juniper jncis jsec jn0 332

Upload: nblount

Post on 02-Jun-2018


  • 8/10/2019 Juniper Jncis Jsec Jn0 332


    1. [A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to 2.1.1.1. On which port is the IKE SA established?

    A. TCP 500

    B. UDP 500

    C. TCP 4500

    D. UDP 4500

    D. UDP 4500

    2. After applying the policy-rematch statement under the security policies stanza, what would happen to an existing flow if the policy source address or the destination address is changed and committed?

    A. The Junos OS drops any flow that does not match the source address or destination address.

    B. All traffic is dropped.

    C. All existing sessions continue.

    D. The Junos OS does a policy re-evaluation.

    D. The Junos OS does a policy re-evaluation.

    3. Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)

    A. integrated Web filtering

    B. full AV

    C. IPS

    D. local Web filtering

    B. full AV

    C. IPS

    4. Assume the default-policy has not been configured. Given the configuration shown in the exhibit, which two statements about traffic from host_a in the HR zone to host_b in the trust zone are true? (Choose two.)

    A. DNS traffic is denied.

    B. HTTP traffic is denied.

    C. FTP traffic is permitted.

    D. SMTP traffic is permitted.

    A. DNS traffic is denied.

    C. FTP traffic is permitted.

    5. At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured? (Choose two.)

    A. [edit security idp]

    B. [edit security zones security-zone trust interfaces ge-0/0/0.0]

    C. [edit security zones security-zone trust]

    D. [edit security screen]

    B. [edit security zones security-zone trust interfaces ge-0/0/0.0]

    C. [edit security zones security-zone trust]

    Juniper JNCIS-JSEC JN0-332. Study online at quizlet.com/_7n45z


    6. By default, how is traffic evaluated when the antivirus database update is in progress?

    A. Traffic is scanned against the old database.

    B. Traffic is scanned against the existing portion of the currently downloaded database.

    C. All traffic that requires antivirus inspection is dropped and a log message generated displaying the traffic endpoints.

    D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log message generated displaying the traffic endpoints.

    D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log message generated displaying the traffic endpoints.

    7. Content filtering enables traffic to be permitted or blocked based on inspection of which three types of content? (Choose three.)

    A. MIME pattern

    B. file extension

    C. IP spoofing

    D. POP3

    E. protocol command

    A. MIME pattern

    B. file extension

    E. protocol command

    8. For which network anomaly does Junos provide a SCREEN?

    A. a telnet to port 80

    B. a TCP packet with the SYN and ACK flags set

    C. an SNMP getnext request

    D. an ICMP packet larger than 1024 bytes

    D. an ICMP packet larger than 1024 bytes

    9. Given the configuration shown in the exhibit, which configuration object would be used to associate both Nancy and Walter with firewall user authentication within a security policy?

    A. ftp-group

    B. ftp-users

    C. firewall-user

    D. nancy and walter

    A. ftp-group

    10. Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with the device on ge-0/0/0.0?

    A. RIP

    B. OSPF

    C. BGP and RIP

    D. RIP and PIM

    A. RIP


    11. Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host B. These connections are the only communication between Host A and Host B. The security policy configuration permits both connections. How many sessions exist between Host A and Host B?

    A. 1

    B. 2

    C. 3

    D. 4

    B. 2

    12. How do you apply UTM enforcement to security policies on the branch SRX series?

    A. UTM profiles are applied on a security policy by policy basis.

    B. UTM profiles are applied at the global policy level.

    C. Individual UTM features like anti-spam or anti-virus are applied directly on a security policy by policy basis.

    D. Individual UTM features like anti-spam or anti-virus are applied directly at the global policy level.

    A. UTM profiles are applied on a security policy by policy basis.

    13. How many IDP policies can be active at one time on an SRX Series device by means of the set security idp active-policy configuration statement?

    A. 1

    B. 2

    C. 4

    D. 8

    A. 1


    14. If both nodes in a chassis cluster initialize at different times, which configuration example will allow you to ensure that the node with the higher priority will become primary for your RGs other than RG0?

    A. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; preempt; }

    B. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; monitoring; }

    C. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; control-link-recovery; }

    D. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; strict-priority; }

    A. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; preempt; }

    15. In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?

    A. This interface is a system-created interface.

    B. This interface belongs to node 0 of the cluster.

    C. This interface belongs to node 1 of the cluster.

    D. This interface will not exist because SRX 5800 devices have only 12 slots.

    C. This interface belongs to node 1 of the cluster.


    16. In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from the match condition of the policy MyTraffic. What will happen to the existing FTP and BGP sessions?

    A. The existing FTP and BGP sessions will continue.

    B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be dropped.

    C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.

    D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.

    B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be dropped.

    17. In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still allowed. Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated before your Allow policy?

    A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow

    B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow

    C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow

    D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet

    A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow

    18. In the exhibit, what is the function of the configuration statements?

    A. This section is where you define all chassis clustering configuration.

    B. This configuration is required for members of a chassis cluster to talk to each other.

    C. You can apply this configuration in the chassis cluster to make configuration easier.

    D. This section is where unique node configuration is applied.

    D. This section is where unique node configuration is applied.

    19. In the exhibit, you decided to change myHosts addresses. What will happen to the new sessions matching the policy and in-progress sessions that had already matched the policy?

    A. New sessions will be evaluated. In-progress sessions will be re-evaluated.

    B. New sessions will be evaluated. All in-progress sessions will continue.

    C. New sessions will be evaluated. All in-progress sessions will be dropped.

    D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will be re-evaluated and possibly dropped.

    A. New sessions will be evaluated. In-progress sessions will be re-evaluated.

    20. In the Junos OS, which statement is true?

    A. vlan.0 belongs to the untrust zone.

    B. You must configure Web authentication to allow inbound traffic in the untrust zone.

    C. The zone name "untrust" has no special meaning.

    D. The untrust zone is not configurable.

    C. The zone name "untrust" has no special meaning.

    21. Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your device. You must use NAT to make the Web server reachable from the Internet using port translation. Which type of NAT must you configure?

    A. source NAT with address shifting

    B. pool-based source NAT

    C. static destination NAT

    D. pool-based destination NAT

    D. pool-based destination NAT

    22. An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using DHCP. Which two statements are true? (Choose two.)

    A. Only main mode can be used for IKE negotiation.

    B. A local-identity must be defined.

    C. It must be the initiator for IKE.

    D. A remote-identity must be defined.

    B. A local-identity must be defined.

    C. It must be the initiator for IKE.

    23. The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web filtering is being used?

    A. redirect Web filtering

    B. integrated Web filtering

    C. categorized Web filtering

    D. local Web filtering

    A. redirect Web filtering

    24. The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web filtering on the branch SRX device is fully executed within the device itself?

