juniper jn0-332 v6

8/22/2019 Juniper JN0-332 v6

1/103

Juniper JN0-332

Juniper Networks Certified Internet Specialist, SEC

(JNCIS-SEC)Version: 6.0

8/22/2019 Juniper JN0-332 v6

2/103

QUESTION NO: 1

Which configuration keyword ensures that all in-progress sessions are re-evaluated upon

committing a security policy change?

A. policy-rematch

B. policy-evaluateC. rematch-policy

D. evaluate-policy

Answer: A

Explanation:

QUESTION NO: 2

Click the Exhibit button.

You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN

tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?

A. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then tunnel remote-vpnB. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn

C. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn

D. [edit security policies from-zone trust to-zone untrust]

user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Answer: D

Explanation:

Juniper JN0-332 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2

8/22/2019 Juniper JN0-332 v6

3/103

QUESTION NO: 3

Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH?

(Choose three.)

A. data integrity

B. data confidentialityC. data authentication

D. outer IP header confidentiality

E. outer IP header authentication

Answer: A,C,E

Explanation:

QUESTION NO: 4

You must configure a SCREEN option that would protect your router from a session table

flood.Which configuration meets this requirement?

A. [edit security screen]

user@host# show

ids-option protectFromFlood {

icmp {

ip-sweep threshold 5000;

flood threshold 2000;

}

}

B. [edit security screen]

user@host# show


tcp {

syn-flood {attack-threshold 2000;

destination-threshold 2000;

}

}

}

C. [edit security screen]

user@host# show


udp {flood threshold 5000;

}



8/22/2019 Juniper JN0-332 v6

4/103

}

D. [edit security screen]

user@host# show


limit-session {

source-ip-based 1200;

destination-ip-based 1200;}

}

Answer: D

Explanation:

QUESTION NO: 5

Which type of Web filtering by default builds a cache of server actions associated with each URL it

has checked?

A. Websense Redirect Web filtering

B. integrated Web filtering

C. local Web filtering

D. enhanced Web filtering

Answer: B

Explanation:

QUESTION NO: 6

Which security or functional zone name has special significance to the Junos OS?

A. self

B. trust

C. untrust

D.junos-global

Answer: D

Explanation:



8/22/2019 Juniper JN0-332 v6

5/103

QUESTION NO: 7

Which command do you use to display the status of an antivirus database update?

A. show security utm anti-virus status

B. show security anti-virus database status

C. show security utm anti-virus databaseD. show security utm anti-virus update

Answer: A

Explanation:

QUESTION NO: 8

Which statement contains the correct parameters for a route-based IPsec VPN?

A. [edit security ipsec]

user@host# show

proposal ike1-proposal {

protocol esp;

authentication-algorithm hmac-md5-96;

encryption-algorithm 3des-cbc;

lifetime-seconds 3200;

}

policy ipsec1-policy {

perfect-forward-secrecy {

keys group2;

}

proposals ike1-proposal;

}

vpn VpnTunnel {

interface ge-0/0/1.0;ike {

gateway ike1-gateway;

ipsec-policy ipsec1-policy;

}

establish-tunnels immediately;

}

B. [edit security ipsec]

user@host# show

proposal ike1-proposal {protocol esp;




8/22/2019 Juniper JN0-332 v6

6/103



}

policy ipsec1-policy {


keys group2;

}proposals ike1-proposal;

}

vpn VpnTunnel {

interface st0.0;

ike {



}


}

C. [edit security ipsec]

user@host# show


protocol esp;




}

policy ipsec1-policy {perfect-forward-secrecy {

keys group2;

}


}

vpn VpnTunnel {

bind-interface ge-0/0/1.0;

ike {

gateway ike1-gateway;ipsec-policy ipsec1-policy;

}


}

D. [edit security ipsec]

user@host# show


protocol esp;




}policy ipsec1-policy {



8/22/2019 Juniper JN0-332 v6

7/103


keys group2;

}


}

vpn VpnTunnel {

bind-interface st0.0;ike {



}


}

Answer: D

Explanation:

QUESTION NO: 9

Which zone is system-defined?

A. security

B. functionalC.junos-global

D. management

Answer: C

Explanation:

QUESTION NO: 10

You want to allow your device to establish OSPF adjacencies with a neighboring device connected

to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone.Under which configuration

hierarchy must you permit OSPF traffic?

A. [edit security policies from-zone HR to-zone HR]

B. [edit security zones functional-zone management protocols]

C. [edit security zones protocol-zone HR host-inbound-traffic]

D. [edit security zones security-zone HR host-inbound-traffic protocols]

Answer: D



8/22/2019 Juniper JN0-332 v6

8/103

Explanation:

QUESTION NO: 11

Which three statements are true regarding IDP? (Choose three.)

A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,

zones, and security policy.

B. IDP inspects traffic up to the Application Layer.

C. IDP searches the data stream for specific attack patterns.

D. IDP inspects traffic up to the Presentation Layer.

E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by

network administrators when an attack is detected.

Answer: B,C,E

Explanation:

QUESTION NO: 12


Your IKE SAs are up, but the IPsec SAs are not up.Referring to the exhibit, what is the problem?

A. One or more of the phase 2 proposals such as authentication algorithm, encryption algorithm

do not match.

B. The tunnel interface is down.

C. The proxy IDs do not match.

D. The IKE proposals do not match the IPsec proposals.

Answer: C

Explanation:



8/22/2019 Juniper JN0-332 v6

9/103

QUESTION NO: 13

Which two statements regarding symmetric key encryption are true? (Choose two.)

A. The same key is used for encryption and decryption.

B. It is commonly used to create digital certificate signatures.

C. It uses two keys: one for encryption and a different key for decryption.

D. An attacker can decrypt data if the attacker captures the key used for encryption.

Answer: A,D

Explanation:

QUESTION NO: 14

Regarding content filtering, what are two pattern lists that can be configured in the Junos OS?

(Choose two.)

A. protocol list

B. MIMEC. block list

D. extension

Answer: B,D

Explanation:

QUESTION NO: 15

Which two statements are true about hierarchical architecture? (Choose two.)

A. You can assign a logical interface to multiple zones.

B. You cannot assign a logical interface to multiple zones.

C. You can assign a logical interface to multiple routing instances.

D. You cannot assign a logical interface to multiple routing instances.

Answer: B,DExplanation:



8/22/2019 Juniper JN0-332 v6

10/103

QUESTION NO: 16

Which two statements regarding external authentication servers for firewall user authentication are

true? (Choose two.)

A. Up to three external authentication server types can be used simultaneously.

B. Only one external authentication server type can be used simultaneously.

C. If the local password database is not configured in the authentication order, and the configured

authentication server is unreachable, authentication is bypassed.

D. If the local password database is not configured in the authentication order, and the configured

authentication server rejects the authentication request, authentication is rejected.

Answer: B,D

Explanation:

QUESTION NO: 17




8/22/2019 Juniper JN0-332 v6

11/103

In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still

allowed.

Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated

before your Allow policy?

A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow

B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow

C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow

D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet

Answer: A

Explanation:

QUESTION NO: 18

Which UTM feature requires a license to function?

A. integrated Web filtering

B. local Web filtering

C. redirect Web filtering

D. content filtering

Answer: A

Explanation:

QUESTION NO: 19




8/22/2019 Juniper JN0-332 v6

12/103

System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device.

Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)

A. A user can use SSH to interface ge-0/0/0.0 and ge-0/0/1.0.

B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.

C. A user can use SSH to interface ge-0/0/0.0.

D. A user can use SSH to interface ge-0/0/1.0.

Answer: B,C

Explanation:

QUESTION NO: 20

A user wants to establish an HTTP session to a server behind an SRX device but is being pointed

to Web page on the SRX device for additional authentication. Which type of user authentication is

configured?

A. pass-through with Web redirect

B. WebAuth with HTTP redirect

C. WebAuth



8/22/2019 Juniper JN0-332 v6

13/103

D. pass-through

Answer: A

Explanation:

QUESTION NO: 21

Which two UTM features require a license to be activated? (Choose two.)

A. antispam

B. antivirus (full AV)

C. content filtering

D. Web-filtering redirect

Answer: A,B

Explanation:

QUESTION NO: 22

Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or

rules that overlap? (Choose two.)

A. Addresses used for NAT pools should never overlap.

B. If more than one rule-set matches traffic, the rule-set with the most specific context takes

precedence.

C. If traffic matches two rules within the same rule-set, both rules listed in the configuration are

applied.

D. Dynamic source NAT rules take precedence over static source NAT rules.

Answer: A,B

Explanation:

QUESTION NO: 23

A network administrator has configured source NAT, translating to an address that is on a locally

connected subnet. The administrator sees the translation working, but traffic does not appear tocome back. What is causing the problem?



8/22/2019 Juniper JN0-332 v6

14/103

A. The host needs to open the telnet port.

B. The host needs a route for the translated address.

C. The administrator must use a proxy-arp policy for the translated address.

D. The administrator must use a security policy, which will allow communication between the

zones.

Answer: CExplanation:

QUESTION NO: 24

Which statement describes an ALG?

A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to

deny the traffic.

B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic

policies to permit the traffic to pass.

C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic

policies to deny the traffic.

D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to

permit the traffic to pass.

Answer: BExplanation:

QUESTION NO: 25

Which three components can be leveraged when defining a local whitelist or blacklist for antispam

on a branch SRX Series device? (Choose three.)

A. spam assassin filtering score

B. sender country

C. sender IP address

D. sender domain

E. sender e-mail address

Answer: C,D,E

Explanation:



8/22/2019 Juniper JN0-332 v6

15/103

QUESTION NO: 26

What is the correct syntax for applying node-specific parameters to each node in a chassis

cluster?

A. set apply-groups node$

B. set apply-groups (node)C. set apply-groups $(node)

D. set apply-groups (node)all

Answer: C

Explanation:

QUESTION NO: 27

Which statement describes a security zone?

A. A security zone can contain one or more interfaces.

B. A security zone can contain interfaces in multiple routing instances.

C. A security zone must contain two or more interfaces.

D. A security zone must contain bridge groups.

Answer: D

Explanation:

QUESTION NO: 28

A system administrator detects thousands of open idle connections from the same source.Which

problem can arise from this type of attack?

A. It enables an attacker to perform an IP sweep of devices.

B. It enables a hacker to know which operating system the system is running.

C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.

D. It creates a ping of death and can cause the entire network to be infected with a virus.

Answer: C

Explanation:



8/22/2019 Juniper JN0-332 v6

16/103

QUESTION NO: 29

Under which Junos hierarchy level are security policies configured?

A. [edit security]

B. [edit protocols]

C. [edit firewall]D. [edit policy-options]

Answer: B

Explanation:

QUESTION NO: 30

You must configure a SCREEN option that would protect your device from a session table flood.

Which configuration meets this requirement?


user@host# show


icmp {

ip-sweep threshold 5000;


}

}


user@host# show


tcp {

syn-flood {

attack-threshold 2000;

destination-threshold 2000;}

}

}


user@host# show


udp {


}}




8/22/2019 Juniper JN0-332 v6

17/103

user@host# show


limit-session {

source-ip-based 1200;

destination-ip-based 1200;

}

}

Answer: D

Explanation:

QUESTION NO: 31

Which three methods of source NAT does the Junos OS support? (Choose three.)

A. interface-based source NAT

B. source NAT with address shifting

C. source NAT using static source pool

D. interface-based source NAT without PAT

E. source NAT with address shifting and PAT

Answer: A,B,C

Explanation:

QUESTION NO: 32

Which three firewall user authentication objects can be referenced in a security policy? (Choose

three.)

A. access profile

B. client group

C. client

D. default profile

E. external

Answer: A,B,C

Explanation:



8/22/2019 Juniper JN0-332 v6

18/103

QUESTION NO: 33

What is the default session timeout for TCP sessions?

A. 1 minute

B. 15 minutes

C. 30 minutesD. 90 minutes

Answer: C

Explanation:

QUESTION NO: 34

Which three advanced permit actions within security policies are valid? (Choose three.)

A. Mark permitted traffic for firewall user authentication.

B. Mark permitted traffic for SCREEN options.

C. Associate permitted traffic with an IPsec tunnel.

D. Associate permitted traffic with a NAT rule.

E. Mark permitted traffic for IDP processing.

Answer: A,C,E

Explanation:

QUESTION NO: 35

Which statement is true regarding the Junos OS for security platforms?

A. SRX Series devices can store sessions in a session table.

B. SRX Series devices accept all traffic by default.

C. SRX Series devices must operate only in packet-based mode.

D. SRX Series devices must operate only in flow-based mode.

Answer: C

Explanation:

QUESTION NO: 36



8/22/2019 Juniper JN0-332 v6

19/103


Which type of NAT is being used in the exhibit?

A. no NAT

B. destination NAT

C. source NAT

D. port address translation (PAT)

Answer: C

Explanation:

QUESTION NO: 37

At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured?

(Choose two.)

A. [edit security idp]

B. [edit security zones security-zone trust interfaces ge-0/0/0.0]

C. [edit security zones security-zone trust]


Answer: B,C

Explanation:

QUESTION NO: 38

Which two parameters are configured in IPsec policy? (Choose two.)

A. mode

B. IKE gateway

C. security proposal

D. Perfect Forward Secrecy

Answer: C,D



8/22/2019 Juniper JN0-332 v6

20/103

Explanation:

QUESTION NO: 39

The SRX device receives a packet and determines that it does not match an existing session.AfterSCREEN options are evaluated, what is evaluated next?

A. source NAT

B. destination NAT

C. route lookup

D. zone lookup

Answer: B

Explanation:

QUESTION NO: 40

Which zone type can be specified in a policy?

A. securityB. functional

C. user

D. system

Answer: A

Explanation:

QUESTION NO: 41

Which two statements about Junos software packet handling are correct? (Choose two.)

A. The Junos OS applies service ALGs only for the first packet of a flow.

B. The Junos OS uses fast-path processing only for the first packet of a flow.

C. The Junos OS performs policy lookup only for the first packet of a flow.

D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.

Answer: C,D

Explanation:



8/22/2019 Juniper JN0-332 v6

21/103

QUESTION NO: 42

Which Web-filtering technology can be used at the same time as integrated Web filtering on a

single branch SRX Series device?

A. Websense redirect Web filtering

B. local Web filtering (blacklist or whitelist)

C. firewall user authentication

D. ICAP

Answer: B

Explanation:

QUESTION NO: 43

In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?

