juniper jn0-531 exam questions & answers · 6/3/2014 · this device will always be master in...

JUNIPER JN0-531 EXAM QUESTIONS & ANSWERS

Number: JN0-531Passing Score: 800Time Limit: 120 minFile Version: 47.7

http://www.gratisexam.com/

JUNIPER JN0-531 EXAM QUESTIONS & ANSWERS

Exam Name: FWV, Specailist(JNCIS-FWV)

Certkey

QUESTION 1You have configured the following on your device.set address trust MyPC 10.1.1.5/32set address untrust CorpNet 10.10.0.0/16set policy from trust to untrust MyPC CorpNet any permitset int tunnel.1 zone untrustset int tunnel.1 ip unnumbered int bgroup1set ike gateway GW address 1.1.1.1 outgoing-interface e0/1 preshare Secret sec-level standardset vpn VPN gateway GW sec-level standardThe VPN is not working properly. What is the problem?

A. The policy needs to have the action tunnel.B. The VPN needs to be bound to the tunnel interface.C. The tunnel interface needs to be associated with the interface in the untrust zone.D. The tunnel interface needs to be placed in the trust zone.

Correct Answer: BSection: (none)Explanation

Explanation/Reference:

QUESTION 2To which three ScreenOS components can a policy-based routing policy be bound? (Choose three.)

A. zoneB. virtual systemC. policyD. interfaceE. virtual router

Correct Answer: ADESection: (none)Explanation


QUESTION 3Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, what are twoexplanations for the output shown? (Choose two.)

A. The nsp card needs reseating.B. The routing table requires reconfiguration.C. Packets will be forwarded using the secondary wing as long as the primary is not ready.D. The next hop device is failing to respond.

Correct Answer: BDSection: (none)Explanation


QUESTION 4How many SNMP communities can be created in a ScreenOS device?

A. 1B. 2C. 3D. 8

Correct Answer: CSection: (none)Explanation


QUESTION 5What do you need to change in your VPN configuration to use certificates for authentication?

A. Replace the preshared key with the certificate name.B. Use a custom set of Phase2 proposals, all beginning with rsa-.

C. Select PFS in Phase2, then select the certificate to be used.D. Use a custom set of Phase1 proposals, all beginning with rsa-.

Correct Answer: DSection: (none)Explanation


QUESTION 6You have configured set nsrp vsd-group master-always-exist on your ScreenOS device.What does this do?


A. This device will always be master in the NSRP cluster.B. The vsd-group will always be homed to the master in the NSRP cluster.C. There will always be a master device in the NSRP cluster.D. The NSRP protocol will not initialize without a master.



QUESTION 7Which command allows you to verify active connections when Shared IKE ID is in use?

A. get users activeB. get xauth activeC. get ike xauth usersD. get auth table



QUESTION 8Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, your ScreenOSdevice has a VPN configured using a tunnel interface in the untrust zone. The remote gateway is defined usinga FQDN. The tunnel went down and has not reestablished as per the output in the exhibit. Your protectedresources reside in the trust zone.What are two reasons why the tunnel is failing to reestablish? (Choose two.)

A. One of the devices was modified so that the peer ID and local ID no longer match.B. The Phase 1 preshared key was modified in one of the devices.C. The policy used by this VPN was deleted.D. The IP address of the remote peer changed and your DNS table has not updated with the new address.



QUESTION 9From which port can the ScreenOS device send SYSLOG messages?

A. TCP port 22B. TCP port 53C. TCP port 25D. TCP port 161



QUESTION 10What is the maximum number of DSCP bits that can be configured for rewrite by a ScreenOS device?

A. 1B. 6C. 8D. 3



QUESTION 11Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. Using the ScreenOS CLI output inthe exhibit, which statement can be confirmed?

A. There have been 3,583 session limits configured for source IP addresses on this ScreenOS device.B. There have been 3,583 violations of the source IP address license limitations on this ScreenOS device.C. There have been 3,583 unique hosts that have exceeded the source IP address session limit.D. There have been 3,583 packets from hosts that have exceeded the source IP address session limit.



QUESTION 12What determines which interface is the primary link in a redundant interface group?

A. the lowest numbered interface on the deviceB. the highest numbered interface on the deviceC. the highest MAC addressD. the first interface placed in the groupE. the lowest MAC address



QUESTION 13You have four policies configured for the egress interface with 10 Mbps physical bandwidth. The policies areconfigured as follows:Policy 1 - Highest Priority, 2 Mbps guaranteed, 3 Mbps maximumPolicy 2 - 1st Priority, 3 Mbps guaranteed, 4 Mbps maximumPolicy 3 - 1st Priority, 3 Mbps guaranteed, 3 Mbps maximumPolicy 4 - Highest Priority, 1 Mbps guaranteed, 4 Mbps maximumAssuming the policies are processed in the order shown, which policy will drop traffic first under a full trafficload?

A. Policy 2

B. Policy 4C. Policy 1D. Policy 3



QUESTION 14You have enabled RIP in a hub and spoke VPN environment. You are not receiving routes from one of yourspokes, although the VPN is up. When you run debug on the spoke device, you see regular RIP updates beinggenerated on the tunnel interface. You are receiving and sending routes to the rest of your spokes. What is theproblem?

A. You did not configure passive interface on the spoke device.B. You did not disable split horizon on the spoke device.C. You did not configure a RIP neighbor for the spoke device on the hub.D. You did not configure demand circuit on the spoke device.



QUESTION 15Which commands would you use to create a zone and make it ready to perform IP classification for a VSYS?

A. set zone name Zone1set zone Zone1 sharedset zone Zone1 ip-classification enable

B. set zone name Zone1set zone Zone1 sharedset zone Zone1 ip-classification

C. set zone name Zone1 sharedset zone Zone1 ip-classification

D. set zone name Zone1set zone Zone1 ip-classification



QUESTION 16You are a read/write VSYS administrator. Your configuration requires the use of a DIP.Which statement correctly describes this situation?

A. You can create DIPs on any interface you can see in your interface list, including both private and sharedinterfaces.

B. You can create DIPs only on sub-interfaces within your VSYS. All other DIPs need to be created by the rootlevel VSYS admin.

C. You can create the DIP on any interface imported into your VSYS, but not on shared interfaces.D. DIP creation can only be done by the root administrator, not a VSYS administrator.



QUESTION 17Which two item pairs are exchanged during Phase 2 negotiations? (Choose two.)

A. hash [ID + Key], DH key exchangeB. IKE cookie, SA proposal listC. proxy-id, SA proposal listD. SA proposal list, optional DH key exchange

Correct Answer: CDSection: (none)Explanation


QUESTION 18Which three statements are true regarding IKE Phase 1? (Choose three.)

A. The digital certificate is used to decrypt the session key.B. The proxy-id is used to determine which SA is referenced for the VPN.C. Placing the SA proposal list in message 1 is an option.D. The DH key exchange is used to validate the session key.E. The DH key exchange and digital certificates are both optional.

Correct Answer: ACDSection: (none)Explanation


QUESTION 19Which command will show address translation for sessions that have ended?

A. snoopB. get dbuf streamC. get log trafficD. get session



QUESTION 20You want to create a subinterface in VSYS

A. Which two actions are required? (Choosetwo.)

B. Login as a VSYS level admin.C. Create the subinterface at the root VSYS.D. Import the subinterface.E. Login as root level admin.F. Create the subinterface at the VSYS level.

Correct Answer: DESection: (none)Explanation


QUESTION 21Which policy action is needed to add deep inspection to a policy?

A. inspectB. rejectC. permitD. detect



QUESTION 22Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully.In the exhibit, Phase 1 negotiation is failing.Which two would be related to the problem? (Choose two.)

A. Phase 1 proposal mismatchB. incorrect outgoing interface set on receiverC. incorrect peer address set on initiatorD. incorrect peer address set on receiver

Correct Answer: BD

Section: (none)Explanation


QUESTION 23Which command is used to verify that IGMP is running correctly?

A. get route igmpB. exec igmp interface e0/1 queryC. set igmp query interface e0/1D. get igmp query



QUESTION 24Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, the route-based VPNon the SSG 5 needs to configured to allow access only from your PC to Server G. The SSG 550 is configuredwith a policy-based VPN from Server G to your PC's host address. Assume the gateways are static.Which proxy-id must be configured?

A. Local: 1.1.1.250/24Remote: 4.4.4.250/24B. Local: 10.0.0.5/24Remote: 20.0.0.5/24C. Local: 10.0.0.5/32Remote: 20.0.0.5/32D. Local: 1.1.1.250/32Remote: 4.4.4.250/32



QUESTION 25Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully.In the exhibit, what would correct the proxy-ID mismatch?

A. The 10.50.0.0 address book entry on the responder needs to be changed to a 24 bit mask.B. The 10.1.0.0 address book entry on the initiator needs to be changed to a 32 bit mask.C. The 10.50.0.0 address book entry on the responder needs to be changed to a 32 bit mask.D. The 10.50.0.0 address book entry on the initiator needs to be changed to a 30 bit mask.

Correct Answer: ASection: (none)Explanation


QUESTION 26You want to configure the NetScreen Remote client to use a preshared key. You select the "My Identity"configuration screen but you cannot find the option. What is causing the problem?

A. This should be configured under the "Authentication" tab.B. You have to set the "ID type" option to Pre-Shared key.C. This should be configured under the "Key Exchange" tab.D. You have to set the "Select Certificate" option to none.



QUESTION 27Which statement about source-based routing is true?

A. Destination-based routes take precedence over source-based routes.B. You can only specify an interface as the next hop.C. You cannot configure source-based routing in the untrust-vr.D. You cannot redistribute source-based routes.



QUESTION 28You have entered the following BGP configuration:set vrouter trust-vr bgp 65530set vrouter trust-vr bgp enableset vrouter trust-vr protocol bgp neighbor 1.1.1.250remote-as 65500set vrouter trust-vr protocol bgp neighbor 1.2.3.250remote-as 65280BGP is not working. What two elements are missing from your configuration? (Choose two.)

A. You have not enabled BGP on the interfaces connecting to the peers.B. You have not enabled EBGP multihop.C. You have not enabled the BGP peers.D. You have not placed the peers in a BGP peer group.

Correct Answer: ACSection: (none)Explanation


QUESTION 29You want to configure routing redundancy over your VPN network, but do not want to deploy a dynamic routingprotocol. What should you do?

A. Configure multiple static routes, setting tags to designate primary and backup routes.B. Configure multiple static routes, adjusting the metric to determine primary and backup routes.C. Configure multiple static routes, adjusting the preference to create floating static routes as backups.D. Configure multiple static routes, adjusting the cost to determine primary and backup routes.



QUESTION 30What must be configured differently for a route-based VPN and a policy-based VPN?

A. remote gateway typeB. binding the tunnel interfaceC. proxy-idD. proposals

Correct Answer: BSection: (none)

Explanation


QUESTION 31When configuring ScreenOS, which three are OSPF area types? (Choose three.)

A. stubB. virtualC. ordinaryD. not-so-stubbyE. normal



QUESTION 32You have configured NSRP Active/Passive using the default vsd-group. You are using OSPF to learn routesfrom adjacent network devices. Which configuration is required to ensure the dynamic routes are available onboth the devices?

A. You have to configure OSPF on the VSI interfaces. All dynamic routes learned on the VSI will be synced tothe backup.

B. Dynamic routes are RTO objects; no additional configuration is required.C. You have to unset nsrp vsd-group id 0 and configure OSPF on the local interfaces of the master device

only.D. You have to unset nsrp vsd-group id 0 and set nsrp vsd-group id 1 for the VSI interface, then configure

OSPF on the local interfaces on both the devices.



QUESTION 33Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. Given the routing table in theexhibit, which interface will be used to reach the host at 10.1.20.1?

A. ethernet0/4B. tunnel.1C. tunnel.21D. ethernet0/2



QUESTION 34When configuring security proposals with the NetScreen-Remote client, how many Phase 2 proposals areincluded by default when you configure a new connection?

A. 3B. 4C. 1D. 2



QUESTION 35Which two components are required to implement ScreenOS deep inspection? (Choose two.)

A. signature databaseB. policy statementsC. service book group entriesD. IDP action statement

Correct Answer: AB



QUESTION 36A VPN tunnel that uses a CA certificate has failed Phase 1 negotiations. The peer's certificate has beenrejected. What would be causing this problem?

A. The CA certificate has been revoked.B. One of the peering devices are not synced with the NTP server.C. The CRL has been downloaded, but the certificates have a CDP extension thus making them invalid.D. The device certificates were generated before the CRL was downloaded thus making them invalid.



QUESTION 37Which three are valid Connection Security options in the NetScreen-Remote client? (Choose three.)

A. BlockB. PermitC. SecureD. Non-secureE. Tunnel



QUESTION 38You have created a VPN to a dynamic peer. Which two configured parameters must match? (Choose two.)

A. static side IP addressB. dynamic side IP addressC. static side peer-idD. dynamic side local-id



QUESTION 39Which two are valid actions for policy-based routing? (Choose two.)

A. next hop gateway onlyB. next hop virtual router onlyC. next interface onlyD. next hop only



QUESTION 40Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, which two statementscan be verified from the debug output? (Choose two.)

A. Traffic is departing using the root virtual system.B. Traffic is arriving from the virtual system CustA.C. The matched policy is from a custom zone to a system-defined zone.D. The routing decision used the default route.

Correct Answer: BCSection: (none)Explanation


QUESTION 41Which item in a virtual system is shared by default?

A. untrust zone in the untrust-vrB. trust zone in the untrust-vrC. untrust zone in the trust-vrD. trust zone in the trust-vr



QUESTION 42Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, which two can bedetermined about the VPN? (Choose two.)

A. Phase 1 completed successfully.B. The destination gateway device IP address is 1.1.1.10.C. You are not using PFS.D. Phase 2 completed successfully.

Correct Answer: ABSection: (none)Explanation


QUESTION 43Which two statements are true of preshared keys when configuring dialup VPN group IKE IDs? (Choose two.)

A. VPN Manager automatically generates individual preshared keys for each dialup peer using the same seedvalue for all ScreenOS devices.

B. Preshared keys are automatically generated by the ScreenOS device combining a seed value and ID sentby the client.

C. The preshared keys for each remote user must be stored in the ScreenOS device.D. Some remote clients can calculate the preshared key locally if a seed value is provided.



QUESTION 44Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. You are troubleshooting theproduction firewall at your corporate headquarters.In the exhibit, which important command is missing?

A. get debug streamB. debug offC. set debugD. set ffilter



QUESTION 45Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully.In the exhibit, which command is missing?

A. debug commandB. filter commandC. undebug commandD. get command


Explanation


QUESTION 46You have correctly changed your NetScreen-Remote client security policy, but it does not seem to be active.Which two actions should you take? (Choose two.)

A. If the policy is already active, select the File menu from the security policy editor and then select "ReloadSecurity Policy"

B. If the policy is not active, select the File menu from the security policy editor and select "Activate SecurityPolicy"

C. If the policy is not active then right click on the NetScreen-Remote icon and select "Activate Security Policy".D. If the policy is already active, right click on the NetScreen-Remote icon and select "Reload Security Policy".



QUESTION 47You are a read/write VSYS administrator. Your configuration requires the use of a MIP.Which statement correctly describes this situation?

A. You can create MIPs on any interface you can see in your interface list, including both private and sharedinterfaces.

B. MIP creation can only be done by the root administrator, not a VSYS administrator.C. You can create MIPs only on sub-interfaces within your VSYS. All other MIPs need to be created by the root

level VSYS admin.D. You can create the MIPs on any interface imported into your VSYS, but not on shared interfaces.



QUESTION 48What must be enabled to protect Phase 2 key exchanges?

A. Phase 2 3-DESB. Phase 1 PFSC. Phase 2 SHAD. Phase 2 DH key exchange



QUESTION 49Which statement is correct regarding the configuration of basic dialup VPN networks?

A. You can assign an IP address to a remote user when creating an IKE user.B. Creating individual users for basic VPN networks is more secure than using a group ID.C. The WebUI permits only the configuration of FQDN IKE users.D. The number of configured IKE users is platform-specific.



QUESTION 50Which ScreenOS configuration element will influence the application of SCREENs to traffic passing through thedevice?

A. interfacesB. policyC. zonesD. routing



QUESTION 51You have configured NSRP Active/Passive using the default vsd-group. You are using BGP to learn routesfrom adjacent network devices. You want each firewall to establish a BGP peer to different upstream routers.You also want the backup device to learn dynamic routes. Which configuration would ensure you can establisha BGP peer to two different routers?

A. Use the unset nsrp vsd-group id 0 and set nsrp vsd-group id 1 commands for VSI interfaces, then configureBGP peers on the local interfaces, then unset vr untrust-vr nsrp-config-sync.

B. Use the unset vr <vr-name> nsrp-config-sync command and configure BGP peers on the VSI interface.C. Use the unset nsrp vsd-group id 0 and set nsrp vsd-group id 1 commands for the VSI interfaces, then

configure BGP peers on the local interfaces, then unset vr <vr-name> nsrp-config-sync.D. Configure two BGP peers on the same VSI interface, but use a different virtual router on each device.



QUESTION 52Which three events would cause ScreenOS devices to generate SNMP traps? (Choose three.)

A. traffic log eventsB. cold starts

C. self log eventsD. warm rebootsE. traffic alarms

Correct Answer: BDESection: (none)Explanation


QUESTION 53Which CLI command identifies the multicast sources visible to your ScreenOS device?

A. get vrouter trust-vr protocol pimB. get route pimC. exec pim interface all queryD. get igmp source all



QUESTION 54What should you configure to insure an HA cable failure does not result in both devices attempting to becomemaster?

A. secondary pathB. heartbeat thresholdC. monitor thresholdD. failover count



QUESTION 55You have entered the following OSPF configuration:set vrouter trust-vr protocol ospfset vrouter trust-vr protocol ospf area 10set interface e0/0 protocol ospf area 10set interface e0/0 protocol ospf enableset interface e0/1 protocol ospf area 10set interface e0/1 protocol ospf enableOSPF is not working. What is missing from your configuration?

A. You have not configured OSPF neighbors on the interfaces.B. You have not set the costs on the OSPF interfaces.C. You have not enabled OSPF on the virtual router.

D. You have not assigned any interfaces to area 0.



QUESTION 56You are concerned that one of the routes on your ScreenOS device has been flapping. You would like toinvestigate how long this route has been up and when the last outage occurred. Which command will provideyou with this specific information?

A. get route id <x>B. get route ip <x>C. get eventsD. get interface <x>



QUESTION 57As a member of a VSD group, a device may be in which two states? (Choose two.)