    A. redirect Web filtering

    B. integrated Web filtering

    C. blacklist Web filtering

    D. local Web filtering

    D. local Web filtering

    25. The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web filtering is being used?

    A. redirect Web filtering

    B. integrated Web filtering

    C. categorized Web filtering

    D. local Web filtering

    B. integrated Web filtering

    26. A network administrator has configured source NAT, translating to an address that is on a locally connected subnet. The administrator sees the translation working, but traffic does not appear to come back. What is causing the problem?

    A. The host needs to open the telnet port.

    B. The host needs a route for the translated address.

    C. The administrator must use a proxy-arp policy for the translated address.

    D. The administrator must use a security policy, which will allow communication between the zones.

    C. The administrator must use a proxy-arp policy for the translated address.

    27. A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The administrator must also disable NAT for any traffic destined to the 202.2.10.0/24 network. Which configuration would accomplish this task?

    A. [edit security nat source rule-set test] user@host# show from zone trust; to zone untrust; rule A { match { source-address 202.2.10.0/24; } then { source-nat { pool { A; } } } } rule B { match { destination-address 10.0.0.0/8; } then { source-nat { off; } } }

    B. [edit security nat source] user@host# show rule-set test from zone trust; to zone untrust; rule 1 { match { destination-address 202.2.10.0/24; } then { source-nat { off; } } } rule 2 { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } }

    C. [edit security nat source rule-set test] user@host# show from zone trust; to zone untrust; rule A { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } } rule B { match { destination-address 202.2.10.0/24; } then { source-nat { off; } } }

    D. [edit security nat source rule-set test] user@host# show from zone trust; to zone untrust; rule A { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } }

    B. [edit security nat source] user@host# show rule-set test from zone trust; to zone untrust; rule 1 { match { destination-address 202.2.10.0/24; } then { source-nat { off; } } } rule 2 { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } }

    28. A network administrator receives complaints from the engineering group that an application on one server is not working properly. After further investigation, the administrator determines that source NAT translation is using a different source address after a random number of flows. Which two actions can the administrator take to force the server to use one address? (Choose two.)

    A. Use the custom application feature.

    B. Configure static NAT for the host.

    C. Use port address translation (PAT).

    D. Use the address-persistent option.

    B. Configure static NAT for the host.

    D. Use the address-persistent option.

    29. A network administrator receives complaints that the application voicecube is timing out after being idle for 30 minutes. Referring to the exhibit, what is a resolution?

    A. [edit] user@host# set applications application voicecube inactivity-timeout never

    B. [edit] user@host# set applications application voicecube inactivity-timeout 2

    C. [edit]-

    D. [edit] user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never

    A. [edit] user@host# set applications application voicecube inactivity-timeout never

    30. A network administrator repeatedly receives support calls about network issues. After investigating the issues, the administrator finds that the source NAT pool is running out of addresses. To be notified that the pool is close to exhaustion, what should the administrator configure?

    A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.

    B. Use a trap-group with a category of services under the SNMP stanza.

    C. Use an external script that will run a show command on the SRX Series device to see when the pool is close to exhaustion.

    D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.

    A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.

    31. A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST. However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone. Which configuration statement would correctly accomplish this task?

    A. from-zone UNTRUST to-zone TRUST { policy DenyServer { match { source-address any; destination-address any; application any; } then { deny; } } } from-zone TRUST to-zone UNTRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }

    B. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { deny; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }

    C. from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-ftp; } then { permit; } } }

    D. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { permit; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }

    B. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { deny; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }

    32. On which component is the control plane implemented?

    A. IOC

    B. PIM

    C. RE

    D. SPC

    C. RE


    33. Referring to the exhibit, which statement contains the correct gateway parameters?

    A. [edit security ike] user@host# show gateway ike-phase1-gateway { policy ike-policy1; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }

    B. [edit security ike] user@host# show gateway ike-phase1-gateway { ike-policy ike-policy1; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }

    C. [edit security ike] user@host# show gateway ike-phase1-gateway { policy ike1-policy; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }

    D. [edit security ike] user@host# show gateway ike-phase1-gateway { ike-policy ike1-policy; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }

    B. [edit security ike] user@host# show gateway ike-phase1-gateway { ike-policy ike-policy1; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }

    34. Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10. What is causing the problem?

    A. Telnet is not being permitted by self policy.

    B. Telnet is not being permitted by security policy.

    C. Telnet is not allowed because it is not considered secure.

    D. Telnet is not enabled as a host-inbound service on the zone.

    D. Telnet is not enabled as a host-inbound service on the zone.

    35. Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)

    A. protocol list

    B. MIME

    C. block list

    D. extension

    B. MIME

    D. extension

    36. Regarding fast path processing, when does the system perform the policy check?

    A. The policy is determined after the SCREEN options check.

    B. The policy is determined only during the first packet path, not during fast path.

    C. The policy is determined after the zone check.

    D. The policy is determined after the SYN TCP flag.

    B. The policy is determined only during the first packet path, not during fast path.

    37. The same Web site is visited for the second time using a branch SRX Series Services Gateway configured with SurfControl integrated Web filtering. Which statement is true?

    A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server provides the SRX with a category of the URL.

    B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server asks the SRX device to permit the URL as it has been previously visited.

    C. The SRX device looks at its local cache to find the category of the URL.

    D. The SRX device does not perform any Web filtering operation as the Web site has already been visited.

    C. The SRX device looks at its local cache to find the category of the URL.

    38. The SRX device receives a packet and determines that it does not match an existing session. After SCREEN options are evaluated, what is evaluated next?

    A. source NAT

    B. destination NAT

    C. route lookup

    D. zone lookup

    B. destination NAT

    39. A system administrator detects thousands of open idle connections from the same source. Which problem can arise from this type of attack?

    A. It enables an attacker to perform an IP sweep of devices.

    B. It enables a hacker to know which operating system the system is running.

    C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.

    D. It creates a ping of death and can cause the entire network to be infected with a virus.

    C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.

    40. System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device. Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)

    A. A user can use SSH to interface ge-0/0/0.0 and ge-0/0/1.0.

    B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.

    C. A user can use SSH to interface ge-0/0/0.0.

    D. A user can use SSH to interface ge-0/0/1.0.

    B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.

    C. A user can use SSH to interface ge-0/0/0.0.

    41. To determine whether a particular file has a virus by only inspecting a few initial packets before receiving the entire file, which UTM feature do you enable?

    A. URL white lists

    B. intelligent pre-screening

    C. trickling

    D. scan mode extensions

    B. intelligent pre-screening

    42. Under which Junos hierarchy level are security policies configured?

    A. [edit security]

    B. [edit protocols]

    C. [edit firewall]

    D. [edit policy-options]

    A. [edit security]

    43. A user wants to establish an FTP session to a server behind an SRX device but must authenticate to a Web page on the SRX device for additional authentication. Which type of user authentication is configured?

