    C. E7
    D. E8
    E. You cannot use a VIP in this environment; a VIP must be configured in the Untrust zone.

    Answer: E

    Explanation:
    A virtual IP (VIP) address maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header. The NetScreen device forwards incoming traffic destined for a VIP to the host with the address to which the VIP points (destination address). You need the following information to define a Virtual IP:
    The IP address for the VIP must be in the same subnet as an interface in the Untrust zone or, on some NetScreen devices, can even be the same address as that interface
    The IP addresses for the servers that process the requests
    The type of service you want the NetScreen device to forward from the VIP to the IP address of the host
    In this scenario Certkiller D cannot be configured because it resides behind the untrust interface.

    QUESTION 51:

    Exhibit

    Review the exhibit. Which two forms of address translation could have generated the output shown?
    A. MIP
    B. Interface-based translation
    C. NAT-src with a DIP, fixed-port enabled
    D. NAT-src with a DIP, fixed-port disabled

    Answer: B, D

    Explanation:
    As we can see in the exhibit, it uses NAT-src because we can see 10.1.10.5 with port 1936 being translated to 200.5.5.5 port 80. The NAT mechanisms that use NAT-src are DIP and interface-based translation. We can also see in the exhibit that traffic is translated back to port 1025, therefore we can assume that the fix-port command is not being used.

    QUESTION 52:

    You have a host that is assigned an IP from a private address space, but needs to access systems within the public address space. What form of NAT should you use to minimize configuration requirements?
    A. VIP
    B. MIP
    C. NAT-dst
    D. NAT-src

    Answer: D

    Explanation:
    Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent. If an interface bound to a Layer 3 zone has an IP address, you can define the operational mode for that interface as either NAT or Route. An interface bound to a Layer 2 zone (such as the predefined v1-trust, v1-untrust, and v1-dmz zones, or a user-defined Layer 2 zone) must be in Transparent mode. You select an operational mode when you configure an interface.
    When an ingress interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface. Also, it replaces the source port number with another random port number generated by the NetScreen device. Remember that the interface residing in the Trust zone is in NAT mode by default. When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing source NAT (NAT-src); that is, the source address and port number in the IP packet header remain unchanged as it traverses the NetScreen device.

    QUESTION 53:

    Select the three (3) options below that would allow for proper function of NAT-dst.
    A. The default address book entry of "any" in the internal zone
    B. The default address book entry of "any" in the external zone
    C. A secondary address on an interface in the internal zone, configured with the public address
    D. A loopback interface in the internal zone, configured with the public address
    E. A static route to the public subnet using an interface in the internal zone as the outbound interface

    Answer: B, D, E

    Explanation:
    With NAT-dst, traffic could be coming from any external IP address; you are NATting from External to Internal, so "any" on Internal does not make sense. For proper functioning of NAT-dst we can use:
    1. The default address book entry of "any" in the external zone
    2. A loopback interface in the internal zone, configured with the public address
    3. A static route to the public subnet using an interface in the internal zone as the outbound interface
    You cannot have a secondary address with a public address on the internal zone because there can be no subnet address overlap between any two secondary IP addresses. In addition, there can be no subnet address overlap between a secondary IP and any existing subnet on the NetScreen device.

    QUESTION 54:

    In transparent mode, you can create policies between which zones?
    A. V1-Trust and Untrust
    B. Private and L2-Public
    C. V1-Global and V1-Global
    D. V1-Trust and Private (L2)
    E. V1-Untrust and L2-Private

    Answer: E

    Explanation:
    With transparent mode, the NetScreen firewall is converted from a layer 3 device to one that operates at layer 2, essentially becoming a layer 2 bridge. By doing so, the device can be deployed into existing infrastructures without requiring the readdressing that would be required for a routed solution. The IP addresses of the physical interfaces are set to 0.0.0.0/0 and truly make the deployment invisible to the user. By default, ScreenOS creates one function zone, the VLAN zone, and three L2 security zones: V1-Trust, V1-Untrust, and V1-DMZ. A NetScreen device operating at Layer 2 (L2) does not permit any inter-zone or intra-zone traffic unless there is a policy configured on the device. Please note that a custom zone must start with an L2- prefix.