A. initB. backupC. inactiveD. passive



QUESTION 58Which three OSPF parameters are interface parameters? (Choose three.)

A. summarizationB. neighbor listC. advertise default routeD. costE. priority



QUESTION 59You have created a virtual router called VSYSA-vr and made it shareable. You then create the VSYS using theWebUI, telling it to use an existing VR and selecting the VR called VSYSA-vr. What is the status of the virtualrouter after you create the VSYS?

A. The router will be the default router and will still have a shareable status.B. The router will be the default router but will no longer be shared.C. The system will not let you use a shared virtual router when you create a new VSYS.

The initial virtual router must be private.D. The system will not create a private vr for the VSYS but will assign the untrust-vr as the default router. The

shared Virtual router will not be the default router.



QUESTION 60What are the three building blocks to create a PBR policy? (Choose three.)

A. session groupsB. action groupsC. extended access groupsD. extended access listsE. match groups



QUESTION 61Which ScreenOS CLI command would be used for importing routes from the untrust-vr to OSPF in the trust-vr?

A. set ospf import vrouter trust-vr address to-trustB. set vrouter untrust-vr protocol ospf import list to-trustC. set import-from vrouter untrust-vr route-map to-trust protocol ospfD. set vrouter trust-vr protocol ospf import distribute-list to-trust



QUESTION 62You have implemented a hub and spoke VPN. On the hub, there are two tunnel interfaces, one to each spoke.Both tunnel interfaces are in the same zone. Which two configuration options will control traffic between thespokes? (Choose two.)

A. Configure each tunnel interface to block intra-zone traffic.B. Configure the common zone to block intra-zone traffic.C. Configure the common zone to block inter-zone traffic.D. Configure one of the tunnel interfaces in a different zone a set policies.



QUESTION 63What will happen if you type the command unset protocol vrouter trust-vr protocol ospf?

A. All OSPF configuration parameters are removed from all interfaces in the vrouter.B. All OSPF configuration parameters are removed from the vrouter only.C. OSPF stops running, but the OSPF configuration is left intact.D. All OSPF configuration parameters are removed from the vrouter and from all interfaces in the vrouter.



QUESTION 64What are three components that make up a redundant VPN configuration? (Choose three.)

A. masterB. targetsC. monitorD. VPN groupsE. backups

Correct Answer: BCDSection: (none)Explanation


QUESTION 65Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully.In the exhibit, what is the control MAC address of the NSRP master?

A. 00:10:db:50:a4:d7B. 00:10:db:50:a3:d8C. 00:10:db:50:a3:d7D. 00:10:db:50:a4:d8



QUESTION 66You create three policies that will send traffic through an interface configured for 1.544 Mbps. All policies areconfigured to have 256 Kbps guaranteed bandwidth and 512 Kbps of maximum bandwidth. Each policy hasbeen assigned the following priorities:Policy 1 = priority 4Policy 2 = priority 5Policy 3 = priority 3Each policy receives a constant stream of 1 Mbps.How much bandwidth will be available for Policy 2?

A. 1.544 MbpsB. 1 MbpsC. 512 KbpsD. 256 Kbps



QUESTION 67During main mode negations a failure has occurred while using IKE certificates. Which message pair would youreview to troubleshoot this failure?

A. messages 3 & 4B. messages 2 & 3C. messages 1 & 2D. messages 5 & 6



QUESTION 68When using NSRP, which command will insure uninterrupted communications for VPNs using certificates forauthentication?

A. set NSRP clusternameB. set NSRP cluster hostnameC. set hostnameD. set NSRP cluster name



QUESTION 69Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the ScreenOS CLI output shown,which configuration step is missing?

A. set policy id 5 screen limit-session inspectB. set interface ethernet0/1 screen limit-session inspectC. set zone trust screen limit-session source-ip-basedD. set zone trust screen limit-session enable



QUESTION 70What are two methods of implementing external antivirus scanning on ScreenOS devices? (Choose two.)

A. Policy-Based RoutingB. VLAN-Based Traffic ClassificationC. IP-Based Traffic ClassificationD. Internet Content Adaptation Protocol

Correct Answer: ADSection: (none)Explanation


QUESTION 71Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully.In the exhibit, the hub and spoke VPN uses route-based VPNs.What is the minimum number of policy rules required to establish full, bi-directional communications betweenall locations?

A. 4B. 0C. 3D. 6



QUESTION 72If you configure 5 Mbps of guaranteed bandwidth for a policy, and you have 10 sessions created for that policy,how much bandwidth is reserved for each session?

A. 10 MbpsB. .5 MbpsC. 5 MbpsD. 2.5 Mbps



QUESTION 73Which statement defines maximum bandwidth?

A. The total amount of bandwidth (configured in Kbps) that can be used by a policy after all guaranteedbandwidth has been serviced.

B. The additional amount of bandwidth over the guaranteed bandwidth amount (configured in Mbps) that canbe used by a policy after guaranteed bandwidth has been serviced.

C. The total amount of bandwidth (configured in Mbps) that can be used by a policy after guaranteedbandwidth has been serviced.

D. The additional amount of bandwidth over the guaranteed bandwidth amount (configured in Kbps) that canbe used by a policy after guaranteed bandwidth has been serviced.



QUESTION 74Which two statements are true regarding the use of dialup VPNs? (Choose two.)

A. They are configured so that the first IKE message will always have the SA proposal list.B. They can be used as an alternative to connect remote users when a ScreenOS device has reached the

maximum number of LAN-to-LAN tunnels.C. They are initiated only by the remote host PC.D. They can only be connected to the trust zone on a ScreenOS device.



QUESTION 75When adding deep inspection to a policy, when will inspection be performed?

A. after the packet has been permitted

B. after the routing lookupC. before the destination lookupD. before the policy lookup



QUESTION 76Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, which statement canbe verified from the debug output?

A. The matched policy is from a custom zone to a system-defined zone.B. Traffic is departing from the root virtual system.C. Traffic is arriving from the virtual system CustA.D. Traffic is departing from the virtual system CustA.



QUESTION 77Which ScreenOS CLI command(s) allow(s) for redistribution of type 1-3 LSAs?

A. set protocol ospf lsa 1 redistributeset protocol ospf lsa 2 redistributeset protocol ospf lsa 3 redistribute

B. set ospf export route externalC. set match route-type internal-ospfD. set redistribute ospf lsa 1

set redistribute ospf lsa 2set redistribute ospf lsa 3



QUESTION 78Which three HTTP components can a ScreenOS device inspect and selectively block? (Choose three.)

A. Java appletsB. .gz filesC. JavaScript appletsD. .zip filesE. .exe files



QUESTION 79You create a policy-based VPN, and select an address group for the source address. What will be the sourcecomponent of the proxy-id seen by the remote security gateway?

A. the subnet that contains all addresses in the address groupB. the first member of the address groupC. the default 0.0.0.0/0D. the last member of the address group



QUESTION 80You have configured a secondary path for the NSRP cluster. Which type of traffic is sent over the secondarypath?

A. configuration sync messagesB. RTO message syncC. NSRP data packet forwardingD. NSRP heartbeats

Correct Answer: D



QUESTION 81When you configure integrated web filtering, which settings are needed on the client's PC?

A. A browser setting to point to the ingress IP address.B. No client IP is needed.C. A browser setting to define a proxy server.D. No settings are needed.



QUESTION 82Which three items do you need to download and install on your ScreenOS device for IKE gateways to be ableto use digital certificates without OCSP? (Choose three.)

A. the SCEP listB. the CRL listC. a local certificateD. the CA private key certificateE. the CA public key certificate

Correct Answer: BCESection: (none)Explanation


QUESTION 83Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. Users are having difficultiesreaching 10.1.1.25. You execute a get route command and find the results shown in the exhibit.What can you determine from this routing table?

A. A gateway must be assigned to ethernet0/1.B. The ethernet0/1 physical link may be down and needs troubleshooting.C. The preference on route ID 2 must be configured to a higher value.D. The problem is probably at the next hop.



QUESTION 84Which parameter do you adjust on a static route to create a floating static route?

A. weightB. costC. metricD. preference



QUESTION 85You are using NSRP and enable preempt on a device with a priority of 120. The other device has the defaultpriority set. What will be the result of this action?

A. The device will only become master if the device with default priority fails.B. The device will enter a pending state until the next maintenance window and then assume the master role.C. The device will wait the defined holdtime period and then take over as master.

D. The device will be come master immediately.



QUESTION 86Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. You have enabled OSPF on adevice addressed as shown in the exhibit. You have not configured a router ID.Which address will be used as the router ID?

A. 1.1.1.1B. 10.50.1.1C. 192.168.1.1D. 10.1.1.1



QUESTION 87You have configured NSRP Active/Active with vsd-group 0 as master on device A and vsd-group 1 as masteron device B. Both the devices are active and are masters for their respective VSDs. What will happen to thetraffic for vsd-group 1 if received on device A?

A. The traffic will be dropped on device A.B. The traffic will be handled locally on device A.C. Device A will inform the sender to re-direct traffic to device B.D. The traffic will be forwarded to device B over the HA link.



QUESTION 88Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. Review the configuration and getnsrp monitor track-ip output in the exhibit. Track-ip has failed on the device, but the device did not failover to thesecond unit in the cluster:Why has failover not occurred?

A. The track-ip address threshold is not sufficient to cause failover.B. The track-ip interval is not sufficient to cause failover.C. The track-ip address weight is not sufficient to cause failover.D. The physical interfaces have not failed.



QUESTION 89Which ScreenOS CLI command is necessary for configuring IGMP on interface ethernet0/1?

A. set interface ethernet0/1 igmp routerB. set multicast interface ethernet0/1C. set igmp interface ethernet0/1D. set igmp interface ethernet0/1 enable



QUESTION 90What is the default action of a ScreenOS device when a configured screening function threshold limit has beenreached?

A. Drop the packet and all further packets matching the attack for up to a configurable maximum of 10seconds.

B. Drop the packet and all further packets matching the attack for up to 1 minute.C. Log the packet but not drop it.D. Drop the packet and all further packets matching the attack for the remainder of the current second plus the

next second.



QUESTION 91Which two methods can the ScreenOS device use to assign traffic to a VSYS? (Choose two.)

A. policy-based classificationB. interface-based classificationC. IP-based classificationD. VLAN-based classification



QUESTION 92Which three elements are required to configure route redistribution on a ScreenOS device? (Choose three.)

A. a filter mapB. a route mapC. an access listD. a redistribution listE. an export rule



QUESTION 93Which command shows the present debugging configuration?

A. get dbufB. get debugC. get confD. debug info


Explanation


QUESTION 94Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, what is the source IPaddress of the multicast traffic?

A. 236.1.1.1B. 10.10.10.1C. 20.20.20.200D. 20.20.20.10



QUESTION 95Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, you are attempting tosnoop packets destined to 10.84.57.29. Using the information in the output, which command would you enter

next to work toward accomplishing your goal?

A. snoop infoB. snoop onC. set ffilterD. snoop ffilter



QUESTION 96Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, you need to configureBGP between devices A and C in AS 65200.Which configuration, if any, will be required only on device B?

A. You need to configure a policy permitting BGP traffic between device A and device C.B. No configuration is required on device B.C. You need to configure IBGP, defining devices A and C as BGP peers.D. You need to enable OSPF on device B and redistribute BGP routes on devices A and C.



QUESTION 97You are creating a DIP pool of 30 addresses. You would like to see how addresses are being allocated todifferent traffic streams. Which command will you use to view this information?

A. get address xlateB. snoopC. get dip allD. get session




QUESTION 98Which three interface types are supported in virtual systems? (Choose three.)

A. VPN interfacesB. subinterfacesC. dedicated InterfacesD. limited InterfacesE. shared Interfaces



QUESTION 99Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, which two must youconfigure on the SSG 550 to successfully establish a VPN?

A. local-id of 1.1.2.5B. default routeC. tunnel interface associated with VLAN1D. peer-id of 1.1.1.10



QUESTION 100When enabling RIP over a hub and spoke VPN, what must you configure on the hub device tunnel interface toallow spokes to receive routing updates?

A. disable split-horizon

B. enable demand circuitC. enable passive interfaceD. point to multipoint



QUESTION 101Exhibit:

You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, which two can bedetermined about the VPN? (Choose two.)

A. The VPN is active and has 3288 more seconds until reaching its 3600 second timeout.B. This is a route-based VPN.C. The VPN is active and has 312 more seconds until reaching its 3600 second timeout.D. The VPN tunnel is active but the VPN monitor shows the tunnel is down.



QUESTION 102You have four policies configured for the egress interface with 10 Mbps physical bandwidth. The policies areconfigured as follows:Policy 1 - Highest Priority, 1 Mbps guaranteed, 3 Mbps maximumPolicy 2 - 1st Priority, 1 Mbps guaranteed, 4 Mbps maximumPolicy 3 - 1st Priority, 2 Mbps guaranteed, 2 Mbps maximumPolicy 4 - Highest Priority, 2 Mbps guaranteed, 4 Mbps maximumAssuming the policies are processed in the order shown, which policy will drop traffic first under a full load?

A. Policy 2B. Policy 3C. Policy 1D. Policy 4



QUESTION 103Which ScreenOS CLI commands would match the 10.35.89.0/24 subnet for route redistribution?

A. set address Trust harry 10.35.89.0 255.255.255.0set distribution-list harrylist 1set address harry

B. set access-list 20 permit ip 10.35.89.0/24 10set route-map name harry permit 5set match ip 20

C. set access-list 5 permit 10.35.89.0 0.0.0.255set route-map harry permit 10set match ip address 5

D. set address Trust harry 10.35.89.0 255.255.255.0set route-map harry permit 10set ospf export harry



QUESTION 104A partner is attempting a dialup CLI configuration for username John. The following command is being used:set policy from untrust to trust "Dial-up VPN" Corporate any tunnel vpn username-VPN Which statement isaccurate about the command?

A. It will allow the connection of the username John.B. The source should be "any" since the source IP address is unknown.C. It can conflict with existing policies from untrust to trust zones.D. It requires prior configuration of the address books "Dial-up VPN" and Corporate.



QUESTION 105You suspect you are having encryption problems with an IKE VPN. Which two commands would help youdetermine if it is an encryption issue? (Choose two.)

A. get counter flow interface <name>B. get counter policy <policy number>C. get counter screen <zone>D. get counter statistics interface <name>



QUESTION 106You enable run time object (RTO) sync on the NSRP cluster. Which command will provide RTO message synccounters?

A. get nsrp counterB. get nsrp rtoC. get rto counterD. get count stat




You work as an administrator at Certkiller .com. Study the exhibit carefully.You notice that many users are experiencing network problems.Using the information in the exhibit, which command would resolve this problem?

A. set debug optimize 8192kbB. debug flow src-ip 10.35.29.1C. unset filterD. undebug all



QUESTION 108You have entered the following configuration.set vrouter untrust-vr source 1.1.10.0/24 interface tunnel.1 gateway 1.1.1.1 Your source-based route is notworking. What is the problem?

A. You have not enabled source-based routing in the untrust-vr.B. You cannot configure source-based routes in the untrust-vr.C. You cannot use source-based routing with VPNs.D. You have not specified a metric for the source-based route.



QUESTION 109Which statement is correct when using GRE in combination with IPSec?

A. GRE improves the efficiency of IPSec packet handling.B. GRE encapsulation is processed in software, while IPSec is processed in hardware.C. GRE encapsulates IPSec headers to provide legacy support with some VPN vendors.D. GRE allows ScreenOS devices to encapsulate IPX traffic over IPSec.



QUESTION 110A customer wants to restrict the number of simultaneous connections in a VPN dialup configuration using anIKE group. Which statement is true?

A. This is a configurable parameter under the ScreenOS device IKE Phase 2 configuration.B. This is a configurable parameter in the local user database.C. This is accomplished by generating the number of preshare keys required.D. This can only be restricted if certificates are used.




You work as an administrator at Certkiller .com. Study the exhibit carefully.In the output shown, which single command is entered out of order?

A. get dbuf streamB. undebug allC. debug flow basicD. set ffilter



QUESTION 112How is antivirus scanning enabled on a ScreenOS device?

A. Antivirus scanning is implemented in a policy.B. Antivirus scanning is a stand-alone product and manually enabled.C. Antivirus scanning is implemented at the interface.D. Antivirus scanning is enabled by default on some ScreenOS devices.



QUESTION 113Which two statements regarding NHTB are correct? (Choose two.)

A. If the spoke device is not a ScreenOS device, manual configuration of NHTB is required on the hub.B. If the spoke device is not a ScreenOS device, manual configuration of NHTB is required on the spoke.C. When configuring routing on a spoke device with one tunnel interface the route to the tunnel interface does

not require a routing gateway address.D. When configuring routing on a hub device with one tunnel interface terminating multiple VPN spokes, the

route to the tunnel interface does not require a routing gateway address.




You work as an administrator at Certkiller .com. Study the exhibit carefully.In the exhibit, the SSG 5 is using a route-based VPN configuration.Which two are required on the SSG 5 to successfully establish a VPN? (Choose two.)

A. local-id of 1.1.1.10B. IKE Phase 1 aggressive modeC. proxy-idD. peer-id of 1.1.2.5



QUESTION 115You suspect that there has been an increase in the number of multiple user authentication failures. In the logs,which severity level would you search to see this event?

A. WarningB. NotificationsC. AlertD. Critical



QUESTION 116Which command shows the filter applied to snoop captures?

A. get ffilter ip-proto snoopB. get snoopC. get ffilterD. snoop info

Correct Answer: D




You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, which two would allowyou to exchange traffic between hosts behind the SSG 5 and the SSG 550? (Choose two.)

A. VIPs on both sidesB. MIP on both sidesC. DIPs on both sidesD. a combination of NAT-src and NAT-dst



QUESTION 118A VPN tunnel that uses a CA certificate will not become active. What would be causing this problem?

A. The devices are not synced with the NTP server.B. The device certificates were generated before the CRL was downloaded thus making them invalid.C. The CRL has been downloaded, but the certificates have a CDP extension thus making them invalid.D. The CA certificate has been revoked.




You work as an administrator at Certkiller .com. Study the exhibit carefully.In the exhibit, notice the ScreenOS snoop output.What is the destination IP address of the first packet transmitted from the firewall?

A. 10.223.51.52B. 172.19.243.7C. 10.27.30.45D. 192.168.34.58



QUESTION 120Which two statements are true about redundant interfaces? (Choose two.)

A. All interfaces in the redundant group are active, providing more bandwidth.B. Each interface in the redundant group should be connected to a different L2 device.C. You can place up to four interfaces in a redundant group.D. Only one link in a redundant group is active at a time.