A. This interface is a system-created interface.

B. This interface belongs to node 0 of the cluster.C. This interface belongs to node 1 of the cluster.

D. This interface will not exist because SRX 5800 devices have only 12 slots.

Answer: C

Explanation:

QUESTION NO: 44

An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was

obtained using DHCP. Which two statements are true? (Choose two.)

A. Only main mode can be used for IKE negotiation.

B. A local-identity must be defined.

C. It must be the initiator for IKE.

D. A remote-identity must be defined.

Answer: B,C

Explanation:



8/22/2019 Juniper JN0-332 v6

22/103

QUESTION NO: 45

Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options are deployed at the ingress and egress sides of a packet flow.

B. Although SCREEN options are very useful, their use can result in more session creation.

C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.

D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources

used for malicious packet processing.

Answer: C,D

Explanation:

QUESTION NO: 46


In the exhibit, you decided to change my Hosts addresses. What will happen to the new sessions

matching the policy and in-progress sessions that had already matched the policy?



8/22/2019 Juniper JN0-332 v6

23/103

A. New sessions will be evaluated. In-progress sessions will be re-evaluated.

B. New sessions will be evaluated. All in-progress sessions will continue.

C. New sessions will be evaluated. All in-progress sessions will be dropped.

D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will

be re-evaluated and possibly dropped.

Answer: AExplanation:

QUESTION NO: 47

When using UTM features in an HA cluster, which statement is true for installing the licenses on

the cluster members?

A. One UTM cluster license will activate UTM features on both members.

B. Each device will need a UTM license generated for its serial number.

C. Each device will need a UTM license generated for the cluster, but licenses can be applied to

either member.

D. HA clustering automatically comes with UTM licensing, no additional actions are needed.

Answer: B

Explanation:

QUESTION NO: 48

Which statement is true regarding NAT?

A. NAT is not supported on SRX Series devices.

B. NAT requires special hardware on SRX Series devices.C. NAT is processed in the control plane.

D. NAT is processed in the data plane.

Answer: D

Explanation:

QUESTION NO: 49

Which two functions of the Junos OS are handled by the data plane? (Choose two.)



8/22/2019 Juniper JN0-332 v6

24/103

A. NAT

B. OSPF

C. SNMP

D. SCREEN options

Answer: A,D

Explanation:

QUESTION NO: 50

After applying the policy-rematch statement under the security policies stanza, what would happen

to an existing flow if the policy source address or the destination address is changed and

committed?

A. The Junos OS drops any flow that does not match the source address or destination address.

B. All traffic is dropped.

C. All existing sessions continue.

D. The Junos OS does a policy re-evaluation.

Answer: D

Explanation:

QUESTION NO: 51

Which statement is correct about HTTP trickling?

A. It prevents the HTTP client or server from timing-out during an antivirus update.

B. It prevents the HTTP client or server from timing-out during antivirus scanning.

C. It is an attack.D. It is used to bypass antivirus scanners.

Answer: B

Explanation:

QUESTION NO: 52

For which network anomaly does Junos provide a SCREEN?



8/22/2019 Juniper JN0-332 v6

25/103

A. a telnet to port 80

B. a TCP packet with the SYN and ACK flags set

C. an SNMP getnext request

D. an ICMP packet larger than 1024 bytes

Answer: D

Explanation:

QUESTION NO: 53

What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?

A. whitelists, blacklists, SurfControl categories

B. blacklists, whitelists, SurfControl categories

C. SurfControl categories, whitelists, blacklists

D. SurfControl categories, blacklists, whitelists

Answer: B

Explanation:

QUESTION NO: 54

A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The

administrator must also disable NAT for any traffic destined to the 202.2.10.0/24 network.Which

configuration would accomplish this task?

A. [edit security nat source rule-set test]

user@host# show

from zone trust;to zone untrust;

rule A {

match {

source-address 202.2.10.0/24;

}

then {

source-nat {

pool {

A;

}

}

}



8/22/2019 Juniper JN0-332 v6

26/103

}

rule B {

match {

destination-address 10.0.0.0/8;

}

then {

source-nat {off;

}

}

}

B. [edit security nat source]

user@host# show rule-set test

from zone trust;

to zone untrust;

rule 1 {

match {


}

then {

source-nat {

off;

}

}

}

rule 2 {match {


}

then {

source-nat {

pool {

A;

}

}}

}

C. [edit security nat source rule-set test]

user@host# show

from zone trust;

to zone untrust;

rule A {

match {


}

then {

source-nat {



8/22/2019 Juniper JN0-332 v6

27/103

pool {

A;

}

}

}

}

rule B {match {


}

then {

source-nat {

off;

}

}

}

D. [edit security nat source rule-set test]

user@host# show

from zone trust;

to zone untrust;

rule A {

match {


}

then {

source-nat {pool {

A;

}

}

}

}

Answer: B

Explanation:

QUESTION NO: 55

The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web

filtering is being used?

A. redirect Web filtering


C. categorized Web filtering



8/22/2019 Juniper JN0-332 v6

28/103

D. local Web filtering

Answer: B

Explanation:

QUESTION NO: 56

Which two statements are true with regard to policy ordering? (Choose two.)

A. The last policy is the default policy, which allows all traffic.

B. The order of policies is not important.

C. New policies are placed at the end of the policy list.

D. The insert command can be used to change the order.

Answer: C,D

Explanation:

QUESTION NO: 57

Regarding fast path processing, when does the system perform the policy check?

A. The policy is determined after the SCREEN options check.

B. The policy is determined only during the first packet path, not during fast path.

C. The policy is determined after the zone check.

D. The policy is determined after the SYN TCP flag.

Answer: B

Explanation:

QUESTION NO: 58

Which URL database do branch SRX Series devices use when leveraging local Web filtering?

A. The SRX Series device will download the database from an online repository to locally inspect

HTTP traffic for Web filtering.

B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Webfiltering.

C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web



8/22/2019 Juniper JN0-332 v6

29/103

filtering.

D. The SRX Series administrator will define the URLs and their associated action in the local

database to inspect the HTTP traffic for Web filtering.

Answer: D

Explanation:

QUESTION NO: 59

How do you apply UTM enforcement to security policies on the branch SRX series?

A. UTM profiles are applied on a security policy by policy basis.

B. UTM profiles are applied at the global policy level.

C. Individual UTM features like anti-spam or anti-virus are applied directly on a security policy by

policy basis.

D. Individual UTM features like anti-spam or anti-virus are applied directly at the global policy

level.

Answer: A

Explanation:

QUESTION NO: 60

What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)

A. rulebase-ips

B. rulebase-ignore

C. rulebase-idp

D. rulebase-exempt

Answer: A,D

Explanation:

QUESTION NO: 61

Which configuration shows a pool-based source NAT without PAT?

