Juniper JN0-332 JN0-332 Juniper Networks Certified Internet Specialist, SEC (JNCIS-SEC) Practice Test Version 4.0

Upload: shruthi-kavya-k

Post on 15-Jan-2016


Exam dump for JUNOS-SEC exam



ActualTests.com

QUESTION NO: 1

To verify that traffic is being processed by the correct security policy, which CLI command displays the policy name and the specific traffic processed by the policy?

A. show security flow session

B. show security utm content-filtering statistics

C. show security policies

D. show security status

Answer: A

QUESTION NO: 2

Which command produces the output shown in the exhibit?

A. show security sessions

B. show security flow

C. show security flow session

D. show security session log

Answer: C

QUESTION NO: 3

What does a zone contain?

A. routers

B. interfaces

C. routing tables

D. NAT addresses

Answer: B

QUESTION NO: 4

Which two steps are performed when configuring a zone? (Choose two.)

A. Define a policy for the zone.

Juniper JN0-332: Practice Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2


B. Assign logical interfaces to the zone.

C. Assign physical interfaces to the zone.

D. Define the zone as a security or functional zone.

Answer: B,D

QUESTION NO: 5

What are the two types of zones you can configure? (Choose two.)

A. system

B. trusted

C. functional

D. security

Answer: C,D

QUESTION NO: 6

What is the purpose of configuring the host-inbound-traffic command on a zone?

A. to allow inbound Web authentication

B. to allow all outbound traffic on the untrust zone

C. to allow all inbound traffic on the untrust zone

D. to allow specified traffic that terminates on the device

Answer: D

QUESTION NO: 7

To which two zones can you add interfaces? (Choose two.)

A. system

B. security

C. functional

D. user

Answer: B,C

QUESTION NO: 8


Which statement is true about a logical interface?

A. A logical interface can belong to multiple zones.

B. A logical interface can belong to multiple routing instances.

C. A logical interface can belong to only one routing instance.

D. All logical interfaces in a routing instance must belong to a single zone.

Answer: C

QUESTION NO: 9

What is the purpose of a zone in the Junos OS?

A. A zone defines a group of security devices with a common management.

B. A zone defines the geographic region in which the security device is deployed.

C. A zone defines a group of network segments with similar security requirements.

D. A zone defines a group of network segments with similar class-of-service requirements.

Answer: C

QUESTION NO: 10

Which statement is correct for applying the SCREEN named protect to the Public zone?


A. Option 1

B. Option 2

C. Option 3

D. Option 4

Answer: C

QUESTION NO: 11

Where do you configure SCREEN options?

A. zones on which an attack might arrive

B. zones you want to protect from attack

C. interfaces on which an attack might arrive

D. interfaces you want to protect from attack

Answer: A

QUESTION NO: 12


What are two types of network reconnaissance attacks? (Choose two.)

A. IP address sweep

B. SYN flood

C. port scanning

D. SNMP polling request

Answer: A,C

QUESTION NO: 13

Which three IP option fields can an attacker exploit to cause problems in a network? (Choose three.)

A. loose source routing

B. timestamp

C. time-to-live

D. record route

E. DSCP

Answer: A,B,E

QUESTION NO: 14

You want to configure a security policy that allows traffic to a particular host. Which step must you perform before committing a configuration with the policy?

A. Define a static route to the host.

B. Ensure that the router can ping the host.

C. Define an address book entry for the host.

D. Ensure that the router has an ARP entry for the host.

Answer: C

QUESTION NO: 15

After a security policy is applied, which CLI command output will display the policy index number?

A. show security policy-id

B. show security flow session summary


C. show security monitoring

D. show security policies

Answer: D

QUESTION NO: 16

Which two statements are true for an address book entry? (Choose two.)

A. An address book entry is defined within a security policy.

B. An address book entry is defined within a zone.

C. An address book entry is applied within a security policy.

D. An address book entry is applied within a zone.

Answer: B,C

QUESTION NO: 17

In the Junos OS, which command do you use to reorder security policies?

A. replace

B. rename

C. insert

D. before

Answer: C

QUESTION NO: 18

Which two statements describe the purpose of a security policy? (Choose two.)

A. It enables traffic counting and logging.

B. It enforces a set of rules for transit traffic.

C. It controls host inbound services on a zone.

D. It controls administrator rights to access the device.

Answer: A,B

QUESTION NO: 19


Which two security policy actions are valid? (Choose two.)

A. deny

B. discard

C. reject

D. close

Answer: A,C

QUESTION NO: 20

Which three match criteria must each security policy include? (Choose three.)

A. source address

B. source port

C. destination address

D. destination port

E. application

Answer: A,C,E

QUESTION NO: 21

You are creating a destination NAT rule-set. Which two are valid for use with the from clause? (Choose two.)

A. security policy

B. interface

C. routing-instance

D. IP address

Answer: B,C

QUESTION NO: 22

Which statement is true regarding proxy ARP?

A. Proxy ARP is enabled by default on standalone Junos security devices.

B. Proxy ARP is enabled by default on high-available chassis clusters.

C. Junos security devices can forward ARP requests to a remote device when proxy ARP is enabled.


D. Junos security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.

Answer: D

QUESTION NO: 23

Which statement is true about interface-based source NAT?

A. PAT is a requirement.

B. It requires you to configure address entries in the junos-nat zone.

C. It requires you to configure address entries in the junos-global zone.

D. IP addresses being translated must be in the same subnet as the egress interface.

Answer: A

QUESTION NO: 24

Which two statements are true about pool-based destination NAT? (Choose two.)

A. It also supports PAT.

B. PAT is not supported.

C. It allows the use of an address pool.

D. It requires you to configure an address in the junos-global zone.

Answer: A,C

QUESTION NO: 25

Which operational command produces the output shown in the exhibit?

A. show security nat source rule

B. show route forwarding-table

C. show security nat source pool all


D. show security nat source summary

Answer: D

QUESTION NO: 26

For a route-based VPN, which statement is true?

A. host-inbound-traffic system services ike must be enabled on the st0.x interface.

B. host-inbound-traffic system services ike must be enabled on both the st0.x interface and the logical interface on which ike terminates.

C. host-inbound-traffic system services ike must be enabled on the logical interface on which ike terminates.

D. host-inbound-traffic system services ike is not mandatory for route-based VPNs.

Answer: C

QUESTION NO: 27

Which statement is true about the relationship between IKE and IPsec SAs?

A. Two IPsec SAs can map to a single IKE SA.

B. Two IKE SAs can map to a single IPsec SA.

C. When an IKE SA times out, it also tears down the IPsec SA.

D. When an IPsec SA times out, it also tears down the IKE SA.

Answer: A

QUESTION NO: 28

Regarding secure tunnel (st) interfaces, which statement is true?

A. You cannot assign st interfaces to a security zone.

B. You cannot apply static NAT on an st interface logical unit.

C. st interfaces are optional when configuring a route-based VPN.

D. A static route can reference the st interface logical unit as the next-hop.

Answer: D


QUESTION NO: 29

You want each IPsec SA to be negotiated over a unique set of Diffie-Hellman exchanges so that even if the IKE key is compromised, subsequent IPsec SAs cannot be compromised.

Which IPsec feature would you activate?

A. main mode IKE exchange

B. aggressive mode IKE exchange

C. perfect forward secrecy

D. VPN monitor

Answer: C

QUESTION NO: 30

For IKE phase 1 negotiations, when is aggressive mode typically used?

A. when one of the tunnel peers has a dynamic IP address

B. when one of the tunnel peers wants to force main mode to be used

C. when fragmentation of the IKE packet is required between the two peers

D. when one of the tunnel peers wants to specify a different phase 1 proposal

Answer: A

QUESTION NO: 31

You have been tasked with installing two SRX5600 platforms in a high-availability cluster. Which requirement must be met for a successful installation?

A. You must enable SPC detect within the configuration.

B. You must enable active-active failover for redundancy.

C. You must ensure all SPCs use the same slot placement.

D. You must configure auto-negotiation on the control ports of both devices.

Answer: C

QUESTION NO: 32

When applying the configuration in the exhibit and initializing a chassis cluster, which statement is correct?


A. Three physical interfaces are redundant.

B. You must define an additional redundancy group.

C. node 0 will immediately become primary for redundancy group 1.

D. You must issue an operational command and reboot the system for the above configuration to take effect.

Answer: D

QUESTION NO: 33

What are three benefits of using chassis clustering? (Choose three.)

A. Provides stateful session failover for sessions.

B. Increases security capabilities for IPsec sessions.

C. Provides active-passive control and data plane redundancy.

D. Enables automated fast-reroute capabilities.

E. Synchronizes configuration files and session state.

Answer: A,C,E

QUESTION NO: 34

What are two interfaces created when enabling a chassis cluster? (Choose two.)

A. st0

B. fxp1

C. fab0

D. reth0

Answer: C,D


QUESTION NO: 35

Which three components can be downloaded and installed directly from the Juniper Networks update server to an SRX Series device? (Choose three.)

A. signature package

B. PCRE package

C. detector engine

D. policy templates

E. dynamic attack detection package

Answer: A,C,D

QUESTION NO: 36

Which two statements are true regarding IDP? (Choose two.)

A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.

B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.

C. IDP inspects traffic up to the Presentation Layer.

D. IDP inspects traffic up to the Application Layer.

Answer: A,D

QUESTION NO: 37

Which two statements are true regarding firewall user authentication? (Choose two.)

A. Firewall user authentication is performed only for traffic that is accepted by a security policy.

B. Firewall user authentication is performed only for traffic that is denied by a security policy.

C. Firewall user authentication provides an additional method of controlling user access to the Junos security device itself.

D. Firewall user authentication provides an additional method of controlling user access to remote networks.

Answer: A,D


QUESTION NO: 38

Which two external authentication server types are supported by the Junos OS for firewall user authentication? (Choose two.)

A. RADIUS

B. TACACS+

C. LDAP

D. IIS

Answer: A,C

QUESTION NO: 39

Which type of logging is supported for UTM logging to an external syslog server on branch SRX Series devices?

A. binary syslog

B. CHARGEN

C. WELF (structured) syslog

D. standard (unstructured) syslog

Answer: C

QUESTION NO: 40

Which two statements describe full file-based antivirus protection? (Choose two.)

A. By default, the signature database is updated every 60 minutes.

B. By default, the signature database is updated once daily.

C. The signature database targets only critical viruses and malware.

D. The signature database can detect polymorphic virus types.

Answer: A,D

QUESTION NO: 41

What would the configuration shown in the exhibit enforce?


A. All traffic of MIME type video will be scanned.

B. All traffic of MIME type video will not be scanned.

C. All traffic of MIME type video/mpeg will be scanned.

D. All traffic of MIME type video/mpeg will not be scanned.

Answer: C

QUESTION NO: 42

If the policy server becomes unreachable, which two actions are available for connections that should be inspected by Web filtering when using integrated or redirect Web filtering? (Choose two.)

A. Permit connections with logging.


B. Drop connections.

C. Redirect connections to a different policy server.

D. Use the existing Web cache.

Answer: A,B

QUESTION NO: 43

Which statement is true about blacklists?

A. Blacklists can be created by creating a url-pattern and then associating the url-pattern with a url-blacklist.

B. Blacklists can be created by creating a url-pattern and then associating the url-pattern with a custom-url-category and then associating the custom-url-category with a url-blacklist.

C. Blacklists are defined as a separate list and need not be associated with a URL category.

D. Blacklists can be associated with either a custom-url-category or a url-pattern.

Answer: C

QUESTION NO: 44

Regarding zone types, which statement is true?

A. You cannot assign an interface to a functional zone.

B. You can specify a functional zone in a security policy.

C. Security zones must have a scheduler applied.

D. You can use a security zone for traffic destined for the device itself.

Answer: D

QUESTION NO: 45

Regarding attacks, which statement is correct?

A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.

B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy flood.

C. DoS attacks are directed at the network protection devices, while propagation attacks are directed at the servers.

D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take control of the devices.


Answer: D

QUESTION NO: 46

Click the Exhibit button.

[edit schedulers]
user@host# show
scheduler now {
    monday all-day;
    tuesday exclude;
    wednesday {
        start-time 07:00:00 stop-time 18:00:00;
    }
    thursday {
        start-time 07:00:00 stop-time 18:00:00;
    }
}

[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}

Based on the configuration shown in the exhibit, what are the actions of the security policy?

A. The policy will always permit transit packets and use the IPsec VPN myTunnel.

B. The policy will permit transit packets only on Monday, and use the IPsec VPN Mytunnel.

C. The policy will permit transit packets and use the IPsec VPN myTunnel all day Monday and

Wednesday 7am to 6pm, and Thursday 7am to 6pm.

D. The policy will always permit transit packets, but will only use the IPsec VPN myTunnel all

day Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.

Answer: C


QUESTION NO: 47

Which two statements are true regarding proxy ARP? (Choose two.)

A. Proxy ARP is enabled by default.

B. Proxy ARP is not enabled by default.

C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.

D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.

Answer: B,D

QUESTION NO: 48

Which statement regarding the implementation of an IDP policy template is true?

A. IDP policy templates are automatically installed as the active IDP policy.

B. IDP policy templates are enabled using a commit script.

C. IDP policy templates can be downloaded without an IDP license.

D. IDP policy templates are included in the factory-default configuration.

Answer: B

QUESTION NO: 49

Click the Exhibit button.

[edit groups]
user@host# show
node0 {
    system {
        host-name NODE0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 1.1.1.1/24;
                }
            }
        }
    }
}
node1 {
    system {
        host-name NODE1;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 1.1.1.2/24;
                }
            }
        }
    }
}

In the exhibit, what is the function of the configuration statements?

A. This section is where you define all chassis clustering configuration.

B. This configuration is required for members of a chassis cluster to talk to each other.

C. You can apply this configuration in the chassis cluster to make configuration easier.

D. This section is where unique node configuration is applied.

Answer: D

QUESTION NO: 50

Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)

A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.

B. JUNOS Software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.

C. JUNOS Software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.

D. JUNOS Software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.

Answer: B,C

QUESTION NO: 51

Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)

A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.

B. JUNOS Software for security platforms secures traffic by default; a traditional router does not secure traffic by default.

C. JUNOS Software for security platforms allows for session-based forwarding; a traditional router uses packet-based forwarding.

D. JUNOS Software for security platforms separates broadcast domains; a traditional router does not separate broadcast domains.

Answer: B,C

QUESTION NO: 52

A traditional router is better suited than a firewall device for which function?

A. VPN establishment

B. packet-based forwarding

C. stateful packet processing

D. Network Address Translation

Answer: B

QUESTION NO: 53

Which three functions are provided by JUNOS Software for security platforms? (Choose three.)

A. VPN establishment

B. stateful ARP lookups

C. Dynamic ARP inspection

D. Network Address Translation

E. inspection of packets at higher levels (Layer 4 and above)

Answer: A,D,E

QUESTION NO: 54

What are two components of the JUNOS Software architecture? (Choose two.)

A. Linux kernel

B. routing protocol daemon

C. session-based forwarding module

D. separate routing and security planes

Answer: B,C


QUESTION NO: 55

Which two functions of JUNOS Software are handled by the data plane? (Choose two.)

A. NAT

B. OSPF

C. SNMP

D. SCREEN options

Answer: A,D

QUESTION NO: 56

Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host B. These connections are the only communication between Host A and Host B. The security policy configuration permits both connections.

How many flows exist between Host A and Host B?

A. 1

B. 2

C. 3

D. 4

Answer: D

QUESTION NO: 57

Which two statements about JUNOS Software packet handling are correct? (Choose two.)

A. JUNOS Software applies service ALGs only for the first packet of a flow.

B. JUNOS Software uses fast-path processing only for the first packet of a flow.

C. JUNOS Software performs route and policy lookup only for the first packet of a flow.

D. JUNOS Software applies SCREEN options for both first and consecutive packets of a flow.

Answer: C,D

QUESTION NO: 58

In JUNOS Software, which three packet elements can be inspected to determine if a session already exists? (Choose three.)


A. IP protocol

B. IP time-to-live

C. source and destination IP address

D. source and destination MAC address

E. source and destination TCP/UDP port

Answer: A,C,E

QUESTION NO: 59

By default, which condition would cause a session to be removed from the session table?

A. Route entry for the session changed.

B. Security policy for the session changed.

C. The ARP table entry for the source IP address timed out.

D. No traffic matched the session during the timeout period.

Answer: D

QUESTION NO: 60

What is the default session timeout for UDP sessions?

A. 30 seconds

B. 1 minute

C. 5 minutes

D. 30 minutes

Answer: B

QUESTION NO: 61

What is the purpose of a zone in JUNOS Software?

A. A zone defines a group of security devices with a common management.

B. A zone defines the geographic region in which the security device is deployed.

C. A zone defines a group of network segments with similar security requirements.

D. A zone defines a group of network segments with similar class-of-service requirements.

Answer: C


QUESTION NO: 62

Users can define policy to control traffic flow between which two components? (Choose two.)

A. from a zone to the device itself

B. from a zone to the same zone

C. from a zone to a different zone

D. from one interface to another interface

Answer: B,C

QUESTION NO: 63

Which two configurations are valid? (Choose two.)

A. [edit security zones]
user@host# show
security-zone red {
    interfaces {
        ge-0/0/1.0;
        ge-0/0/3.0;
    }
}
security-zone blue {
    interfaces {
        ge-0/0/2.0;
        ge-0/0/3.102;
    }
}

B. [edit security zones]
user@host# show
security-zone red {
    interfaces {
        ge-0/0/1.0;
        ge-0/0/2.0;
    }
}
security-zone blue {
    interfaces {
        ge-0/0/1.0;
        ge-0/0/3.0;
    }
}

C. [edit routing-instances]
user@host# show
red {
    interface ge-0/0/3.0;
    interface ge-0/0/2.102;
}
blue {
    interface ge-0/0/0.0;
    interface ge-0/0/3.0;
}

D. [edit routing-instances]
user@host# show
red {
    interface ge-0/0/3.0;
    interface ge-0/0/3.102;
}
blue {
    interface ge-0/0/0.0;
    interface ge-0/0/2.0;
}

Answer: A,D

QUESTION NO: 64

Which two configuration options must be present for IPv4 transit traffic to pass between the ge-0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)

A. family inet

B. a security zone

C. a routing instance

D. host-inbound-traffic

Answer: A,B

QUESTION NO: 65

Which zone is a system-defined zone?

A. null zone

B. trust zone

C. untrust zone

D. management zone


Answer: A

QUESTION NO: 66

Which type of zone is used by traffic transiting the device?

A. transit zone

B. default zone

C. security zone

D. functional zone

Answer: C

QUESTION NO: 67

You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone.

Under which configuration hierarchy must you permit OSPF traffic?

A. [edit security policies from-zone HR to-zone HR]

B. [edit security zones functional-zone management protocols]

C. [edit security zones protocol-zone HR host-inbound-traffic]

D. [edit security zones security-zone HR host-inbound-traffic protocols]

Answer: D

QUESTION NO: 68

Which two statements regarding firewall user authentication client groups are true? (Choose two.)

A. Individual clients are configured under client groups in the configuration hierarchy.

B. Client groups are configured under individual clients in the configuration hierarchy.

C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.

D. Client groups are used to simplify configuration by enabling firewall user authentication without security policy.

Answer: B,C


QUESTION NO: 69

You want to allow all hosts on interface ge-0/0/0.0 to be able to ping the device's ge-0/0/0.0 IP address.

Where do you configure this functionality?

A. [edit interfaces]

B. [edit security zones]

C. [edit system services]

D. [edit security interfaces]

Answer: B

QUESTION NO: 70

You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone.

From the [edit] hierarchy, which command do you use to configure this assignment?

A. set security zones management interfaces ge-0/0/0.0

B. set zones functional-zone management interfaces ge-0/0/0.0

C. set security zones functional-zone management interfaces ge-0/0/0.0

D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0

Answer: C

QUESTION NO: 71

You are not able to telnet to the interface IP address of your device from a PC on the same subnet.

What is causing the problem?

A. Telnet is not being permitted by self policy.

B. Telnet is not being permitted by security policy.

C. Telnet is not allowed because it is not considered secure.

D. Telnet is not enabled as a host-inbound service on the zone.

Answer: D

QUESTION NO: 72


Click the Exhibit button.

Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.

What is causing the problem?

A. Telnet is not being permitted by self policy.

B. Telnet is not being permitted by security policy.

C. Telnet is not allowed because it is not considered secure.

D. Telnet is not enabled as a host-inbound service on the zone.

Answer: D

QUESTION NO: 73

Click the Exhibit button.

Based on the exhibit, client PC 192.168.10.10 cannot ping 1.1.1.2.

Which is a potential cause for this problem?

A. The untrust zone does not have a management policy configured.

B. The trust zone does not have ping enabled as a host-inbound-traffic service.

C. The security policy from the trust zone to the untrust zone does not permit ping.


D. No security policy exists for the ICMP reply packet from the untrust zone to the trust zone.

Answer: C

QUESTION NO: 74

Click the Exhibit button.

[edit security zones security-zone HR]
user@host# show
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        https;
    }
}
interfaces {
    ge-0/0/0.0;
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-0/0/2.0 {
        host-inbound-traffic {
            system-services {
                ping;
                ftp;
            }
        }
    }
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                all;
                ssh {
                    except;
                }
            }
        }
    }
}

All system services have been enabled.

Given the configuration shown in the exhibit, which interface allows both ping and SSH traffic?

A. ge-0/0/0.0

B. ge-0/0/1.0


C. ge-0/0/2.0

D. ge-0/0/3.0

Answer: A

QUESTION NO: 75

Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound

Allowed host-inbound traffic : bgp ospf

Which configuration would result in the output shown in the exhibit?

A. [edit security zones functional-zone management]
user@host# show
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            protocols {
                bgp;
                ospf;
                vrrp;
            }
        }
    }
}
host-inbound-traffic {
    protocols {
        all;
        vrrp {
            except;
        }
    }
}

B. [edit security zones functional-zone management]
user@host# show
host-inbound-traffic {
    protocols {
        bgp;
        ospf;
    }
}

C. [edit security zones security-zone trust]
user@host# show
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            protocols {
                ospf;
                bgp;
            }
        }
    }
}

D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    protocols {
        bgp;
    }
}
interfaces {
    all {
        host-inbound-traffic {
            protocols {
                ospf;
            }
        }
    }
}

Answer: C

QUESTION NO: 76

Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound

Allowed host-inbound traffic : ping ssh telnet

Which configuration would result in the output shown in the exhibit?

A. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    system-services {
        ping;
        telnet;
    }
}
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                ssh;
                telnet;
            }
        }
    }
}

B. [edit security zones functional-zone management]
user@host# show
interfaces {
    all;
}
host-inbound-traffic {
    system-services {
        all;
        ftp {
            except;
        }
    }
}

C. [edit security zones functional-zone management]
user@host# show
interfaces {
    all {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}
host-inbound-traffic {
    system-services {
        telnet;
        ssh;
    }
}

D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    system-services {
        ssh;
        ping;
        telnet;
    }
}
interfaces {
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-0/0/0.0;
}

Answer: D


QUESTION NO: 77

Click the Exhibit button.

[edit security]
user@host# show
zones {
    security-zone ZoneA {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
    }
    security-zone ZoneB {
        interfaces {
            ge-0/0/3.0;
        }
    }
}
policies {
    from-zone ZoneA to-zone ZoneB {
        policy A-to-B {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet

connection to the device's ge-0/0/1.0 IP address.

What does the device do?

A. The device sends back a TCP reset packet.

B. The device silently discards the packet.

C. The device forwards the packet out the ge-0/0/1.0 interface.


D. The device responds with a TCP SYN/ACK packet and opens the connection.

Answer: B

QUESTION NO: 78

Which two commands can be used to monitor firewall user authentication? (Choose two.)

A. show access firewall-authentication

B. show security firewall-authentication users

C. show security audit log

D. show security firewall-authentication history

Answer: B,D

QUESTION NO: 79

Which two statements regarding external authentication servers for firewall user

authentication are true? (Choose two.)

A. Up to three external authentication server types can be used simultaneously.

B. Only one external authentication server type can be used simultaneously.

C. If the local password database is not configured in the authentication order, and the

configured authentication server is unreachable, authentication is not performed.

D. If the local password database is not configured in the authentication order, and the

configured authentication server rejects the authentication request, authentication is not

performed.

Answer: B,D

QUESTION NO: 80

Which two external authentication server types are supported by JUNOS Software for

firewall user authentication? (Choose two.)

A. RADIUS

B. TACACS+

C. LDAP

D. IIS

Answer: A,C


QUESTION NO: 81

Click the Exhibit button.

[edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    system-services {
        all;
    }
}
interfaces {
    ge-0/0/0.0;
}

Referring to the exhibit, which two traffic types are permitted when the destination is the ge-0/0/0.0 IP address? (Choose two.)

A. Telnet

B. OSPF

C. ICMP

D. RIP

Answer: A,C

QUESTION NO: 82

Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options are deployed at the ingress and egress sides of a packet flow.

B. Although SCREEN options are very useful, their use can result in more session creation.

C. SCREEN options offer protection against various attacks at the ingress zone of a packet

flow.

D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer

resources used for malicious packet processing.

Answer: C,D

QUESTION NO: 83

Which two statements about the use of SCREEN options are correct? (Choose two.)


A. SCREEN options offer protection against various attacks.

B. SCREEN options are deployed prior to route and policy processing in first path packet

processing.

C. SCREEN options are deployed at the ingress and egress sides of a packet flow.

D. When you deploy SCREEN options, you must take special care to protect OSPF.

Answer: A,B

QUESTION NO: 84

What are three main phases of an attack? (Choose three.)

A. DoS

B. exploit

C. propagation

D. port scanning

E. reconnaissance

Answer: B,C,E

QUESTION NO: 85

An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies.

Which type of attack does this scenario describe?

A. DoS

B. SYN flood

C. port scanning

D. IP address sweep

Answer: C

QUESTION NO: 86

Click the Exhibit button.

profile ftp-users {
    client nancy {
        firewall-user {
            password "$9$lJ8vLNdVYZUHKMi.PfzFcyrvX7"; ## SECRET-DATA
        }
    }
    client walter {
        firewall-user {
            password "$9$a1UqfTQnApB36pBREKv4aJUk.5QF"; ## SECRET-DATA
        }
    }
    session-options {
        client-group ftp-group;
    }
}
firewall-authentication {
    pass-through {
        default-profile ftp-users;
        ftp {
            banner {
                login "JUNOS Rocks!";
            }
        }
    }
}

Given the configuration shown in the exhibit, which configuration object would be used to

associate both Nancy and Walter with firewall user authentication within a security policy?

A. ftp-group

B. ftp-users

C. firewall-user

D. nancy and walter

Answer: A

QUESTION NO: 87

Prior to applying SCREEN options to drop traffic, you want to determine how your configuration

will affect traffic.

Which mechanism would you configure to achieve this objective?

A. the log option for the particular SCREEN option

B. the permit option for the particular SCREEN option

C. the SCREEN option, because it does not drop traffic by default

D. the alarm-without-drop option for the particular SCREEN option

Answer: D

QUESTION NO: 88

You must configure a SCREEN option that would protect your device from a session table flood.

Which configuration meets this requirement?


A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    icmp {
        ip-sweep threshold 5000;
        flood threshold 2000;
    }
}

B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    tcp {
        syn-flood {
            attack-threshold 2000;
            destination-threshold 2000;
        }
    }
}

C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    udp {
        flood threshold 5000;
    }
}

D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    limit-session {
        source-ip-based 1200;
        destination-ip-based 1200;
    }
}

Answer: D

QUESTION NO: 89

You are required to configure a SCREEN option that enables IP source route option

detection.

Which two configurations meet this requirement? (Choose two.)

A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        loose-source-route-option;
        strict-source-route-option;
    }
}

B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        source-route-option;
    }
}

C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        record-route-option;
        security-option;
    }
}

D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        strict-source-route-option;
        record-route-option;
    }
}

Answer: A,B

QUESTION NO: 90

Which parameters are valid SCREEN options for combating operating system probes?

A. syn-fin, syn-flood, and tcp-no-frag

B. syn-fin, port-scan, and tcp-no-flag

C. syn-fin, fin-no-ack, and tcp-no-frag

D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag

Answer: C

QUESTION NO: 91

Which two firewall user authentication objects can be referenced in a security policy?

(Choose two.)


A. access profile

B. client group

C. client

D. default profile

Answer: B,C

QUESTION NO: 92

Which statement describes the behavior of a security policy?

A. The implicit default security policy permits all traffic.

B. Traffic destined to the device itself always requires a security policy.

C. Traffic destined to the device's incoming interface does not require a security policy.

D. The factory-default configuration permits all traffic from all interfaces.

Answer: C

QUESTION NO: 93

A network administrator wants to permit Telnet traffic initiated from the address book entry

the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.

However, the administrator does not want the server to be able to initiate any type of traffic

from the TRUST zone to the UNTRUST zone.

Which configuration would correctly accomplish this task?

A. from-zone UNTRUST to-zone TRUST {
    policy DenyServer {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone TRUST to-zone UNTRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}

B. from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}

C. from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
}

D. from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}

Answer: B

QUESTION NO: 94

Click the Exhibit button.

[edit security policies]
user@host# show
from-zone trust to-zone untrust {
    policy AllowHTTP {
        match {
            source-address HOSTA;
            destination-address any;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
    policy AllowHTTP2 {
        match {
            source-address any;
            destination-address HOSTA;
            application junos-http;
        }
        then {
            permit;
        }
    }
    policy AllowHTTP3 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from

HOSTA and that HOSTA is in zone trust and HOSTB is in zone untrust.

What will happen to the traffic given the configuration in the exhibit?

A. The traffic will be permitted by policy AllowHTTP.

B. The traffic will be permitted by policy AllowHTTP3.

C. The traffic will be permitted by policy AllowHTTP2.

D. The traffic will be dropped as no policy match will be found.

Answer: B

QUESTION NO: 95

Which three advanced permit actions within security policies are valid? (Choose three.)

A. Mark permitted traffic for firewall user authentication.

B. Mark permitted traffic for SCREEN options.

C. Associate permitted traffic with an IPsec tunnel.

D. Associate permitted traffic with a NAT rule.

E. Mark permitted traffic for IDP processing.

Answer: A,C,E

QUESTION NO: 96

Under which configuration hierarchy is an access profile configured for firewall user

authentication?

A. [edit access]

B. [edit security access]

C. [edit firewall access]

D. [edit firewall-authentication]

Answer: A


QUESTION NO: 97

Your task is to provision the JUNOS security platform to permit transit packets from the

Private zone to the External zone by using an IPsec VPN and log information at the time of

session close.

Which configuration meets this requirement?

A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
            }
        }
        log {
            session-init;
        }
    }
}

B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
            }
        }
        count {
            session-close;
        }
    }
}

C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
            }
        }
        log {
            session-close;
        }
    }
}

D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
                log;
                count session-close;
            }
        }
    }
}

Answer: C

QUESTION NO: 98

You want to create a security policy allowing traffic from any host in the Trust zone to

hostb.example.com (172.19.1.1) in the Untrust zone.

How do you create this policy?

A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.

B. Specify the DNS entry (hostb.example.com.) as the destination address in the policy.

C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference

this entry in the policy.


D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference

this entry in the policy.

Answer: D

QUESTION NO: 99

What is the purpose of an address book?

A. It holds security policies for particular hosts.

B. It holds statistics about traffic to and from particular hosts.

C. It defines hosts in a zone so they can be referenced by policies.

D. It maps hostnames to IP addresses to serve as a backup to DNS resolution.

Answer: C

QUESTION NO: 100

Click the Exhibit button.

[edit schedulers]
user@host# show
scheduler now {
    monday all-day;
    tuesday exclude;
    wednesday {
        start-time 07:00:00 stop-time 18:00:00;
    }
    thursday {
        start-time 07:00:00 stop-time 18:00:00;
    }
}

[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}

Based on the configuration shown in the exhibit, what will happen to the traffic matching the

security policy?

A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.

B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.

C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and

Wednesdays between 7:00 am and 6:00 pm, and Thursdays between 7:00 am and 6:00 pm.

D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and

Wednesdays between 6:01 pm and 6:59 am, and Thursdays between 6:01 pm and 6:59 am.

Answer: C

QUESTION NO: 101

Which configuration keyword ensures that all in-progress sessions are re-evaluated upon

committing a security policy change?

A. policy-rematch

B. policy-evaluate

C. rematch-policy

D. evaluate-policy

Answer: A

QUESTION NO: 102

Click the Exhibit button.

[edit security policies]
user@host# show
from-zone Private to-zone External {
    policy MyTraffic {
        match {
            source-address myHosts;
            destination-address ExtServers;
            application [ junos-ftp junos-bgp ];
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpnTunnel;
                }
            }
        }
    }
}
policy-rematch;

In the exhibit, you decided to change myHosts addresses.

What will happen to the new sessions matching the policy and in-progress sessions that had

already matched the policy?

A. New sessions will be evaluated. In-progress sessions will be re-evaluated.

B. New sessions will be evaluated. All in-progress sessions will continue.

C. New sessions will be evaluated. All in-progress sessions will be dropped.

D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will

be re-evaluated and possibly dropped.

Answer: A

QUESTION NO: 103

Using a policy with the policy-rematch flag enabled, what happens to the existing and new

sessions when you change the policy action from permit to deny?

A. The new sessions matching the policy are denied. The existing sessions are dropped.

B. The new sessions matching the policy are denied. The existing sessions, not being allowed to

carry any traffic, simply timeout.

C. The new sessions matching the policy might be allowed through if they match another

policy. The existing sessions are dropped.

D. The new sessions matching the policy are denied. The existing sessions continue until they

are completed or their timeout is reached.

Answer: A

QUESTION NO: 104

Click the Exhibit button.

[edit security policies]
user@host# show
from-zone Private to-zone External {
    policy MyTraffic {
        match {
            source-address myHosts;
            destination-address ExtServers;
            application [ junos-ftp junos-bgp ];
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpnTunnel;
                }
            }
        }
    }
}
policy-rematch;

In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application

from the match condition of the policy MyTraffic.

What will happen to the existing FTP and BGP sessions?

A. The existing FTP and BGP sessions will continue.

B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be

dropped.

C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.

D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.

Answer: B

QUESTION NO: 105

Click the Exhibit button.

[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
    match {
        source-address subnet_a;
        destination-address host_b;
        application [ junos-telnet junos-ping ];
    }
    then {
        reject;
    }
}
policy one {
    match {
        source-address host_a;
        destination-address subnet_b;
        application any;
    }
    then {
        permit;
    }
}


host_a is in subnet_a and host_b is in subnet_b.

Given the configuration shown in the exhibit, which statement is true about traffic from host_a

to host_b?

A. DNS traffic is denied.

B. Telnet traffic is denied.

C. SMTP traffic is denied.

D. Ping traffic is permitted.

Answer: B

QUESTION NO: 106

Click the Exhibit button.

[edit security policies from-zone HR to-zone trust]
user@host# show
policy one {
    match {
        source-address any;
        destination-address any;
        application [ junos-http junos-ftp ];
    }
    then {
        permit;
    }
}
policy two {
    match {
        source-address host_a;
        destination-address host_b;
        application [ junos-http junos-smtp ];
    }
    then {
        deny;
    }
}

Assume the default-policy has not been configured.

Given the configuration shown in the exhibit, which two statements about traffic from host_a in the

HR zone to host_b in the trust zone are true? (Choose two.)

A. DNS traffic is denied.

B. HTTP traffic is denied.


C. FTP traffic is permitted.

D. SMTP traffic is permitted.

Answer: A,C

QUESTION NO: 107

What are two uses of NAT? (Choose two.)

A. conserving public IP addresses

B. allowing stateful packet inspection

C. preventing unauthorized connections from outside the network

D. allowing networks with overlapping private address space to communicate

Answer: A,D

QUESTION NO: 108

Which two are uses of NAT? (Choose two.)

A. enabling network migrations

B. conserving public IP addresses

C. allowing stateful packet inspection

D. preventing unauthorized connections from outside the network

Answer: A,B

QUESTION NO: 109

Which three methods of source NAT does JUNOS Software support? (Choose three.)

A. interface-based source NAT

B. source NAT with address shifting

C. source NAT using static source pool

D. interface-based source NAT without PAT

E. source NAT with address shifting and PAT

Answer: A,B,C

QUESTION NO: 110


Which statement describes the behavior of source NAT with address shifting?

A. Source NAT with address shifting translates both the source IP address and the source port of

a packet.

B. Source NAT with address shifting defines a one-to-one mapping from an original source IP

address to a translated source IP address.

C. Source NAT with address shifting can translate multiple source IP addresses to the same

translated IP address.

D. Source NAT with address shifting allows inbound connections to be initiated to the static source

pool IP addresses.

Answer: B

QUESTION NO: 111

What are three configuration objects used to build JUNOS IDP rules? (Choose three.)

A. zone objects

B. policy objects

C. attack objects

D. detect objects

E. application objects

Answer: A,C,E

QUESTION NO: 112

Which two statements are true regarding firewall user authentication? (Choose two.)

A. When configured for pass-through firewall user authentication, the user must first open a

connection to the JUNOS security platform before connecting to a remote network resource.

B. When configured for Web firewall user authentication only, the user must first open a

connection to the JUNOS security platform before connecting to a remote network resource.

C. If a JUNOS security device is configured for pass-through firewall user authentication, new

sessions are automatically intercepted to perform authentication.

D. If a JUNOS security device is configured for Web firewall user authentication, new sessions are

automatically intercepted to perform authentication.

Answer: B,C


QUESTION NO: 113

Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address

and network mask of 71.33.252.17/24. A webserver with IP address 10.20.20.1 is running an

HTTP service on TCP port 8080. The webserver is attached to the ge-0/0/0.0 interface of your

device. You must use NAT to make the webserver reachable from the Internet using port

translation.

Which type of NAT must you configure?

A. source NAT with address shifting

B. pool-based source NAT

C. static destination NAT

D. pool-based destination NAT

Answer: D

QUESTION NO: 114

Which two statements about static NAT are true? (Choose two.)

A. Static NAT can only be used with destination NAT.

B. Static NAT rules take precedence over overlapping dynamic NAT rules.

C. Dynamic NAT rules take precedence over overlapping static NAT rules.

D. A reverse mapping is automatically created.

Answer: B,D

QUESTION NO: 115

Which statement is true about source NAT?

A. Source NAT works only with source pools.

B. Destination NAT is required to translate the reply traffic.

C. Source NAT does not require a security policy to function.

D. The egress interface IP address can be used for source NAT.

Answer: D

QUESTION NO: 116


Which two statements are true about overflow pools? (Choose two.)

A. Overflow pools do not support PAT.

B. Overflow pools can not use the egress interface IP address for NAT.

C. Overflow pools must use PAT.

D. Overflow pools can contain the egress interface IP address or separate IP addresses.

Answer: C,D

QUESTION NO: 117

Which statement is true regarding proxy ARP?

A. Proxy ARP is enabled by default on stand-alone JUNOS security devices.

B. Proxy ARP is enabled by default on chassis clusters.

C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is

enabled.

D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy

ARP is enabled.

Answer: D

QUESTION NO: 118

Which configuration shows a pool-based source NAT without PAT?

A. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
            port no-translation;
        }
    }
}

B. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
            port no-translation;
        }
    }
}

C. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    port no-translation;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}

D. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}

Answer: C

QUESTION NO: 119

Click the Exhibit button.

[edit security nat source]
user@host# show
rule-set 1 {
    from interface ge-0/0/2.0;
    to zone untrust;
    rule 1A {
        match {
            destination-address 1.1.70.0/24;
        }
        then {
            source-nat interface;
        }
    }
}

Which type of source NAT is configured in the exhibit?

A. interface-based source NAT

B. static source NAT

C. pool-based source NAT with PAT

D. pool-based source NAT without PAT

Answer: A

QUESTION NO: 120

Click the Exhibit button.

[edit security nat destination]
user@host# show
pool A {
    address 10.1.10.5/32;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}

Which type of source NAT is configured in the exhibit?

A. static destination NAT

B. static source NAT

C. pool-based destination NAT without PAT

D. pool-based destination NAT with PAT

Answer: C

QUESTION NO: 121

Which statement is true about a NAT rule action of off?

A. The NAT action of off is only supported for destination NAT rule-sets.

B. The NAT action of off is only supported for source NAT rule-sets.

C. The NAT action of off is useful for detailed control of NAT.

D. The NAT action of off is useful for disabling NAT when a pool is exhausted.

Answer: C

QUESTION NO: 122

Which statement accurately describes firewall user authentication?

A. Firewall user authentication provides another layer of security in a network.

B. Firewall user authentication provides a means for accessing a JUNOS Software-based security

device.

C. Firewall user authentication enables session-based forwarding.


D. Firewall user authentication is used as a last resort security method in a network.

Answer: A

QUESTION NO: 123

Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP?

(Choose three.)

A. data integrity

B. data confidentiality

C. data authentication

D. outer IP header confidentiality

E. outer IP header authentication

Answer: A,B,C

QUESTION NO: 124

Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by

AH? (Choose three.)

A. data integrity

B. data confidentiality

C. data authentication

D. outer IP header confidentiality

E. outer IP header authentication

Answer: A,C,E

QUESTION NO: 125

Which two statements regarding asymmetric key encryption are true? (Choose two.)

A. The same key is used for encryption and decryption.

B. It is commonly used to create digital certificate signatures.

C. It uses two keys: one for encryption and a different key for decryption.

D. An attacker can decrypt data if the attacker captures the key used for encryption.

Answer: B,C


QUESTION NO: 126

Which two statements about the Diffie-Hellman (DH) key exchange process are correct?

(Choose two.)

A. In the DH key exchange process, the session key is never passed across the network.

B. In the DH key exchange process, the public and private keys are mathematically related using

the DH algorithm.

C. In the DH key exchange process, the session key is passed across the network to the peer for

confirmation.

D. In the DH key exchange process, the public and private keys are not mathematically related,

ensuring higher security.

Answer: A,B

QUESTION NO: 127

Which two statements about the Diffie-Hellman (DH) key exchange process are correct?

(Choose two.)

A. In the DH key exchange process, the public key values are exchanged across the network.

B. In the DH key exchange process, the private key values are exchanged across the network.

C. In the DH key exchange process, each device creates unique public and private keys that

are mathematically related by the DH algorithm.

D. In the DH key exchange process, each device creates a common public and a unique

private key that are mathematically related by the DH algorithm.

Answer: A,B

QUESTION NO: 128

Which three parameters are configured in the IKE policy? (Choose three.)

A. mode

B. preshared key

C. external interface

D. security proposals

E. dead peer detection settings

Answer: A,B,D


QUESTION NO: 129

Which two parameters are configured in IPsec policy? (Choose two.)

A. mode

B. IKE gateway

C. security proposal

D. Perfect Forward Secrecy

Answer: C,D

QUESTION NO: 130

Regarding an IPsec security association (SA), which two statements are true? (Choose

two.)

A. IKE SA is bidirectional.

B. IPsec SA is bidirectional.

C. IKE SA is established during phase 2 negotiations.

D. IPsec SA is established during phase 2 negotiations.

Answer: A,C

QUESTION NO: 131

Which operational mode command displays all active IPsec phase 2 security associations?

A. show ike security-associations

B. show ipsec security-associations

C. show security ike security-associations

D. show security ipsec security-associations

Answer: D

QUESTION NO: 132

Two VPN peers are negotiating IKE phase 1 using main mode.

Which message pair in the negotiation contains the phase 1 proposal for the peers?

A. message 1 and 2

B. message 3 and 4

C. message 5 and 6

D. message 7 and 8

Answer: A

QUESTION NO: 133

Which attribute is required for all IKE phase 2 negotiations?

A. proxy-ID

B. preshared key

C. Diffie-Hellman group key

D. main or aggressive mode

Answer: A

QUESTION NO: 134

Which attribute is optional for IKE phase 2 negotiations?

A. proxy-ID

B. phase 2 proposal

C. Diffie-Hellman group key

D. security protocol (ESP or AH)

Answer: C
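Phase 2 (quick mode) key derivation, as an added example that is neither from the practice test nor Juniper code. It makes concrete why an IPsec SA is unidirectional while the IKE SA is not, and what the optional phase 2 DH group (Perfect Forward Secrecy in the IPsec policy) buys. The KEYMAT expansion and the ESP protocol identifier follow RFC 2409 section 5.5 and RFC 2407; the key sizes are those of an AES-128/HMAC-SHA1 proposal; the SKEYID_d, SPI and nonce values are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict

PROTO_ESP = b"\x03"   # IPsec DOI protocol identifier for ESP (RFC 2407)
AES128_KEY = 16       # AES-128 key, as in the Junos "standard" IPsec proposal set
HMAC_SHA1_KEY = 20    # HMAC-SHA1 key; together 36 bytes of KEYMAT per SA

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, need: int, qm_gxy: bytes = b"") -> bytes:
    """RFC 2409 section 5.5: K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b),
    Kn = prf(SKEYID_d, Kn-1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b), KEYMAT = K1 | K2 | ...
    Ni_b and Nr_b are the quick mode nonces. qm_gxy is the quick mode DH secret and is
    present only when PFS was negotiated."""
    seed = qm_gxy + PROTO_ESP + spi + ni + nr
    out, block = b"", b""
    while len(out) < need:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:need]

def split_keymat(km: bytes):
    """Encryption key first, then the authentication key (RFC 2409 section 5.5)."""
    return km[:AES128_KEY], km[AES128_KEY:AES128_KEY + HMAC_SHA1_KEY]

def quick_mode_sas(skeyid_d: bytes, spi_i: bytes, spi_r: bytes, ni: bytes, nr: bytes,
                   qm_gxy: bytes = b"") -> Dict[str, bytes]:
    """One quick mode negotiation produces two unidirectional ESP SAs. Each side chooses
    the SPI for the SA it will receive on, so the responder's SPI keys I->R traffic and
    the initiator's SPI keys R->I traffic. The single, bidirectional IKE SA (SKEYID_d)
    feeds both derivations."""
    need = AES128_KEY + HMAC_SHA1_KEY
    return {
        "I->R": keymat(skeyid_d, spi_r, ni, nr, need, qm_gxy),
        "R->I": keymat(skeyid_d, spi_i, ni, nr, need, qm_gxy),
    }

def phase1_compromise_recovers_data_keys(live: Dict[str, bytes], skeyid_d: bytes,
                                         spi_i: bytes, spi_r: bytes, ni: bytes, nr: bytes) -> bool:
    """Attacker model: SKEYID_d has leaked and the SPIs and nonces were captured, but the
    quick mode DH exchange was not broken. Without PFS the recomputation equals the live
    keys; with PFS the attacker lacks g(qm)^xy and derives different keys."""
    return quick_mode_sas(skeyid_d, spi_i, spi_r, ni, nr) == live

if __name__ == "__main__":
    # Constructed values; a real SKEYID_d comes from the phase 1 exchange.
    skd, ni, nr = bytes(range(20)), b"\x11" * 16, b"\x22" * 16
    spi_i, spi_r = b"\xc0\x00\x00\x01", b"\xc0\x00\x00\x02"
    for label, qm in (("no PFS", b""), ("PFS", b"\x99" * 128)):
        sas = quick_mode_sas(skd, spi_i, spi_r, ni, nr, qm)
        print(label, {d: k[:4].hex() for d, k in sas.items()}, "recoverable from phase 1 keys:",
              phase1_compromise_recovers_data_keys(sas, skd, spi_i, spi_r, ni, nr))
```

Because each direction has its own SPI and therefore its own KEYMAT, an SA is identified by SPI, destination and protocol, and show security ipsec security-associations lists the two directions of a tunnel as separate entries (marked with < for inbound and > for outbound).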

QUESTION NO: 135

A route-based VPN is required for which scenario?

A. when the remote VPN peer is behind a NAT device

B. when multiple networks need to be reached across the tunnel and GRE cannot be used

C. when the remote VPN peer is a dialup or remote access client

D. when a dynamic routing protocol is required across the VPN and GRE cannot be used

Answer: D

QUESTION NO: 136

A policy-based IPsec VPN is ideal for which scenario?

A. when you want to conserve tunnel resources

B. when the remote peer is a dialup or remote access client

C. when you want to configure a tunnel policy with an action of deny

D. when a dynamic routing protocol such as OSPF must be sent across the VPN

Answer: B

QUESTION NO: 137

Regarding a route-based versus policy-based IPsec VPN, which statement is true?

A. A route-based VPN generally uses fewer resources than a policy-based VPN.

B. A route-based VPN cannot have a deny action in a policy; a policy-based VPN can have a deny action.

C. A route-based VPN is better suited for dialup or remote access compared to a policy-based VPN.

D. A route-based VPN uses a policy referencing the IPsec VPN; a policy-based VPN policy does not use a policy referencing the IPsec VPN.

Answer: A

QUESTION NO: 138

Which two configuration elements are required for a route-based VPN? (Choose two.)

A. secure tunnel interface

B. security policy to permit the IKE traffic

C. a route for the tunneled transit traffic

D. tunnel policy for transit traffic referencing the IPsec VPN

Answer: A,C

QUESTION NO: 139

Which two configuration elements are required for a policy-based VPN? (Choose two.)

A. IKE gateway

B. secure tunnel interface

C. security policy to permit the IKE traffic

D. security policy referencing the IPsec VPN tunnel

Answer: A,D

QUESTION NO: 140

Click the Exhibit button.

[edit security policies from-zone trust to-zone untrust]

user@host# show

policy tunnel-traffic {
    match {
        source-address local-net;
        destination-address remote-net;
        application any;
    }
    then {
        permit;
    }
}

You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?

A. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then tunnel remote-vpn

B. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn

C. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn

D. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Answer: D

QUESTION NO: 141

Click the Exhibit button.

[edit security policies from-zone trust to-zone untrust]

user@host# show

policy tunnel-traffic {
    match {
        source-address local-net;
        destination-address remote-net;
        application any;
    }
    then {
        permit;
    }
}

Which command is needed to change this policy to a tunnel policy for a policy-based VPN?

A. set policy tunnel-traffic then tunnel remote-vpn

B. set policy tunnel-traffic then permit tunnel remote-vpn

C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit

D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Answer: D

QUESTION NO: 142

Click the Exhibit button.

[edit security]

user@host# show

ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
    }
    gateway remote-ike {
        ike-policy ike-policy1;
        address 172.19.51.170;
        external-interface ge-0/0/3.0;
    }
}
ipsec {
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn remote-vpn {
        ike {
            gateway remote-ike;
            ipsec-policy vpn-policy1;
        }
    }
}

Assuming you want to configure a route-based VPN, which command is required to bind the VPN

to secure tunnel interface st0.0?

A. set ipsec vpn remote-vpn bind-interface st0.0

B. set ike gateway remote-ike bind-interface st0.0

C. set ike policy ike-policy1 bind-interface st0.0

D. set ipsec policy vpn-policy1 bind-interface st0.0

Answer: A
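The route-based versus policy-based questions above come down to one check: something must select the VPN for transit traffic, either a bind-interface on the vpn (route-based, with st0.0 placed in a security zone and a route pointing at it) or a permit tunnel ipsec-vpn policy (policy-based). As an added example, not part of the practice test and not a Juniper tool, here is a small Python parser for the curly-brace form of show output and an audit that classifies a VPN under [edit security]. The samples are built from the exhibit above and from the tunnel-traffic policy in the two preceding questions, compacted onto fewer lines (line breaks carry no meaning in Junos brace syntax); the zone name vpn is an assumption.

```python
import re
from typing import Any, Dict, List

Node = Dict[str, Any]   # "stanza {" -> nested dict, "leaf statement;" -> None
_TOKEN = re.compile(r"([^{};]*)([{};])\s*(.*)")

def parse_junos(text: str) -> Node:
    """Turn curly-brace 'show' output into nested dicts. Hierarchy only; no schema checks."""
    root: Node = {}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()          # drop "## SECRET-DATA" annotations
        while line:
            m = _TOKEN.match(line)
            if not m:
                raise ValueError(f"unterminated statement: {line!r}")
            head, tok, line = m.group(1).strip(), m.group(2), m.group(3)
            if tok == "{":
                stack[-1][head] = child = {}
                stack.append(child)
            elif tok == ";":
                stack[-1][head] = None
            else:                                      # "}" closes the current stanza
                stack.pop()
    return root

def sub(node: Any, key: str) -> Node:
    """Child stanza `key` of `node`, or {} if absent or a bare leaf."""
    return (node or {}).get(key) or {}

def audit_vpn(cfg: Node, vpn: str) -> Dict[str, Any]:
    """cfg is the [edit security] hierarchy. Reports how (or whether) `vpn` can carry traffic."""
    vpn_node = sub(sub(cfg, "ipsec"), f"vpn {vpn}")
    bind = [k.split()[1] for k in vpn_node if k.startswith("bind-interface ")]
    tunnel_policies = []
    for pair, pnode in sub(cfg, "policies").items():
        for pname, pol in (pnode or {}).items():
            tunnel = sub(sub(sub(pol, "then"), "permit"), "tunnel")
            if f"ipsec-vpn {vpn}" in tunnel:
                tunnel_policies.append(f"{pair} {pname}")
    st_zones = [z for z, znode in sub(cfg, "zones").items()
                if any(b in sub(znode, "interfaces") for b in bind)]
    if not vpn_node:
        kind = "undefined"
    elif bind and not tunnel_policies:
        kind = "route-based" if st_zones else "route-based, but the st0 interface is in no security zone"
    elif tunnel_policies and not bind:
        kind = "policy-based"
    elif bind and tunnel_policies:
        kind = "both a bind-interface and a tunnel policy reference this VPN; pick one"
    else:
        kind = "unbound: no bind-interface and no tunnel policy, so nothing selects this VPN"
    return {"kind": kind, "bind_interface": bind, "tunnel_policies": tunnel_policies, "st_zones": st_zones}

# The exhibit above: the VPN is fully defined, but nothing binds or references it yet.
EXHIBIT = """
ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
    }
    gateway remote-ike { ike-policy ike-policy1; address 172.19.51.170; external-interface ge-0/0/3.0; }
}
ipsec {
    policy vpn-policy1 { proposal-set standard; }
    vpn remote-vpn { ike { gateway remote-ike; ipsec-policy vpn-policy1; } }
}
"""
# Route-based: the bind-interface answer plus the zone membership st0.0 needs (zone "vpn" assumed).
ROUTE_BASED = EXHIBIT.replace("vpn remote-vpn {", "vpn remote-vpn { bind-interface st0.0;") + """
zones { security-zone vpn { interfaces { st0.0; } } }
"""
# Policy-based: the tunnel-traffic policy from the two preceding questions instead of a bind-interface.
POLICY_BASED = EXHIBIT + """
policies {
    from-zone trust to-zone untrust {
        policy tunnel-traffic {
            match { source-address local-net; destination-address remote-net; application any; }
            then { permit { tunnel { ipsec-vpn remote-vpn; } } }
        }
    }
}
"""

if __name__ == "__main__":
    for label, text in (("exhibit", EXHIBIT), ("route-based", ROUTE_BASED), ("policy-based", POLICY_BASED)):
        print(label, "->", audit_vpn(parse_junos(text), "remote-vpn")["kind"])
```

The parser ignores the IKE traffic itself on purpose: IKE terminates on the device and is admitted by host-inbound-traffic on the external interface's zone, not by a security policy, which is why a policy permitting IKE is not among the required elements in either VPN type.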

QUESTION NO: 143

Which two traffic types trigger pass-through firewall user authentication? (Choose two.)

A. SSH

B. Telnet

C. ICMP

D. OSPF

E. HTTP

Answer: B,E

QUESTION NO: 144

Which IDP policy action drops a packet before it can reach its destination, but does not close the connection?

A. discard-packet

B. drop-traffic

C. discard-traffic

D. drop-packet

Answer: D

QUESTION NO: 145

Which two statements are true regarding high-availability chassis clustering? (Choose two.)

A. A chassis cluster consists of two devices.

B. A chassis cluster consists of two or more devices.

C. Devices participating in a chassis cluster can be different models.

D. Devices participating in a chassis cluster must be the same models.

Answer: A,D

QUESTION NO: 146

You are implementing an IDP policy template from Juniper Networks.

Which three steps are included in this process? (Choose three.)

A. activating a JUNOS Software commit script

B. configuring an IDP groups statement

C. setting up a chassis cluster

D. downloading the IDP policy templates

E. installing the policy templates

Answer: A,D,E

QUESTION NO: 147

Which three statements are true when working with high-availability clusters? (Choose three.)

A. The valid cluster-id range is between 0 and 255.

B. JUNOS security devices can belong to more than one cluster if cluster virtualization is enabled.

C. If the cluster-id value is set to 0 on a JUNOS security device, the device will not participate in the cluster.

D. A reboot is required if the cluster-id or node value is changed.

E. JUNOS security devices can belong to one cluster only.

Answer: C,D,E

QUESTION NO: 148

You have been tasked with performing an update to the IDP attack database.

Which three requirements are included as part of this task? (Choose three.)

A. The IDP security package must be installed after it is downloaded.

B. The device must be rebooted to complete the update.

C. The device must be connected to a network.

D. An IDP license must be installed on your device.

E. You must be logged in as the root user.

Answer: A,C,D

QUESTION NO: 149

What is a redundancy group in JUNOS Software?

A. a set of chassis clusters that fail over as a group

B. a set of devices that participate in a chassis cluster

C. a set of VRRP neighbors that fail over as a group

D. a set of chassis cluster objects that fail over as a group

Answer: D

QUESTION NO: 150

What is the functionality of redundant interfaces (reth) in a chassis cluster?

A. reth interfaces are used only for VRRP.

B. reth interfaces are the same as physical interfaces.

C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.

D. Each cluster member has a reth interface that can be used to share session state information with the other cluster members.

Answer: C

QUESTION NO: 151

When devices are in cluster mode, which new interfaces are created?

A. No new interface is created.

B. Only the st interface is created.

C. fxp1, fab0, and fab1 are created.

D. st, fxp1, reth, fab0, and fab1 are created.

Answer: C

QUESTION NO: 152

In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?

A. This interface is a system-created interface.

B. This interface belongs to node 0 of the cluster.

C. This interface belongs to node 1 of the cluster.

D. This interface will not exist because SRX 5800 devices have only 12 slots.

Answer: C

QUESTION NO: 153

Which IDP policy action closes the connection and sends an RST packet to both the client and the server?

A. close-connection

B. terminate-connection

C. close-client-and-server

D. terminate-session

Answer: C

QUESTION NO: 154

Which statement is true regarding redundancy groups?

A. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.

B. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 1.

C. The primary role can be shared for redundancy group 0 when the active-active option is enabled.

D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.

Answer: D

QUESTION NO: 155

Which two statements are true regarding redundancy groups? (Choose two.)

A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 0.

B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.

C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.

D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.

Answer: A,C

QUESTION NO: 156

Which three options represent IDP policy match conditions? (Choose three.)

A. service

B. to-zone

C. attacks

D. port

E. destination-address

Answer: B,C,E

QUESTION NO: 157

Which three options represent IDP policy match conditions? (Choose three.)

A. protocol

B. source-address

C. port

D. application

E. attacks

Answer: B,D,E

QUESTION NO: 158

What are three configuration objects used to build JUNOS IDP rules? (Choose three.)

A. zone objects

B. policy objects

C. attack objects

D. alert and notify objects

E. network and address objects

Answer: A,C,E