    A. pass-through

    B. WebAuth

    C. WebAuth with Web redirect

    D. pass-through with Web redirect

    B. WebAuth

    44. A user wants to establish an HTTP session to a server behind an SRX device but is being pointed to a Web page on the SRX device for additional authentication. Which type of user authentication is configured?

    A. pass-through with Web redirect

    B. WebAuth with HTTP redirect

    C. WebAuth

    D. pass-through

    D. pass-through

    45. Using a policy with the policy-rematch flag enabled, what happens to the existing and new sessions when you change the policy action from permit to deny?

    A. The new sessions matching the policy are denied. The existing sessions are dropped.

    B. The new sessions matching the policy are denied. The existing sessions, not being allowed to carry any traffic, simply timeout.

    C. The new sessions matching the policy might be allowed through if they match another policy. The existing sessions are dropped.

    D. The new sessions matching the policy are denied. The existing sessions continue until they are completed or their timeout is reached.

    A. The new sessions matching the policy are denied. The existing sessions are dropped.

    46. What are three configuration objects used to build Junos IDP rules? (Choose three.)

    A. zone objects

    B. policy objects

    C. attack objects

    D. alert and notify objects

    E. network and address objects

    A. zone objects

    C. attack objects

    E. network and address objects

    47. What are three different integrated UTM components available on the branch SRX Series devices? (Choose three.)

    A. antivirus (full AV, express AV)

    B. antivirus (desktop AV)

    C. Web filtering

    D. antispam

    E. firewall user authentication

    A. antivirus (full AV, express AV)

    C. Web filtering

    D. antispam

    48. What are three valid Juniper Networks IPS attack object types? (Choose three.)

    A. signature

    B. anomaly

    C. trojan

    D. virus

    E. chain

    A. signature

    B. anomaly

    E. chain

    49. What are two components of the Junos software architecture? (Choose two.)

    A. Linux kernel

    B. routing protocol daemon

    C. session-based forwarding module

    D. separate routing and security planes

    B. routing protocol daemon

    C. session-based forwarding module

    50. What are two rulebase types within an IPS policy on an SRX Series device? (Choose two.)

    A. rulebase-ips

    B. rulebase-ignore

    C. rulebase-idp

    D. rulebase-exempt

    A. rulebase-ips

    D. rulebase-exempt

    51. What are two TCP flag settings that are considered suspicious? (Choose two.)

    A. Do-Not-Fragment flag is set.

    B. Both SYN and FIN flags are set.

    C. Both ACK and PSH flags are set.

    D. FIN flag is set and ACK flag is not set.

    B. Both SYN and FIN flags are set.

    D. FIN flag is set and ACK flag is not set.

    52. What are two valid reasons for the output shown in the exhibit? (Choose two.)

    A. The local Web-filtering daemon is not enabled or is not running.

    B. The integrated Web-filtering policy server is not reachable.

    C. No DNS is configured on the SRX Series device.

    D. No security policy is configured to use Web filtering.

    B. The integrated Web-filtering policy server is not reachable.

    C. No DNS is configured on the SRX Series device.

    53. What is the correct syntax for applying node-specific parameters to each node in a chassis cluster?

    A. set apply-groups node$

    B. set apply-groups (node)

    C. set apply-groups $(node)

    D. set apply-groups (node)all

    C. set apply-groups $(node)

    54. What is the default session timeout for TCP sessions?

    A. 1 minute

    B. 15 minutes

    C. 30 minutes

    D. 90 minutes

    C. 30 minutes

    55. What is the default session timeout for UDP sessions?

    A. 30 seconds

    B. 1 minute

    C. 5 minutes

    D. 30 minutes

    B. 1 minute

    56. What is the functionality of redundant interfaces (reth) in a chassis cluster?

    A. reth interfaces are used only for VRRP.

    B. reth interfaces are the same as physical interfaces.

    C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.

    D. Each cluster member has a reth interface that can be used to share session state information with the other cluster members.

    C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.

    57. What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can decompress for the HTTP protocol?

    A. 1

    B. 4

    C. 8

    D. 16

    B. 4

    58. What is the maximum number of layers of decompression that juniper-express-engine (express AV) can decompress for the HTTP protocol?

    A. 0

    B. 1

    C. 4

    D. 8

    B. 1

    59. What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?

    A. whitelists, blacklists, SurfControl categories

    B. blacklists, whitelists, SurfControl categories

    C. SurfControl categories, whitelists, blacklists

    D. SurfControl categories, blacklists, whitelists

    B. blacklists, whitelists, SurfControl categories

    60. What is the purpose of a chassis cluster?

    A. Chassis clusters are used to aggregate routes.

    B. Chassis clusters are used to create aggregate interfaces.

    C. Chassis clusters are used to group two chassis into one logical chassis.

    D. Chassis clusters are used to group all interfaces into one cluster interface.

    C. Chassis clusters are used to group two chassis into one logical chassis.

    61. When an SRX series device receives an ESP packet, what happens?

    A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.

    B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.

    C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the packet.

    D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the packet.

    C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the packet.

    62. When using UTM features in an HA cluster, which statement is true for installing the licenses on the cluster members?

    A. One UTM cluster license will activate UTM features on both members.

    B. Each device will need a UTM license generated for its serial number.

    C. Each device will need a UTM license generated for the cluster, but licenses can be applied to either member.

    D. HA clustering automatically comes with UTM licensing, no additional actions are needed.

    B. Each device will need a UTM license generated for its serial number.

    63. Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?

    A. express AV

    B. full AV

    C. desktop AV

    D. ICAP

    B. full AV

    64. Which CLI command do you use to block MIME content at the [edit security utm feature-profile] hierarchy?

    A. set content-filtering profile permit-command block-mime

    B. set content-filtering profile block-mime

    C. set content-filtering block-content-type block-mime

    D. set content-filtering notifications block-mime

    B. set content-filtering profile block-mime

    65. Which CLI command provides a summary of what the content-filtering engine has blocked?

    A. show security utm content-filtering statistics

    B. show security flow session

    C. show security flow statistics

    D. show security utm content-filtering summary

    A. show security utm content-filtering statistics

    66. Which command do you use to display the status of an antivirus database update?

    A. show security utm anti-virus status

    B. show security anti-virus database status

    C. show security utm anti-virus database

    D. show security utm anti-virus update

    A. show security utm anti-virus status

    67. Which command do you use to manually remove antivirus patterns?

    A. request security utm anti-virus juniper-express-engine pattern-delete

    B. request security utm anti-virus juniper-express-engine pattern-reload

    C. request security utm anti-virus juniper-express-engine pattern-remove

    D. delete security utm anti-virus juniper-express-engine antivirus-pattern

    A. request security utm anti-virus juniper-express-engine pattern-delete

    68. Which command is needed to change this policy to a tunnel policy for a policy-based VPN?

    A. set policy tunnel-traffic then tunnel remote-vpn

    B. set policy tunnel-traffic then permit tunnel remote-vpn

    C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit

    D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

    D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

    69. Which command shows the event and traceoptions file for chassis clusters?

    A. show log chassisd

    B. show log clusterd

    C. show log jsrpd

    D. show log messages

    C. show log jsrpd

    70. Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID to 1 and node to 0?