    QUESTION 55:

    Which three (3) statements are true in regards to a NetScreen device in transparent mode?
    A. All interfaces belong to VLAN1 zone for management
    B. VPNs can terminate to the VLAN1 interface IP address
    C. Static routes must be configured if multiple virtual routers are going to be used
    D. It can be installed in a network without the requirement to reconfigure IP addressing schemes
    E. You must use the console port to manage the device as you cannot manage the device via an Ethernet port.

    Answer: A, B, D

    Explanation:
    When an interface is in Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a Layer 2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or "transparent," to users. By default, ScreenOS creates one function zone, the VLAN zone, and three L2 security zones: V1-Trust, V1-Untrust, and V1-DMZ.
    When the NetScreen device is in Transparent mode, you use the VLAN1 interface for managing the device and terminating VPN traffic. Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits:
    No need to reconfigure the IP settings of routers or protected servers
    No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers

    QUESTION 56:


    What is the purpose of the VLAN1 interface?
    A. It provides policy-based NAT for 802.1Q VLANs
    B. It provides an interface that can be used with all 802.1q VLANs in transparent mode
    C. It provides the NetScreen with a routable IP address while operating in route mode
    D. It provides an interface that can be used to remotely manage the NetScreen while operating in transparent mode

    Answer: D

    Explanation:
    When an interface is in Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a Layer 2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or "transparent," to users. By default, ScreenOS creates one function zone, the VLAN zone, and three L2 security zones: V1-Trust, V1-Untrust, and V1-DMZ.
    When the NetScreen device is in Transparent mode, you use the VLAN1 interface for managing the device and terminating VPN traffic. Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits:
    No need to reconfigure the IP settings of routers or protected servers
    No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers

    QUESTION 57:

    What must be configured to remotely manage a NetScreen device operating in transparent mode?
    A. An IP address must be configured for VLAN1
    B. The telnet management service must be enabled on the VLAN1 interface only
    C. An IP address must be configured for the VLAN zone
    D. The V1-Trust interface needs to have management services enabled
    E. The public SNMP community string must be configured

    Answer: A

    Explanation:
    When an interface is in Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a Layer 2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or "transparent," to users. By default, ScreenOS creates one function zone, the VLAN zone, and three L2 security zones: V1-Trust, V1-Untrust, and V1-DMZ.
    When the NetScreen device is in Transparent mode, you use the VLAN1 interface for managing the device and terminating VPN traffic. Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits:
    No need to reconfigure the IP settings of routers or protected servers
    No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers

    QUESTION 58:

    You want to configure the NetScreen Remote client to use a preshared key. You select the "My Identity" configuration screen but you cannot find the option. What could be causing the problem?
    A. You have to set the "Select Certificate" option to none
    B. You have to set the "ID type" option to Pre-Shared key
    C. NetScreen Remote does not support the use of Pre-Shared key
    D. "My identity" is not the right tab. It needs to be configured under the Security Proposal Section

    Answer: A

    Explanation:
    The correct procedure to create a pre-shared key is the following:
    1. Double-click the NetScreen-Remote icon, located on the Windows taskbar, to open the Security Policy Editor. (My Identity and Security Policy icons appear in the Network Security Policy list.)
    2. Click My Identity. (The My Identity and Internet Interface areas appear to the right of the Network Security Policy list, as shown below.)
    3. In the My Identity area, select None from the Select Certificate drop-down list.
    4. Click Pre-Shared Key. (The Pre-Shared Key dialog box appears, as shown below.)
    5. Click Enter Key to make the Pre-Shared Key field available.
    6. Type a key with a length between 8 and 58 characters. A longer key length results in stronger encryption.
    7. Click OK to save the entry.