QUESTION 121How many tunnels would need to be created to build a full mesh between 10 VPN devices?

A. 10B. 100C. 20D. 45

Correct Answer: DSection: (none)

Explanation


QUESTION 122Which two statements are correct regarding NHTB? (Choose two.)

A. NHTB is enabled automatically when multiple VPNs are bound to a single tunnel interface.B. The NHTB table can be viewed with the command get nhtb.C. The NHTB table can be viewed with the command get interface <tunnel interface>.D. The NHTB table can be viewed with the command get interface <physical interface>.




You work as an administrator at Certkiller .com. Study the exhibit carefully. Given the routing table in theexhibit, which interface will be used to reach the host at 10.1.20.1?

A. ethernet0/2B. tunnel.21C. ethernet0/4D. tunnel.1



QUESTION 124

Which statement is true about dialup VPN networks using ScreenOS devices?

A. They can provide clientless connections to users using a ScreenOS device.B. They allow users to connect from any IP address behind NAT devices.C. They provide multiple VPNs on a single ScreenOS device as do LAN-to-LAN tunnels.D. They are specifically designed for users connecting using broadband services.




You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, you want to enableroute summarization for area 10 and advertise only the summary route. Which command will accomplish this?

A. set vrouter trust-vr protocol ospf area 10 range 10.50.1.0/20 advertiseB. set vrouter trust-vr protocol ospf area 10 range 10.50.1.0/20 no-advertiseC. set interface e0/3 protocol ospf area 10 range 10.50.1.0/20 no-advertiseD. set vrouter trust-vr protocol ospf summary-range 10.50.1.0/20



QUESTION 126Which three VSYS features can only be created by the root administrator? (Choose three.)

A. subinterfacesB. VSYS read/write AdminC. policies

D. VPNsE. dedicated interfaces

Correct Answer: ABESection: (none)Explanation


QUESTION 127Which description about an Active/Active configuration is accurate?

A. Both ScreenOS devices are operational. NSRP provides for a virtual device MAC address. If one device orport fails the other device continues the traffic flow immediately.

B. Both ScreenOS devices are passing traffic. If one device fails completely the other one will carry traffic forboth devices. If a monitored interface fails the other device will carry the traffic just for that interface.

C. Both ScreenOS devices are passing traffic. If one device fails, or if a monitored interface fails, all traffic willfail over to the other device.

D. Both ScreenOS devices are turned on, but only one carries traffic. The second device listens to traffic andbuilds all session tables, VPN, SA, and ARP table entries to take over in event of a failure.



QUESTION 128You need to investigate some physical layer problems. Which command will provide you with information thatyou can use to analyze these types of problems?

A. get counter screen e0/0B. get log eventC. get counter flow interface e0/0D. get counter statistics interface e0/0



QUESTION 129You have created a NAT-src policy that runs between the Private zone and the Public zone. When looking at asession in debug output, the translated address is not what you expected. What are two explanations? (Choosetwo.)

A. The source interface is in NAT mode overriding your NAT-src policy.B. A MIP defined on the egress interface is overriding your NAT.C. Your source IP address is outside the range of your IP shift pool.D. A VIP defined on the egress interface is overriding your NAT.

Correct Answer: BC



QUESTION 130Which feature minimizes OSPF routing exchanges and hello traffic over VPN links?

A. point-to-multipoint interfaceB. demand circuitC. passive interfaceD. inter-area route summarization



QUESTION 131Which two are correct statements about Group IKE ID and XAUTH configurations? (Choose two.)

A. XAUTH scales Group IKE ID configurations.B. XAUTH and Group IKE ID allow individual user authentication using external servers.C. XAUTH can be enabled using the same Group IKE ID for multiple users.D. XAUTH is configured in the VPN advanced settings page in the WebUI.



QUESTION 132When enabling OSPF over a hub and spoke VPN, what must you configure on the hub device tunnel interfaceto allow spokes to receive routing updates?

A. point to multipointB. enable demand circuitC. disable split-horizonD. enable passive interface




You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, what can bedetermined using the ScreenOS CLI output?

A. This firewall is in an Active/Passive NSRP pair.B. This firewall is in an Active/Active NSRP pair.C. This firewall is isolated from its NSRP partner.D. This firewall is in an NSRP-lite pair.



QUESTION 134Which statement is correct about the configuration of GRE?

A. It can be enabled by going to the advanced AutoKey IKE options.B. It requires matching keep-alive settings on both sides of the tunnel.C. It can be enabled on any tunnel interface.D. It can provide simple encryption by enabling a key option.



QUESTION 135Which two statements are correct when manage-ip and manager-ip settings are configured properly? (Choosetwo.)

A. manage-ip limits who can manage a ScreenOS device.

B. manager-ip limits who can manage a ScreenOS device.C. manage-ip is configured for each zone.D. manage-ip hides the address used to manage the device.



QUESTION 136Which three steps comprise the basic NSRP configuration? (Choose three.)

A. Configure cluster settings.B. Establish the HA link.C. Activate NSRP protocol.D. Configure interfaces.E. Adjust VSD settings.




You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, which commandwould be used to correct the mistake shown in the output?

A. debug sessionB. set ffilter ip-proto

C. set debug permissionsD. set stream cap




You work as an administrator at Certkiller .com. Study the exhibit carefully. In the exhibit, you need to providecommunication from the hosts connected to the SSG 5 to the servers connected to the SSG 550 using a VPN.Which three configuration elements will allow this communication? (Choose three.)

A. Configure a DIP on e0/0 on the SSG 5.B. Configure a policy from untrust to trust on the SSG 550 using a MIP.C. Configure a DIP on the tunnel interface on the SSG 5.D. Configure a policy from trust to untrust on the SSG 5.E. Configure a policy from trust to untrust on the SSG 550 using a MIP.

Correct Answer: BCDSection: (none)Explanation


QUESTION 139You notice an unusually high number of emergency, alert and critical events being handled inefficiently. Youwant the NetScreen device to send an email sent to three managers anytime a message of this level occurs.What statement best reflects how you can accomplish your goals?

A. You can only configure a single e-mail recipient on the NetScreen device. You cannot achieve your goal.B. You can only configure two e-mail recipients on the NetScreen device. You cannot achieve your goal.C. You can configure up to five e-mail recipients on the NetScreen device. You can achieve your goal.D. You can only configure two e-mail recipients on the NetScreen device. If one of the names is a distribution

list on the e-mail server you can have all people contacted and achieve your goal.


Explanation/Reference:Explanation:E-mail and Log SettingsE-mail messages can be used to alert administrators when an event is taking place on a NetScreen device. Inorder to configure e-mail settings through the WebUI, access Configuration | Report Settings | E-mail

Enable E-mail Notification for Alarms Enable this option to turn on support for e-mail alarms.Include Traffic Log Traffic log information can also be sent to an email address.SMTP Server Name The hostname or address of the SMTP (Simple MailTransfer Protocol) server that will be used to send alerts.E-mail Address 1 and 2 Two addresses can be added for users to be notified. The following exampleconfigures the options displayed in Figure 15.7 using the command line.set admin mail alertset admin mail server-name mail.test.localset admin mail mail-addr1 [email protected] , we can only input 2 email addresses in email setting .

QUESTION 140What two(2) statements are correct when manage-ip and manager-ip seting are configured properly?

A. manage-ip is configured for each zoneB. manager-ip is configured for each zoneC. manage-ip limits who can manage a NetScreen deviceD. manager-ip limits who can manage a NetScreen deviceE. manage-ip is never used as a source address for traffic imitated by the NetScreen device



QUESTION 141You suspect that there has been an increase in the number of multiple user authentication failures. WhatSeverity level would you search for in the logs to see this event?

A. AlertB. CriticalC. Warning

D. EmergencyE. Notifications


Explanation/Reference:Explanation:Security Levels:Emergency Includes attacks like SYN Attacks, Ping of Death, and Teardrop attacks.Alert Multiple user authentication errors and attacks not classified as emergency.Critical Traffic alarms, changes to high availability status, blocked URLs (Uniform Resource Locators).Error Events like admin name and password changes.Warning Logon failures, authentication failures, administrators that have logged on.Notification Changes to link status and traffic logs.Information Events not included in other categories.Debugging Logs associated with debugging.www.syngress.com

QUESTION 142You suspect you are having encryption problems with an IKE VPN. Which commands will allow you to seefailed encryption attempts?

A. get counter screen <zone>B. get counter flow interface<name>C. get counter policy<policy number>D. get counter statistics interface <name>



QUESTION 143What three(3) steps should be taken to secure management access to the NetScreen device?

A. Set ping offB. Enable SSH/SSLC. Define Permitted IPD. Set WebAuth valuesE. Change name and password on the root administrator account


Explanation/Reference:Explanation:Management Services:WebUI: Select this option to enable management through the Web user interface (WebUI).SNMP: Select this option to enable the use of SNMP. The NetScreen device supports the SNMPv1 protocol(described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networkssuch as the Internet. Telnet is a common way to remotely control a network device.SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the NetScreendevice via the WebUI.SSH: Select this option to enable management using a secure command shell (SCS). You can administer theNetScreen device from an Ethernet connection or a dial-in modem using SCS (which is SSH-compatible). Todo this, you must have an SCS client that is compatible with Version 1.5 of the SSH protocol. These clients areavailable for Windows 95, Windows 98, Windows NT, Linux, and UNIX. The NetScreen device communicateswith the SCS client through its built-in SCS server, which provides device configuration and managementservices.NSM: Select this option to allow the interface to receive NetScreen-Security Manager 2004 (NSM) traffic.Other Services:Ping: Select this option to allow the NetScreen device to respond to ICMP echo requests, or "pings". Ping is autility that determines whether a specific IP address is accessible or not.Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, theysend the request again. While the request is processing, there is no user access. An ident-reset restoresaccess that has been blocked by an unacknowledged identification request.WebAuth: (Appears only when you enter and save a static IP address and netmask.) Select this option toenable WebAuth authentication through this interface. Enter the IP address of the WebAuth server performingthe authentication.

QUESTION 144You want to be able to monitor traffic directed at the Netscreen device itself. Once you configure this option,what command will allow you to view the log information?

A. get eventB. get log selfC. get log eventD. get log traffic



QUESTION 145NetScreen devices generate SNMP traps when which events occur? (Select three(3) answer)

A. cold startsB. traffic alarmsC. warm rebootsD. traffic log eventsE. self log events occur

Correct Answer: ABCSection: (none)Explanation

Explanation/Reference:Explanation:Simple Network Management Protocol allowsremote administrators to view data statistics on a NetScreendevice. It also allows a NetScreen device to send information to a central server. NetScreen firewalls supportSNMPv1 and SNMPv2c. It also supports the MIB II, or Management Information Base two standard groups.TheSNMP agent supports sending the following traps:Cold Start Trap

Trap for SNMP Authentication FailureTraps for System AlarmsTraps for Traffic AlarmsBy default, the SNMP manager has no configuration.This prevents unauthorized viewing of the system basedupon default parameters.To configure your NetScreen device for SNMP you must configure community strings,SNMP host addresses, and permissions. In our configuration example we will first set up the basic systeminformation, then we will create a new community.This can be done from both the WebUI and the CLI.You cancreate up to three communities with up to eight IP ranges in each. An IP range can consist of a single host or anetwork. If you configure a network those defined IP addresses can only poll the device and not

QUESTION 146Which three (3) elements are required to build a route-based VPN?

A. CREATE ROUTESB. CREATE POLICIESC. CREATE TUNNEL INTERFACESD. CREATE ADDRESS BOOK ENTRIESE. BIND VPN TO TUNNEL INTERFACES

Correct Answer: ACESection: (none)Explanation

Explanation/Reference:Explanation:Route-based VPNsRoute-based VPNs, like policy-based VPNs, can also use either manual key or autokey IKE, but are configuredand function somewhat differently. Route-based VPNs do not make reference to a tunnel object, but rather thedestination address of the traffic. When the NetScreen appliance performs a route lookup to see whichinterface it should use to send the traffic, it sees there is a route through a tunnel interface that is bound to aVPN tunnel and uses that interface to deliver the traffic.There are some advantages to using a route-based VPN. Using route-based VPNs is a good way to conservesystem resources. Unlike policy-based VPNs, you can configure multiple policies that allow or deny specifictraffic to flow through a route-based VPN, and all of these policies will use a single security association. Route-based VPNs also offer the ability to exchange dynamic routing information, such as border gateway protocol(BGP), on the tunnel interface.Route-based VPNs allow you to create policies that have an action of deny, unlike policy-based VPNs. Route-based VPNs also have different limitations than policy-based VPNs.With route-based VPNs, you are limited byone of two things: the number of route entries your appliance supports, or the number of tunnel interfaces yourappliance supports, whichever of the two is the least.

QUESTION 147What must be configured differently for a IKE Phase 1 gateway used by a route-based VPN than an IKE Phase1 gateway for a policy-based VPN?

A. ProposalsB. Pre-shared keyC. Remote gateway typeD. Binding the tunnel interfaceE. There are no differences in building a route based IKE gateway and a Policy based IKE gateway

Correct Answer: ESection: (none)Explanation

Explanation/Reference:Explanation:

Policy-based VPNsPolicy-based VPNs are VPNs that route traffic based on specific policies within a NetScreen appliance. Policy-based VPNs can be either manual key or autokey IKE. A policy-based VPN works based on specific criteria thata packet matches as it reaches the gateway. First, before you can create a policy-based VPN you mustconfigure the VPN tunnel. After creating the VPN tunnel you then create a policy, choose the action Tunnel, andselect the VPN object you configured earlier.The action Tunnel works very similar to the Permit option, except it requires you to select a tunnel object thatyou have previously created so that it can properly handle the traffic. A policy-based VPN tunnel always permitsthe traffic so long as it matches all the criteria of the rule.With policy-based VPNs, each separate traffic policywill create its own security association, so using multiple policy-based VPNs will result in using more systemresources.This is true even if the destination tunnel is the same for multiple policies.Policy-based VPNs are best used in the following situations:[1] When you do not need to filter specific traffic on the tunnel.[1] When you are not using any dynamic routing protocols.[1] When there is no need for conserving IPSec tunnels and security associations. [1] When you are using theVPN tunnel in conjunction with a dialup VPN client. With policy-based VPNs, you are limited in the number oftunnels you can create, depending on the number of tunnels the device can support. A sample of a configuredpolicy using a VPN is shown in Figure 11.5.

Creating a Policy-Based Site-to-Site VPNSuppose your company has two offices and wants to share resources among the two via a VPN. Let's create apolicy-based site-to-site VPN that does just that. Before we can begin, we need information about the sites.Site1 uses the network 192.168.0.0/24 and has a NetScreen appliance with a static address of 4.4.4.4. Site2uses the network 10.10.10.0/24 and has a NetScreen appliance with a static address of 5.5.5.5.We will beusing autokey IKE and the pre-shared key will bedgL-I2G#U438^*gyG(6t!. We also want to use Diffie-Hellman Group 2, AES-128, and SHA-1 for our encryption.Now that we have the necessary information, we can start to build our VPN tunnel.First and foremost, we need to define our networks at each end of the tunnel.This can be done by accessingObjects | Address | List. Select New from the top of the screen. Choose a name for the address object, such asSite2, and then add the IP address, netmask, and zone.We also need to create an address object for the localnetwork. Let's name it Trusted LAN (192.168.0.x).Figure 11.6 shows the configuration page for the Site1 firewall.The configuration

for Site2 would also be completed as shown here, substituting the network address for Site1's local network infor the IP address. Like Site1, Site2's firewall would also contain an address object defining the local network.Once we have added the addresses to the address book, we can configure our VPN gateways.To do this,select VPNS | AutoKey Advanced | Gateway. Select New from the top of the screen. Enter a name for thegateway. Choose Custom for the Security Level, since we will be using pre-g2-aes128-sha. Later, we willconfigure this on the Advanced page of the gateway configuration. Since we know that Site2 has a static IPaddress of 5.5.5.5, we choose the default setting Static IP, and enter 5.5.5.5 in the available field. Now, enterthe preshared key into the field labeled Preshared Key.We have completed the basic configuration for this endof the VPN tunnel, but we still need to set the correct proposals to be used. Click on the Advanced button toshow the Advanced configuration page. Under Phase 1 Proposal, select pre-g2-aes128-sha. Because bothendpoints have static IP addresses, we should leave our Mode set to Main.Once you have selected the correct proposal, scroll to the bottom of the page and select Return to go back tothe basic configuration page. Once back at the basic configuration page, select OK to save the new gateway.Figures 11.7 and

11.8 show the basic and advanced configuration pages completed with our settings.

To configure Site2's VPN gateway, we would use the same steps we just completed, substituting the address4.4.4.4 as the Static IP.Now that we've created the VPN Gateway, we need to create an AutoKey IKE entry that uses our gateway, andconfigure the security proposals for phase 2.

To do this, select VPNs | AutoKey IKE and select New from the top of the screen. Let's give the VPN adescriptive name, such as VPN To Site2. Again, we choose Custom as our security level. Access the drop-down menu to the right of Remote Gateway and choose the gateway we previously configured,To Site2. Clickthe Advanced button to bring up the advanced options for our IKE entry. Use the Phase 2 Proposal drop-downlist to select g2-esp-aes128-sha. Click the Return button to go back to the basic configuration page. ChooseOK to save the new IKE entry. Figures 11.9 and 11.10 show the basic and

advanced configuration pages for creating an AutoKey IKE entry.Once we've completed the above steps, we need to create a policy allowing traffic to use the VPN. ClickPolicies. At the top of the page choose the options From:Trust To:Untrust and click New. Name the policy To / From Site2. Use the Source Address drop-down list to select thelocal network address book entry we defined earlier. Choose Site2 as the Destination Address from the drop-down menu. Since we want to allow all traffic to flow between the two sites, we will leave the Service as ANY.Choose the action Tunnel and select the IKE entry that we created earlier, VPN to Site2. Enable the Check thebox to Modify matching bidirectional VPN policy. Also enable the Position at Top option. Figure 11.11 showswhat our policy should look like once completed.

Keep in mind that the configuration for the other end of our tunnel can be completed as outlined above, butusing Site1's network information in place of Site2's. Once both ends of the tunnel have been configured, thetwo NetScreen devices will negotiate security associations and establish a VPN tunnel.To the users, thisprocess is transparent. In fact, most users only know they can use resources located at the other site; theyhave no clue as to what process allows them to do so.