A. [edit security nat source]



8/22/2019 Juniper JN0-332 v6

30/103

user@host# show

pool A {

address {

207.17.137.1/32 to 207.17.137.254/32;

}

}

rule-set 1A {from zone trust;

to zone untrust;

rule 1 {

match {


}

then {

source-nat pool A;

port no-translation;

}

}

}

B. [edit security nat source]

user@host# show

pool A {

address {

207.17.137.1/32 to 207.17.137.254/32;

}

overflow-pool interface;}

rule-set 1A {

from zone trust;

to zone untrust;

rule 1 {

match {


}

then {source-nat pool A;


}

}

}

C. [edit security nat source]

user@host# show

pool A {

address {

207.17.137.1/32 to 207.17.137.254/32;

}




8/22/2019 Juniper JN0-332 v6

31/103

}

rule-set 1A {

from zone trust;

to zone untrust;

rule 1 {

match {

source-address 10.1.10.0/24;}

then {

source-nat pool A;

}

}

}

D. [edit security nat source].

user@host# show

pool A {

address {

207.17.137.1/32 to 207.17.137.254/32;

}

overflow-pool interface;

}

rule-set 1A

{

from zone trust;

to zone untrust;

rule 1 {match {


}

then {

source-nat pool A;

}

}

}

Answer: C

Explanation:

QUESTION NO: 62

Which two statements are true regarding IDP? (Choose two.)

A. IDP can be used in conjunction with other Junos security features such as SCREEN options,




8/22/2019 Juniper JN0-332 v6

32/103

B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,


C. IDP inspects traffic up to the Presentation Layer.

D. IDP inspects traffic up to the Application Layer.

Answer: A,D

Explanation:

QUESTION NO: 63

What is the purpose of a chassis cluster?

A. Chassis clusters are used to aggregate routes.

B. Chassis clusters are used to create aggregate interfaces.

C. Chassis clusters are used to group two chassis into one logical chassis.

D. Chassis clusters are used to group all interfaces into one cluster interface.

Answer: A

Explanation:

QUESTION NO: 64

Which three statements are true when working with high-availability clusters? (Choose three.)

A. The valid cluster-id range is between 0 and 255.

B. Junos OS security devices can belong to more than one cluster if cluster virtualization is

enabled.

C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the

cluster.D. A reboot is required if the cluster-id or node value is changed.

E. Junos OS security devices can belong to one cluster only.

Answer: C,D,E

Explanation:

QUESTION NO: 65

A network administrator wants to permit Telnet traffic initiated from the address book entry

the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.



8/22/2019 Juniper JN0-332 v6

33/103

However, the administrator does not want the server to be able to initiate any type of traffic from

the TRUST zone to the UNTRUST zone.Which configuration statement would correctly

accomplish this task?

A. from-zone UNTRUST to-zone TRUST {

policy DenyServer {

match {source-address any;

destination-address any;

application any;

}

then {

deny;

}

}

}from-zone TRUST to-zone UNTRUST {

policy AllowTelnetin {

match {

source-address the10net;

destination-address Server;

application junos-telnet;

}

then {

permit;}

}

}

B. from-zone TRUST to-zone UNTRUST {

policy DenyServer {

match {

source-address Server;


application any;

}

then {

deny;

}

}

}

from-zone UNTRUST to-zone TRUST {


match {

source-address the10net;destination-address Server;

application junos-telnet;



8/22/2019 Juniper JN0-332 v6

34/103

}

then {

permit;

}

}

}

C. from-zone UNTRUST to-zone TRUST {policy AllowTelnetin {

match {


destination-address Server;

application junos-ftp;

}

then {

permit;

}

}

}

D. from-zone TRUST to-zone UNTRUST {

policy DenyServer {

match {

source-address Server;


application any;

}

then {permit;

}

}

}

from-zone UNTRUST to-zone TRUST {


match {


destination-address Server;application junos-telnet;

}

then {

permit;

}

}

}

Answer: B

Explanation:



8/22/2019 Juniper JN0-332 v6

35/103

QUESTION NO: 66

Which command do you use to manually remove antivirus patterns?

A. request security utm anti-virus juniper-express-engine pattern-delete

B. request security utm anti-virus juniper-express-engine pattern-reload

C. request security utm anti-virus juniper-express-engine pattern-remove

D. delete security utm anti-virus juniper-express-engine antivirus-pattern

Answer: A

Explanation:

QUESTION NO: 67

Which three parameters are configured in the IKE policy? (Choose three.)

A. mode

B. preshared key

C. external interface

D. security proposalsE. dead peer detection settings

Answer: A,B,D

Explanation:

QUESTION NO: 68

Which two statements are true about the relationship between static NAT and proxy ARP?

(Choose two.)

A. It is necessary to forward ARP requests to remote hosts.

B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.

C. It is not automatic and you must configure it.

D. It is enabled by default and you do not need to configure it.

Answer: B,CExplanation:



8/22/2019 Juniper JN0-332 v6

36/103

QUESTION NO: 69

Which CLI command do you use to block MIME content at the [edit security utm feature-profile]

hierarchy?

A. set content-filtering profile permit-command block-mime

B. set content-filtering profile block-mime

C. set content-filtering block-content-type block-mime

D. set content-filtering notifications block-mime

Answer: B

Explanation:

QUESTION NO: 70

If both nodes in a chassis cluster initialize at different times, which configuration example will allow

you to ensure that the node with the higher priority will become primary for your RGs other than

RG0?

A. [edit chassis cluster]user@host# show

redundancy-group 1 {

node 0 priority 200;


preempt;

}

B. [edit chassis cluster]

user@host# show




monitoring;

}

C. [edit chassis cluster]

user@host# show




control-link-recovery;}

D. [edit chassis cluster]



8/22/2019 Juniper JN0-332 v6

37/103

user@host# show




strict-priority;

}

Answer: A

Explanation:

QUESTION NO: 71

By default, how is traffic evaluated when the antivirus database update is in progress?

A. Traffic is scanned against the old database.

B. Traffic is scanned against the existing portion of the currently downloaded database.

C. All traffic that requires antivirus inspection is dropped and a log message generated displaying

the traffic endpoints.

D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log

message generated displaying the traffic endpoints.

Answer: D

Explanation:

QUESTION NO: 72

Which statement is true regarding IPsec VPNs?

A. There are five phases of IKE negotiation.B. There are two phases of IKE negotiation.

C. IPsec VPN tunnels are not supported on SRX Series devices.

D. IPsec VPNs require a tunnel PIC in SRX Series devices.

Answer: C

Explanation:

QUESTION NO: 73

Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID



8/22/2019 Juniper JN0-332 v6

38/103

to 1 and node to 0?

A. user@host# set chassis cluster cluster-id 1 node 0 reboot

B. user@host> set chassis cluster id 1 node 0 reboot

C. user@host> set chassis cluster cluster-id 1 node 0 reboot

D. user@host# set chassis cluster id 1 node 0 reboot

Answer: C

Explanation:

QUESTION NO: 74

Which three are necessary for antispam to function properly on a branch SRX Series device?

(Choose three.)

A. an antispam license

B. DNS servers configured on the SRX Series device

C. SMTP services on SRX

D. a UTM profile with an antispam configuration in the appropriate security policy

E. antivirus (full or express)

Answer: A,B,D

Explanation:

QUESTION NO: 75

How many IDP policies can be active at one time on an SRX Series device by means of the set

security idp active-policy configuration statement?

A. 1

B. 2

C. 4

D. 8

Answer: A

Explanation:

QUESTION NO: 76



8/22/2019 Juniper JN0-332 v6

39/103

Which two statements regarding firewall user authentication client groups are true? (Choose two.)

A. A client group is a list of clients associated with a group.

B. A client group is a list of groups associated with a client.

C. Client groups are referenced in security policy in the same manner in which individual clients

are referenced.D. Client groups are used to simplify configuration by enabling firewall user authentication without

security policy.

Answer: B,C

Explanation:

QUESTION NO: 77

Your task is to provision the Junos security platform to permit transit packets from the Private zone

to the External zone by using an IPsec VPN and log information at the time of session close.