    QUESTION 59:

    When configuring security proposals with the NetScreen Remote Client, how many phase 2 proposals are included by default when you configure a new connection?
    A. 1
    B. 2
    C. 3
    D. 4

    Answer: A

    Explanation:
    By default there will be only 1 proposal.

    QUESTION 60:

    Which three (3) items are valid Connection Security options in the NetScreen Remote client?
    A. Block
    B. Permit
    C. Tunnel
    D. Secure
    E. Non-secure

    Answer: A, D, E

    Explanation:
    The Network Security Policy list displays a hierarchically ordered list of connections and their associated proposals. My Connections define the connection(s) that you create. The last connection in the list is Other Connections, which tells NetScreen-Remote what to do with all connections not specifically defined. Connections are read in a top-down order similar to firewall rules. There are three methods that you can use for connection security. You can use the Secure method, which requires the traffic to be secured. Secondly, you can choose Non-secure, which just allows that traffic to pass. Lastly, you can choose Block, which blocks the traffic in the connection.

    QUESTION 61:

    What are two (2) benefits of configuring the NetScreen in transparent mode?
    A. There is no need for IP addresses even for remote management
    B. There is no need to reconfigure the IP addresses of routers or protected servers
    C. There is no need to create Mapped or Virtual IPs for incoming traffic to reach protected servers
    D. Policies are easier to create since you do not have to include Source and Destination IP addresses
    E. The product can support more VPNs and obtain greater throughput because there is less overhead to manage

    Answer: B, C

    Explanation:

    When an interface is inTransparentmode, theNetScreendevice filters packets traversing thefirewall withoutmodifyingany of the source or destination information in the IP packet header. All interfacesbehave as though they are part of the same network, with theNetScreendevice acting much like aLayer 2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0,making the presence of theNetScreendevice invisible, or "transparent," to users. By default,ScreenOScreates one function zone, the VLAN zone, and three L2 security zones: V1-Trust,V1-Untrust, and V1-DMZ.When theNetScreendevice is inTransparentmode, you use the VLAN1 interface for managingthe device and terminating VPN traffic. Transparent mode is a convenient means for protectingWeb servers, or any other kind of server that mainly receives traffic fromuntrustedsources. Using

    Transparentmode offers the following benefits:No need to reconfigure the IP settings of routers or protected serversNo need to create Mapped or Virtual IP addresses for incoming traffic to reach protectedservers

    QUESTION 62:

    You are configuring a NetScreen device in transparent mode and want to provide additional administrative security. Which two (2) options would you set?
    A. set int vlan1 ident-reset
    B. set int vlan1 broadcast arp
    C. set int vlan1 broadcast flood
    D. set admin manag-ip
    E. set int vlan1 ip manage-ip

    Answer: B, C

    Explanation:
    When a host or any kind of network device does not know the MAC address associated with the IP address of another device, it uses the Address Resolution Protocol (ARP) to obtain it. The requestor broadcasts an ARP query (arp-q) to all the other devices on the same subnet. Only the device with the specified IP address returns an ARP reply (arp-r). After a device matches an IP address with a MAC address, it stores the information in its ARP cache. The situation can arise when a device sends a unicast packet with a destination MAC address which it has in its ARP cache, but which the NetScreen device does not have in its forwarding table. When a NetScreen device in Transparent mode receives a unicast packet for which it has no entry in its forwarding table, it can follow one of two courses:
    After doing a policy lookup to determine the zones to which traffic from the source address is permitted, flood the initial packet out the interfaces bound to those zones, and then continue using whichever interface receives a reply. This is the Flood option, which is enabled by default.
    Drop the initial packet, flood ARP queries (and, optionally, trace-route packets, which are ICMP echo requests with the time-to-live value set to 1) out all interfaces (except the interface at which the packet arrived), and then send subsequent packets through whichever interface receives an ARP (or trace-route) reply from the router or host whose MAC address matches the destination MAC address in the initial packet. The trace-route option allows the NetScreen device to discover the destination MAC address when the destination IP address is in a nonadjacent subnet.

    QUESTION 63:

    When configuring a NetScreen device in transparent mode, what is required to forwa