    A. user@host# set chassis cluster cluster-id 1 node 0 reboot

    B. user@host> set chassis cluster id 1 node 0 reboot

    C. user@host> set chassis cluster cluster-id 1 node 0 reboot

    D. user@host# set chassis cluster id 1 node 0 reboot

    C. user@host> set chassis cluster cluster-id 1 node 0 reboot

    71. Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?

    A. policy-rematch

    B. policy-evaluate

    C. rematch-policy

    D. evaluate-policy

    A. policy-rematch

    72. Which configuration shows a pool-based source NAT without PAT?

    A. [edit security nat source]
       user@host# show
       pool A {
           address {
               207.17.137.1/32 to 207.17.137.254/32;
           }
       }
       rule-set 1A {
           from zone trust;
           to zone untrust;
           rule 1 {
               match {
                   source-address 10.1.10.0/24;
               }
               then {
                   source-nat pool A;
                   port no-translation;
               }
           }
       }

    B. [edit security nat source]
       user@host# show
       pool A {
           address {
               207.17.137.1/32 to 207.17.137.254/32;
           }
           overflow-pool interface;
       }
       rule-set 1A {
           from zone trust;
           to zone untrust;
           rule 1 {
               match {
                   source-address 10.1.10.0/24;
               }
               then {
                   source-nat pool A;
                   port no-translation;
               }
           }
       }

    C. [edit security nat source]
       user@host# show
       pool A {
           address {
               207.17.137.1/32 to 207.17.137.254/32;
           }
           port no-translation;
       }
       rule-set 1A {
           from zone trust;
           to zone untrust;
           rule 1 {
               match {
                   source-address 10.1.10.0/24;
               }
               then {
                   source-nat pool A;
               }
           }
       }

    D. [edit security nat source]
       user@host# show
       pool A {
           address {
               207.17.137.1/32 to 207.17.137.254/32;
           }
           overflow-pool interface;
       }
       rule-set 1A {
           from zone trust;
           to zone untrust;
           rule 1 {
               match {
                   source-address 10.1.10.0/24;
               }
               then {
                   source-nat pool A;
               }
           }
       }

    C. [edit security nat source]
       user@host# show
       pool A {
           address {
               207.17.137.1/32 to 207.17.137.254/32;
           }
           port no-translation;
       }
       rule-set 1A {
           from zone trust;
           to zone untrust;
           rule 1 {
               match {
                   source-address 10.1.10.0/24;
               }
               then {
                   source-nat pool A;
               }
           }
       }

    73. Which configuration shows the correct application of a security policy scheduler?

    A. [edit security policies from-zone Private to-zone External]
       user@host# show
       policy allowTransit {
           match {
               source-address PrivateHosts;
               destination-address ExtServers;
               application ExtApps;
           }
           then {
               permit {
                   tunnel {
                       ipsec-vpn myTunnel;
                   }
                   scheduler-name now;
               }
           }
       }

    B. [edit security policies from-zone Private to-zone External]
       user@host# show
       policy allowTransit {
           match {
               source-address PrivateHosts;
               destination-address ExtServers;
               application ExtApps;
           }
           then {
               permit {
                   tunnel {
                       ipsec-vpn myTunnel;
                   }
               }
           }
           scheduler-name now;
       }

    C. [edit security policies from-zone Private to-zone External]
       user@host# show
       policy allowTransit {
           match {
               source-address PrivateHosts;
               destination-address ExtServers;
               application ExtApps;
           }
           then {
               permit {
                   tunnel {
                       ipsec-vpn myTunnel;
                       scheduler-name now;
                   }
               }
           }
       }

    D. [edit security policies from-zone Private to-zone External]
       user@host# show
       policy allowTransit {
           match {
               source-address PrivateHosts;
               destination-address ExtServers;
               application ExtApps;
               scheduler-name now;
           }
           then {
               permit {
                   tunnel {
                       ipsec-vpn myTunnel;
                   }
               }
           }
           scheduler-name now;
       }

    B. [edit security policies from-zone Private to-zone External]
       user@host# show
       policy allowTransit {
           match {
               source-address PrivateHosts;
               destination-address ExtServers;
               application ExtApps;
           }
           then {
               permit {
                   tunnel {
                       ipsec-vpn myTunnel;
                   }
               }
           }
           scheduler-name now;
       }

    74. Which element occurs first during the first-packet-path processing?

    A. destination NAT

    B. forwarding lookup

    C. route lookup

    D. SCREEN options

    D. SCREEN options

    75. Which encryption type is used to secure user data in an IPsec tunnel?

    A. symmetric key encryption

    B. asymmetric key encryption

    C. RSA

    D. digital certificates

    A. symmetric key encryption

    76. Which IDP policy action closes the connection and sends an RST packet to both the client and the server?

    A. close-connection

    B. terminate-connection

    C. close-client-and-server

    D. terminate-session

    C. close-client-and-server

    77. Which interface is used for RTO synchronization and forwarding traffic between the devices in a cluster?

    A. the st interface

    B. the reth interface

    C. the fxp1 and fxp0 interfaces

    D. the fab0 and fab1 interfaces

    D. the fab0 and fab1 interfaces

    78. Which parameters are valid SCREEN options for combating operating system probes?

    A. syn-fin, syn-flood, and tcp-no-frag

    B. syn-fin, port-scan, and tcp-no-flag

    C. syn-fin, fin-no-ack, and tcp-no-frag

    D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag

    C. syn-fin, fin-no-ack, and tcp-no-frag

    79. Which security or functional zone name has special significance to the Junos OS?

    A. self

    B. trust

    C. untrust

    D. junos-global

    D. junos-global

    80. Which statement contains the correct parameters for a route-based IPsec VPN?

    A. [edit security ipsec]
       user@host# show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           interface ge-0/0/1.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

    B. [edit security ipsec]
       user@host# show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           interface st0.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

    C. [edit security ipsec]
       user@host# show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           bind-interface ge-0/0/1.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

    D. [edit security ipsec]
       user@host# show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           bind-interface st0.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

    D. [edit security ipsec]
       user@host# show
       proposal ike1-proposal {
           protocol esp;
           authentication-algorithm hmac-md5-96;
           encryption-algorithm 3des-cbc;
           lifetime-seconds 3200;
       }
       policy ipsec1-policy {
           perfect-forward-secrecy {
               keys group2;
           }
           proposals ike1-proposal;
       }
       vpn VpnTunnel {
           bind-interface st0.0;
           ike {
               gateway ike1-gateway;
               ipsec-policy ipsec1-policy;
           }
           establish-tunnels immediately;
       }

    81. Which statement describes a security zone?

    A. A security zone can contain one or more interfaces.

    B. A security zone can contain interfaces in multiple routing instances.

    C. A security zone must contain two or more interfaces.

    D. A security zone must contain bridge groups.

    A. A security zone can contain one or more interfaces.

    82. Which statement describes an ALG?

    A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic.