Which configuration meets this requirement?

A. [edit security policies from-zone Private to-zone External]

user@host# show

policy allowTransit {

match {

source-address PrivateHosts;

destination-address ExtServers;

application ExtApps;

}

then {

permit {

tunnel {

ipsec-vpn VPN;

}}

log {

session-init;

}

}

}

B. [edit security policies from-zone Private to-zone External]

user@host# show

policy allowTransit {match {




8/22/2019 Juniper JN0-332 v6

40/103



}

then {

permit {

tunnel {

ipsec-vpn VPN;}

}

count {

session-close;

}

}

}

C. [edit security policies from-zone Private to-zone External]

user@host#

showpolicy allowTransit {

match {




}

then {

permit {

tunnel {

ipsec-vpn VPN;}

}

log {

session-close;

}

}

}

D. [edit security policies from-zone Private to-zone External]

user@host# showpolicy allowTransit {

match {




}

then {

permit {

tunnel {

ipsec-vpn VPN;

log;

count session-close;



8/22/2019 Juniper JN0-332 v6

41/103

}

}

}

}

Answer: C

Explanation:

QUESTION NO: 78

A user wants to establish an FTP session to a server behind an SRX device but must authenticate

to a Web page on the SRX device for additional authentication. Which type of user authentication

is configured?

A. pass-through

B. WebAuth

C. WebAuth with Web redirect

D. pass-through with Web redirect

Answer: B

Explanation:

QUESTION NO: 79

What is the functionality of redundant interfaces (reth) in a chassis cluster?

A. reth interfaces are used only for VRRP.

B. reth interfaces are the same as physical interfaces.

C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physicalinterfaces.

D. Each cluster member has a reth interface that can be used to share session state information

with the other cluster members.

Answer: C

Explanation:

QUESTION NO: 80

A network administrator receives complaints from the engineering group that an application on one



8/22/2019 Juniper JN0-332 v6

42/103

server is not working properly. After further investigation, the administrator determines that source

NAT translation is using a different source address after a random number of flows. Which two

actions can the administrator take to force the server to use one address? (Choose two.)

A. Use the custom application feature.

B. Configure static NAT for the host.

C. Use port address translation (PAT).D. Use the address-persistent option.

Answer: B,D

Explanation:

QUESTION NO: 81

What is the default session timeout for UDP sessions?

A. 30 seconds

B. 1 minute

C. 5 minutes

D. 30 minutes

Answer: B

Explanation:

QUESTION NO: 82

Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose

two.)

A. In the DH key exchange process, the session key is never passed across the network.

B. In the DH key exchange process, the public and private keys are mathematically related using

the DH algorithm.

C. In the DH key exchange process, the session key is passed across the network to the peer for

confirmation.

D. In the DH key exchange process, the public and private keys are not mathematically related,

ensuring higher security.

Answer: A,BExplanation:



8/22/2019 Juniper JN0-332 v6

43/103

QUESTION NO: 83

You are required to configure a SCREEN option that enables IP source route option detection.

Which two configurations meet this requirement? (Choose two.)


user@host# show


ip {

loose-source-route-option;

strict-source-route-option;

}

}

B. [edit security screen]user@host# show


ip {

source-route-option;

}

}


user@host# show

ids-option protectFromFlood {ip {

record-route-option;

security-option;

}

}


user@host# show


ip {strict-source-route-option;

record-route-option;

}

}

Answer: A,B

Explanation:

QUESTION NO: 84



8/22/2019 Juniper JN0-332 v6

44/103

What are three configuration objects used to build Junos IDP rules? (Choose three.)

A. zone objects

B. policy objects

C. attack objects

D. alert and notify objects

E. network and address objects

Answer: A,C,E

Explanation:

QUESTION NO: 85


Assume the default-policy has not been configured. Given the configuration shown in the exhibit,

which two statements about traffic from host_a in the HR zone to host_b in the trust zone are true?

(Choose two.)

A. DNS traffic is denied.

B. HTTP traffic is denied.



8/22/2019 Juniper JN0-332 v6

45/103

C. FTP traffic is permitted.

D. SMTP traffic is permitted.

Answer: A,C

Explanation:

QUESTION NO: 86

When an SRX series device receives an ESP packet, what happens?

A. If the destination address of the outer IP header of the ESP packet matches the IP address of

the ingress interface, it will immediately decrypt the packet.

B. If the destination IP address in the outer IP header of ESP does not match the IP address of the

ingress interface, it will discard the packet.

C. If the destination address of the outer IP header of the ESP packet matches the IP address of

the ingress interface, based on SPI match, it will decrypt the packet.

D. If the destination address of the outer IP header of the ESP packet matches the IP address of

the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the

packet.

Answer: C

Explanation:

QUESTION NO: 87


[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to

2.1.1.1.On which port is the IKE SA established?

A. TCP 500

B. UDP 500

C. TCP 4500

D. UDP 4500

Answer: D



8/22/2019 Juniper JN0-332 v6

46/103

Explanation:

QUESTION NO: 88


What are two valid reasons for the output shown in the exhibit? (Choose two.)

A. The local Web-filtering daemon is not enabled or is not running.

B. The integrated Web-filtering policy server is not reachable.

C. No DNS is configured on the SRX Series device.

D. No security policy is configured to use Web filtering.

Answer: B,C

Explanation:

QUESTION NO: 89

What is the maximum number of layers of decompression that juniper-express-engine (express

AV) can decompress for the HTTP protocol?

A. 0

B. 1

C. 4

D. 8

Answer: B

Explanation:

QUESTION NO: 90

Which three features are part of the branch SRX series UTM suite? (Choose three.)



8/22/2019 Juniper JN0-332 v6

47/103

A. antispam

B. antivirus

C. IPS

D. application firewalling

E. Web filtering

Answer: A,B,EExplanation:

QUESTION NO: 91

What are two TCP flag settings that are considered suspicious? (Choose two.)

A. Do-Not-Fragment flag is set.

B. Both SYN and FIN flags are set.

C. Both ACK and PSH flags are set.

D. FIN flag is set and ACK flag is not set.

Answer: B,D

Explanation:

QUESTION NO: 92

The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web

filtering is being used?



C. categorized Web filteringD. local Web filtering

Answer: A

Explanation:

QUESTION NO: 93

Which two statements are true regarding redundancy groups? (Choose two.)



8/22/2019 Juniper JN0-332 v6

48/103

A. When priority settings are equal and the members participating in a cluster are initialized at the

same time, the primary role for redundancy group 0 is assigned to node 0.

B. The preempt option determines the primary and secondary roles for redundancy group 0 during

a failure and recovery scenario.

C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.

D. The primary role can be shared for redundancy group 0 when the active-active option is

enabled.

Answer: A,C

Explanation:

QUESTION NO: 94

What are two components of the Junos software architecture? (Choose two.)

A. Linux kernel

B. routing protocol daemon

C. session-based forwarding module

D. separate routing and security planes

Answer: B,C

Explanation:

QUESTION NO: 95

Which IDP policy action closes the connection and sends an RST packet to both the client and the

server?

A. close-connectionB. terminate-connection

C. close-client-and-server

D. terminate-session

Answer: C

Explanation:

QUESTION NO: 96

Which statement describes the UTM licensing model?