QUESTION 148Which statement is most correct in explaining weights and their use in this redundant VPN configuration?Member 1 weight 3Member 2 weight 2Member 3 weight 1

A. Weight is not a valid configuration option for Redundant VPNs.B. Weight is a distribution factor, Member 2 will carry 10 times the traffic of Member .C. Weight is used to determine which VPN in the Group carries traffic, Member 2 will carry the traffic.D. Weight is used to determine which VPN in the group carries traffic, member 1 will carry the traffic.E. Weight is distribution value,Member 1 will carry the most traffic, while member 2 will carry 1/10 that amount.



QUESTION 149Your VPN device has a dynamic address, and does not use an FQDN. Which three (3) do you need toconfigure on your device for a successful Phase I connection to your peer?

A. DNS

B. Peer idC. Local idD. Main modeE. Aggressive modeF. Static-ip of remote IKE peer

Correct Answer: CEFSection: (none)Explanation

Explanation/Reference:Explanation:C localID for identificationE Aggressive mode to use peerID and LocalID identificationF Static-IP of remote IKE peer is used to define "Remote Gateway type" as static IP address

QUESTION 150Which two (2) statements regarding Certificate Revocation Lists are correct?

A. The CRL is time stamped to identify revoked certificatesB. CRLs are maintained by independent agents to insure accuracyC. A CRL ontains the names and IP addresses of Certificates that have been revoked by the CAD. New CRLs are issued on a regular, periodic basis, which could be hourtly, daily, weekly



QUESTION 151Which parameter is exchanged during Phase 2 negotiations?

A. Proxy-idB. CertificatesC. Pre shared keyD. NAT-Trnsversal DataE. Asymmetric Private Keys


Explanation/Reference:Explanation:Proxy-IDsOne of the most important yet overlooked aspects of a successful VPN setup is the proxy-ID.The proxy-ID determines which networks and services are permitted through the VPN. A proxy-ID is made upof the local network, remote network and service. Both end points of the VPN exchange their proxy-ID whichneeds to match for the Phase 2 negotiation to be complete. A proxy-ID can be extracted from a security policy ifa Policy-based VPN is being used as the necessary proxy-ID information resides in the policy (source,destination and service). When a Route-based VPN is configured, a policy may not be necessary, and if so,may not necessarily contain the correct information in which to create the proxy-ID. As a result, the proxy-IDmust always be manually entered when configuring Route-based VPNs.!! Manually specifying a proxy-ID in a Policy-based VPN scenario will overwrite the proxy-ID automatically

obtain from the security policy.Phase 1From our previous discussion you already know that phase 1 negotiations consist of exchanging proposals onhow to authenticate and secure thecommunications channel. Phase 1 exchanges can be done in two modes: main mode or aggressive mode. Inmain mode, three two-way exchanges, or six total messages, are exchanged. During a main modeconversation, the following is accomplished:_ First exchange Encryption and authentication algorithms for communications are proposed and accepted. _Second exchange A Diffie-Hellman exchange is done. Each party exchanges a randomly generated number, ornonce. _ Third exchange Identities of each party are exchanged and verified.NOTEIn the third exchange, identities are not passed in the clear. The identities are protected by the encryptionalgorithm agreed upon in the exchange of thefirst two sets of messages.In aggressive mode, the same principle objectives are completed, but are done so in a much shorterconversation. Phase 1 negotiations in aggressivemode only require that two exchanges be made, and that a total of three messages are exchanged. Anaggressive mode conversation follows thefollowing pattern:_ First message The initiating party proposes the security association, starts a Diffie-Hellman exchange, andsends its nonce and IKE identity to theintended recipient._ Second message During the second message, the recipient accepts the proposed security association,authenticates the initiating party, sends itsgenerated nonce, IKE identity, and its certificate if certificates are being used. _ Third message During the thirdmessage, the initiator authenticates the recipient, confirms the exchange, and if using certificates, sends itscertificate.In an aggressive mode exchange, the identities of communicating parties are not protected.This is because theidentities are sent during the first twomessages exchanged prior to the tunnel being secured. It is also important to note that a dialup VPN user mustuse aggressive mode to establish an IKEtunnel.Notes from the Underground...What is Diffie-Hellman?The Diffie-Hellman (DH) key exchange protocol, invented in 1976 by Whitfield Diffie and Martin Hellman, is aprotocol allowing two parties togenerate shared secrets and exchange communications over an insecure medium without having any priorshared secrets. The Diffie- Hellman protocol isconsists of five groups of varying strength modulus. Most VPN gateways support DH Groups 1 and 2.NetScreen appliances, however, support groups 1,2, and 5. The Diffie-Hellman protocol alone is susceptible to man-in-the-middle attacks, however. Although therisk of an attack is low, it isrecommended that you enable Perfect Forward Secrecy (PFS) as added security when defining VPN tunnelson your NetScreen appliance. For moreinformation on the Diffie-Hellman protocol, see www.rsasecurity.com/rsalabs/node.asp?id=2248 and RFC 2631at ftp://ftp.rfc-editor.org/in-notes/rfc2631.txtPhase 2Once phase 1 negotiations have been completed and a secure tunnel has been established, phase 2negotiations begin. During phase 2, negotiation ofsecurity associations of how to secure the data being transmitted across the tunnel is completed.Phase 2 negotiations always involve the exchange of three messages.Phase 2 proposals include encryption and authentication algorithms, as well as a security protocol.The securityprotocol can either be ESP or AH. Phase2 proposals can also specify whether or not to use PFS and a Diffie-Hellman group to employ. PFS is a methodused to derive keys that have no relationto any previous keys.Without PFS, phase 2 keys are generally derived from the phase 1 SKEYID_d key. If anattacker was to acquire the SKEYID_dkey, all keys derived from this key could be compromised. During phase 2 each side also offers its proxy ID.Proxy IDs are simply the local IP, theremote IP, and the service. Both proxy IDs must match. For example, if 1.1.1.1 and 2.2.2.2 are using the SMTP

(Simple Mail Transfer Protocol) service,then the proxy ID for 1.1.1.1 would be 1.1.1.1-2.2.2.2-25 and for 2.2.2.2 it would be 2.2.2.2-1.1.1.1-25.Damage & Defense...Key Lifetime - Short vs Long and PFSWhen planning your VPN deployment, consideration should be given to the key lifetime and perfect forwardsecrecy in relation to security. Sinceenabling PFS requires additional processing time and resources some administrators choose not to use it,instead opting for a shorter key lifetime. This,however, can be a bad practice. If a successful man-in-themiddle attack were able to discover the SKEYID_dkey, all keys derived from this key couldbe compromised. Enabling PFS, even with a longer key life, is actually a more secure practice than having ashort key life with no PFS.


Based on the exhibit, NetScreen A is using a route-based VPN configuration. What two (2) things are "required"on NetScreen A to successfully establish a VPN? (Both device have static IP addresses)

A. Proxy-IDB. Peer address of 1.1.2.5C. Local ID of 1.1.1.1D. IKE Phase 1 aggressive modeE. Tunnel interface with an address in the 1.1.2.0/24 subnet



QUESTION 153When using a route-based VPN, what is the default proxy-id for the source address?

A. 0.0.0.0/0B. 0.0.0.0/32C. The source address of the first packet through the VPND. The source address of the final Phase 2 packet from the initiator



QUESTION 154Which is a valid Phase 2 IKE proposal?

A. pre-g1 -des-md5B. rsa-g2 3des-shaC. g2-esp-3des-md5D. g2-esp-aes120-md5



QUESTION 155Which two (2) statements are correct regarding NHTB?

A. The NHTB table can be viewed with the command "get nhtb"B. The NHTB table can be viewed with the command "get interface <tunnel interface>"C. The NHTB table can be viewed with the command "get interface <physical interface>"D. NHTB is enabled automatically when multiple route-based VPNs are bound to a single tunnel interface.E. You cannot see the contents of the NHTB table because it is built automatically and is used internally by the

system.




Review the exhibit. To deal with the overlapping addresses at the two sites, we are using NAT -src and NAT -dst in association with a route-based VPN. Which two (2) routes are required on NetScreen A to support the bi-directional traffic flow from NetScreenA to NetScreenB?

A. set route 192.16.11.1/24 interface trustB. set route 208.18.21.1/24 interface untrustC. set route 208.18.21.1/24 interface tunnel.1D. set route 192.16.11.1/24 interface tunnel.1E. set route 0.0.0.0./0 int untrust gateway 2.1.1.20F. set route 0.0.0.0./0 in untrust gateway 208.18.21.1

Correct Answer: CESection: (none)Explanation

Explanation/Reference:Explanation:Example: Tunnel Interface with NAT-Src and NAT-DstIn this example, you configure a VPN tunnel between "NetScreen-A" at a corporate site and "NetScreen-B" at abranch office. The address space for the VPN end entities overlaps; they both use addresses in the 10.1.1.0/24subnet. To overcome this conflict, you use NAT-src to translate the source address on outbound VPN trafficandNAT-dst to translate the destination address on inbound VPN traffic. The policies permit all addresses in thecorporate LAN to reach an FTP server at the branch site, and for all addresses at the branch office site to reachanFTP server at the corporate site.The tunnel configurations at both ends of the tunnel use the following parameters: AutoKey IKE, preshared key("netscreen1"), and the security level predefined as "Compatible" for both Phase 1 and Phase 2 proposals. (Fordetails about these proposals, see "Tunnel Negotiation" on page 11.)The outgoing interface on NetScreen-A at the corporate site is ethernet3, which has IP address 1.1.1.1/24 andisbound to the Untrust zone. NetScreen-B at the branch office uses this address as its remote IKE gateway.The outgoing interface on NetScreen-B at the branch office is ethernet3 , which has IP address 2.2.2.2/24 andisbound to the Untrust zone. NetScreen-A at the corporate site uses this address as its remote IKE gateway.The Trust zone interface on both NetScreen devices is ethernet1 and has IP address 10.1.1.1/24. All zones onbothNetScreen devices are in the trust-vr routing domain.CLI (NetScreen-A)1. Interfacesset interface ethernet1 zone trustset interface ethernet1 ip 10.1.1.1/24set interface ethernet1 natset interface ethernet3 zone untrustset interface ethernet3 ip 1.1.1.1/24set interface tunnel.1 zone untrustset interface tunnel.1 ip 10.10.1.1/242. DIPset interface tunnel.1 dip 5 10.10.1.2 10.10.1.23. Addressesset address trust corp 10.1.1.0/24set address trust virtualA 10.10.1.5/32set address untrust branch1 10.20.1.2/32set address untrust serverB 10.20.1.5/324. VPNset ike gateway branch1 address 2.2.2.2 outgoing-interfaceethernet327 preshare

netscreen1 sec-level compatibleset vpn vpn1 gateway branch1 sec-level compatibleset vpn vpn1 bind interface tunnel.1set vpn vpn1 proxy-id local-ip 10.10.1.0/24 remote-ip10.20.1.0/24 any5. Routesset vrouter trust-vr route 0.0.0.0/0 interface ethernet3gateway 1.1.1.250 <<<Requiredset vrouter trust-vr route 10.20.1.0/24 interface tunnel.1<<<Requiredset vrouter trust-vr route 10.20.1.0/24 interface nullmetric 106. Policiesset policy top from trust to untrust corp serverB ftp natsrc dip-id 5 permitset policy top from untrust to trust branch1 virtualA ftpnat dst ip 10.1.1.5permitsaveCLI (NetScreen-B)1. Interfacesset interface ethernet1 zone trustset interface ethernet1 ip 10.1.1.1/24set interface ethernet1 natset interface ethernet3 zone untrustset interface ethernet3 ip 2.2.2.2/24set interface tunnel.1 zone untrustset interface tunnel.1 ip 10.20.1.1/242. DIPset interface tunnel.1 dip 6 10.20.1.2 10.20.1.23. Addressesset address trust branch1 10.1.1.0/24set address trust virtualB 10.20.1.5/32set address untrust corp 10.10.1.2/32set address untrust serverA 10.10.1.5/324. VPNset ike gateway corp address 1.1.1.1 outgoing-interfaceethernet328 presharenetscreen1 sec-level compatibleset vpn vpn1 gateway corp sec-level compatibleset vpn vpn1 bind interface tunnel.1set vpn vpn1 proxy-id local-ip 10.20.1.0/24 remote-ip10.10.1.0/24 any5. Routesset vrouter trust-vr route 0.0.0.0/0 interface ethernet3gateway 2.2.2.250 <<<Requiredset vrouter trust-vr route 10.10.1.0/24 interface tunnel.1<<<Requiredset vrouter trust-vr route 10.10.1.0/24 interface nullmetric 106. Policiesset policy top from trust to untrust branch1 serverA ftpnat src dip-id 6permitset policy top from untrust to trust corp virtualB ftp natdst ip 10.1.1.5permitsave

QUESTION 157

Up-to-the minute information on certificate status is critical to your organization.What should you implement?

A. Download new Certificate Revocation List every hourB. Implement SCEP to do real-time checking of Certificate statusC. Implement OCSP to do real-time checking of Certificate statusD. Download new Certificate Revocation List every day. The Certificate Revocation List are only updated once

a day so additional downloads are unnecessary


Explanation/Reference:Explanation:When a digital certificate becomes compromised, there needs to be an efficient method to revoke them so theycan no longer be used. A Certificate Revocation List (CRL) can be referenced when validating a digitalcertificate to ensure that the certificate has not been revoked.The validating of digital certificates against a CRL is normally a manual processes whereby the CRL isdownloaded on a period basis (daily, weekly, monthly). In the instance that the validator does not have thelatest CRL, a presented certificate may still be trusted even though it may have been revoked and added to amore recent CRL. To address this issue, the OCSP (Online Certificate Status Protocol) was developed toprovide online and real-time verification of a digital certificate's status. ! When a NetScreen uses OCSP, it isreferred to as the OCSP client (or requester). The server which receives the verification request is known asthe OCSP responder.

QUESTION 158You have implemented a hub and spoke VPN. On the hub, there are two tunnel interfaces, one to each spoke.Both tunnel interfaces are in zone Corporate. What do you need to configure on the hub to control trafficbetween the spokes?

A. Configure the Corporate zone to be not shareableB. Configure the Corporate zone to block inter-zone traffic.C. Configure the Corporate zone to block intra-zone traffic.D. Configure each tunnel interface to block intra-zone traffic.


Explanation/Reference:Explanation:Hub and Spoke VPNsNetScreen firewalls provide enhanced VPN functionality in order to allow inbound traffic from one tunnel to berouted out through another VPN tunnel. This type of configuration is known as a Hub and Spoke (many remotesites with a VPN into the central site, allowing all remote sites to route between each other). ! Hub and SpokeVPNs are generally easiest to configure using Route-based VPNs. While it is possible to achieve the same typeof advanced VPN functionality through Policy-based VPNs, it is only possible through the Trust and Untrustzones. As with any interface and zone assignment, tunnel interfaces assigned to the same security zone do notrequire policies for traffic to route between them (providing Intrazone blocking has been disabled). However, ifgranular access control is required (for example, site A being able to route through to site B, but not the otherway around) then tunnel interfaces can be assigned to different zones in order to control the traffic throughsecurity policies. This type of Hub and Spoke VPN is known as a Back-to-Back VPN.!It is often required to calculate the total number of VPN tunnels that will be required in a fully meshed VPN fora given number of sites. The easiest way to calculate this is with the formula: [N x (N-1)]/2 where N is thenumber of sites.

QUESTION 159

What term is used to describe a NetScreen device sending a request to an OCSP server?

A. ClientB. CallerC. InitiatorD. ResponderE. Requesting agent


Explanation/Reference:When a digital certificate becomes compromised, there needs to be an efficient method to revoke them so theycan no longer be used. A Certificate Revocation List (CRL) can be referenced when validating a digitalcertificate to ensure that the certificate has not been revoked.The validating of digital certificates against a CRL is normally a manual processes whereby the CRL isdownloaded on a period basis (daily, weekly, monthly). In the instance that the validator does not have thelatest CRL, a presented certificate may still be trusted even though it may have been revoked and added to amore recent CRL. To address this issue, the OCSP (Online Certificate Status Protocol) was developed toprovide online and real-time verification of a digital certificate's status. ! When a NetScreen uses OCSP, it isreferred to as the OCSP client (or requester). The server which receives the verification request is known asthe OCSP responder.


Refer to the exhibit. This Hub and Spoke design uses route-based VPNs. What is the minimum number ofpolicy rules required to establish full, bi-directional communications between all locations?

A. 0B. 3C. 6D. 7E. 9


Explanation/Reference:Explanation:Hub and Spoke VPNsNetScreen firewalls provide enhanced VPN functionality in order to allow inbound traffic from one tunnel to berouted out through another VPN tunnel. This type of configuration is known as a Hub and Spoke (many remotesites with a VPN into the central site, allowing all remote sites to route between each other). ! Hub and SpokeVPNs are generally easiest to configure using Route-based VPNs. While it is possible to achieve the same typeof advanced VPN functionality through Policy-based VPNs, it is only possible through the Trust and Untrustzones.As with any interface and zone assignment, tunnel interfaces assigned to the same security zone do not requirepolicies for traffic to routebetween them (providing Intrazone blocking has been disabled).However, if granular access control is required (for example, site A being able to route through to site B, but notthe other way around) then tunnel interfaces can be assigned to different zones in order to control the trafficthrough security policies. This type of Hub and Spoke VPN is known as a Back-to-Back VPN. ! It is oftenrequired to calculate the total number of VPN tunnels that will be required in a fully meshed VPN for a givennumber of sites. The easiest way to calculate this is with the formula: [N x (N-1)]/2 where N is the number ofsites.

QUESTION 161What three (3) items do you need to download and install on your NetScreen device for IKE gateways to beable to use digital certificates without OCSP?

A. The CRL listB. The SCEP listC. A local CertificateD. The CA public key certificateE. The CA private key Certificate


Explanation/Reference:Explanation:CertificatesDigital certificates are nothing more than a way to verify your identity through a certificate authority using publickey cryptography. NetScreen appliances support the use of digital certificates as a method of validating youridentity during VPN negotiations.There are certain steps you must take before you can use a certificate tovalidate your identity. First, you must generate a certificate request from within the NetScreen appliance. Whenthis is done, the NetScreen appliance generates a public/private key pair.You then send a request with thepublic key to your certificate authority. A response, which incorporates the public key, will be forwarded to youthat will have to be loaded into the NetScreen appliance.This response generally includes three parts:The CA's certificate, which contains the CA's public key.The local certificate identifying your NetScreen device.In some cases a certificate revocation list (CRL).This lists any certificates revoked by the CA.You can load the reply into the NetScreen device either through the WebUI or via TFTP (Thin File TransportProtocol) through the CLI (command line interface), whichever you prefer. Loading the certificate informationinto the NetScreen gives us the following:Your identity can be verified using the local certificate.The CA's certificate can be used to verify the identity of other users.The CRL list can be used to identify invalid certificates.