    B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.

    C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.

    D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.

    B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.

    83. Which statement describes the behavior of source NAT with address shifting?

    A. Source NAT with address shifting translates both the source IP address and the source port of a packet.

    B. Source NAT with address shifting defines a one-to-one mapping from an original source IP address to a translated source IP address.

    C. Source NAT with address shifting can translate multiple source IP addresses to the same translated IP address.

    D. Source NAT with address shifting allows inbound connections to be initiated to the static source pool IP addresses.

    B. Source NAT with address shifting defines a one-to-one mapping from an original source IP address to a translated source IP address.

    84. Which statement describes the UTM licensing model?

    A. Install the license key and all UTM features will be enabled for the life of the product.

    B. Install one license key per feature and the license key will be enabled for the life of the product.

    C. Install one UTM license key, which will activate all UTM features; the license will need to be renewed when it expires.

    D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they expire.

    D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they expire.

    85. Which statement is correct about HTTP trickling?

    A. It prevents the HTTP client or server from timing-out during an antivirus update.

    B. It prevents the HTTP client or server from timing-out during antivirus scanning.

    C. It is an attack.

    D. It is used to bypass antivirus scanners.

    B. It prevents the HTTP client or server from timing-out during antivirus scanning.

    86. Which statement is true about a NAT rule action of off?

    A. The NAT action of off is only supported for destination NAT rule-sets.

    B. The NAT action of off is only supported for source NAT rule-sets.

    C. The NAT action of off is useful for detailed control of NAT.

    D. The NAT action of off is useful for disabling NAT when a pool is exhausted.

    C. The NAT action of off is useful for detailed control of NAT.

    87. Which statement is true about SurfControl integrated Web filter solution?

    A. The SurfControl server in the cloud provides the SRX device with the category of the URL as well as the reputation of the URL.

    B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.

    C. The SurfControl server in the cloud provides the SRX device with only the reputation of the URL.

    D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny the URL.

    B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.

    88. Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?

    A. A session key value is exchanged across the network.

    B. A session key never passes across the network.

    C. A session key is used as the key for asymmetric data encryption.

    D. A session key is used as the key for symmetric data encryption.

    B. A session key never passes across the network.

    89. Which statement is true regarding IPsec VPNs?

    A. There are five phases of IKE negotiation.

    B. There are two phases of IKE negotiation.

    C. IPsec VPN tunnels are not supported on SRX Series devices.

    D. IPsec VPNs require a tunnel PIC in SRX Series devices.

    B. There are two phases of IKE negotiation.

    90. Which statement is true regarding NAT?

    A. NAT is not supported on SRX Series devices.

    B. NAT requires special hardware on SRX Series devices.

    C. NAT is processed in the control plane.

    D. NAT is processed in the data plane.

    D. NAT is processed in the data plane.

    91. Which statement is true regarding the Junos OS for security platforms?

    A. SRX Series devices can store sessions in a session table.

    B. SRX Series devices accept all traffic by default.

    C. SRX Series devices must operate only in packet-based mode.

    D. SRX Series devices must operate only in flow-based mode.

    A. SRX Series devices can store sessions in a session table.

    92. Which statement is true when express AV detects a virus in TCP session?

    A. TCP RST is sent and a session is restarted.

    B. TCP connection is closed gracefully and the data content is dropped.

    C. TCP traffic is allowed and an SNMP trap is sent.

    D. AV scanning is restarted.

    B. TCP connection is closed gracefully and the data content is dropped.

    93. Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)

    A. It can drop the connection at the IP address level.

    B. It can block the e-mail based upon the sender ID.

    C. It can allow the e-mail and bypass all UTM inspection.

    D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail address.

    E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.

    A. It can drop the connection at the IP address level.

    B. It can block the e-mail based upon the sender ID.

    E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.

    94. Which three advanced permit actions within security policies are valid? (Choose three.)

    A. Mark permitted traffic for firewall user authentication.

    B. Mark permitted traffic for SCREEN options.

    C. Associate permitted traffic with an IPsec tunnel.

    D. Associate permitted traffic with a NAT rule.

    E. Mark permitted traffic for IDP processing.

    A. Mark permitted traffic for firewall user authentication.

    C. Associate permitted traffic with an IPsec tunnel.

    E. Mark permitted traffic for IDP processing.

    95. Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)

    A. an antispam license

    B. DNS servers configured on the SRX Series device

    C. SMTP services on SRX

    D. a UTM profile with an antispam configuration in the appropriate security policy

    E. antivirus (full or express)

    A. an antispam license

    B. DNS servers configured on the SRX Series device

    D. a UTM profile with an antispam configuration in the appropriate security policy

    96. Which three components can be leveraged when defining a local whitelist or blacklist for antispam on a branch SRX Series device? (Choose three.)