8/22/2019 Juniper JN0-332 v6

49/103

A. Install the license key and all UTM features will be enabled for the life of the product.

B. Install one license key per feature and the license key will be enabled for the life of the product.

C. Install one UTM license key, which will activate all UTM features; the license will need to be

renewed when it expires.

D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they

expire.

Answer: D

Explanation:

QUESTION NO: 97

You have configured a UTM profile called Block-Spam, which has the appropriate antispam

configuration to block undesired spam e-mails. Which configuration would protect an SMTP serverin the dmz zone from spam originating in the untrust zone?

A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-

services utm-policy Block-Spam

B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-

services utm-policy Block-Spam

C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-

services anti-spam-policy Block-Spam

D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services Block-Spam

Answer: B

Explanation:

QUESTION NO: 98

Which two statements about the use of SCREEN options are correct? (Choose two.)

A. SCREEN options offer protection against various attacks.

B. SCREEN options are deployed prior to route and policy processing in first path packet

processing.

C. SCREEN options are deployed at the ingress and egress sides of a packet flow.

D. When you deploy SCREEN options, you must take special care to protect OSPF.

Answer: A,B

Explanation:



8/22/2019 Juniper JN0-332 v6

50/103

QUESTION NO: 99


Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with

the device on ge-0/0/0.0?

A. RIP

B. OSPF

C. BGP and RIP

D. RIP and PIM

Answer: A

Explanation:

QUESTION NO: 100

Which two statements about static NAT are true? (Choose two.)

A. Static NAT can only be used with destination NAT.



8/22/2019 Juniper JN0-332 v6

51/103

B. Static NAT rules take precedence over overlapping dynamic NAT rules.

C. NAT rules take precedence over overlapping static NAT rules.

D. A reverse mapping is automatically created.

Answer: B,D

Explanation:

QUESTION NO: 101

Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device

has been properly configured with antispam inspection enabled for the appropriate security policy?

(Choose three.)

A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.

B. The server sending the e-mail to the SRX Series device is running unknown SMTP server

software.

C. The server sending the e-mail to the SRX Series device is on an IP address range that is

known to be dynamically assigned.

D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.

E. The server sending the e-mail to the SRX Series device is a known spammer IP address.

Answer: A,C,E

Explanation:

QUESTION NO: 102

Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?

A. A session key value is exchanged across the network.B. A session key never passes across the network.

C. A session key is used as the key for asymmetric data encryption.

D. A session key is used as the key for symmetric data encryption.

Answer: B

Explanation:

QUESTION NO: 103

Which zone type will allow transit-traffic?



8/22/2019 Juniper JN0-332 v6

52/103

A. system

B. security

C. default

D. functional

Answer: B

Explanation:

QUESTION NO: 104

Which two statements are true for a security policy? (Choose two.)

A. It controls inter-zone traffic.

B. It controls intra-zone traffic.

C. It is named with a system-defined name.

D. It controls traffic destined to the device's ingress interface.

Answer: A,B

Explanation:

QUESTION NO: 105

Which CLI command provides a summary of what the content-filtering engine has blocked?

A. show security utm content-filtering statistics

B. show security flow session

C. show security flow statistics

D. show security utm content-filtering summary

Answer: A

Explanation:

QUESTION NO: 106




8/22/2019 Juniper JN0-332 v6

53/103

You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit.

What is the problem?

A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm,

or pre-shared key does not match.

B. There is no route for 2.2.2.2.

C. There is no IKE definition in the configuration for peer 2.2.2.2.D. system services ike is not enabled on the interface with IP 1.1.1.2.

Answer: C

Explanation:

QUESTION NO: 107

Which URL will match the URL pattern www.news.com/asia?

A. www.news.com

B. www.news.com/asia/japan

C. www-1.news.com/asia

D. www.news.asia.com

Answer: B

Explanation:

QUESTION NO: 108




8/22/2019 Juniper JN0-332 v6

54/103

In the exhibit, what is the function of the configuration statements?

A. This section is where you define all chassis clustering configuration.

B. This configuration is required for members of a chassis cluster to talk to each other.

C. You can apply this configuration in the chassis cluster to make configuration easier.

D. This section is where unique node configuration is applied.

Answer: D

Explanation:



8/22/2019 Juniper JN0-332 v6

55/103

QUESTION NO: 109

A network administrator repeatedly receives support calls about network issues. After investigating

the issues, the administrator finds that the source NAT pool is running out of addresses. To be

notified that the pool is close to exhaustion, what should the administrator configure?

A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.B. Use a trap-group with a category of services under the SNMP stanza.

C. Use an external script that will run a show command on the SRX Series device to see when the

pool is close to exhaustion.

D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.

Answer: A

Explanation:

QUESTION NO: 110

Which two statements are true when describing the capabilities of integrated Web filtering on

branch SRX Series devices? (Choose two.)

A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.

B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.

C. Integrated Web filtering can permit or deny access to specific categories of sites.

D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow

different policies to be enforced for different users.

Answer: C,D

Explanation:

QUESTION NO: 111

Which statement is true when express AV detects a virus in TCP session?

A. TCP RST is sent and a session is restarted.

B. TCP connection is closed gracefully and the data content is dropped.

C. TCP traffic is allowed and an SNMP trap is sent.

D. AV scanning is restarted.

Answer: B

Explanation:



8/22/2019 Juniper JN0-332 v6

56/103

QUESTION NO: 112


Which command is needed to change this policy to a tunnel policy for a policy-based VPN?

A. set policy tunnel-traffic then tunnel remote-vpn

B. set policy tunnel-traffic then permit tunnel remote-vpn

C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit

D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

Answer: D

Explanation:

QUESTION NO: 113

Which two statements describe the difference between Junos software for security platforms and atraditional router? (Choose two.)

A. Junos software for security platforms supports NAT and PAT; a traditional router does not

support NAT or PAT.

B. Junos software for security platforms does not forward traffic by default; a traditional router

forwards traffic by default.

C. Junos software for security platforms uses session-based forwarding; a traditional router uses

packet-based forwarding.

D. Junos software for security platforms performs route lookup for every packet; a traditional router

performs route lookup only for the first packet.



8/22/2019 Juniper JN0-332 v6

57/103

Answer: B,C

Explanation:

QUESTION NO: 114

Using a policy with the policy-rematch flag enabled, what happens to the existing and new

sessions when you change the policy action from permit to deny?

A. The new sessions matching the policy are denied. The existing sessions are dropped.

B. The new sessions matching the policy are denied. The existing sessions, not being allowed to

carry any traffic, simply timeout.

C. The new sessions matching the policy might be allowed through if they match another policy.

The existing sessions are dropped.

D. The new sessions matching the policy are denied. The existing sessions continue until they are

completed or their timeout is reached.

Answer: A

Explanation:

QUESTION NO: 115

Which two content-filtering features does FTP support? (Choose two.)

A. block extension list

B. block MIME type

C. protocol command list

D. notifications-options

Answer: A,CExplanation:

QUESTION NO: 116

Which statement is true about a NAT rule action of off?

A. The NAT action of off is only supported for destination NAT rule-sets.

B. The NAT action of off is only supported for source NAT rule-sets.

C. The NAT action of off is useful for detailed control of NAT.



8/22/2019 Juniper JN0-332 v6

58/103

D. The NAT action of off is useful for disabling NAT when a pool is exhausted.

Answer: C

Explanation:

QUESTION NO: 117

You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that

zone. From the [edit] hierarchy, which command do you use to configure this assignment?