QUESTION 162What does an NSRP device send to a network-connected device when a failover occurs and a new mastertakes over?

A. PingsB. Gratuitous ARPC. Heartbeat MessagesD. Nothing, it uses one MAC for both interfaces so no change is apparent to the connecting device


Explanation/Reference:Explanation:Failing OverA chapter on HA and NSRP would not be complete without a more in-depth dissection of what happens when afailover occurs. Things that can cause a failover are:Software crashes (resulting in lost heartbeats)Hardware or power failure (resulting in lost heartbeats)Link failure on monitored interfaces or zonesUnavailability of one or more tracked IP addressesManually requested failoverOnce the primary backup VSD has determined that it must become the master VSD, a few things happen.Firstly, the VSD promotes itself to master to prevent any other VSD from doing the same thing.Second, if the VSD has any links down, an attempt is made to bring them up. If a monitored link cannot bebrought up, the VSD relinquishes its role as master and puts itself in the inoperable state. (See "Avoiding theNo-brain Problem" in this chapter.) Assuming the VSD is the newly promoted master VSD with all relevant linksup, it proceeds to send out gratuitous ARP requests. This is a very important aspect of the failover. These ARPrequests tell the neighboring network nodes that the IP addresses configured on the VSIs are now reachablevia a different path than before. This will cause switches to update their forwarding tables, and routers to updatetheir ARP tables. By default, four ARP packets are sent out on each interface, but this can be adjusted ifneeded (see the example below).As soon as the neighboring nodes have adjusted to this change, traffic is sent to this VSD instead of the oldone. If RTO mirroring was enabled before the failover, this VSD already has a copy of the run-time state, andproceeds to handle traffic with no further disruption. Note that some packets may have been lost during thetime it takes for the neighboring nodes to reroute their traffic flows to the second NetScreen.

QUESTION 163How would you configure priority for an Active/Active configuration, where you want Device 1 to be master forthe first VSD and Device 2 FOR THE SECOND vsd?

A. Device 1 Device 2VSD 1: priority 50 VSD 1: Priority 100VSD 2: priority 50 VSD 2: Priority 100

B. Device 1 Device 2VSD 1: priority 50 VSD 1: Priority 100VSD 2: priority 100 VSD 2: Priority 50

C. Device 1 Device 2VSD 1: priority 100 VSD 1: Priority 50VSD 2: priority 50 VSD 2: Priority 100

D. Device 1 Device 2VSD 1: priority 100 VSD 1: Priority 50VSD 2: priority 100 VSD 2: Priority 50


Explanation/Reference:Explanation:Setting Up an Active/Active Cluster

Setting up an Active/Active NSRP cluster is not that different from setting up an Active/Passive cluster. Thedifference is that in an Active/Active cluster you have more than one VSD group. You configure the VSD groupsso that under normal circumstances the first firewall has the master VSD for the first VSD group and thebackup VSD for the second VSD group, and vice versa. Spreading the VSDs out like this is a simple matter ofsetting their priorities correctly (see Figure 13.20).Since each VSD contains its own set of VSIs, you end up with multiple IP addresses in each network,compared to a single IP address per network (not counting Managed IP addresses) if you are using a singleVSD. To benefit from this setup, you must configure the neighboring network nodes to load-balance betweenthese IP addresses. With routers this is commonly done by having two routes with identical cost, each pointingto one of the VSI IP addresses. If the NetScreens are providing the default gateway for a LAN, then you canconfigure half the hosts on the LAN to use the IP address in the first VSD, and the second half to use the otherVSD's IP address as their default gateway. This is the same approach as if you are using a pair of VRRProuters as the default gateway. An important thing to remember when setting up Active/Active configuration isthat you must duplicate the routes as well. If you do not have routes for the second VSD, it is forced to forwardall traffic to the first VSD across the HA data link, which should be avoided (see Figure 13.21).Figure 13.20 Multiple VSD Groups

Figure 13.21 Network with Missing Route in VSD Group 1

In addition to this, you must also take into account that the load you are putting on the firewalls may need to behandled by a single firewall. In other words, each firewall should run at 50 percent capacity at the most undernormal conditions because in a failover scenario, everything goes through the remaining firewall; it cannot beexpected to operate at more than 100 percent. If you attempt to put more traffic through it, be prepared to havesome packets dropped.

QUESTION 164How many devices can be added to an NSRP cluster configured in Active/Active mode?

A. 1B. 2C. 3D. 4E. 7



QUESTION 165What is the best description of an Active/Active configuration?

A. Both NetScreen devices are passing traffic. If one device fails, or If a monitored interface fails, all traffic willfail over to the other device.

B. Both Netscreen devices are operational. NSRP provides for a virtual device mac address. If one device orport fails the other device continues the traffic flow immediately.

C. Both NetScreen devices are turned on a but only one carries traffic. The Second device listens to traffic andbuilds all session tables, VPN,SA, and ARP table entries to take over in event of a failure.

D. Both NetScreen devices are passing traffic. If one device fails completely the other one will carry traffic forboth devices. If a monitored interface fails the other device will carry the traffic just for that interface.



QUESTION 166You are concerned about the security of HA traffic between NetScreen devices located in different building.What can you do to secure the traffic?

A. You can encrypt and authenticate the traffic.B. You can encrypt but not authenticate the traffic.C. You can authenticate but not encrypt the traffic.D. You don't need to do anything. All traffic is encrypted and authenticated by default.



QUESTION 167As a member of a VSD group, a device may be in which two (2) of the following states?

A. InitB. MainC. BootingD. BackupE. Inactive


Explanation/Reference:Explanation:Understanding NSRP StatesAs mentioned, the fundamental concept of NSRP is duplicating hardware-to be able to move the firewallfunctionality around as necessary using VSDs. As a consequence of this, at any given time each VSD is in oneof six states, which determines the current role of the VSD.The possible states are:MasterPrimary BackupBackupInitialIneligibleInoperableUnderstanding which state is used for what purpose is central to monitoring and controlling your NSRP cluster.Instead of simply explaining what each state is, let's look at the order in which the VSD transitions between thestates. When a VSD is first created, either due to a reboot or a configuration change, it is put in the initial state.While in this state, the VSD learns which other NetScreens are participating in the VSD group, synchronizesthat state with the other VSDs if needed, and possibly partakes in the election process for which VSD shouldbecome the master.From the initial state, the VSD can move into either the master or backup state. If it wins the election process,this VSD takes on the task of processing traffic. If it does not win, it transitions into the backup state. Theelection process used to determine the master VSD is reasonably straightforward. First, if there is no other VSDavailable, this VSD automatically wins the election. Second, if two VSDs are starting up at the same time, thewinner is determined based on the configured priorities (set nsrp vsd-group id X priority N).The unit with thelowest priority value is the preferred VSD.If both VSDs have the same priority, or the priority is not configured, the VSD with the lowest Media AccessControl (MAC) address wins. Normally, an election is only held if there is no master VSD in the VSD group.However, if the starting VSD has preemption enabled (set nsrp vsdgroup X preempt), it can force an election,which it would probably win due to having a better priority than the old master VSD.A VSD in the backup state checks to see if there is already a primary backup VSD, and if there isn't, makesitself the primary backup for the VSD group. As the primary backup, it is responsible for taking over the trafficprocessing should the master fail or step down. From the primary backup state there are generally twodirections the VSD can take; it either ends up promoted to master due to the old master VSD disappearing, or itgoes into the inoperable state.A VSD puts itself into the inoperable state if it detects a failure that would prevent it from processing traffic. Ifthis VSD were the master, any failure that resulted in a failover would result in this VSD becoming inoperable.In this state, the VSD does not participate in elections for the position of master VSD; however, it does continueto check for the failure condition. If that condition is remedied, as can be the case if the failure was caused by amonitored interface going down and subsequently is brought back up, the VSD will progress from theinoperable state back into the initial state again. The ineligible state is only entered by manual intervention. It isthe administratively down state of the VSD. If for any reason, you want to prevent the VSD from participating inthe master election, thereby preventing it from processing traffic, you can put the VSD into the ineligible state byusing the set nsrp vsd-group id X mode ineligible command.The VSD group stays in that state until you use thecorresponding unset command, or the NetScreen is rebooted without having saved the configuration (theineligible state can be kept across reboots if you save the configuration after entering the command). Thisexplains the various NSRP states that a VSD can be in. If you are confident in this knowledge, you will have no

problem understanding what the VSDs in your cluster are doing.

QUESTION 168You want to make sure that the NSRP cluster members keep themselves up to date with session table entries,arp cache entries, DHCP leases etc..What command do you need to perform to insure this process occurs on a real time basis?

A. exec rto syncB. set nsrp rto syncC. exec nsrp rto syncD. set nsrp sync global saveE. exec nsrp sycn global-config check-sum



QUESTION 169Which three (3) steps comprise the basic NSRP configuration?

A. Adjust VSD SettingsB. Configure interfacesC. Establish the HA linkD. Activate NSRP protocolE. Configure cluster settings

Correct Answer: ACESection: (none)Explanation


QUESTION 170You have taken your backup NetScreen device out of production for some maintenance. The device is broughtback online and rejoints the NSRP clister. What command is used to determine if any configuration changeshave been made during the time maintenance was performed?

A. get nsrp syncB. exec sync global-config check-sumC. get nsrp sync global-config check-sumD. exec nsrp sync global-config check-sum



QUESTION 171Which two the following statements are true about redundant interfaces?

A. Redundant interfaces require the use of NSRPB. Only one link in a redundant group is active at a time.C. You can place up to four interfaces in a redundant group.D. All interfaces in the redundant group are active, providing more bandwidthE. Each interface in the redundant group should be connected to a different L2 device

Correct Answer: BESection: (none)Explanation



What is the command to remove the filter shown in the exhibit?

A. unset ffilter allB. delete filter allC. unset ffilter 0-2D. unset ffilter 0

unset ffilter 1unset ffilter 2

E. unset ffilter 2unset ffilter 1unset ffilter 0

Correct Answer: ESection: (none)Explanation

Explanation/Reference:Explanation:The debug utility in ScreenOS is a powerful troubleshooting tool that allows you to track sessions going throughthe NetScreen firewall.The firewall has a memory buffer set aside for the debug system. Packets can becaptured in this memory for inspection. Here is a typical usage of the debug system:debug flow basic Enables the debugging system of the NetScreen firewall.clear db Clears the debug memory buffer.Test network traffic This can include any of the previous troubleshooting commands.undebug all Turns off the debug memory dump.get dbuf stream Displays the output for analysis.A filter can also be put into place to limit what traffic gets sent to the debug buffer.The command set ffilterallows you to set the type of traffic that will be collected.The following filters are available:www.syngress.comdst-ip Destination IP addressdst-port Destination portip-proto Internet Protocol numbersrc-ip Source IP address

src-port Source portIf multiple filters are specified in the set ffilter command, the filter will only collect traffic that matches all of thefilters specified.The set ffilter command can be executed multiple times and traffic will be collected if it matchesany of the filters. For example, to filter all tcp traffic from 192.168.0.1 to 10.1.1.1 issue the following command:ns5gt-> set ffilter src-ip 192.168.0.1 dst-ip 10.1.1.1 ip-proto 6To view current filters, use the get ffilter command. Each filter in place has an ID number to identify it.Toremove a filter use the unset ffilter command followed by the ID number of the filter to be deleted.

QUESTION 173You enter the following commands:Snoop filter ip dst-ip 1.1.1.10Snoop filter ip src-ip 2.1.1.10What is the net result of these settings?

A. Only packets with both a dst-ip of 1.1.1.10 and a src-ip of 2.1.1.10 will be capturedB. Packets that have either a dst-ip of 1.1.1.10 or packets with a src-ip of 2.1.1.10 will be capturedC. The second command will be ignored since a second filter cannot be added until the first one has been

deleted.D. The second command you entered will overwrite the first command you entered so you will only capture

traffic with a src-ip of 2.1.1.10


Explanation/Reference:Explanation:Snoop is a full packet sniffer.The output of snoop goes into the same memory buffer that debug sends to.Thebiggest difference between debug and snoop is that snoop can dump the actual contents of the packets to thememory buffer. Snoop output is more difficult to read than debug output and it is typically used when thecontents of the packets need to be analyzed. Here are the commands for using snoop:snoop Starts the snoop capture.snoop info Displays current snoop status.snoop detail Enables full packet logging.This will log the full contents of the ackets.snoop off Turns off the snoop capture.snoop filter Allows you to filter what gets captured. Uses syntax similar to that used for debug filtering.clear db Clears the debug memory buffer.get dbuf stream Displays the output for analysis.


Review the exhibit, which displays the output on an IKE VPN initiator. What could be the problem?

A. No response from responderB. Phase 1 proposal mismatchC. Phase 2 proposal mismatch

D. Phase 1 did not complete successfullyE. Encryption failure - Diffie Hellman key exchange failed




Based on the exhibit, what two (2) things are you able to determine about this VPN?

A. VPN monitor is not turned onB. VPN has been up for 11 secondsC. VPN has been up for 3589 secondsD. VPN monitor is on and the VPN is downE. VPN monitor is on and the VPN is active


Explanation/Reference:Explanation:In the results of the "get sa" command the lifetime shows how long until rekey, not how long the tunnel hasbeen up (Not C).


Refer to the exhibit. Which three types of address translation could have generated the output shown?

A. VIPB. MIP

C. NAT-dstD. NAT-srcE. Interface-based NAT



QUESTION 177Which three (3) items are valid debug options?

A. ike basicB. ike detailC. nat transD. flow basicE. flow advanced

Correct Answer: ABDSection: (none)Explanation

Explanation/Reference:Explanation:Troubleshooting Virtual Private Networks can be easy if the right steps are followed. With NetScreen firewalls,there are actually two different types of VPNs. Policy-based VPNs are based on rules in the Policies page offirewall. Route-based. VPNs are based on tunnel interfaces. Route-based VPNs can also have policies on topof the tunnel interfaces blocking certain types of traffic through the tunnel.When troubleshooting VPNs, the most important thing to remember is that both ends of the VPN have to sharethe same encryption settings. Below is a listing of which VPN settings must be set the same on both ends of thetunnel. These settings are for both route-based and policy-based VPNs. Phase 1 key management protocol, forexample, IKE. Phase 1 encryption algorithm to encrypt the key, for example, DES, 3DES,AES, or CAST. Phase1 hash/authentication algorithm, forexample, SHA1 or MD5.Phase 1 authentication, for example, PRE-SHARED SECRET orCERTIFICATE.Phase 1 mode, for example, MAIN or AGGRESSIVE.Phase 2 encryption algorithm to encrypt the data, for example, DES,3DES,AES, or CAST.Phase 2 hash/authentication algorithm, for example, SHA1 or MD5.Phase 2 Perfect Forward Secrecy, forexample,YES-GROUP1,YESGROUP2, YES-GROUP5, or NO.Outgoing interface of the VPN tunnel.Encryption domain.The Event log contains VPN events. When troubleshooting a VPN on a NetScreen firewall, you will want tokeep an eye on the Event log for PKI (Public-key infrastructure) events.There are a couple of debug commandsthat are also useful during troubleshootingPhase 1 issues:get ike cookie This will display all completed Phase 1 negotiations.debug flow basic This will enable debugging.debug ike This will enable detailed VPN debug logs.clear ike This will force a VPN tunnel to renegotiate. It will clearPhase 1 and Phase 2 for the specified tunnel.Here are troubleshooting commands useful for Phase 2 issues:get sa active This will display all completed Phase 2 negotiations.unset ike policy-checking This will tell the firewall to ignore the policy and allow all routed traffic through the VP

QUESTION 178Your policy-based VPN is not establishing. You suspect there is a proxy-id mismatch. Which command willenable you to determine if you have a mismatched proxy-id and where should this command be run?

A. "get sa" run on the initialing deviceB. "get event" run on the initialing deviceC. "get vpn" run on the responding deviceD. "get event" run on the responding device




Examine the network diagram in the exhibit. You enter the following command on the NetScreenSet route 0.0.0.0/0 int e1 gateway 1.1.8.254Which statement best reflects the impact of the command and the state of the network once the command hasbeen entered?

A. The network will pass the traffic to the internet as desiredB. The command will be accepted but the route will not function. Traffic will not be delivered to the internetC. The command is invalid and the system will not accept the command. It will be as if the command had

never been enteredD. The command will update the untrust-vr since no virtual router was specified in the route statement.

Because of this no traffic will be delivered to the internet


Explanation


QUESTION 180What are two ways to turn snoop off?

A. snoop offB. snoop stopC. unsnoop allD. unset snoopE. press the esc key

Correct Answer: AESection: (none)Explanation

Explanation/Reference:Explanation:Snoop is a full packet sniffer.The output of snoop goes into the same memory buffer that debug sends to.Thebiggest difference between debug and snoop is that snoop can dump the actual contents of the packets to thememory buffer. Snoop output is more difficult to read than debug output and it is typically used when thecontents of the packets need to be analyzed. Here are the commands for using snoop:snoop Starts the snoop capture.snoop info Displays current snoop status.snoop detail Enables full packet logging.This will log the full contents of the packets.snoop off Turns off the snoop capture. / or type ESC to stop .snoop filter Allows you to filter what gets captured. Uses syntax similar to that used for debug filtering.clear db Clears the debug memory buffer.get dbuf stream Displays the output for analysis.


You are troubleshooting a problem with traffic passing through the NetScreen. You run debug flow basic andget the results in the exhibit. Why was the packet dropped?

A. The packet was dropped because of the implicit deny at the end of the policy set.

B. The packet was dropped because a global policy was configured to deny the trafficC. There is not enough detail in the output to know exactly what part of the policy dropped the packetD. The packet was dropped because it was explicitly denied by the policy between zones 1002 and 1000




Review the exhibit. What needs to be done to correct this proxy-ID mismatch?

A. The 10.1.0.0 address book entry on the initiator needs to be changed to a 32 bit maskB. The 10.50.0.0 address book entry on the initiator needs to be changed to a 30 bit maskC. The 10.50.0.0 address book entry on the responder needs to be changed to a 24 bit maskD. The 10.50.0.0 address book entry on the responder needs to be changed to a 32 bit mask



QUESTION 183Which command will show you address translation for sessions that have been closed?

A. snoopB. get sessionC. get log trafficD. debug flow basic

E. get interface<>




Review the exhibit. What two (2) statements are true about the traffic captured in this debug output?

A. The default gateway is 1.1.8.254B. No address translation is occurringC. The traffic passing through the system is a DNS requestD. The traffic will be routed to a VSYS using IP Classification




Review the debug output in the exhibit. What type of NAT has occurred?