    A. spam assassin filtering score

    B. sender country

    C. sender IP address

    D. sender domain

    E. sender e-mail address

    C. sender IP address

    D. sender domain

    E. sender e-mail address

    97. Which three contexts can be used as matching conditions in a source NAT configuration? (Choose three.)

    A. routing-instance

    B. zone

    C. interface

    D. policy

    E. rule-set

    A. routing-instance

    B. zone

    C. interface

    98. Which three features are part of the branch SRX series UTM suite? (Choose three.)

    A. antispam

    B. antivirus

    C. IPS

    D. application firewalling

    E. Web filtering

    A. antispam

    B. antivirus

    E. Web filtering

    99. Which three firewall user authentication objects can be referenced in a security policy? (Choose three.)

    A. access profile

    B. client group

    C. client

    D. default profile

    E. external

    A. access profile

    B. client group

    C. client

    100. Which three functions are provided by the Junos OS for security platforms? (Choose three.)

    A. VPN establishment

    B. stateful ARP lookups

    C. Dynamic ARP inspection

    D. Network Address Translation

    E. inspection of packets at higher levels (Layer 4 and above)

    A. VPN establishment

    D. Network Address Translation

    E. inspection of packets at higher levels (Layer 4 and above)

    101. Which three methods of source NAT does the Junos OS support? (Choose three.)

    A. interface-based source NAT

    B. source NAT with address shifting

    C. source NAT using static source pool

    D. interface-based source NAT without PAT

    E. source NAT with address shifting and PAT

    A. interface-based source NAT

    B. source NAT with address shifting

    C. source NAT using static source pool

    102. Which three options represent IDP policy match conditions? (Choose three.)

    A. service

    B. to-zone

    C. attacks

    D. port

    E. destination-address

    B. to-zone

    C. attacks

    E. destination-address

    103. Which three parameters are configured in the IKE policy? (Choose three.)

    A. mode

    B. preshared key

    C. external interface

    D. security proposals

    E. dead peer detection settings

    A. mode

    B. preshared key

    D. security proposals

    104. Which three represent IDP policy match conditions? (Choose three.)

    A. protocol

    B. source-address

    C. port

    D. application

    E. attacks

    B. source-address

    D. application

    E. attacks

    105. Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)

    A. data integrity

    B. data confidentiality

    C. data authentication

    D. outer IP header confidentiality

    E. outer IP header authentication

    A. data integrity

    C. data authentication

    E. outer IP header authentication

    106. Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP? (Choose three.)

    A. data integrity

    B. data confidentiality

    C. data authentication

    D. outer IP header confidentiality

    E. outer IP header authentication

    A. data integrity

    B. data confidentiality

    C. data authentication

    107. Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device has been properly configured with antispam inspection enabled for the appropriate security policy? (Choose three.)

    A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.

    B. The server sending the e-mail to the SRX Series device is running unknown SMTP server software.

    C. The server sending the e-mail to the SRX Series device is on an IP address range that is known to be dynamically assigned.

    D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.

    E. The server sending the e-mail to the SRX Series device is a known spammer IP address.

    A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.

    C. The server sending the e-mail to the SRX Series device is on an IP address range that is known to be dynamically assigned.

    E. The server sending the e-mail to the SRX Series device is a known spammer IP address.

    108. Which three statements are true regarding IDP? (Choose three.)

    A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.

    B. IDP inspects traffic up to the Application Layer.

    C. IDP searches the data stream for specific attack patterns.

    D. IDP inspects traffic up to the Presentation Layer.

    E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.

    B. IDP inspects traffic up to the Application Layer.

    C. IDP searches the data stream for specific attack patterns.

    E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.

    109. Which three statements are true when working with high-availability clusters? (Choose three.)

    A. The valid cluster-id range is between 0 and 255.

    B. Junos OS security devices can belong to more than one cluster if cluster virtualization is enabled.

    C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.

    D. A reboot is required if the cluster-id or node value is changed.

    E. Junos OS security devices can belong to one cluster only.

    C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.

    D. A reboot is required if the cluster-id or node value is changed.

    E. Junos OS security devices can belong to one cluster only.

    110. Which three types of content filtering are supported only for HTTP? (Choose three.)

    A. block Flash

    B. block Java applets

    C. block ActiveX

    D. block EXE files

    E. block MIME type

    B. block Java applets

    C. block ActiveX

    D. block EXE files

    111. Which two content-filtering features does FTP support? (Choose two.)

    A. block extension list

    B. block MIME type

    C. protocol command list

    D. notifications-options

    A. block extension list

    C. protocol command list

    112. Which two functions of the Junos OS are handled by the data plane? (Choose two.)

    A. NAT

    B. OSPF

    C. SNMP

    D. SCREEN options

    A. NAT

    D. SCREEN options

    113. Which two packet attributes contribute to the identification of a session? (Choose two.)

    A. destination port

    B. TTL

    C. IP options

    D. protocol number

    A. destination port

    D. protocol number

    114. Which two parameters are configured in IPsec policy? (Choose two.)

    A. mode

    B. IKE gateway

    C. security proposal

    D. Perfect Forward Secrecy

    C. security proposal

    D. Perfect Forward Secrecy

    115. Which two statements about Junos software packet handling are correct? (Choose two.)

    A. The Junos OS applies service ALGs only for the first packet of a flow.

    B. The Junos OS uses fast-path processing only for the first packet of a flow.

    C. The Junos OS performs policy lookup only for the first packet of a flow.

    D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.

    C. The Junos OS performs policy lookup only for the first packet of a flow.

    D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.

    116. Which two statements about static NAT are true? (Choose two.)

    A. Static NAT can only be used with destination NAT.

    B. Static NAT rules take precedence over overlapping dynamic NAT rules.

    C. NAT rules take precedence over overlapping static NAT rules.

    D. A reverse mapping is automatically created.

    B. Static NAT rules take precedence over overlapping dynamic NAT rules.

    D. A reverse mapping is automatically created.

    117. Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose two.)

    A. In the DH key exchange process, the session key is never passed across the network.

    B. In the DH key exchange process, the public and private keys are mathematically related using the DH algorithm.

    C. In the DH key exchange process, the session key is passed across the network to the peer for confirmation.

    D. In the DH key exchange process, the public and private keys are not mathematically related, ensuring higher security.

    A. In the DH key exchange process, the session key is never passed across the network.

    B. In the DH key exchange process, the public and private keys are mathematically related using the DH algorithm.

    118. Which two statements about the use of SCREEN options are correct? (Choose two.)

    A. SCREEN options are deployed at the ingress and egress sides of a packet flow.

    B. Although SCREEN options are very useful, their use can result in more session creation.

    C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.

    D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.

    C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.

    D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.

    119. Which two statements apply to policy scheduling? (Choose two.)

    A. An individual policy can have only one scheduler applied.

    B. You must manually configure system-time updates.

    C. Multiple policies can use the same scheduler.

    D. Policies that do not have schedulers are not active.

    A. An individual policy can have only one scheduler applied.

    C. Multiple policies can use the same scheduler.

    120. Which two statements are true about AH? (Choose two.)

    A. AH provides data integrity.

    B. AH is identified by IP protocol 50.

    C. AH is identified by IP protocol 51.

    D. AH cannot work in conjunction with ESP.

    A. AH provides data integrity.

    C. AH is identified by IP protocol 51.

    121. Which two statements are true about hierarchical architecture? (Choose two.)

    A. You can assign a logical interface to multiple zones.

    B. You cannot assign a logical interface to multiple zones.

    C. You can assign a logical interface to multiple routing instances.

    D. You cannot assign a logical interface to multiple routing instances.

    B. You cannot assign a logical interface to multiple zones.

    D. You cannot assign a logical interface to multiple routing instances.

    122. Which two statements are true about IPsec traffic? (Choose two.)

    A. IPsec traffic can be forwarded when no IKE SA is present.

    B. IPsec traffic can be forwarded when no IPsec SA is present.

    C. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the inner IP header of the final ESP packet.