A. set security zones management interfaces ge-0/0/0.0

B. set zones functional-zone management interfaces ge-0/0/0.0

C. set security zones functional-zone management interfaces ge-0/0/0.0

D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0

Answer: C

Explanation:

QUESTION NO: 118

Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host

B. These connections are the only communication between Host A and Host B. The security policy

configuration permits both connections. How many sessions exist between Host A and Host B?

A. 1

B. 2

C. 3

D. 4

Answer: B

Explanation:

QUESTION NO: 119




8/22/2019 Juniper JN0-332 v6

59/103

A network administrator receives complaints that the application voicecube is timing out after

being idle for 30 minutes. Referring to the exhibit, what is a resolution?

A. [edit]

user@host# set applications application voicecube inactivity-timeout never

B. [edit]

user@host# set applications application voicecube inactivity-timeout 2

C. [edit]

user@host# set applications application voicecube destination-port 5060

D. [edit]

user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never

Answer: A

Explanation:

QUESTION NO: 120

Which parameters are valid SCREEN options for combating operating system probes?

A. syn-fin, syn-flood, and tcp-no-frag



8/22/2019 Juniper JN0-332 v6

60/103

B. syn-fin, port-scan, and tcp-no-flag

C. syn-fin, fin-no-ack, and tcp-no-frag

D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag

Answer: C

Explanation:

QUESTION NO: 121

You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to

be the primary node for this redundancy group. You need to verify that the redundancy group

failover is successful. Which command do you use to manually test the failover?

A. request chassis cluster manual failover group 1 node 1

B. request cluster failover redundancy-group 1 node 1

C. request chassis cluster manual failover redundancy-group 1 node 1

D. request chassis cluster failover redundancy-group 1 node 1

Answer: D

Explanation:

QUESTION NO: 122

The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web

filtering on the branch SRX device is fully executed within the device itself?



C. blacklist Web filteringD. local Web filtering

Answer: D

Explanation:

QUESTION NO: 123

In the Junos OS, which statement is true?



8/22/2019 Juniper JN0-332 v6

61/103

A. vlan.0 belongs to the untrust zone.

B. You must configure Web authentication to allow inbound traffic in the untrust zone.

C. he zone name untrust has no special meaning

D. The untrust zone is not configurable.

Answer: C

Explanation:

QUESTION NO: 124

Which statement is true about SurfControl integrated Web filter solution?

A. The SurfControl server in the cloud provides the SRX device with the category of the URL as

well as the reputation of the URL.

B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.

C. The SurfControl server in the cloud provides the SRX device with only the reputation of the

URL.

D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny

the URL.

Answer: B

Explanation:

QUESTION NO: 125


Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC

192.168.10.10.What is causing the problem?



8/22/2019 Juniper JN0-332 v6

62/103

A. Telnet is not being permitted by self policy.

B. Telnet is not being permitted by security policy.

C. Telnet is not allowed because it is not considered secure.

D. Telnet is not enabled as a host-inbound service on the zone.

Answer: D

Explanation:

QUESTION NO: 126

Which two statements are true regarding firewall user authentication? (Choose two.)

A. When configured for pass-through firewall user authentication, the user must first open a

connection to the Junos security platform before connecting to a remote network resource.

B. When configured for Web firewall user authentication only, the user must first open a

connection to the Junos security platform before connecting to a remote network resource.

C. If a Junos security device is configured for pass-through firewall user authentication, new

sessions are automatically intercepted to perform authentication.

D. If a Junos security device is configured for Web firewall user authentication, new sessions are

automatically intercepted to perform authentication.

Answer: B,C

Explanation:

QUESTION NO: 127

You want to create a security policy allowing traffic from any host in the Trust zone to

hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this policy?

A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.

B. Specify the DNS entry (hostb.example.com) as the destination address in the policy.

C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this

entry in the policy.

D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference

this entry in the policy.

Answer: D

Explanation:



8/22/2019 Juniper JN0-332 v6

63/103

QUESTION NO: 128

Which three types of content filtering are supported only for HTTP? (Choose three.)

A. block Flash

B. block Java applets

C. block ActiveXD. block EXE files

E. block MIME type

Answer: B,C,D

Explanation:

QUESTION NO: 129

Which three represent IDP policy match conditions? (Choose three.)

A. protocol

B. source-address

C. port

D. application

E. attacks

Answer: B,D,E

Explanation:

QUESTION NO: 130

Which two statements are true regarding the system-default security policy [edit security policies

default-policy]? (Choose two.)

A. Traffic is permitted from the trust zone to the untrust zone.

B. Intrazone traffic in the trust zone is permitted.

C. All traffic through the device is denied.

D. The policy is matched only when no other matching policies are found.

Answer: C,D

Explanation:



8/22/2019 Juniper JN0-332 v6

64/103

QUESTION NO: 131

Which configuration shows the correct application of a security policy scheduler?

A. [edit security policies from-zone Private to-zone External]

user@host# show

policy allowTransit {match {




}

then {

permit {

tunnel {

ipsec-vpn myTunnel;}

scheduler-name now;

}

}

}

B. [edit security policies from-zone Private to-zone External]

user@host# show


match {




}

then {

permit {

tunnel {

ipsec-vpn myTunnel;

}

}}

scheduler-name now;

}

C. [edit security policies from-zone Private to-zone External]

user@host# show


match {


destination-address ExtServers;application ExtApps;

}



8/22/2019 Juniper JN0-332 v6

65/103

then {

permit {

tunnel {

ipsec-vpn myTunnel;

scheduler-name now;

}

}}

}

D. [edit security policies from-zone Private to-zone External]

user@host# show


match {




scheduler-name now;

}

then {

permit {

tunnel {

ipsec-vpn myTunnel;

}

}

}

scheduler-name now;}

Answer: B

Explanation:

QUESTION NO: 132

Which three functions are provided by the Junos OS for security platforms? (Choose three.)

A. VPN establishment

B. stateful ARP lookups

C. Dynamic ARP inspection

D. Network Address Translation

E. inspection of packets at higher levels (Layer 4 and above)

Answer: A,D,E

Explanation:



8/22/2019 Juniper JN0-332 v6

66/103

QUESTION NO: 133

Which three options represent IDP policy match conditions? (Choose three.)

A. service

B. to-zone

C. attacks

D. port

E. destination-address

Answer: B,C,E

Explanation:

QUESTION NO: 134

Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP?

(Choose three.)

A. data integrity

B. data confidentialityC. data authentication

D. outer IP header confidentiality

E. outer IP header authentication

Answer: A,B,C

Explanation:

QUESTION NO: 135

Which two statements apply to policy scheduling? (Choose two.)

A. An individual policy can have only one scheduler applied.

B. You must manually configure system-time updates.

C. Multiple policies can use the same scheduler.

D. Policies that do not have schedulers are not active.

Answer: A,C

Explanation:



8/22/2019 Juniper JN0-332 v6

67/103

QUESTION NO: 136

Which three actions can a branch SRX Series device perform on a spam e-mail message?

(Choose three.)

A. It can drop the connection at the IP address level.

B. It can block the e-mail based upon the sender ID.

C. It can allow the e-mail and bypass all UTM inspection.

D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail

address.

E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the

subject line.

Answer: A,B,E

Explanation:

QUESTION NO: 137

What are three different integrated UTM components available on the branch SRX Series

devices? (Choose three.)