A. MIPB. Interface Based NATC. Policy based NAT with DIP enabledD. Policy based NAT without DIP enabled



QUESTION 186What is the proper order of policy checking when intra-zone blocking is turned on?

A. Global PolicyIntra-zone BlockLocal Policy

B. Global PolicyLocal PolicyIntra-zone Block

C. Intra-zone BlockLocal PolicyGlobal Policy

D. Local PolicyGlobal PolicyIntra-zone Block



QUESTION 187You have created a NAT -src policy that runs between the private zone in the trust-vr and the Public zone in theuntrust-vr. When looking at the session in debug output, the translated address is not what you expected. Whatcould be the problem? (choose two( 2) answer)

A. Policy-based NAT is not allowed between two VRsB. Your src-address is outside the range of your DIP IP shift poolC. A VIP defined on the egress interface is overriding your NATD. A MIP defined on the egress interface is overriding your NATE. The src interface is in NAT mode and it is overriding your NAT -src policy



QUESTION 188Which representation of an Interface depicts a VSI?

A. e1/1:1B. e2;2C. e3/1.2D. e4:4.1


Explanation/Reference:Virtual Security InterfacesWhen NetScreen firewalls are clustered together with NSRP, all the existing interfaces of both firewalls areconverted to Virtual Security Interfaces (VSIs). VSIs belong to a respective Virtual Security Device (VSD)Group. Depending on how many VSD Groups exist in a NetScreen cluster, the firewall will have a certainnumber of VSIs for each VSD Group. VSIs can be identified with the notation: interface:<VSD Group Number>.For example, ethernet4:0 is "Ethernet interface 4" and belongs in the VSD Group "0".VSIs and VSD Groups are covered in full detail in the NSRP section.

QUESTION 189What is the number of interfaces available for user traffic on a NetScreen 500 configured with 2 mini-GBICcards, 1 regular GBIC Card and 1 10.100 Ethernet card?

A. 4B. 7C. 8D. 11E. 16


Explanation/Reference:Explanation:The NS500 is the entry level NetScreen firewall System.

Apart from the onboard management and dual High Availability interfaces, the NS500 includes 4 modular baysfor different interface configurations. 2 of the module bays are required to be filled for the firewall to function.There are 3 different interface modules available:Dual Fast Ethernet Module

Gigabit Ethernet GBIC Module

Dual Gigabit Ethernet mini-GBIC Module

All NS500 modules are not hot-swappable.Depending on the combination of modules, the maximum number of usable interfaces (besides themanagement and HA interfaces) is 8 (all or a combination of the dual Fast Ethernets and dual mini-GBICs).

QUESTION 190Which two commands would be necessary to set up a default route on a NetScreen device using two virtualrouters? The default path is connected to vr-untrust, with a next-hop address of 1.1.8.1

A. set route 0.0.0.0/0 vrouter untrust-vrB. set vrouter trust-vr route 0.0.0.0/0 gate 1.1.8.1C. set vrouter untrust-vr route 0.0.0.0/0 int untrustD. set route 0.0.0.0/0 int untrust gateway 1.1.8.1E. set vrouter untrust-vr route 0.0.0.0/0 gate 1.1.8.1

Correct Answer: AESection: (none)Explanation


QUESTION 191When the NetScreen 5200 receives a packet for a session which is already established, which component isresponsible for performing the session match?

A. RAMB. CPUC. ASIC on interface cardD. ASIC on management card



QUESTION 192Place the following items in the order most closely matches the NetScreen Packet Flow process.1.Policy Lookup2.Route Lookup3.Check for MIP/VIP4.Create Session5.Session Lookup

A. 2,1,3,5,4B. 4,2,3,1,5C. 5,2,1,3,4,

D. 5,3,2,1,4,E. 5,4,3,2,1,


Explanation/Reference:Explanation:Netscreen Packet FlowsThis section highlights the address translation portion of the NetScreen packet flow. Understanding howNetScreen handles a packet flow provides a good base to understanding how address translations aretriggered and also makes troubleshooting and debugging a problem much easier. Figure bellow shows a high-level overview of how a NetScreen firewall handles packets flowing into their devices.

The process steps are as follows:1. Based on the arriving ingress packet, the NetScreen device notes the incoming interface and the bondedsecurity zone to that interface. (For the purposes of this book, the ingress security zone is considered theFROM zone.) The interface can be a physical Ethernet interface, a subinterface, a VPN tunnel interface, or aVPN tunnel zone. At this point, the NetScreen screening functions are performed.The screening functiondetects any anomalous traffic behavior such as denial of service (DOS) attacks.The screen options areconfigurable at the security zone level.2. Check to see if the session exists. If it does, forward the packet based on the session definition. If thesession does not exist, check to see whether a MIP or VIP entry exists. If one does exist, perform a MIP or VIPtranslation.3. Next, the route lookup is performed. Based on the destination packet IP address, the route lookupdetermines which egress interface the packet will eventually leave from. When you know the egress interfaceyou will also know the egress security zone (remember, the security zones are bonded to an interface). (For thepurposes of this book, the egress security zone is considered the TO zone.)4. Now that you know the FROM and TO security zones, you can apply them to a policy lookup. At a minimum,a policy performs a permit or deny or pushes the packet through a VPN tunnel. Other miscellaneous operationscan also be performed such as traffic shaping, deep inspection, authentication, logging, counters, anti-virus,and threshold alarms. If address translations are defined for either the source (NAT-Src) or the destination(NAT-Dst), those functions are also performed. If NAT-Dst is performed, another route lookup is required.5. A session is created and the packet is forwarded to the egress interface as defined.

QUESTION 193You need to configure your NetScreen device for management from a remote network. Which two of thefollowing configuration elements would be the minimum required elements? (The other three elements are valid

but optional)

A. Default routeB. Manage IP addressC. Manager IP addressD. Interface IP addressE. Creating an administrator


Explanation/Reference:Explanation:D: Uou need an IP address for management.Not B: Manage IP addressis automatically added, when you configure an interface ip address.Not C: A manager IP isn't a minimum requirement. You can manage a netscreen without a manager IP.

QUESTION 194Which two (2) port group represent an allowed aggregate interface configuration on a NetScreen 5400?

A. E2/1 and E3/1B. E2/2 and E2/3C. E3/1 and E3/3D. E3/1 and E3/2E. E4/5 AND e4/6



QUESTION 195You create three policies that will send through an interface configured for 1.544 mbps. All Policies areconfigured to have 256 kbps Guaranteed bandwidth and 512 kbps of Maximum bandwidth. Each policy hasbeen assigned the following priorities:Policy 1 = priority 4Policy 2 = priority 5Policy 3 = priority 3Each policy receive a constant stream of 1 mbps. How much bandwidth will policy 3 get to use?

A. 0 kbpsB. 256 kbpsC. 512 kbpsD. 768 kbpsE. 1 Mbps



QUESTION 196If you configure 5Mbps of bandwidth for a policy, how much is reserved for each flow in the session?

A. 0MbpsB. 1/2 MbpsC. 2.5MbpsD. 5MbpsE. 10Mbps



QUESTION 197What two (2) mechanisms provide traffic shaping on a NetScreen device?

A. Initial Brust AmountB. Maximum BandwidthC. Guaranteed BandwidthD. Maximum Information RateE. Committed Information Rate



QUESTION 198You have traffic from different polices going into the same high priority queue.How will the NetScreen deviceprocess this traffic?

A. REDB. WREDC. Round-robinD. Weighted-fair queuing



QUESTION 199What commands would you use to create a zone and make it ready to perform IP classification?

A. set zone name Zone 1set zone Zone1 ip-classification

B. set zone name Zone1 shared

Set zone Zone1 ip-classificationC. Set zone name Zone1

Set zone Zone1 sharedSet zone Zone 1 ip classification

D. Set zone name Zone1Set zone Zone1 sharedSet zone Zone1 ip-classification enable




QUESTION 200You want to set the default router for your VSYS called corp to be the shared untrust virtual router. How wouldyou do this?

A. From the corp VSYS as the VSYS admin enter the CLI command "set vr untrust-vr default-vrouter"B. From the corp VSYS as the VSYS admin enter the CLI command "set VSYS corp vr untrust-vr default-

vrouter"C. From the root VSYS as a root level administrator enter the CLI command "set VSYS corp vr untrust-vr

default-vr"D. From the root VSYS as the corp VSYS administrator enter the CLI command "set VSYS corp vr untrust-vr

default-vr"



QUESTION 201VLAN tagging within a NetScreen device is based on which industry standard?

A. 802.1dB. 802.1qC. 802.11qD. 802.2E. 802.3



QUESTION 202You have created a virtual router called VSYSA-vr and made it sharable. You then create the VSYS using theWebUi, telling it to use an existing VR and selecting the VR called VSYSA-vr. What is the status of the virtualrouter after you create the VSYS?

A. The router will be the default router but will no longer be shared.B. The router will be the default router and will still have a sharable status.C. The system will not let you use a shared virtual router when you create a new VSYS.

The initial virtual router must be private.D. The system will not create a private vr for the VSYS but will assign the Untrust-vr as the default router. The

shared Virtual router will not be the default router.



QUESTION 203What is the valid range of VLAN tag numbers that are usable on a NetScreen device?

A. 0 thru 500B. 1 thru 500C. 0thru 2048D. 1 thru 4094E. 0 thru 4095




Refer to the exhibit. Which two (2) of the following statements can be verified from the debug output?

A. Interface-based translation is occurringB. The routing decision used the default route.C. Traffic is arriving from the virtual system Custa.D. Traffic is departing using the root virtual system.E. The matched policy is from a custom zone to a system-defined zone.



QUESTION 205You are logged in as a read-only VSYS administrator and are trying to run snoop from within the virtual systembut the command does not appear to be working.Why?

A. You cannot run snoop from within a VSYS.B. You must be logged in as a read/write VSYS admin to run snoop in the VSYS.C. You must be logged in as least a read only root level admin to run snoop in the VSYS.D. You need to be logged in as at least a read/write root level admin to run snoop in the VSYS.



QUESTION 206Which three (3) VSYS features can only be created by the root administrator?

A. VPNsB. PoliciesC. Sub interfacesD. Dedicated interfacesE. Address book entriesF. VSYS read/write Admin

Correct Answer: CDFSection: (none)Explanation

Explanation/Reference:Explanation: VPNs, Policies and addressbook entries can be created by VSYS read/write admins. As a resultSubinterfaces, dedicated interfaces and VSYS read/write admins can only be created by root administrator.

QUESTION 207You are creating a sub-interface to support VLANs. What must be done to insure the system will insert theVLAN tags?

A. Turn on VLAN support for the NetScreen device through the admin function.B. Nothing needs to be done. Create the sub-interface and the system automatically applies the proper tags to

the appropriate frames.C. Create a cross-reference table entry after you create the sub-interface to map the VLAN tag to the traffic

passing through the interface.D. Sub-interfaces do not support VLAN tags. You need to create logical interfaces off the VLAN1 interface to

have VLANs work on a NetScreen device.



QUESTION 208Which two of the following combinations are NOT valid policy options for a system with multiple VSYS?

A. From within VSYS A: Private VSYS A zone to shared root zoneB. From within VSYS B: private VSYS B zone to private VSYS A zoneC. From within root VSYS: Shared root zone to a Private VSYS A zoneD. From within root VSYS: Shared root VSYS zone to private root VSYS zone



QUESTION 209Which item in a virtual system is shared by default?

A. Trust zone in the Trust-vrB. Trust zone in the Untrust-vr

C. Untrust zone in the Trust-vrD. Untrust zone in the Untrust-vr




Review the exhibit. There is a different administrator for VSYS A, VSYS B, and VSYS C, as well as the rootsystem administrator. What is the minimum number of administrators that will have to work together toconfigure cross-VSYS routing?

A. 1B. 2C. 3D. 4



QUESTION 211Which three (3) interface types are supported by Virtual Systems?

A. Sub interfacesB. VPN interfacesC. VLAN interfaces

D. Shared interfacesE. Limited interfacesF. Dedicated interfaces

Correct Answer: ADFSection: (none)Explanation


QUESTION 212You are a read/write VSYS administrator. Your configuration requires the use of a DIP. Which statementcorrectly describes this situation?

A. DIP creation can only be done by the root administrator, not a VSYS administratorB. You can create the DIP on any interface imported into your VSYS, but not on shared interfacesC. You can create DIP on any interface you can see in your interface list, including both private and shared

interfacesD. You can create DIPs only on sub-interfaces within your VSYS.All other DIPs need to be created by the root

level VSYS admin



QUESTION 213You want to create a sub-interface in VSYS

A. What two (2) actions are required?B. Import the sub interfaceC. Login as root level adminD. Login as a VSYS level admin3E. Create the sub-interface at the root VSYSF. Create the sub interface at the VSYS level.



QUESTION 214EXHIBIT

You are having problems with traffic getting to destinations out of interface Ethernet 1. You execute a "getroute" command and get the results seen in the exhibit. What can you determine from the this routing table?

A. The physical link may be down on the interface and that problem has to be correctedB. Since the preference is 0 it is not being chosen to pass any routes. You must configure the preference to be

a higher valueC. Ethernet 1 does not have a gateway assigned to it so the system does not know where to send the traffic

using that interfaceD. You cannot tell why traffic would not be going out Ethernet 1. You will need to try other troubleshooting

commands to find your problem



QUESTION 215EXHIBIT

Based on the exhibit, what two (2) things are you able to determine about this VPN?

A. This is a route-based VPNB. This is a policy-based VPNC. The VPN tunnel is active but the VPN monitor shows the tunnel is downD. The VPN is active and has 312 more seconds until reaching its 3600 second timeoutE. The VPN is active and has 3288 more seconds until reaching its 3600 second timeout



QUESTION 216Which command allows you to see the current configuration of snoop?

A. Get filterB. Get snoopC. Snoop infoD. Get filter snoop



QUESTION 217How can you view the value of a Phase 1 pre-shared key on a device running ScreenOS 5.0 or later?

A. Get ike gatewayB. Get ike pre-shareC. Get conf | inc gatewayD. You cannot retrieve the pre-shared key value it is encrypted and cannot be viewed



QUESTION 218EXHIBIT

Which of the following two (2) statements are valid based on the debug output shown in the exhibit?

A. Fix-port is enableB. Port translation is occurringC. NAT-src is using a DIP pool with IP shiftD. NAT-src is using a DIP pool for translationE. NAT-src is using the interface address for translation



QUESTION 219EXHIBIT

Based on the exhibit, what three (3) things can be determined about the VPN?

A. You are not using PFSB. Phase 1 completed successfullyC. Phase 2 completed successfullyD. The maximum packet size for this tunnel is 522 bytesE. The destination gateway device IP address 1.1.1.10



QUESTION 220EXHIBIT

Refer to the exhibit. This Hub and Spoke design uses route-based VPNs and has intra-zone blocking enabledon the Evil zone. What is the minimum number of policy rules, across all devices, required to establish full, bi-directional communications between all locations?

A. 4B. 6C. 7

D. 9E. 10F. 12



QUESTION 221Which two (2) route-based VPN configurations would still require a policy?

A. A policy is never needed to get traffic to a route-based VPNB. The tunnel interface is in a different zone than the traffic source interfaceC. The tunnel interface is in a different zone than the traffic destination interfaceD. The tunnel interface is in the same zone as the traffic source interface and intra-zone blocking is turned off



QUESTION 222What is the purpose and use of digital certificates?

A. Prove authenticity and bind public keys to an entityB. Prove authenticity and bind private keys to an entityC. Hold both public and private keys of the bearer of the certificateD. Hold both the public and private keys of the issuer of the certificate



QUESTION 223Which is a valid Phase 1 IKE proposal?

A. pre-g1-des-md5B. g2-esp-des-md5C. g2-esp-aes128-md5D. nopfs-esp-des-md5



QUESTION 224You are creating a DIP pool of 30 addresses. You would like to see how addresses are being allocated todifferent traffic streams. What command will you use to view this information?

A. SnoopB. Get dip allC. Get sessionD. Get address xlate



QUESTION 225What is the recommended order for a basic policy-based VPN configuration? Refer to the exhibit.

A. 1, 4, 3, 5, 2B. 2, 1, 4, 3, 5C. 2, 3, 5, 1, 4D. 3, 5, 1, 3, 2



QUESTION 226How many tunnels would you have to be created to build a full mesh between 10 VPN devices?

A. 9B. 10C. 20D. 45E. 100



QUESTION 227Which two processes are able to use certificates on a NetScreen device?

A. IKE Phase 2 VPNSB. Certify NTP ServersC. IKE Phase 1 GatewaysD. Management using SNMPE. Management SSL traffic



QUESTION 228Which two statements regarding NHTB are correct?

A. If the hub device is running pre-5.0 software, manual configuration of NHTB is required on the hubB. If the spoke device is not a NetScreen device, manual configuration of NHTB is required on the hubC. If the spoke device is not a NetScreen device, manual configuration of NHTB is required on the spokeD. If the spoke device is running pre-5.0 software, manual configuration of NHTB is required on the hub deviceE. If the spoke device is running pre-5.0 software, manual configuration of NHTB is required on the spoke

device



QUESTION 229Which two statements are correct?

A. RA stands for Registration AgentB. RA stands for Registration AuthorityC. An RA is required in order to run a CAD. An RA distributes registration informationE. An RA accepts registration requests on behalf of a CA



QUESTION 230Which three components make up a redundant VPN configuration?

A. MasterB. Slaves

C. MonitorD. TargetsE. BackupsF. VPN Group

Correct Answer: CDESection: (none)Explanation

Explanation/Reference:Explanation:Redundant VPNs consists of Monitors, Targets and VPN groups

QUESTION 231Which messages exchange certificates during IKE Main Mode negotiations?

A. Messages 1 & 2B. Messages 2 & 3C. Messages 3 & 4D. Messages 5 & 6E. Certificates are not exchanged in main mode



QUESTION 232You create a policy-based VPN, and select an address group for the source address. What will be the source

part of the proxy-id seen by the remote security gateway?

A. 0.0.0.0/0B. the last member of the address groupC. the first member of the address groupD. a string of all of the addresses in the address groupE. the subnet that contains all addresses in the address group



QUESTION 233You have created a VPN to a dynamic peer. Which two configured parameters must match?

A. Peer id on the static sideB. Local id on the static sideC. Peer id on the dynamic stateD. Local id on the dynamic sideE. IP addresses on the static sideF. IP address on the dynamic side



QUESTION 234EXHIBIT

Based on the exhibit, what two things must you configure on NetScreen B to successfully establish a VPN?(Both sides have static addresses)

A. Default route

B. Peer address of 1.1.1.1C. Local ID of 1.1.2.5D. Tunnel interface associated with VLAN1E. Policy from Untrust to Trust allowing VPN traffic to the NetScreen



QUESTION 235What layers of the OSI model are captured when you use snoop with detail off?