    D. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the outer IP header of the final ESP packet.

    A. IPsec traffic can be forwarded when no IKE SA is present.

    C. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the inner IP header of the final ESP packet.

    123. Which two statements are true about pool-based source NAT? (Choose two.)

    A. PAT is not supported.

    B. PAT is enabled by default.

    C. It supports the address-persistent configuration option.

    D. It supports the junos-global configuration option.

    B. PAT is enabled by default.

    C. It supports the address-persistent configuration option.

    124. Which two statements are true about the relationship between static NAT and proxy ARP? (Choose two.)

    A. It is necessary to forward ARP requests to remote hosts.

    B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.

    C. It is not automatic and you must configure it.

    D. It is enabled by default and you do not need to configure it.

    B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.

    C. It is not automatic and you must configure it.

    125. Which two statements are true about the Websense redirect Web filter solution? (Choose two.)

    A. The Websense redirect Web filter solution does not require a license on the SRX device.

    B. The Websense server provides the SRX device with a category for the URL and the SRX device then matches the category with its configured polices and decides to permit or deny the URL.

    C. The Websense server provides the SRX device with a decision as to whether the SRX device permits or denies the URL.

    D. When the Websense server does not know the category of the URL, it sends a request back to the SRX device to validate against the integrated SurfControl server in the cloud.

    A. The Websense redirect Web filter solution does not require a license on the SRX device.

    C. The Websense server provides the SRX device with a decision as to whether the SRX device permits or denies the URL.

    126. Which two statements are true for a security policy? (Choose two.)

    A. It controls inter-zone traffic.

    B. It controls intra-zone traffic.

    C. It is named with a system-defined name.

    D. It controls traffic destined to the device's ingress interface.

    A. It controls inter-zone traffic.

    B. It controls intra-zone traffic.

    127. Which two statements are true regarding firewall user authentication? (Choose two.)

    A. When configured for pass-through firewall user authentication, the user must first open a connection to the Junos security platform before connecting to a remote network resource.

    B. When configured for Web firewall user authentication only, the user must first open a connection to the Junos security platform before connecting to a remote network resource.

    C. If a Junos security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.

    D. If a Junos security device is configured for Web firewall user authentication, new sessions are automatically intercepted to perform authentication.

    B. When configured for Web firewall user authentication only, the user must first open a connection to the Junos security platform before connecting to a remote network resource.

    C. If a Junos security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.

    128. Which two statements are true regarding IDP? (Choose two.)

    A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.

    B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.

    C. IDP inspects traffic up to the Presentation Layer.

    D. IDP inspects traffic up to the Application Layer.

    A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.

    D. IDP inspects traffic up to the Application Layer.

    129. Which two statements are true regarding redundancy groups? (Choose two.)

    A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 0.

    B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.

    C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.

    D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.

    A. When priority settings are equal and the membersparticipating in a cluster are initialized at the same time, theprimary role for redundancy group 0 is ass igned to node 0.

    C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.

    130. Which two statements are true regarding the system-default security policy [edit security policies default-policy]? (Choose two.)

    A. Traffic is permitted from the trust zone to the untrust zone.

    B. Intrazone traffic in the trust zone is permitted.

    C. All traffic through the device is denied.

    D. The policy is matched only when no other matching policies are found.

    C. All traffic through the device is denied.

    D. The policy is matched only when no other matching policies are found.

    131. Which two statements are true when describing the capabilities of integrated Web filtering on branch SRX Series devices? (Choose two.)

    A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.

    B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.

    C. Integrated Web filtering can permit or deny access to specific categories of sites.

    D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow different policies to be enforced for different users.

    C. Integrated Web filtering can permit or deny access to specific categories of sites.

    D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow different policies to be enforced for different users.


    132. Which two statements are true with regard to policy ordering? (Choose two.)

    A. The last policy is the default policy, which allows all traffic.

    B. The order of policies is not important.

    C. New policies are placed at the end of the policy list.

    D. The insert command can be used to change the order.

    C. New policies are placed at the end of the policy list.

    D. The insert command can be used to change the order.

    133. Which two statements describe the difference between Junos software for security platforms and a traditional router? (Choose two.)

    A. Junos software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.

    B. Junos software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.

    C. Junos software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.

    D. Junos software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.

    B. Junos software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.

    C. Junos software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.

    134. Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or rules that overlap? (Choose two.)

    A. Addresses used for NAT pools should never overlap.

    B. If more than one rule-set matches traffic, the rule-set with the most specific context takes precedence.

    C. If traffic matches two rules within the same rule-set, both rules listed in the configuration are applied.

    D. Dynamic source NAT rules take precedence over static source NAT rules.

    A. Addresses used for NAT pools should never overlap.

    B. If more than one rule-set matches traffic, the rule-set with the most specific context takes precedence.


    135. Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)

    A. Up to three external authentication server types can be used simultaneously.

    B. Only one external authentication server type can be used simultaneously.

    C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is bypassed.

    D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is rejected.

    B. Only one external authentication server type can be used simultaneously.

    D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is rejected.

    136. Which two statements regarding firewall user authentication client groups are true? (Choose two.)

    A. A client group is a list of clients associated with a group.

    B. A client group is a list of groups associated with a client.

    C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.

    D. Client groups are used to simplify configuration by enabling firewall user authentication without security policy.

    B. A client group is a list of groups associated with a client.

    C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.

    137. Which two statements regarding symmetric key encryption are true? (Choose two.)

    A. The same key is used for encryption and decryption.

    B. It is commonly used to create digital certificate signatures.

    C. It uses two keys: one for encryption and a different key for decryption.

    D. An attacker can decrypt data if the attacker captures the key used for encryption.

    A. The same key is used for encryption and decryption.

    D. An attacker can decrypt data if the attacker captures the key used for encryption.

    138. Which two types of attacks are considered to be denial of service? (Choose two.)

    A. zombie agents

    B. SYN flood

    C. IP packet fragments

    D. WinNuke

    B. SYN flood

    D. WinNuke


    139. Which two UTM features require a license to be activated? (Choose two.)

    A. antispam

    B. antivirus (full AV)

    C. content filtering

    D. Web-filtering redirect

    A. antispam

    B. antivirus (full AV)

    140. Which type of NAT is being used in the exhibit?

    A. no NAT

    B. destination NAT

    C. source NAT

    D. port address translation (PAT)

    C. source NAT

    141. Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?

    A. Websense Redirect Web filtering

    B. integrated Web filtering

    C. local Web filtering

    D. enhanced Web filtering

    B. integrated Web filtering

    142. Which URL database do branch SRX Series devices use when leveraging local Web filtering?

    A. The SRX Series device will download the database from an online repository to locally inspect HTTP traffic for Web filtering.