A. antivirus (full AV, express AV)

B. antivirus (desktop AV)

C. Web filtering

D. antispam

E. firewall user authentication

Answer: A,C,D

Explanation:

QUESTION NO: 138

You want to test a configured screen value prior to deploying. Which statement will allow you to

accomplish this?


user@host# show



8/22/2019 Juniper JN0-332 v6

68/103

ids-option untrust-screen {

alarm-test-only;

}


user@host# show


alarm-without-drop;}


user@host# show


alarm-no-drop;

}


user@host# show


test-without-drop;

}

Answer: B

Explanation:

QUESTION NO: 139

Which three contexts can be used as matching conditions in a source NAT configuration? (Choose

three.)

A. routing-instance

B. zone

C. interface

D. policy

E. rule-set

Answer: A,B,C

Explanation:

QUESTION NO: 140

Which command shows the event and traceoptions file for chassis clusters?

A. show log chassisd



8/22/2019 Juniper JN0-332 v6

69/103

B. show log clusterd

C. show log jsrpd

D. show log messages

Answer: C

Explanation:

QUESTION NO: 141

Which encryption type is used to secure user data in an IPsec tunnel?

A. symmetric key encryption

B. asymmetric key encryption

C. RSA

D. digital certificates

Answer: A

Explanation:

QUESTION NO: 142

Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address

and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an

HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your

device. You must use NAT to make the Web server reachable from the Internet using port

translation. Which type of NAT must you configure?

A. source NAT with address shifting

B. pool-based source NATC. static destination NAT

D. pool-based destination NAT

Answer: D

Explanation:

QUESTION NO: 143

Which two types of attacks are considered to be denial of service? (Choose two.)



8/22/2019 Juniper JN0-332 v6

70/103

A. zombie agents

B. SYN flood

C. IP packet fragments

D. WinNuke

Answer: B,D

Explanation:

QUESTION NO: 144

Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum

virus coverage for network traffic?

A. express AV

B. full AV

C. desktop AV

D. ICAP

Answer: B

Explanation:

QUESTION NO: 145

Which two statements are true about the Websense redirect Web filter solution? (Choose two.)

A. The Websense redirect Web filter solution does not require a license on the SRX device.

B. The Websense server provides the SRX device with a category for the URL and the SRX

device then matches the category with its configured polices and decides to permit or deny the

URL.C. The Websense server provides the SRX device with a decision as to whether the SRX device

permits or denies the URL.

D. When the Websense server does not know the category of the URL, it sends a request back to

the SRX device to validate against the integrated SurfControl server in the cloud.

Answer: A,C

Explanation:

QUESTION NO: 146



8/22/2019 Juniper JN0-332 v6

71/103


Referring to the exhibit, which statement contains the correct gateway parameters?

A. [edit security ike]

user@host# show

gateway ike-phase1-gateway {

policy ike-policy1;

address 10.10.10.1;

dead-peer-detection {

interval 20;

threshold 5;}

external-interface ge-1/0/1.0;

}

B. [edit security ike]

user@host# show


ike-policy ike-policy1;

address 10.10.10.1;


interval 20;

threshold 5;

}


}

C. [edit security ike]

user@host# show


policy ike1-policy;

address 10.10.10.1;dead-peer-detection {

interval 20;



8/22/2019 Juniper JN0-332 v6

72/103

threshold 5;

}


}

D. [edit security ike]

user@host# show

gateway ike-phase1-gateway {ike-policy ike1-policy;

address 10.10.10.1;


interval 20;

threshold 5;

}


}

Answer: B

Explanation:

QUESTION NO: 147

Antispam can be leveraged with which two features on a branch SRX Series device to provide

maximum protection from malicious e-mail content? (Choose two.)

A. integrated Web filtering

B. full AV

C. IPS

D. local Web filtering

Answer: B,C

Explanation:

QUESTION NO: 148

Content filtering enables traffic to be permitted or blocked based on inspection of which three

types of content? (Choose three.)

A. MIME pattern

B. file extension

C. IP spoofing

D. POP3



8/22/2019 Juniper JN0-332 v6

73/103

E. protocol command

Answer: A,B,E

Explanation:

QUESTION NO: 149

What are three valid Juniper Networks IPS attack object types? (Choose three.)

A. signature

B. anomaly

C. trojan

D. virus

E. chain

Answer: A,B,E

Explanation:

QUESTION NO: 150

Which two statements are true about AH? (Choose two.)

A. AH provides data integrity.

B. AH is identified by IP protocol 50.

C. AH is identified by IP protocol 51.

D. AH cannot work in conjunction with ESP

Answer: A,C

Explanation:

QUESTION NO: 151




8/22/2019 Juniper JN0-332 v6

74/103

Referring to the exhibit, what is the correct proxy-id?

A. local 1.1.1.0/24, remote 2.1.1.0/24

B. local 2.1.1.0/24, remote 1.1.1.0/24



8/22/2019 Juniper JN0-332 v6

75/103

C. local 12.1.1.0/24, remote 11.1.1.0/24

D. local 11.1.1.0/24, remote 12.1.1.0/24

Answer: D

Explanation:

QUESTION NO: 152

On which component is the control plane implemented?

A. IOC

B. PIM

C. RE

D. SPC

Answer: C

Explanation:

QUESTION NO: 153

Which two packet attributes contribute to the identification of a session? (Choose two.)

A. destination port

B. TTL

C. IP options

D. protocol number

Answer: A,D

Explanation:

QUESTION NO: 154

Which interface is used for RTO synchronization and forwarding traffic between the devices in a

cluster?

A. the st interfaceB. the reth interface

C. the fxp1 and fxp0 interfaces



8/22/2019 Juniper JN0-332 v6

76/103

D. the fab0 and fab1 interfaces

Answer: D

Explanation:

QUESTION NO: 155


In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from

the match condition of the policy My Traffic. What will happen to the existing FTP and BGP

sessions?

A. The existing FTP and BGP sessions will continue.

B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be

dropped.

C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.

D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.

Answer: B

Explanation:



8/22/2019 Juniper JN0-332 v6

77/103

QUESTION NO: 156


Given the configuration shown in the exhibit, which configuration object would be used to

associate both Nancy and Walter with firewall user authentication within a security policy?

A. ftp-group

B. ftp-users

C. firewall-user

D. nancy and walter

Answer: A

Explanation:

QUESTION NO: 157

Which two statements are true about pool-based source NAT? (Choose two.)

A. PAT is not supported.

B. PAT is enabled by default.

C. It supports the address-persistent configuration option.D. It supports the junos-global configuration option.



8/22/2019 Juniper JN0-332 v6

78/103

Answer: B,C

Explanation:

QUESTION NO: 158

What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can

decompress for the HTTP protocol?

A. 1

B. 4

C. 8

D. 16

Answer: B

Explanation:

QUESTION NO: 159

The same Web site is visited for the second time using a branch SRX Series Services Gateway

configured with Surf Control integrated Web filtering. Which statement is true?

A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl

server provides the SRX with a category of the URL.

B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl

server asks the SRX device to permit the URL as it has been previously visited.

C. The SRX device looks at its local cache to find the category of the URL.

D. The SRX device does not perform any Web filtering operation as the Web site has already

been visited.

Answer: C

Explanation:

QUESTION NO: 160

To

juniper jn0-332 v6

Documents