A. 1-4B. 1-7C. 2-4D. 2-7E. 5-7


Explanation/Reference:Explanation:According to NMTP , snoop command gives an administrator the ability to view packet information from L2 toL4 as it comes into and out of Netscreen interface . Snoop output will be detected to either the console or aninternal buffer based on the console configuration .Snoop is a powerful tool but it must be used with caution . Snoop can cause a slow down in performance . Theperformance drop depends on a few factors :1) The amount of traffic being sent through the Netscreen. Increases in traffic flow decreases the performance ,as more data must be sent to the console or debug buffer .2) The debug output method . sending snoop output to a console is the most CPU intensive . It isrecommended that output be detected to the debug buffer , as it is less CPU intensive .

QUESTION 236EXHIBIT *** MISSING ***Based on the exhibit, what two options do you have for exchanging traffic between Site A and Site B?

A. Use VIPs on both sidesB. Use DIPs one both sidesC. Use a MIP on both sidesD. Use a combination of NAT-src and NAT-dstE. Use VIPs on one side and DIPs on the other side



QUESTION 237What formula does NetScreen use to determine which policies will be checked when traffic enters the device?

A. Netscreen builds an index on source IP and searches only those policies matching the source IP of theingress packet

B. NetScreen checks all policies that have been created with a special algorithm that checks all policies withfewer CPU cycles

C. NetScreen builds an index on destination IP and searches only those policies matching the destination IP ofthe ingress packet

D. NetScreen checks a subnet of all policies based on the ingress zone of the packet combined with theegress zone of the packet



QUESTION 238What is the correct method to reference a sub-interface?

A. Ethernet 2/1/1B. Ethernet 2/1:1C. Ethernet 2/1-1D. Ethernet 2/1.1



QUESTION 239Which two (2) commands would build a valid default gateway to a NetScreen device using 1 virtual router andhaving a next hop of 1.1.1.1?

A. Set route 0.0.0.0/0 int untrustB. Set route 1.1.1.1 gateway 0.0.0.0/0C. Set route 0.0.0.0/0 interface untrust gateway 1.1.1.1D. Set vr trust-vr route 0.0.0.0/0 gateway 1.1.1.1E. Set route 0.0.0.0/255.255.255.255 gateway 1.1.1.1



QUESTION 240What is the maximum number of ports that can be added to an aggregate interface group on a 24 FE card?

A. 2B. 4C. 5

D. 8E. 16



QUESTION 241Which component is responsible for performing both the forwarding lookup and policy evaluation on the firstpacket in a session received by an NS-500?

A. RAMB. CPUC. ASIC on system boardD. ASIC on interface card



QUESTION 242What are the minimum configuration requirements for configuring a NetScreen device for administrativeaccess? (Select the best two (2) answers)

A. PoliciesB. Adding routesC. SNMP configurationD. Interface addressingE. Creating an administrative



QUESTION 243What is the maximum number of interfaces available for user traffic on the NetScreen 5400? (Assume that5000-FE24 cards are supported)

A. 24B. 30C. 72D. 78E. 79

Correct Answer: DSection: (none)

Explanation


The 5000 series does not include onboard management and HA ports like the 500 series. Instead, there aretwo different management modules available, the 5000-M and the 5000-M2. The management module must beinserted in the first (top) modular bay.

The management module provides overall management and control over the NetScreen System and othermodules and assists primarily with non-flow related tasks (tasks not dedicated to processing packets). Bothmodules include a dedicated management interface, a console port, a modem port, dual dedicated HAinterfaces and a compact flash slot. The differenc e between the two lies in the processor speed. The 5000-Mincludes an onboard 600 MHz PowerPC CPU while the 5000-M2 unleashes a dual 1GHz PowerPC CPUconfiguration. The interface modules available for the 5000 series are named Secure Port Modules (SPMs).There are only two available, an 8 port modular hot-swappable mini-GBIC module (8G) or a 2 non-modularmini-GBIC port and 24 10/100 BaseTX ports module (2G24FE). It is possible to obtain different mini-GBICtransceivers (SX or LX) for the 8G module.

The 8G module can support up to 4 aggregate interfaces (covered in a later section). The aggregate interfacesmust be paired in a sequence, that is, ports 1 and 2, 3 and 4 and so forth. It is not possible to mix ports (ports 1and 4). Ports must also be exactly the same type (SX and SX/LX and LX) and must reside on the same module(it is not possible, for example, to aggregate port 1 on modular slots 2 and 3 - from a 5400 perspective).2G24FE

This module is capable of supporting up to 6 aggregate interfaces, 1 for the GBIC pairs and 5 between the 24Fast Ethernet ports. Unlike the 8G module, any combination of FE pairs can be aggregated together, but it isstill recommended that they be paired sequentially. It is not possible to aggregate the GBICs and the FEstogether. Depending on the combination of modules, it is possible to obtain a maximum of 26 useable ports (1 x2G24FE) on a 5200 and 78 useable ports (3 x 2G24FE) on a 5400.

QUESTION 244How many queues are available to manage traffic priority on a NetScreen device?

A. 4B. 8C. 16D. 32E. 64


Explanation/Reference:Explanation:When using traffic shaping on a NetScreen firewall, incoming packets are put into a queue. As each packet ismatched against a policy, traffic shaping rules are applied.Then the different components of traffic shaping areused to determine what happens to the packet.Traffic shaping is configured per policy, so traffic that matches aspecified policy will have that policy's traffic shaping configuration applied to it. Below are the various terms that

are associated with traffic shaping on a NetScreen firewall:Priority Queuing There are eight priority queues that can be used ona NetScreen firewall.The higher the priority of the queue, the morelikely it will get available bandwidth. Each priority queue is ranked with a number with zero being the highestand 7 being the lowest.Guaranteed Bandwidth When you configure guaranteed bandwidth,you are specifying that a certain amount of bandwidth will be available for this traffic.Maximum Bandwidth This option defines the maximum amount ofbandwidth that matching traffic can consume.Interface Bandwidth For the firewall to determine the factors ofmaximum and guaranteed bandwidth, you must define how muchbandwidth is available on each interface. If you do not define the available bandwidth, the firewall will assumethe bandwidth of the interface.In many cases this may be 10Mbps or 100Mbps.That, of course, is muchmore than most organizations' Internet connections.DiffServ Marking Differentiated Services (DiffServ) allows you to tag packets according to their priorities.Thisallows you to mark individual packets in the Type of Service (ToS) byte in the IP (Internet Protocol) header.Thisconforms to Request For Comment (RFC) 2474 and RFC1349.Table 5.1 below shows a mapping of the DiffServ codes to thetraffic priorities configured on a NetScreen firewall.It is entirely possible to grind your network to a halt with a bad traffic shaping configuration, so it is important toconsider all aspects of it before implementing traffic shaping. In the next section we will look at and describe thevarious rules of traffic shaping.

QUESTION 245What is the best definition of #maximum bandwidth?

A. The total amount of bandwidth (configured in mbps) that can be used by a policy after guaranteedbandwidth has been serviced

B. The total amount of bandwidth (configured in kbps) that can be used by a policy after guaranteed bandwidthhas been serviced

C. The additional amount of bandwidth over the guaranteed bandwidth amount (Configured in kbps) that canbe used by a policy after guaranteed bandwidth has been serviced

D. The additional amount of bandwidth over the guaranteed bandwidth amount (Configured in mbps) that canbe used by a policy after guaranteed bandwidth has been serviced



QUESTION 246Which bits of DSCP mapping do NetScreen devices use?

A. first 3 bitsB. first 4 bitsC. last 2 bitsD. last 3 bitsE. last 4 bits


Explanation/Reference:Explanation:DiffServ Code Point MarkingNetScreen devices support DSCP marking on the first three bits of the DSCP fields in the IP header.NetSCreen devices now provide a global option to zero out the second 3 bits of the DSCP field. When thisfeature is on, the device changes the DS field values to 'xxx000|yy', ensuring that priority levels you set inpolicies are preserved and handled correctly by downstream routers.

QUESTION 247When using NSRP, what command will command will insure uninterruptedcommunications for VPNs using certificates for authentication?

A. Set hostnameB. Set NSRP clusternameC. Set NSRP cluster nameD. Set NSRP cluster hostname



QUESTION 248What should you configure to insure an HA cable failure does not result in both devices attempting to becomemaster?

A. Failover countB. Secondary pathC. Monitor thresholdD. Heartbeat intervalE. Heartbeat threahold



QUESTION 249You have configured NSRP, and disconnect an interface to test failover. No failover occurs. What is most likelythe problem?

A. The HA cable is unpluggedB. You forgot to activate NSRPC. You didn't configure monitoring on that interfaceD. You did not configure the rto object synchronization



QUESTION 250You are running debug, and you see a numeric value in the output that you know references a zone. Whatcommand will let you view zone names and corresponding numbers?

A. Get zoneB. Set zone idsC. You need to run "get zone <name>" for each zone on the deviceD. Zones are not referenced by numbers in debug. Zones are only referenced by name



QUESTION 251Which three items are automatically copied from one NetScreen device to the other once NSRP is configured?

A. DNSB. PoliciesC. HostnameD. VSD priorityE. Address Books



QUESTION 252You are running ScreenOS 5.0 and have configured NSRP so that session state messages are sent to thebackup device. Which statement most correctly depicts the session created on the backup when it receives theinitial session message from the master?

A. The sessions are created with the same timeout value

B. The backup session is created with half the timeout set on the masterC. The backup session is created with two (2) times the timeout set on the masterD. The backup session is created with eight (8) times the timeout set on the master



QUESTION 253You are using NSRP and enable preempt on a device with a priority of 120. The other device has the defaultpriority set. What will be the result of this action?

A. The device will be come master immediatelyB. The device will only become master if the device with default priority failsC. The device will wait the defined holdtime period and then take over is masterD. The device will enter a pending state until the next maintenance window and then assume the master role



QUESTION 254Which three of the following priority settings would ensure that a device is always the master of a VSD group?Assume that the other device in the group uses default priority?

A. 25B. 78C. 84D. 103E. 208



QUESTION 255What determines which interface is the primary link in a redundant interface group?

A. The lowest MAC addressB. The highest MAC addressC. The first interface placed in the groupD. The lowest numbered interface on the deviceE. The highest numbered interface on the device

Correct Answer: CSection: (none)

Explanation

Explanation/Reference:By default, the first physical interface added to the redundant interface group becomes the primary interface. Itis possible to change this afterwards, if desired. For this example, we assume that interface redundant1consists of physical interfaces ethernet1 and ethernet2, and that ethernet1 is currently the primary interface. Tochange the primary interface to ethernet2, use the following.From the CLI:set interface redundant1 phy primary ethernet2From the Web interface:It is not possible to change the primary interface of a redundant interface from the Web interface.

QUESTION 256You want to export an interface to the root VSYS. When you view the list of interfaces you do not see the exportoption. What three (3) things must be done to make the interface exportable?

A. The interface must be in the null zoneB. The interface must be in a predefined zoneC. The interface must be placed in a shared zoneD. The interface must have the IP address removedE. The interface must have all sub-interfaces removed



QUESTION 257When creating resources for use across multiple virtual systems, which two items need to be specificallyconfigured as shared?

A. ZonesB. PoliciesC. InterfacesD. Virtual routersE. AdministratorsF. Virtual systems




Review the debug output in the exhibit. What type of NAT has occurred?

A. VIPB. MIPC. Interface Based NATD. Policy based NAT with DIP enabledE. Policy based NAT without DIP enabled



QUESTION 259You are a read/write VSYS administrator. Your configuration requires the use of a MIP. Which statementcorrectly describes this situation?

A. MIP creation can only be done by the root administrator, not a VSYS administratorB. You can create the MIP on any interface imported into your VSYS, but not on shared interfacesC. You can create MIP on any interface you can see in your interface list, including both private and shared

interfacesD. You can create MIPs only on sub-interfaces within your VSYS. All other MIPs need to be created by the root

level VSYS admin



QUESTION 260Which four (4) interface types will support VLANs?

A. Tunnel interfacesB. Physical interfacesC. Loopback interfacesD. Aggregate interfacesE. Redundant interfacesF. Virtual system interfaces

Correct Answer: BDEFSection: (none)Explanation


QUESTION 261You are the VSYS read-only admin for VSYS A and are having a problem with traffic delivery. What must youdo to activate debug to see how the system is processing your traffic?

A. Run debug from the root CLI promptB. Run debug from the VSYS CLI promptC. You have to log in as a read-write VSYS administratorD. You cannot run debug as a read-only administrator at any level


Explanation/Reference:Explanation:Read-only administrator. This user has limited access to the system. As the name suggests, the user can onlyview the configuration and they are unable to modify the system in any way. This is useful if you want to havesomeone document your configurations, or if you want to give someone limited access to the device to performtroubleshooting on the network. The following list includes the limited privileges of the read-only administrator.Read-only privileges in the root systemRead-only privileges in all virtual systems

QUESTION 262EXHIBIT

Review the exhibit. Without address translation, what is the minimum number of routes needed to allowCustomer Certkiller 1 to talk to Customer Certkiller 2?

A. 2B. 3C. 4D. 5E. 6



QUESTION 263What is the maximum number of VLANs supported on a NS 500 FW/VPN device running ScreenOS 5.0?

A. 50B. 100C. 200D. 250E. 500


Explanation/Reference:Explanation:NS-500 Baseline NS-500 AdvancedInterfaces 8 10/100 Ethernet or 8 10/100 Ethernet or8 Mini-GBIC or 8 Mini-GBIC or4 GBIC 4 GBICMaximum ThroughputFirewall 700 Mbps 700 MbpsVPN 250 Mbps 250 MbpsMaximum Sessions 128,000 250,000

Maximum VPN Tunnels 1,000 5,000 and 5,000 Dial-UpMaximum Policies 20,000 20,000Virtual Systems Up to 25 Up to 25Security Zones 8 8Virtual Routers 2 2VLANs 100 100Routing ProtocolSupportRIP v2 Yes YesOSPF No YesBGP No YesHigh AvailabilityHA Lite No NoActive/Passive Yes YesActive/Active No YesActive/Active No YesFull MeshAnti-Virus ScanningEmbedded No NoExternal Yes YesDeep Inspection No YesThroughput N/A 180 Mbps

QUESTION 264Which four (4) components of a NetScreen device can be unique to a virtual system?

A. VPNsB. Routes in a shared virtual routerC. PoliciesD. AdministratorsE. Pre-defined servicesF. Address book entries

Correct Answer: ACDFSection: (none)Explanation


QUESTION 265Which two (2) methods can the NetScreen use to assign traffic to a VSYS?

A. IP-based classificationB. VPN based classificationC. TCP-based classificationD. VLAN-based classificationE. Policy-based classificationF. Interface-based classification



QUESTION 266Arrange the following steps in the recommended order to configure inter-VSYS routing (see exhibit).

A. 1, 5, 2, 3, 6, 4B. 3, 4, 1, 5, 2, 6C. 3, 5, 2, 1, 6, 4D. 5, 2, 6, 1, 3, 4



QUESTION 267What two (2) ways can a NetScreen Firewall/VPN device be administered by a secure, encrypted connection?

A. SSHB. HTTPC. TelnetD. HTTPSE. Console



QUESTION 268You are concerned about log entries being overwritten and would like to save this valuable information on anexternal system. Which three (3) systems will work with NetScreen devices to accomplish this goal?

A. SNMPB. WebSenseC. WebTrendsD. Syslog ServerE. NetScreen Security Manager

Correct Answer: CDESection: (none)Explanation


Explanation:Before we start to discuss NSM, it's important to understand the other options available to us from a monitoringperspective. If NSM is not an option for your organization, each firewall provides capability to monitor throughthe use of tools like Syslog, SNMP,Webtrends, or e-mail.SyslogSyslog is an industry standard and typically low-cost method used for capturing log files from devices, servers,or applications. Most often, Syslog is a service running on a UNIX host that has the capability to capture andstore logging data that is sent to it over a network connection. Syslog is not included with Windows, but thereoptions available. Since NetScreen firewall devices to not contain a hard drive, memory is allocated for storinglogs. Once the memory fills up, newer entries overwrite the older entries. Administrators are typically required tokeep this information for several reasons, among those being legal purposes, trending and usage reports, andtroubleshooting.This is where Syslog comes in. NetScreen firewalls can be configured to send their loggingdata to a remote Syslog server.NetScreen devices operate over the standard Syslog UDP (User Datagram Protocol) port 514.The Sylogprotocol provides the ability to categorize traffic through what are referred to as facilities. NetScreen firewallsmake use of two facilities, called normal and security.Within the normal and security facilities, logs can be sentto one of nine locations, Local0 through Local7 and Auth/Sec.A single firewall device can be configured to sendlogs to up to four Syslog servers.WebTrendsWebTrends offers a product called WebTrends Firewall Suite that allows you to create customized reports fromSyslog data. NetScreen firewall devices have support for this product built into ScreenOS.SNMPSNMP is another industry standard for monitoring a network environment. An SNMP system is a fairly simpledesign that consists of a manager and agents. For a typical scenario, the administrator would configure anSNMP manager, like HP OpenView, to receive notifications, or traps, from the agent. The NetScreen agentsupports SNMPv1 and v2c as well as Management Information Base II (MIB II). MIBs are a group of definitionsthat define properties within the managed device. In addition to the MIB-II information, Juniper provides privateenterprise MIBs that can be loaded through a MIB browser on to the SNMP manager. The NetScreen MIBs canbe downloaded from http://support.juniper.net.NetScreen devices can be configured to support up to three SNMP communities, each of which can contain upto eight hosts. Communities can be granted read and read/write access. Due to security reasons, write accessis only provided for sysName and sysContact in MIB-II, the rest are read-only. When defining SNMP hosts forthe community, you can enter a specific host with a 32-bit subnet or you can define an entire subnet. Keep inmind that only specific hosts will be able to receive traps. Hosts defined as part of a subnet will not be able toreceive traps, but will be able to query the device. MIB-II data or traps can be accessed through any physicalinterface. If virtual systems are being used, it's important to keep in mind that SNMP data cannot beimplemented individually on each virtual system. Instead, it must be configured at the root virtual system.E-mail and Log SettingsE-mail messages can be used to alert administrators when an event is taking place on a NetScreen device.NetScreen Security ManagerUp to this point in the chapter, several methods for monitoring the devices have been presented. This is usefulfor keeping informed about the traffic and status of devices, but what can be done to effectively manage policyand hardware configuration changes? In a small environment, managing each individual device isprobably acceptable, but with large, distributed deployments, this model does not scale appropriately. It's forthis environment that NetScreen Security Manager was developed. NSM provides the capability to managemultiple devices, up to 1000, from a single console.Additionally, NSM supports domains and role-based administration.Thedomain capability allows for NSM to create logical groupings of devices and place them into subdomains. Eachdomain can have its own unique objects, VPNs, and policies.Within the domains, roles can be created to allowaccess to certain parts of the system. For example, a role could be created for the help desk that only allowsthem access to the Log Viewer and the Realtime monitor, while an administrative role could be assigned tofirewall admin allowing that user to make changes and update policy.Another feature of NSM that makes it such a powerful tool is the ability to model devices and configure withtemplates. By creating a model, an administrator has the ability to create a device that does not yet exist.Thecomplete configuration can be created in advance, so once the device is deployed, it can bepushed to the firewall, making it immediately ready for application.Templates provide the capability to simplifythe process further.With templates, common configuration elements can be predefined and applied to existingor modeled devices. For example, assume that all NetScreen devices in a network use the same DNS servers.A template for the DNS servers could be created and then applied to each device, reducing time and effortrequired for configuration. NetScreen Rapid Deployment is a feature that simplifies the process of bringing a

device online. Once the device is modeled, the administrator can create a small file, called a configlet, that canbe sent to an onsite administrator who can then load the configlet onto the NetScreen device.The information inthe configlet contains just enough information to get the device communicating on the network and to talk toNSM. Once NSM has been notified by the device that it is active, the administrator can then push the remainingconfiguration to make it fully functional.