    B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web filtering.

    C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web filtering.

    D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.

    D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.

    143. Which URL will match the URL pattern www.news.com/asia?

    A. www.news.com

    B. www.news.com/asia/japan

    C. www-1.news.com/asia

    D. www.news.asia.com

    B. www.news.com/asia/japan


    144. Which UTM feature requires a license to function?

    A. integrated Web filtering

    B. local Web filtering

    C. redirect Web filtering

    D. content filtering

    A. integrated Web filtering

    145. Which Web-filtering technology can be used at the same time as integrated Web filtering on a single branch SRX Series device?

    A. Websense redirect Web filtering

    B. local Web filtering (blacklist or whitelist)

    C. firewall user authentication

    D. ICAP

    B. local Web filtering (blacklist or whitelist)

    146. Which zone is system-defined?

    A. security

    B. functional

    C. junos-global

    D. management

    C. junos-global

    147. Which zone type can be specified in a policy?

    A. security

    B. functional

    C. user

    D. system

    A. security

    148. Which zone type will allow transit-traffic?

    A. system

    B. security

    C. default

    D. functional

    B. security


    149. You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)

    A. [edit security screen] user@host# show ids-option protectFromFlood { ip { loose-source-route-option; strict-source-route-option; } }

    B. [edit security screen] user@host# show ids-option protectFromFlood { ip { source-route-option; } }

    C. [edit security screen] user@host# show ids-option protectFromFlood { ip { record-route-option; security-option; } }

    D. [edit security screen] user@host# show ids-option protectFromFlood { ip { strict-source-route-option; record-route-option; } }

    A. [edit security screen] user@host# show ids-option protectFromFlood { ip { loose-source-route-option; strict-source-route-option; } }

    B. [edit security screen] user@host# show ids-option protectFromFlood { ip { source-route-option; } }

    150. You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit. What is the problem?

    A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm, or pre-shared key does not match.

    B. There is no route for 2.2.2.2.

    C. There is no IKE definition in the configuration for peer 2.2.2.2.

    D. system services ike is not enabled on the interface with IP 1.1.1.2.

    C. There is no IKE definition in the configuration for peer 2.2.2.2.


    151. You have configured a UTM profile called Block-Spam, which has the appropriate antispam configuration to block undesired spam e-mails. Which configuration would protect an SMTP server in the dmz zone from spam originating in the untrust zone?

    A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-services utm-policy Block-Spam

    B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services utm-policy Block-Spam

    C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services anti-spam-policy Block-Spam

    D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services Block-Spam

    B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services utm-policy Block-Spam

    152. You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to be the primary node for this redundancy group. You need to verify that the redundancy group failover is successful. Which command do you use to manually test the failover?

    A. request chassis cluster manual failover group 1 node 1

    B. request cluster failover redundancy-group 1 node 1

    C. request chassis cluster manual failover redundancy-group 1 node 1

    D. request chassis cluster failover redundancy-group 1 node 1

    D. request chassis cluster failover redundancy-group 1 node 1


    153. You must configure a SCREEN option that would protect your device from a session table flood. Which configuration meets this requirement?

    A. [edit security screen] user@host# show ids-option protectFromFlood { icmp { ip-sweep threshold 5000; flood threshold 2000; } }

    B. [edit security screen] user@host# show ids-option protectFromFlood { tcp { syn-flood { attack-threshold 2000; destination-threshold 2000; } } }

    C. [edit security screen] user@host# show ids-option protectFromFlood { udp { flood threshold 5000; } }

    D. [edit security screen] user@host# show ids-option protectFromFlood { limit-session { source-ip-based 1200; destination-ip-based 1200; } }

    D. [edit security screen] user@host# show ids-option protectFromFlood { limit-session { source-ip-based 1200; destination-ip-based 1200; } }


    154. You must configure a SCREEN option that would protect your router from a session table flood. Which configuration meets this requirement?

    A. [edit security screen] user@host# show ids-option protectFromFlood { icmp { ip-sweep threshold 5000; flood threshold 2000; } }

    B. [edit security screen] user@host# show ids-option protectFromFlood { tcp { syn-flood { attack-threshold 2000; destination-threshold 2000; } } }

    C. [edit security screen] user@host# show ids-option protectFromFlood { udp { flood threshold 5000; } }

    D. [edit security screen] user@host# show ids-option protectFromFlood { limit-session { source-ip-based 1200; destination-ip-based 1200; } }

    D. [edit security screen] user@host# show ids-option protectFromFlood { limit-session { source-ip-based 1200; destination-ip-based 1200; } }

    155. You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?

    A. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then tunnel remote-vpn

    B. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn

    C. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn

    D. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn

    D. [edit security policies from-zone trust to-zone untrust] user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn


    156. You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone. Under which configuration hierarchy must you permit OSPF traffic?

    A. [edit security policies from-zone HR to-zone HR]

    B. [edit security zones functional-zone management protocols]

    C. [edit security zones protocol-zone HR host-inbound-traffic]

    D. [edit security zones security-zone HR host-inbound-traffic protocols]

    D. [edit security zones security-zone HR host-inbound-traffic protocols]

    157. You want to create a security policy allowing traffic from any host in the Trust zone to hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this policy?

    A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.

    B. Specify the DNS entry (hostb.example.com) as the destination address in the policy.

    C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.

    D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.

    D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.

    158. You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone. From the [edit] hierarchy, which command do you use to configure this assignment?

    A. set security zones management interfaces ge-0/0/0.0

    B. set zones functional-zone management interfaces ge-0/0/0.0

    C. set security zones functional-zone management interfaces ge-0/0/0.0

    D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0

    C. set security zones functional-zone management interfaces ge-0/0/0.0


    159. You want to test a configured screen value prior to deploying. Which statement will allow you to accomplish this?

    A. [edit security screen] user@host# show ids-option untrust-screen { alarm-test-only; }

    B. [edit security screen] user@host# show ids-option untrust-screen { alarm-without-drop; }

    C. [edit security screen] user@host# show ids-option untrust-screen { alarm-no-drop; }

    D. [edit security screen] user@host# show ids-option untrust-screen { test-without-drop; }

    B. [edit security screen] user@host# show ids-option untrust-screen { alarm-without-drop; }

    160. Your IKE SAs are up, but the IPsec SAs are not up. Referring to the exhibit, what is the problem?

    A. One or more of the phase 2 proposals such as authentication algorithm, encryption algorithm do not match.

    B. The tunnel interface is down.

    C. The proxy IDs do not match.

    D. The IKE proposals do not match the IPsec proposals.

    C. The proxy IDs do not match.