QUESTION 269You need to investigate some physical layer problems. Which command will provide you with information thatyou can use to analyze these type of problems?

A. Get log eventsB. Get counter screen <zone>C. Get counter flow interface <name>D. Get counter statistics interface <name>


Explanation/Reference:Explanation:Use the counter commands to clear or display the values contained in traffic counters. Traffic counters provideprocessing information, which you can use to monitor traffic flow. NetScreen devices maintain the followingcategories of counters:Screen counters, for monitoring firewall behavior for the entire zone or for a particular interfacePolicy counters, for reporting the amount of traffic affected by specified policies Hardware counters, formonitoring hardware performance and trackingthe number of packets containing errorsFlow counters, for monitoring the number of packets inspected at the flow level Usage :clear [ cluster ] counter{all |ha |screen [ interface interface | zone zone ]}get counter{flow | statistics[ interface interface | zone zone ] |screen { interface interface | zone zone }policy pol_num { day |hour | minute | month | second }}

QUESTION 270Which CLI command will allow you to change the root administrators name?

A. Set admin joehouserB. Set admin name joehouserC. Set admin user name joehouserD. Set admin joehouser password 2Wx3rpYq


Explanation/Reference:According the the following explanation , the recommend answer is BSecuring the Management InterfaceNow that you are beginning to understand the management of the NetScreen firewall device, it is time to securethe management access to your device.The last thing you want to do is leave the doors wide open for anotherindividual to take over your device.There are some easy things that you can do to prevent this. First, as wementioned earlier, you should change the root username and password. Everyone who owns a NetScreenfirewall is well aware of the default login and password to the device. Use the following steps to change the rootusername and password via the WebUI:1. Select Configuration | Admin | Administrators. A screen similar to

Figure,WebUI Administrators Screen2. Click the Edit link for the user with root privileges (in our example, the root user is the only username entry).A screen similar to that in Figure 3.6 will be displayed.Figure 3.6 below is identical to Figure 3.5 above - thefigure below has to be replaced with a screenshot of the Edit screen.

Figure, Edit Administrator3. Change the Administrator Name from netscreen to synadmin.4. Enter netscreen in the Old Password field.5. Enter the new password in the New Password and Confirm New Password fields.6. Click OK.Use the following steps to change the root username and password via the CLI:1. Enter the following command to change the admin name:Syngress-> set admin name synadminYou will see the following message:Password has been restored to default "netscreen". For securityreasons, please change password immediately.2. Enter the following command to change the password:Syngress-> set admin password password3. Use the following command to verify the changes:Syngress-> get admin userYou will see an output similar to the following:Name Privilege-------------------------------- ---------------synadmin RootSyngress->The device now has its root users name set to synadmin and its password has been changed. It is suggestedthat you make the password a minimum of eight characters.The maximum allowed number of characters in thepassword is thirty-one.

QUESTION 271EXHIBIT

Review the exhibit. What two (2) things can you tell about the traffic that was captures in this debug output?

A. NAT is occurring on the ingress interfaceB. Traffic is between two user defined zoneC. The gateway configured is either invalid or not upD. After NAT the final destination for the packet is 1.1.8.254



QUESTION 272What does the following route entry perform: set route 0.0.0.0/0 gateway 1.1.1.254

A. Adds a default route to the Untrust-vrB. Adds a default route to the Trust-vrC. Adds a default route to the default virtual routerD. Nothing. The command is not valid.


Explanation/Reference:The command is valid , and as the virtual router is not been specified , so the route is supposed to added to thedefault virtual router.

QUESTION 273What is the reason why you can't assign a VLAN ID to an interface?

A. The interface is in Route modeB. The interface is in NAT modeC. The interface is in Transparent modeD. The interface type is Tunnel


Explanation/Reference:Explanation:Tunnel interfaces do not support VLANs.

QUESTION 274You cannot add an IP address to one of your interfaces. What is most likely the problem?

A. The interface is in NAT modeB. The interface is in Route modeC. The interface is bound to the Null zoneD. The interface is disconnected


Explanation/Reference:The interface must belong to a valid Security or Function zone before an IP address can be assigned to it.

QUESTION 275Which options must be configured for VPN redundancy? Select the two best options.

A. Aggressive modeB. IKE Heartbeats and Recovery AttemptsC. TCP-SYN-CheckD. Main modeE. VPN Group Weightings


Explanation/Reference:Explanation:In order to connect to a VPN Group, IKE heartbeats and IKE recovery attempts must be configured, as well asthe assignment of weightings to each of the VPN Group members. It is possible to connect to a VPN Groupregardless of the IKE mode being used. While TCP -SYN-Check provides seamless failover, it is not mandatory(leaving it enabled will require connections to be re-established by the client).

QUESTION 276Observe the following information:Active: 1, Dead: 0, Total 1500f/0003, 1.1.1.2:500->1.1.1.1:23, PRESHR/grp2/3DES/SHA, xchg(2)

resent-tmr 7166032 lifetime 28800 lt-recv 28800 nxt_rekey 28500 cert-expire 0 initiator, err cnt 0, send dir 0,cond 0x0nat-traversal map not availableike heartbeat : disabledike heartbeat last rcv time: 0ike heartbeat last snd time: 0XAUTH status: 0What can you determine from the presented information? Select the TWO best answers.

A. Phase 1 negotiation has failed.B. NAT traversal is not enabled.C. The key has been valid for 300 seconds.D. The key has been valid for 28500 seconds.E. The identification method is Digital Certificates.


Explanation/Reference:Explanation:The active status of this output shows that the Phase 1 negotiation is successful. The nxt-rekey field is detailsthe number of seconds remaining before the next rekey. Hence, we can assume that the current key has beenactive for 300 seconds (28800 - 28500). As the NAT traversal map is not available, we can assume that NATtraversal has not been enabled. By the proposal method, we can tell that this Phase 1 tunnel was establishedusing PRESHR - Preshared Keys.

QUESTION 277Observe the following information:total configured sa: 1HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys00000001< 1.1.1.1 23 esp:3des/sha1 e3270b99 3200 unlim A/- 2 000000001> 1.1.1.1 23 esp:3des/sha1 3c472af5 3200 unlim A/- 1 0What can you determine from the presented information? Select the TWO best answers.

A. The VPN tunnel is not active.B. VPN Monitoring is enabled and the tunnel is Up.C. The SA has been valid for 3200 seconds.D. The SA has been valid for 400 seconds.E. The outgoing SA is related to port 23.


Explanation/Reference:Explanation:This information is the output of "get sa" displays information regarding the status of Phase 2 negotiation. If aVPN tunnel is active, the output will be similar to that of the above. Similar to the "get ike cookies" output, thelifetime is displayed in the number of seconds before rekey. Hence, we can assume that the SA has been validfor 400 seconds (3600 - 3200). The Sta field informs us about the status of the tunnel, and if VPN monitoring isenabled, whether the tunnel is Up or Down. If the character of the right side of the "/" is "- ", then we canassume that VPN monitoring has not been enabled for this VPN. The outgoing SA is represented by the ">"character, and we can see that it relates to PID (Policy ID) 1.

QUESTION 278Observe the following information:

2005-07-29 10:20:20 system info 00536 Rejected an IKE packet on ethernet3 from 2.2.2.2:21 to 2.2.2.1:21 withcookies cfaf76fe7f73ae52 and57436be50cbe5372 because the peer senta proxy ID that did not match the onein the SA config.2005-07-29 10:20:20 system info 00536 IKE<2.2.2.2> Phase 2: No policy exists for the proxy ID received: localID(<192.168.1.1>/<255.255.255.255>, <0>,<0>) remote ID (<192.168.2.0>/<255.255.255.0>, <0>, <0>).The policy for the initiator is:src "192.168.2.0/24", dst "192.168.1.1/32", serv "ANY"The policy for the recipient is:src "192.168.1.0/24", dst "192.168.2.0/24", serv "ANY"Which of the below options could be used to correct this issue?

A. Change the dst for the initiator to be 192.168.1.0/24B. Change the src for the recipient to be 192.168.1.0/32C. Change the dst for the recipient to be 192.168.2.1/32D. Change the src for the initiator to be 192.168.2.1/32


Explanation/Reference:Explanation:In order for Phase 2 negotiations to be successful, both peers must exchange a matching proxy-ID. Aboveshows either the dst of the initiator can be changed to match the recipient, or the src of the recipient can bechanged to match the dst of the initiator.

QUESTION 279What is the default proxy-ID for a Route-based VPN?

A. It is dynamically derived from the policy.B. Route-based VPNs do not have a default proxy-ID. It must be specified.C. The source IP and destination IP of the first packet through the VPN.D. Any network.


Explanation/Reference:Explanation:Only Policy-based VPNs can automatically derive a proxy-ID from a security policy. Route-based VPN may notnecessary require the configuration of policies, the default proxy-ID does not exist and must be manuallyspecified.

QUESTION 280What must be configured on a Hub and Spoke VPN for it to be able to enforce policies?Select the 2 best answers.

A. Intrazone Blocking needs to be disabled.B. Intrazone Blocking needs to be enabled.C. All tunnels need to be in the same zone.

D. All tunnels need to be in different zones.E. You cannot enforce policies on a Hub and Spoke VPN.


Explanation/Reference:Explanation:It is possible to enforce security policies in a Hub and Spoke VPN environment if the tunnel interfaces eitherreside in different zones (which will then require a security policy for traffic to flow from one zone to the other) orfor Intrazone Blocking to be enabled (which will then require a security policy for traffic to flow within interfacesbound to the same zone).

QUESTION 281How many SNMP communities can be configured?

A. 8 communities with 3 members.B. 8 communities with 8 members.C. 3 communities with 8 members.D. 3 communities with 3 members.


Explanation/Reference:Explanation:Netscreen firewall can be configured up to 3 SNMP communities, each with 8 members.

QUESTION 282In what event log does a SYN flood event appear?

A. AlertB. CriticalC. EmergencyD. Attack


Explanation/Reference:SYN Floods and other critical attacks (such as Tear Drop attacks , Ping of Death attacks etc.. ) are recordedinto the emergency event log.

QUESTION 283Which command can be used to display an interface's hardware statistics?

A. get interface interface statisticsB. get counter statistics interface interfaceC. get counter interface interfaceD. get counter hardware interface interface

Correct Answer: B


Explanation/Reference:Explanation:Only this command can achieve this goal .

QUESTION 284How can remote management traffic be secured? Select the 3 best options.

A. Restrict which IP addresses can manage the firewall.B. Enable Screen options.C. Enable secure management options such as SSH and SSL.D. Assign a different IP address on the relevant interface for management.E. Configure an additional administrator.


Explanation/Reference:Explanation:In order to secure remote management traffic , you could restrict which IP addresses can manage the firewallwith Manager-IPs, use secure management protocols such as SSH and SSL and not use the IP address of theinterface.

QUESTION 285Which command could be used to determine the number of failed VLAN packets?

A. Get interface vlanB. Get eventC. Get counter flowD. Get counter policy


Explanation/Reference:Explanation:The get counter flow command includes a count for packets with incorrect VLAN tags.

QUESTION 286Which of the following is not a valid event log level?

A. alarmB. criticalC. emergencyD. debugging



The valid event log levels are: Emergency, Alert, Critical, Error, Warning, Notification, Information andDebugging.

QUESTION 287Which command can be issued to determine the enabled management methods for a given interface?

A. get interface interface manageB. get manage interface interfaceC. get interface interface managementD. get interface interface


Explanation/Reference:Explanation:The get interface interface command can displayed the management methods enabled and disabled for a giveninterface.

QUESTION 288What command can be used to clear all configured flow filters?

A. unset ffilter allB. It is not possible to clear all flow filtersC. unset ffilterD. clear ffilter


Explanation/Reference:Explanation:It is not possible to remove all flow filters at once.

QUESTION 289What command can be used to determine the DIP pool used for a given traffic flow?

A. get dipB. get eventC. get log policy policy-IDD. get session


Explanation/Reference:Explanation:The session table displays the DIP pool assigned to a given traffic session.

QUESTION 290Observe the following output:05375.0: 6(i):00b0d080b93e->0010db06eeb0/08001.1.1.100->2.1.1.1/6, tlen=48

vhl=45, id=7015, frag=4000, ttl=128ports 2459->23, seq=3821340563, ack=1024583351, flag=5010What can you determine from the output? Select the TWO best answers.

A. The packet is a SYN/ACK packetB. The traffic is outboundC. The VLAN tag is 45D. The interface in use is Ethernet3E. The packet has been fragmented


Explanation/Reference:Explanation:From the output, we can determine that the packet is actually an ACK packet (as it has an ACK number, but noSYN flag). We can also determine that the traffic is inbound (i) on the interface Ethernet4 (7 - 3 = 4). Thepacket has indeed been fragmented based on the fragment ID.

QUESTION 291Which of the following commands are invalid?

A. get dbuf streamB. clear dbufC. set dbuf size 65535D. set dbuf size 1024


Explanation/Reference:Explanation:It is not possible to set a debug buffer larger than 4096 Kbytes.

QUESTION 292Which debug command must be issued for flow filter events to appear in the debug buffer?

A. debug ffilterB. debug filterC. debug packetD. debug packet basic


Explanation/Reference:Explanation:In order to debug packets using flow filters, the debug packet basic command must also be issued.

QUESTION 293What is the maximum bandwidth setting used for in a policy? Select the TWO best options.

A. It is the bandwidth that can be allocated to a policy on top of the guaranteed bandwidth

B. It is the total bandwidth that can ever be allocated to a policyC. It is the bandwidth that can be allocated to a policy after all guaranteed bandwidth has been allocatedD. It is the dedicated amount of bandwidth allocated to a policyE. It determines the priority of the policy


Explanation/Reference:Explanation:The maximum bandwidth is the most bandwidth that can ever be assigned to a policy, and is allocated after allguaranteed bandwidth has first been allocated.

QUESTION 294What happens when you attempt to allocate more bandwidth to policies than the totalbandwidth configured for the interface?

A. An error will occur preventing you from assigning more bandwidth than what is availableB. No error will occur and the total bandwidth for the interface will be adjusted to equal the maximum amount

allocated to policiesC. No error will occur and any bandwidth which exceeds the total bandwidth for the interface will be droppedD. An error will occur and bandwidth management for all policies will be deactivated


Explanation/Reference:Explanation:The NetScreen firewall will not prevent you from allocating more bandwidth than the total bandwidth configuredfor the interface. However, when the interface total bandwidthis exceeded, the firewall will begin dropping traffic.

QUESTION 295Which command needs to be issued to enable IP-based classification?

A. set interface interface ip-classificationB. set zone zone ip-classificationC. set ip-classification enableD. set interface interface ip-classification enable


Explanation/Reference:Explanation:IP-based classification must be enabled on the shared zone that the interface is bound to.

QUESTION 296Which of the following cannot be created in a virtual system with a Virtual System write/read administrator?Select the TWO best options.

A. SubinterfaceB. Security policy

C. VPND. Virtual RouterE. Security zone


Explanation/Reference:Explanation:Virtual System write/read administrators can manage all aspects of a vsys but cannot create subinterfaces.Subinterfaces can only be created by a root administrator entering the vsys. When a vsys is created, a defaultvirtual router can be created for the vsys. It is not possible to configure any additional virtual routers for thevsys.

QUESTION 297What would be the outcome of traffic if both ingress and egress IP-classification matchedbut the interfaces were bound to different shared security zones?

A. The vsys associated with the ingress interface would process the trafficB. The vsys associated with the egress interface would process the trafficC. The root system would process the trafficD. The traffic would be dropped


Explanation/Reference:Explanation:NetScreen firewalls do not support intervsys communication for different shared security zones.

QUESTION 298Which of the following statements is NOT true? Select the TWO best answers.

A. All Virtual Systems share a global routing tableB. All vsys subinterfaces are in Route mode by defaultC. Each virtual system has its own routing tableD. A virtual system cannot be configured to use both IP-based and VLAN based classification at the same timeE. VLAN-based classification is more secure than IP -based classification


Explanation/Reference:Explanation:All Subinterfaces created in a vsys are in NAT mode by default. It is possible, and in fact, quite common toconfigure two interfaces of a vsys with one in IP -based classification (shared) and the other in VLAN-basedclassification mode.

QUESTION 299How many administrators would be required to enable routing between six different vsys in route mode?

A. Just the root system administratorB. The root system administrator and all six vsys administrators

C. Just the six vsys administratorsD. No administrators


Explanation/Reference:Explanation:No administrators are required to configure routing between Virtual Systems in route mode as the routes areadded into the global routing table automatically.

QUESTION 300How can you ensure that two cluster members will not both try to become the master of a cluster?

A. Leave one cluster member disconnected until it is required to become activeB. Use the preempt optionC. Ensure that both devices are the same modelsD. Set both firewalls to the same priority


Explanation/Reference:Explanation:The preempt option allows a device to be configured as master of a VSD group by default. When it becomesactive again, it will regain master status without being contested.


juniper jn0-531 exam questions & answers · 6/3/2014 · this device will always be master in...

Documents