
Juniper JN0-332

Juniper Networks Certified Internet Specialist, SEC (JNCIS-SEC)


Version: 6.0

QUESTION NO: 1
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Answer: A

QUESTION NO: 2
Click the Exhibit button.

You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?
A. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel remote-vpn
B. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn
C. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn
D. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D

"Pass Any Exam. Any Time." - www.actualtests.com

QUESTION NO: 3
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,C,E

QUESTION NO: 4
You must configure a SCREEN option that would protect your router from a session table flood. Which configuration meets this requirement?
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    icmp {
        ip-sweep threshold 5000;
        flood threshold 2000;
    }
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    tcp {
        syn-flood {
            attack-threshold 2000;
            destination-threshold 2000;
        }
    }
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    udp {
        flood threshold 5000;
    }
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    limit-session {
        source-ip-based 1200;
        destination-ip-based 1200;
    }
}
Answer: D

QUESTION NO: 5
Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?
A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering
Answer: B

QUESTION NO: 6
Which security or functional zone name has special significance to the Junos OS?
A. self
B. trust
C. untrust
D. junos-global
Answer: D

QUESTION NO: 7
Which command do you use to display the status of an antivirus database update?
A. show security utm anti-virus status
B. show security anti-virus database status
C. show security utm anti-virus database
D. show security utm anti-virus update
Answer: A

QUESTION NO: 8
Which statement contains the correct parameters for a route-based IPsec VPN?
A. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    interface ge-0/0/1.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}
B. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    interface st0.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}
C. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    bind-interface ge-0/0/1.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}
D. [edit security ipsec]
user@host# show
proposal ike1-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec1-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike1-proposal;
}
vpn VpnTunnel {
    bind-interface st0.0;
    ike {
        gateway ike1-gateway;
        ipsec-policy ipsec1-policy;
    }
    establish-tunnels immediately;
}
Answer: D

QUESTION NO: 9
Which zone is system-defined?
A. security
B. functional
C. junos-global
D. management
Answer: C

QUESTION NO: 10
You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone. Under which configuration hierarchy must you permit OSPF traffic?
A. [edit security policies from-zone HR to-zone HR]
B. [edit security zones functional-zone management protocols]
C. [edit security zones protocol-zone HR host-inbound-traffic]
D. [edit security zones security-zone HR host-inbound-traffic protocols]
Answer: D

QUESTION NO: 11
Which three statements are true regarding IDP? (Choose three.)
A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.
Answer: B,C,E

QUESTION NO: 12
Click the Exhibit button.

Your IKE SAs are up, but the IPsec SAs are not up. Referring to the exhibit, what is the problem?
A. One or more of the phase 2 proposals, such as the authentication algorithm or encryption algorithm, do not match.
B. The tunnel interface is down.
C. The proxy IDs do not match.
D. The IKE proposals do not match the IPsec proposals.
Answer: C

QUESTION NO: 13
Which two statements regarding symmetric key encryption are true? (Choose two.)
A. The same key is used for encryption and decryption.
B. It is commonly used to create digital certificate signatures.
C. It uses two keys: one for encryption and a different key for decryption.
D. An attacker can decrypt data if the attacker captures the key used for encryption.
Answer: A,D

QUESTION NO: 14
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)
A. protocol list
B. MIME
C. block list
D. extension
Answer: B,D

QUESTION NO: 15
Which two statements are true about hierarchical architecture? (Choose two.)
A. You can assign a logical interface to multiple zones.
B. You cannot assign a logical interface to multiple zones.
C. You can assign a logical interface to multiple routing instances.
D. You cannot assign a logical interface to multiple routing instances.
Answer: B,D

QUESTION NO: 16
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)
A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is bypassed.
D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is rejected.
Answer: B,D

QUESTION NO: 17
Click the Exhibit button.

In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still allowed. Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated before your Allow policy?
A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow
C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow
D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet
Answer: A

QUESTION NO: 18
Which UTM feature requires a license to function?
A. integrated Web filtering
B. local Web filtering
C. redirect Web filtering
D. content filtering
Answer: A

QUESTION NO: 19
Click the Exhibit button.

System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device. Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)
A. A user can use SSH to interface ge-0/0/0.0 and ge-0/0/1.0.
B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.
C. A user can use SSH to interface ge-0/0/0.0.
D. A user can use SSH to interface ge-0/0/1.0.
Answer: B,C

QUESTION NO: 20
A user wants to establish an HTTP session to a server behind an SRX device but is being pointed to a Web page on the SRX device for additional authentication. Which type of user authentication is configured?
A. pass-through with Web redirect
B. WebAuth with HTTP redirect
C. WebAuth
D. pass-through
Answer: A

QUESTION NO: 21
Which two UTM features require a license to be activated? (Choose two.)
A. antispam
B. antivirus (full AV)
C. content filtering
D. Web-filtering redirect
Answer: A,B

QUESTION NO: 22
Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or rules that overlap? (Choose two.)
A. Addresses used for NAT pools should never overlap.
B. If more than one rule-set matches traffic, the rule-set with the most specific context takes precedence.
C. If traffic matches two rules within the same rule-set, both rules listed in the configuration are applied.
D. Dynamic source NAT rules take precedence over static source NAT rules.
Answer: A,B

QUESTION NO: 23
A network administrator has configured source NAT, translating to an address that is on a locally connected subnet. The administrator sees the translation working, but traffic does not appear to come back. What is causing the problem?
A. The host needs to open the telnet port.
B. The host needs a route for the translated address.
C. The administrator must use a proxy-arp policy for the translated address.
D. The administrator must use a security policy, which will allow communication between the zones.
Answer: C

QUESTION NO: 24
Which statement describes an ALG?
A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
Answer: B

QUESTION NO: 25
Which three components can be leveraged when defining a local whitelist or blacklist for antispam on a branch SRX Series device? (Choose three.)
A. spam assassin filtering score
B. sender country
C. sender IP address
D. sender domain
E. sender e-mail address
Answer: C,D,E

QUESTION NO: 26
What is the correct syntax for applying node-specific parameters to each node in a chassis cluster?
A. set apply-groups node$
B. set apply-groups (node)
C. set apply-groups $(node)
D. set apply-groups (node)all
Answer: C
Explanation: The statement as actually typed on an SRX is set apply-groups "${node}": Junos expands the ${node} variable to node0 or node1 on each member, so the node0 and node1 groups are applied only where they belong. Option C is the closest rendering of that syntax; the other three are not accepted by the CLI.

QUESTION NO: 27
Which statement describes a security zone?
A. A security zone can contain one or more interfaces.
B. A security zone can contain interfaces in multiple routing instances.
C. A security zone must contain two or more interfaces.
D. A security zone must contain bridge groups.
Answer: A
Explanation: A security zone is a collection of one or more logical interfaces that share the same security requirements. A logical interface belongs to exactly one zone, and all interfaces in a zone must belong to the same routing instance, so B is wrong; nothing requires two interfaces or bridge groups.

QUESTION NO: 28
A system administrator detects thousands of open idle connections from the same source. Which problem can arise from this type of attack?
A. It enables an attacker to perform an IP sweep of devices.
B. It enables a hacker to know which operating system the system is running.
C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.
D. It creates a ping of death and can cause the entire network to be infected with a virus.
Answer: C

QUESTION NO: 29
Under which Junos hierarchy level are security policies configured?
A. [edit security]
B. [edit protocols]
C. [edit firewall]
D. [edit policy-options]
Answer: A
Explanation: Security policies live under [edit security policies from-zone X to-zone Y]. [edit firewall] holds stateless firewall filters, [edit policy-options] holds routing policy, and [edit protocols] holds routing and signaling protocols.

QUESTION NO: 30
You must configure a SCREEN option that would protect your device from a session table flood. Which configuration meets this requirement?
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    icmp {
        ip-sweep threshold 5000;
        flood threshold 2000;
    }
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    tcp {
        syn-flood {
            attack-threshold 2000;
            destination-threshold 2000;
        }
    }
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    udp {
        flood threshold 5000;
    }
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    limit-session {
        source-ip-based 1200;
        destination-ip-based 1200;
    }
}
Answer: D

QUESTION NO: 31
Which three methods of source NAT does the Junos OS support? (Choose three.)
A. interface-based source NAT
B. source NAT with address shifting
C. source NAT using static source pool
D. interface-based source NAT without PAT
E. source NAT with address shifting and PAT
Answer: A,B,C

QUESTION NO: 32
Which three firewall user authentication objects can be referenced in a security policy? (Choose three.)
A. access profile
B. client group
C. client
D. default profile
E. external
Answer: A,B,C

QUESTION NO: 33
What is the default session timeout for TCP sessions?
A. 1 minute
B. 15 minutes
C. 30 minutes
D. 90 minutes
Answer: C

QUESTION NO: 34
Which three advanced permit actions within security policies are valid? (Choose three.)
A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.
Answer: A,C,E

QUESTION NO: 35
Which statement is true regarding the Junos OS for security platforms?
A. SRX Series devices can store sessions in a session table.
B. SRX Series devices accept all traffic by default.
C. SRX Series devices must operate only in packet-based mode.
D. SRX Series devices must operate only in flow-based mode.
Answer: A
Explanation: The SRX is a stateful, flow-based platform: the first packet of a flow creates a session-table entry that later packets match in the fast path. Transit traffic is denied by default, which rules out B. Packet-based forwarding can be selected alongside flow mode (for example with the packet-mode firewall filter action), so neither "only" statement in C or D holds.

QUESTION NO: 36
Click the Exhibit button.

Which type of NAT is being used in the exhibit?
A. no NAT
B. destination NAT
C. source NAT
D. port address translation (PAT)
Answer: C

QUESTION NO: 37
At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured? (Choose two.)
A. [edit security idp]
B. [edit security zones security-zone trust interfaces ge-0/0/0.0]
C. [edit security zones security-zone trust]
D. [edit security screen]
Answer: B,C

QUESTION NO: 38
Which two parameters are configured in IPsec policy? (Choose two.)
A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy
Answer: C,D

QUESTION NO: 39
The SRX device receives a packet and determines that it does not match an existing session. After SCREEN options are evaluated, what is evaluated next?
A. source NAT
B. destination NAT
C. route lookup
D. zone lookup
Answer: B

QUESTION NO: 40
Which zone type can be specified in a policy?
A. security
B. functional
C. user
D. system
Answer: A

QUESTION NO: 41
Which two statements about Junos software packet handling are correct? (Choose two.)
A. The Junos OS applies service ALGs only for the first packet of a flow.
B. The Junos OS uses fast-path processing only for the first packet of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.
Answer: C,D

QUESTION NO: 42
Which Web-filtering technology can be used at the same time as integrated Web filtering on a single branch SRX Series device?
A. Websense redirect Web filtering
B. local Web filtering (blacklist or whitelist)
C. firewall user authentication
D. ICAP
Answer: B

QUESTION NO: 43
In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?
A. This interface is a system-created interface.
B. This interface belongs to node 0 of the cluster.
C. This interface belongs to node 1 of the cluster.
D. This interface will not exist because SRX 5800 devices have only 12 slots.
Answer: C

QUESTION NO: 44
An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using DHCP. Which two statements are true? (Choose two.)
A. Only main mode can be used for IKE negotiation.
B. A local-identity must be defined.
C. It must be the initiator for IKE.
D. A remote-identity must be defined.
Answer: B,C
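A worked configuration for the situation in question 44, added here as an editor's example and not part of the exam material. The branch SRX takes its outside address from DHCP, so the hub has nothing fixed to dial; the branch therefore identifies itself by hostname in IKEv1 aggressive mode and must initiate, while the hub declares the peer as a dynamic gateway and can only respond. Hostnames, the RFC 5737 addresses, object names and the placeholder pre-shared key are all assumptions.

```junos
## Branch SRX (initiator; ge-0/0/0.0 is the DHCP client interface).
## Example only: names and addresses are assumptions, the key is a placeholder
## that Junos stores in $9$ obfuscated form once committed.
security {
    ike {
        proposal IKE-PROP {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy IKE-POL {
            ## aggressive mode: with IKEv1 the hostname identity must be sent
            ## early, main mode would need the peer's address to look up the key
            mode aggressive;
            proposals IKE-PROP;
            pre-shared-key ascii-text "replace-with-real-key"; ## SECRET-DATA
        }
        gateway HUB-GW {
            ike-policy IKE-POL;
            ## the hub holds the fixed address
            address 198.51.100.1;
            ## option B in the question: the identity the branch presents
            local-identity hostname branch1.example.net;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal IPSEC-PROP {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy IPSEC-POL {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC-PROP;
        }
        vpn HUB-VPN {
            bind-interface st0.0;
            ike {
                gateway HUB-GW;
                ipsec-policy IPSEC-POL;
            }
            ## option C in the question: the branch brings the tunnel up itself
            establish-tunnels immediately;
        }
    }
}

## Hub SRX (responder). The branch address is unknown in advance, so the
## gateway is dynamic and matched on the hostname the branch presents.
## The IKE and IPsec proposals and the IPsec policy mirror the branch side.
security {
    ike {
        policy IKE-POL {
            mode aggressive;
            proposals IKE-PROP;
            pre-shared-key ascii-text "replace-with-real-key"; ## SECRET-DATA
        }
        gateway BRANCH1-GW {
            ike-policy IKE-POL;
            dynamic {
                hostname branch1.example.net;
            }
            external-interface ge-0/0/0.0;
        }
    }
}
```

After commit on both sides, show security ike security-associations on the branch should list the hub with the state UP, and show security ipsec security-associations should show the phase 2 pair for st0.0; if phase 1 is up and phase 2 is not, re-check the proxy IDs and IPsec proposals as in question 12. A dynamic gateway on the hub cannot carry establish-tunnels immediately, which is why the branch must be the initiator.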

QUESTION NO: 45
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.
Answer: C,D

QUESTION NO: 46
Click the Exhibit button.

In the exhibit, you decided to change the myHosts addresses. What will happen to the new sessions matching the policy and to in-progress sessions that had already matched the policy?
A. New sessions will be evaluated. In-progress sessions will be re-evaluated.
B. New sessions will be evaluated. All in-progress sessions will continue.
C. New sessions will be evaluated. All in-progress sessions will be dropped.
D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will be re-evaluated and possibly dropped.
Answer: A

QUESTION NO: 47
When using UTM features in an HA cluster, which statement is true for installing the licenses on the cluster members?
A. One UTM cluster license will activate UTM features on both members.
B. Each device will need a UTM license generated for its serial number.
C. Each device will need a UTM license generated for the cluster, but licenses can be applied to either member.
D. HA clustering automatically comes with UTM licensing; no additional actions are needed.
Answer: B

QUESTION NO: 48
Which statement is true regarding NAT?
A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.
Answer: D

QUESTION NO: 49
Which two functions of the Junos OS are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Answer: A,D

QUESTION NO: 50
After applying the policy-rematch statement under the security policies stanza, what would happen to an existing flow if the policy source address or the destination address is changed and committed?
A. The Junos OS drops any flow that does not match the source address or destination address.
B. All traffic is dropped.
C. All existing sessions continue.
D. The Junos OS does a policy re-evaluation.
Answer: D

QUESTION NO: 51
Which statement is correct about HTTP trickling?
A. It prevents the HTTP client or server from timing out during an antivirus update.
B. It prevents the HTTP client or server from timing out during antivirus scanning.
C. It is an attack.
D. It is used to bypass antivirus scanners.
Answer: B

QUESTION NO: 52
For which network anomaly does Junos provide a SCREEN?
A. a telnet to port 80
B. a TCP packet with the SYN and ACK flags set
C. an SNMP getnext request
D. an ICMP packet larger than 1024 bytes
Answer: D
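Questions 4, 28, 30, 45 and 52 each test one screen in isolation; the following is an editor's example, not exam material, of a single ids-option profile that combines them and binds it to the zone where untrusted traffic enters, which is where screens run (before policy lookup). Profile name, interface and thresholds are assumptions and should be tuned to observed traffic.

```junos
## Added example: one screen profile covering the checks the questions above
## refer to. Thresholds are illustrative assumptions, not recommendations.
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ## ICMP packets larger than 1024 bytes (question 52)
                large;
                ping-death;
            }
            tcp {
                ## SYN flood protection with SYN cookies/proxy after threshold
                syn-flood {
                    attack-threshold 2000;
                    destination-threshold 2000;
                }
                land;
            }
            ## caps concurrent sessions per source and per destination, the
            ## defence against a session-table flood (questions 4, 28, 30)
            limit-session {
                source-ip-based 1200;
                destination-ip-based 1200;
            }
        }
    }
    zones {
        security-zone untrust {
            ## screens apply to the ingress zone of a flow (question 45)
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
```

To measure before enforcing, add alarm-without-drop to the ids-option profile so hits are logged but not dropped, then watch show security screen statistics zone untrust for the counters that climb under normal load before removing that knob.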

QUESTION NO: 53
What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?
A. whitelists, blacklists, SurfControl categories
B. blacklists, whitelists, SurfControl categories
C. SurfControl categories, whitelists, blacklists
D. SurfControl categories, blacklists, whitelists
Answer: B

QUESTION NO: 54
A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The administrator must also disable NAT for any traffic destined to the 202.2.10.0/24 network. Which configuration would accomplish this task?
A. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
    match {
        source-address 202.2.10.0/24;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}
rule B {
    match {
        destination-address 10.0.0.0/8;
    }
    then {
        source-nat {
            off;
        }
    }
}
B. [edit security nat source]
user@host# show
rule-set test {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            destination-address 202.2.10.0/24;
        }
        then {
            source-nat {
                off;
            }
        }
    }
    rule 2 {
        match {
            source-address 10.0.0.0/8;
        }
        then {
            source-nat {
                pool {
                    A;
                }
            }
        }
    }
}
C. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
    match {
        source-address 10.0.0.0/8;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}
rule B {
    match {
        destination-address 202.2.10.0/24;
    }
    then {
        source-nat {
            off;
        }
    }
}
D. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
    match {
        source-address 10.0.0.0/8;
    }
    then {
        source-nat {
            pool {
                A;
            }
        }
    }
}
Answer: B

QUESTION NO: 55
The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web filtering is being used?
A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering
Answer: B

QUESTION NO: 56
Which two statements are true with regard to policy ordering? (Choose two.)
A. The last policy is the default policy, which allows all traffic.
B. The order of policies is not important.
C. New policies are placed at the end of the policy list.
D. The insert command can be used to change the order.
Answer: C,D
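The failure in question 17 and the two correct statements in question 56 are the same mechanism: policies in a zone pair are evaluated top-down, the first match wins, and a newly added policy lands at the bottom, so a deny appended after a broad permit never fires. The CLI session below is an editor's example, not exam material; zone names, addresses and policy names are assumptions.

```junos
## Added example. The new DenyTelnet policy sits below Allow, which already
## matches any/any/any, so Telnet is still permitted after commit.
[edit security policies from-zone trust to-zone untrust]
user@host# show
policy Allow {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
policy DenyTelnet {
    match {
        source-address any;
        destination-address any;
        application junos-telnet;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}

## set cannot reorder an existing policy; insert can.
[edit security policies from-zone trust to-zone untrust]
user@host# insert policy DenyTelnet before policy Allow

[edit security policies from-zone trust to-zone untrust]
user@host# commit

## Ask the device which policy a Telnet flow would hit now (example addresses
## from the RFC 5737 and RFC 1918 ranges; the flow does not have to exist).
user@host> show security match-policies from-zone trust to-zone untrust source-ip 10.1.1.10 destination-ip 203.0.113.5 source-port 40000 destination-port 23 protocol tcp
```

The match-policies output names the policy that would be selected, which should now be DenyTelnet with a deny action; running the same command before the insert would have named Allow. Sessions already permitted under Allow keep running after the commit unless policy-rematch is configured (questions 1 and 50).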

QUESTION NO: 57
Regarding fast path processing, when does the system perform the policy check?
A. The policy is determined after the SCREEN options check.
B. The policy is determined only during the first packet path, not during fast path.
C. The policy is determined after the zone check.
D. The policy is determined after the SYN TCP flag.
Answer: B

QUESTION NO: 58
Which URL database do branch SRX Series devices use when leveraging local Web filtering?
A. The SRX Series device will download the database from an online repository to locally inspect HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.
Answer: D

QUESTION NO: 59
How do you apply UTM enforcement to security policies on the branch SRX Series?
A. UTM profiles are applied on a security policy by policy basis.
B. UTM profiles are applied at the global policy level.
C. Individual UTM features like anti-spam or anti-virus are applied directly on a security policy by policy basis.
D. Individual UTM features like anti-spam or anti-virus are applied directly at the global policy level.
Answer: A

QUESTION NO: 60
What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt
Answer: A,D

QUESTION NO: 61
Which configuration shows a pool-based source NAT without PAT?
A. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
            port no-translation;
        }
    }
}
B. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
            port no-translation;
        }
    }
}
C. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    port no-translation;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}
D. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}
Answer: C

QUESTION NO: 62
Which two statements are true regarding IDP? (Choose two.)
A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
Answer: A,D

QUESTION NO: 63
What is the purpose of a chassis cluster?
A. Chassis clusters are used to aggregate routes.
B. Chassis clusters are used to create aggregate interfaces.
C. Chassis clusters are used to group two chassis into one logical chassis.
D. Chassis clusters are used to group all interfaces into one cluster interface.
Answer: C
Explanation: A chassis cluster joins two SRX devices into one logical device with a single shared configuration and synchronized session state, so that a failure of one node does not drop established sessions. Route aggregation and aggregated Ethernet (ae) interfaces are unrelated features, and a cluster uses reth interfaces per redundancy group rather than one interface for everything.

QUESTION NO: 64
Which three statements are true when working with high-availability clusters? (Choose three.)
A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.
Answer: C,D,E

QUESTION NO: 65
A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST. However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone. Which configuration statement would correctly accomplish this task?
A. from-zone UNTRUST to-zone TRUST {
    policy DenyServer {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone TRUST to-zone UNTRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}
B. from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}
C. from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
}
D. from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}
Answer: B

QUESTION NO: 66
Which command do you use to manually remove antivirus patterns?
A. request security utm anti-virus juniper-express-engine pattern-delete
B. request security utm anti-virus juniper-express-engine pattern-reload
C. request security utm anti-virus juniper-express-engine pattern-remove
D. delete security utm anti-virus juniper-express-engine antivirus-pattern
Answer: A

QUESTION NO: 67
Which three parameters are configured in the IKE policy? (Choose three.)
A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings
Answer: A,B,D

QUESTION NO: 68
Which two statements are true about the relationship between static NAT and proxy ARP? (Choose two.)
A. It is necessary to forward ARP requests to remote hosts.
B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.
C. It is not automatic and you must configure it.
D. It is enabled by default and you do not need to configure it.
Answer: B,C
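Questions 23, 61 and 68 all turn on one practical detail: when translated addresses come from the subnet of the egress interface, the upstream router ARPs for them, and nothing answers unless the SRX is told to proxy-ARP for exactly those addresses. The configuration below is an editor's example, not exam material; interface, zones and the RFC 5737 addresses are assumptions.

```junos
## Added example. The outside interface owns 203.0.113.1/24 and the pool is
## carved from the same /24, so proxy-arp on that interface must cover the pool
## (and only the pool; never list the interface's own address).
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 203.0.113.1/24;
            }
        }
    }
}
security {
    nat {
        source {
            pool SNAT-POOL {
                address {
                    203.0.113.10/32 to 203.0.113.20/32;
                }
                ## one-to-one address translation, the form question 61 asks for;
                ## remove this line to get PAT, which stretches 11 addresses much further
                port no-translation;
            }
            rule-set TRUST-TO-UNTRUST {
                from zone trust;
                to zone untrust;
                rule SNAT-INSIDE {
                    match {
                        source-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            pool {
                                SNAT-POOL;
                            }
                        }
                    }
                }
            }
        }
        ## not automatic (question 68): without this the return traffic for
        ## 203.0.113.10-20 is never delivered to the SRX (question 23)
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    203.0.113.10/32 to 203.0.113.20/32;
                }
            }
        }
    }
}
```

Check the pieces separately: show security nat source rule all confirms the rule is hit, show security nat source pool SNAT-POOL shows address usage, and show security flow session shows the translated address on the outbound wing. Without PAT, the twelfth concurrent inside host gets no translation once the pool is exhausted unless an overflow-pool is added; that is the trade-off behind the port no-translation choice.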

QUESTION NO: 69
Which CLI command do you use to block MIME content at the [edit security utm feature-profile] hierarchy?
A. set content-filtering profile <name> permit-command block-mime
B. set content-filtering profile <name> block-mime
C. set content-filtering block-content-type <name> block-mime
D. set content-filtering notifications block-mime
Answer: B

QUESTION NO: 70
If both nodes in a chassis cluster initialize at different times, which configuration example will allow you to ensure that the node with the higher priority will become primary for your RGs other than RG0?
A. [edit chassis cluster]
   user@host# show
   redundancy-group 1 {
       node 0 priority 200;
       node 1 priority 150;
       preempt;
   }
B. [edit chassis cluster]
   user@host# show
   redundancy-group 1 {
       node 0 priority 200;
       node 1 priority 150;
       monitoring;
   }
C. [edit chassis cluster]
   user@host# show
   redundancy-group 1 {
       node 0 priority 200;
       node 1 priority 150;
       control-link-recovery;
   }
D. [edit chassis cluster]
   user@host# show
   redundancy-group 1 {
       node 0 priority 200;
       node 1 priority 150;
       strict-priority;
   }
Answer: A
Explanation:

QUESTION NO: 71
By default, how is traffic evaluated when the antivirus database update is in progress?
A. Traffic is scanned against the old database.
B. Traffic is scanned against the existing portion of the currently downloaded database.
C. All traffic that requires antivirus inspection is dropped and a log message generated displaying the traffic endpoints.
D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log message generated displaying the traffic endpoints.
Answer: D
Explanation:

QUESTION NO: 72
Which statement is true regarding IPsec VPNs?
A. There are five phases of IKE negotiation.
B. There are two phases of IKE negotiation.
C. IPsec VPN tunnels are not supported on SRX Series devices.
D. IPsec VPNs require a tunnel PIC in SRX Series devices.
Answer: C
Explanation:

QUESTION NO: 73
Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID to 1 and node to 0?
A. user@host# set chassis cluster cluster-id 1 node 0 reboot
B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
D. user@host# set chassis cluster id 1 node 0 reboot
Answer: C
Explanation:

QUESTION NO: 74
Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
Answer: A,B,D
Explanation:

QUESTION NO: 75
How many IDP policies can be active at one time on an SRX Series device by means of the set security idp active-policy configuration statement?
A. 1
B. 2
C. 4
D. 8
Answer: A
Explanation:

QUESTION NO: 76
Which two statements regarding firewall user authentication client groups are true? (Choose two.)
A. A client group is a list of clients associated with a group.
B. A client group is a list of groups associated with a client.
C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.
D. Client groups are used to simplify configuration by enabling firewall user authentication without security policy.
Answer: B,C
Explanation:

QUESTION NO: 77
Your task is to provision the Junos security platform to permit transit packets from the Private zone to the External zone by using an IPsec VPN and log information at the time of session close. Which configuration meets this requirement?
A. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn VPN;
               }
           }
           log {
               session-init;
           }
       }
   }
B. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn VPN;
               }
           }
           count {
               session-close;
           }
       }
   }
C. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn VPN;
               }
           }
           log {
               session-close;
           }
       }
   }
D. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn VPN;
                   log;
                   count session-close;
               }
           }
       }
   }
Answer: C
Explanation:

QUESTION NO: 78
A user wants to establish an FTP session to a server behind an SRX device but must authenticate to a Web page on the SRX device for additional authentication. Which type of user authentication is configured?
A. pass-through
B. WebAuth
C. WebAuth with Web redirect
D. pass-through with Web redirect
Answer: B
Explanation:

QUESTION NO: 79
What is the functionality of redundant interfaces (reth) in a chassis cluster?
A. reth interfaces are used only for VRRP.
B. reth interfaces are the same as physical interfaces.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.
D. Each cluster member has a reth interface that can be used to share session state information with the other cluster members.
Answer: C
Explanation:

QUESTION NO: 80
A network administrator receives complaints from the engineering group that an application on one server is not working properly. After further investigation, the administrator determines that source NAT translation is using a different source address after a random number of flows. Which two actions can the administrator take to force the server to use one address? (Choose two.)
A. Use the custom application feature.
B. Configure static NAT for the host.
C. Use port address translation (PAT).
D. Use the address-persistent option.
Answer: B,D
Explanation:

QUESTION NO: 81
What is the default session timeout for UDP sessions?
A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes
Answer: B
Explanation:

QUESTION NO: 82
Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose two.)
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related, ensuring higher security.
Answer: A,B
Explanation:

QUESTION NO: 83
You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)
A. [edit security screen]
   user@host# show
   ids-option protectFromFlood {
       ip {
           loose-source-route-option;
           strict-source-route-option;
       }
   }
B. [edit security screen]
   user@host# show
   ids-option protectFromFlood {
       ip {
           source-route-option;
       }
   }
C. [edit security screen]
   user@host# show
   ids-option protectFromFlood {
       ip {
           record-route-option;
           security-option;
       }
   }
D. [edit security screen]
   user@host# show
   ids-option protectFromFlood {
       ip {
           strict-source-route-option;
           record-route-option;
       }
   }
Answer: A,B
Explanation:

QUESTION NO: 84
What are three configuration objects used to build Junos IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects
Answer: A,C,E
Explanation:

QUESTION NO: 85
Click the Exhibit button.

Assume the default-policy has not been configured. Given the configuration shown in the exhibit, which two statements about traffic from host_a in the HR zone to host_b in the trust zone are true? (Choose two.)
A. DNS traffic is denied.
B. HTTP traffic is denied.
C. FTP traffic is permitted.
D. SMTP traffic is permitted.
Answer: A,C
Explanation:

QUESTION NO: 86
When an SRX series device receives an ESP packet, what happens?
A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the packet.
Answer: C
Explanation:

QUESTION NO: 87
Click the Exhibit button.

[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to 2.1.1.1. On which port is the IKE SA established?
A. TCP 500
B. UDP 500
C. TCP 4500
D. UDP 4500
Answer: D
Explanation:

QUESTION NO: 88
Click the Exhibit button.

What are two valid reasons for the output shown in the exhibit? (Choose two.)
A. The local Web-filtering daemon is not enabled or is not running.
B. The integrated Web-filtering policy server is not reachable.
C. No DNS is configured on the SRX Series device.
D. No security policy is configured to use Web filtering.
Answer: B,C
Explanation:

QUESTION NO: 89
What is the maximum number of layers of decompression that juniper-express-engine (express AV) can decompress for the HTTP protocol?
A. 0
B. 1
C. 4
D. 8
Answer: B
Explanation:

QUESTION NO: 90
Which three features are part of the branch SRX series UTM suite? (Choose three.)
A. antispam
B. antivirus
C. IPS
D. application firewalling
E. Web filtering
Answer: A,B,E
Explanation:

QUESTION NO: 91
What are two TCP flag settings that are considered suspicious? (Choose two.)
A. Do-Not-Fragment flag is set.
B. Both SYN and FIN flags are set.
C. Both ACK and PSH flags are set.
D. FIN flag is set and ACK flag is not set.
Answer: B,D
Explanation:

QUESTION NO: 92
The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web filtering is being used?
A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering
Answer: A
Explanation:

QUESTION NO: 93
Which two statements are true regarding redundancy groups? (Choose two.)
A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
Answer: A,C
Explanation:

QUESTION NO: 94
What are two components of the Junos software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes
Answer: B,C
Explanation:

QUESTION NO: 95
Which IDP policy action closes the connection and sends an RST packet to both the client and the server?
A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session
Answer: C
Explanation:

QUESTION NO: 96
Which statement describes the UTM licensing model?
A. Install the license key and all UTM features will be enabled for the life of the product.
B. Install one license key per feature and the license key will be enabled for the life of the product.
C. Install one UTM license key, which will activate all UTM features; the license will need to be renewed when it expires.
D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they expire.
Answer: D
Explanation:

QUESTION NO: 97
You have configured a UTM profile called Block-Spam, which has the appropriate antispam configuration to block undesired spam e-mails. Which configuration would protect an SMTP server in the dmz zone from spam originating in the untrust zone?
A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-services utm-policy Block-Spam
B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services utm-policy Block-Spam
C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services anti-spam-policy Block-Spam
D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services Block-Spam
Answer: B
Explanation:

QUESTION NO: 98
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options offer protection against various attacks.
B. SCREEN options are deployed prior to route and policy processing in first path packet processing.
C. SCREEN options are deployed at the ingress and egress sides of a packet flow.
D. When you deploy SCREEN options, you must take special care to protect OSPF.
Answer: A,B
Explanation:

QUESTION NO: 99
Click the Exhibit button.

Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with the device on ge-0/0/0.0?
A. RIP
B. OSPF
C. BGP and RIP
D. RIP and PIM
Answer: A
Explanation:

QUESTION NO: 100
Which two statements about static NAT are true? (Choose two.)
A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.
Answer: B,D
Explanation:

QUESTION NO: 101
Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device has been properly configured with antispam inspection enabled for the appropriate security policy? (Choose three.)
A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.
B. The server sending the e-mail to the SRX Series device is running unknown SMTP server software.
C. The server sending the e-mail to the SRX Series device is on an IP address range that is known to be dynamically assigned.
D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.
Answer: A,C,E
Explanation:

QUESTION NO: 102
Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?
A. A session key value is exchanged across the network.
B. A session key never passes across the network.
C. A session key is used as the key for asymmetric data encryption.
D. A session key is used as the key for symmetric data encryption.
Answer: B
Explanation:

QUESTION NO: 103
Which zone type will allow transit-traffic?
A. system
B. security
C. default
D. functional
Answer: B
Explanation:

QUESTION NO: 104
Which two statements are true for a security policy? (Choose two.)
A. It controls inter-zone traffic.
B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.
Answer: A,B
Explanation:

QUESTION NO: 105
Which CLI command provides a summary of what the content-filtering engine has blocked?
A. show security utm content-filtering statistics
B. show security flow session
C. show security flow statistics
D. show security utm content-filtering summary
Answer: A
Explanation:

QUESTION NO: 106
Click the Exhibit button.

You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit. What is the problem?
A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm, or pre-shared key does not match.
B. There is no route for 2.2.2.2.
C. There is no IKE definition in the configuration for peer 2.2.2.2.
D. system services ike is not enabled on the interface with IP 1.1.1.2.
Answer: C
Explanation:

QUESTION NO: 107
Which URL will match the URL pattern www.news.com/asia?
A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com
Answer: B
Explanation:

QUESTION NO: 108
Click the Exhibit button.

In the exhibit, what is the function of the configuration statements?
A. This section is where you define all chassis clustering configuration.
B. This configuration is required for members of a chassis cluster to talk to each other.
C. You can apply this configuration in the chassis cluster to make configuration easier.
D. This section is where unique node configuration is applied.
Answer: D
Explanation:

QUESTION NO: 109
A network administrator repeatedly receives support calls about network issues. After investigating the issues, the administrator finds that the source NAT pool is running out of addresses. To be notified that the pool is close to exhaustion, what should the administrator configure?
A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.
B. Use a trap-group with a category of services under the SNMP stanza.
C. Use an external script that will run a show command on the SRX Series device to see when the pool is close to exhaustion.
D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.
Answer: A
Explanation:

QUESTION NO: 110
Which two statements are true when describing the capabilities of integrated Web filtering on branch SRX Series devices? (Choose two.)
A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.
B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow different policies to be enforced for different users.
Answer: C,D
Explanation:

QUESTION NO: 111
Which statement is true when express AV detects a virus in a TCP session?
A. TCP RST is sent and a session is restarted.
B. TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent.
D. AV scanning is restarted.
Answer: B
Explanation:

QUESTION NO: 112
Click the Exhibit button.

Which command is needed to change this policy to a tunnel policy for a policy-based VPN?
A. set policy tunnel-traffic then tunnel remote-vpn
B. set policy tunnel-traffic then permit tunnel remote-vpn
C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit
D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D
Explanation:

QUESTION NO: 113
Which two statements describe the difference between Junos software for security platforms and a traditional router? (Choose two.)
A. Junos software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. Junos software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.
C. Junos software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.
D. Junos software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.
Answer: B,C
Explanation:

QUESTION NO: 114
Using a policy with the policy-rematch flag enabled, what happens to the existing and new sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another policy. The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are completed or their timeout is reached.
Answer: A
Explanation:

QUESTION NO: 115
Which two content-filtering features does FTP support? (Choose two.)
A. block extension list
B. block MIME type
C. protocol command list
D. notifications-options
Answer: A,C
Explanation:

QUESTION NO: 116
Which statement is true about a NAT rule action of off?
A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.
Answer: C
Explanation:

QUESTION NO: 117
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone. From the [edit] hierarchy, which command do you use to configure this assignment?
A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0
Answer: C
Explanation:

QUESTION NO: 118
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host B. These connections are the only communication between Host A and Host B. The security policy configuration permits both connections. How many sessions exist between Host A and Host B?
A. 1
B. 2
C. 3
D. 4
Answer: B
Explanation:

QUESTION NO: 119
Click the Exhibit button.

A network administrator receives complaints that the application voicecube is timing out after being idle for 30 minutes. Referring to the exhibit, what is a resolution?
A. [edit]
   user@host# set applications application voicecube inactivity-timeout never
B. [edit]
   user@host# set applications application voicecube inactivity-timeout 2
C. [edit]
   user@host# set applications application voicecube destination-port 5060
D. [edit]
   user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never
Answer: A
Explanation:

QUESTION NO: 120
Which parameters are valid SCREEN options for combating operating system probes?
A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag
Answer: C
Explanation:

QUESTION NO: 121
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to be the primary node for this redundancy group. You need to verify that the redundancy group failover is successful. Which command do you use to manually test the failover?
A. request chassis cluster manual failover group 1 node 1
B. request cluster failover redundancy-group 1 node 1
C. request chassis cluster manual failover redundancy-group 1 node 1
D. request chassis cluster failover redundancy-group 1 node 1
Answer: D
Explanation:

QUESTION NO: 122
The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web filtering on the branch SRX device is fully executed within the device itself?
A. redirect Web filtering
B. integrated Web filtering
C. blacklist Web filtering
D. local Web filtering
Answer: D
Explanation:

QUESTION NO: 123
In the Junos OS, which statement is true?
A. vlan.0 belongs to the untrust zone.
B. You must configure Web authentication to allow inbound traffic in the untrust zone.
C. The zone name untrust has no special meaning.
D. The untrust zone is not configurable.
Answer: C
Explanation:

QUESTION NO: 124
Which statement is true about the SurfControl integrated Web filter solution?
A. The SurfControl server in the cloud provides the SRX device with the category of the URL as well as the reputation of the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
C. The SurfControl server in the cloud provides the SRX device with only the reputation of the URL.
D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny the URL.
Answer: B
Explanation:

QUESTION NO: 125
Click the Exhibit button.

Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10. What is causing the problem?
A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.
Answer: D
Explanation:

QUESTION NO: 126
Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user authentication, the user must first open a connection to the Junos security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a connection to the Junos security platform before connecting to a remote network resource.
C. If a Junos security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.
D. If a Junos security device is configured for Web firewall user authentication, new sessions are automatically intercepted to perform authentication.
Answer: B,C
Explanation:

QUESTION NO: 127
You want to create a security policy allowing traffic from any host in the Trust zone to hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this policy?
A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.
D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.
Answer: D
Explanation:

QUESTION NO: 128
Which three types of content filtering are supported only for HTTP? (Choose three.)
A. block Flash
B. block Java applets
C. block ActiveX
D. block EXE files
E. block MIME type
Answer: B,C,D
Explanation:

QUESTION NO: 129
Which three represent IDP policy match conditions? (Choose three.)
A. protocol
B. source-address
C. port
D. application
E. attacks
Answer: B,D,E
Explanation:

QUESTION NO: 130
Which two statements are true regarding the system-default security policy [edit security policies default-policy]? (Choose two.)
A. Traffic is permitted from the trust zone to the untrust zone.
B. Intrazone traffic in the trust zone is permitted.
C. All traffic through the device is denied.
D. The policy is matched only when no other matching policies are found.
Answer: C,D
Explanation:

QUESTION NO: 131
Which configuration shows the correct application of a security policy scheduler?
A. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn myTunnel;
               }
               scheduler-name now;
           }
       }
   }
B. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn myTunnel;
               }
           }
       }
       scheduler-name now;
   }
C. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn myTunnel;
                   scheduler-name now;
               }
           }
       }
   }
D. [edit security policies from-zone Private to-zone External]
   user@host# show
   policy allowTransit {
       match {
           source-address PrivateHosts;
           destination-address ExtServers;
           application ExtApps;
           scheduler-name now;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn myTunnel;
               }
           }
       }
   }
   scheduler-name now;
   }
Answer: B
Explanation:

QUESTION NO: 132
Which three functions are provided by the Junos OS for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Answer: A,D,E
Explanation:

QUESTION NO: 133
Which three options represent IDP policy match conditions? (Choose three.)
A. service
B. to-zone
C. attacks
D. port
E. destination-address
Answer: B,C,E
Explanation:

QUESTION NO: 134
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,B,C
Explanation:

QUESTION NO: 135
Which two statements apply to policy scheduling? (Choose two.)
A. An individual policy can have only one scheduler applied.
B. You must manually configure system-time updates.
C. Multiple policies can use the same scheduler.
D. Policies that do not have schedulers are not active.
Answer: A,C
Explanation:

QUESTION NO: 136
Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)
A. It can drop the connection at the IP address level.
B. It can block the e-mail based upon the sender ID.
C. It can allow the e-mail and bypass all UTM inspection.
D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.
Answer: A,B,E
Explanation:

QUESTION NO: 137
What are three different integrated UTM components available on the branch SRX Series devices? (Choose three.)
A. antivirus (full AV, express AV)
B. antivirus (desktop AV)
C. Web filtering
D. antispam
E. firewall user authentication
Answer: A,C,D
Explanation:

QUESTION NO: 138
You want to test a configured screen value prior to deploying. Which statement will allow you to accomplish this?
A. [edit security screen]
   user@host# show
   ids-option untrust-screen {
       alarm-test-only;
   }
B. [edit security screen]
   user@host# show
   ids-option untrust-screen {
       alarm-without-drop;
   }
C. [edit security screen]
   user@host# show
   ids-option untrust-screen {
       alarm-no-drop;
   }
D. [edit security screen]
   user@host# show
   ids-option untrust-screen {
       test-without-drop;
   }
Answer: B
Explanation:

QUESTION NO: 139
Which three contexts can be used as matching conditions in a source NAT configuration? (Choose three.)
A. routing-instance
B. zone
C. interface
D. policy
E. rule-set
Answer: A,B,C

QUESTION NO: 140
Which command shows the event and traceoptions file for chassis clusters?
A. show log chassisd
B. show log clusterd
C. show log jsrpd
D. show log messages
Answer: C

QUESTION NO: 141
Which encryption type is used to secure user data in an IPsec tunnel?
A. symmetric key encryption
B. asymmetric key encryption
C. RSA
D. digital certificates
Answer: A

QUESTION NO: 142
Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your device. You must use NAT to make the Web server reachable from the Internet using port translation. Which type of NAT must you configure?
A. source NAT with address shifting
B. pool-based source NAT
C. static destination NAT
D. pool-based destination NAT
Answer: D

QUESTION NO: 143
Which two types of attacks are considered to be denial of service? (Choose two.)
A. zombie agents
B. SYN flood
C. IP packet fragments
D. WinNuke
Answer: B,D

QUESTION NO: 144
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?
A. express AV
B. full AV
C. desktop AV
D. ICAP
Answer: B

QUESTION NO: 145
Which two statements are true about the Websense redirect Web filter solution? (Choose two.)
A. The Websense redirect Web filter solution does not require a license on the SRX device.
B. The Websense server provides the SRX device with a category for the URL and the SRX device then matches the category with its configured policies and decides to permit or deny the URL.
C. The Websense server provides the SRX device with a decision as to whether the SRX device permits or denies the URL.
D. When the Websense server does not know the category of the URL, it sends a request back to the SRX device to validate against the integrated SurfControl server in the cloud.
Answer: A,C

QUESTION NO: 146
Click the Exhibit button.

Referring to the exhibit, which statement contains the correct gateway parameters?
A.
    [edit security ike]
    user@host# show
    gateway ike-phase1-gateway {
        policy ike-policy1;
        address 10.10.10.1;
        dead-peer-detection {
            interval 20;
            threshold 5;
        }
        external-interface ge-1/0/1.0;
    }
B.
    [edit security ike]
    user@host# show
    gateway ike-phase1-gateway {
        ike-policy ike-policy1;
        address 10.10.10.1;
        dead-peer-detection {
            interval 20;
            threshold 5;
        }
        external-interface ge-1/0/1.0;
    }
C.
    [edit security ike]
    user@host# show
    gateway ike-phase1-gateway {
        policy ike1-policy;
        address 10.10.10.1;
        dead-peer-detection {
            interval 20;
            threshold 5;
        }
        external-interface ge-1/0/1.0;
    }
D.
    [edit security ike]
    user@host# show
    gateway ike-phase1-gateway {
        ike-policy ike1-policy;
        address 10.10.10.1;
        dead-peer-detection {
            interval 20;
            threshold 5;
        }
        external-interface ge-1/0/1.0;
    }
Answer: B

QUESTION NO: 147
Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)
A. integrated Web filtering
B. full AV
C. IPS
D. local Web filtering
Answer: B,C

QUESTION NO: 148
Content filtering enables traffic to be permitted or blocked based on inspection of which three types of content? (Choose three.)
A. MIME pattern
B. file extension
C. IP spoofing
D. POP3
E. protocol command
Answer: A,B,E

QUESTION NO: 149
What are three valid Juniper Networks IPS attack object types? (Choose three.)
A. signature
B. anomaly
C. trojan
D. virus
E. chain
Answer: A,B,E

QUESTION NO: 150
Which two statements are true about AH? (Choose two.)
A. AH provides data integrity.
B. AH is identified by IP protocol 50.
C. AH is identified by IP protocol 51.
D. AH cannot work in conjunction with ESP.
Answer: A,C

QUESTION NO: 151
Click the Exhibit button.

Referring to the exhibit, what is the correct proxy-id?
A. local 1.1.1.0/24, remote 2.1.1.0/24
B. local 2.1.1.0/24, remote 1.1.1.0/24
C. local 12.1.1.0/24, remote 11.1.1.0/24
D. local 11.1.1.0/24, remote 12.1.1.0/24
Answer: D

QUESTION NO: 152
On which component is the control plane implemented?
A. IOC
B. PIM
C. RE
D. SPC
Answer: C

QUESTION NO: 153
Which two packet attributes contribute to the identification of a session? (Choose two.)
A. destination port
B. TTL
C. IP options
D. protocol number
Answer: A,D

QUESTION NO: 154
Which interface is used for RTO synchronization and forwarding traffic between the devices in a cluster?
A. the st interface
B. the reth interface
C. the fxp1 and fxp0 interfaces
D. the fab0 and fab1 interfaces
Answer: D

QUESTION NO: 155
Click the Exhibit button.

In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from the match condition of the policy My Traffic. What will happen to the existing FTP and BGP sessions?
A. The existing FTP and BGP sessions will continue.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be dropped.
C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.
D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.
Answer: B

QUESTION NO: 156
Click the Exhibit button.

Given the configuration shown in the exhibit, which configuration object would be used to associate both Nancy and Walter with firewall user authentication within a security policy?
A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter
Answer: A

QUESTION NO: 157
Which two statements are true about pool-based source NAT? (Choose two.)
A. PAT is not supported.
B. PAT is enabled by default.
C. It supports the address-persistent configuration option.
D. It supports the junos-global configuration option.
Answer: B,C

QUESTION NO: 158
What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can decompress for the HTTP protocol?
A. 1
B. 4
C. 8
D. 16
Answer: B

QUESTION NO: 159
The same Web site is visited for the second time using a branch SRX Series Services Gateway configured with SurfControl integrated Web filtering. Which statement is true?
A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server provides the SRX with a category of the URL.
B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server asks the SRX device to permit the URL as it has been previously visited.
C. The SRX device looks at its local cache to find the category of the URL.
D. The SRX device does not perform any Web filtering operation as the Web site has already been visited.
Answer: C

QUESTION NO: 160
To determine whether a particular file has a virus by only inspecting a few initial packets before receiving the entire file, which UTM feature do you enable?
A. URL white lists
B. intelligent pre-screening
C. trickling
D. scan mode extensions
Answer: B

QUESTION NO: 161
Which element occurs first during the first-packet-path processing?
A. destination NAT
B. forwarding lookup
C. route lookup
D. SCREEN options
Answer: D

QUESTION NO: 162
Which statement describes the behavior of source NAT with address shifting?
A. Source NAT with address shifting translates both the source IP address and the source port of a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same translated IP address.
D. Source NAT with address shifting allows inbound connections to be initiated to the static source pool IP addresses.
Answer: B

QUESTION NO: 163
Which two statements are true about IPsec traffic? (Choose two.)
A. IPsec traffic can be forwarded when no IKE SA is present.
B. IPsec traffic can be forwarded when no IPsec SA is present.
C. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the inner IP header of the final ESP packet.
D. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the outer IP header of the final ESP packet.
Answer: A,C

QUESTION NO: 164
You must configure a SCREEN option that will protect your router from a session table flood. Which configuration meets this requirement?
A.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        icmp {
            ip-sweep threshold 5000;
            flood threshold 2000;
        }
    }
B.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        tcp {
            syn-flood {
                attack-threshold 2000;
                destination-threshold 2000;
            }
        }
    }
C.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        udp {
            flood threshold 5000;
        }
    }
D.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        limit-session {
            source-ip-based 1200;
            destination-ip-based 1200;
        }
    }
Answer: D

QUESTION NO: 165
Which two statements are true regarding high-availability chassis clustering? (Choose two.)
A. A chassis cluster consists of two devices.
B. A chassis cluster consists of two or more devices.
C. Devices participating in a chassis cluster can be different models.
D. Devices participating in a chassis cluster must be the same models.
Answer: A,D

QUESTION NO: 166
Which statement is true for interfaces residing outside of redundancy groups?
A. The interfaces cannot be mapped to security zones.
B. Only interfaces that have redundancy can be active in the chassis cluster.
C. All interfaces will be redundant if they reside on a system that is part of a chassis cluster.
D. Interfaces that are not in a redundancy group can still forward traffic, but no redundancy is available for them.
Answer: D

QUESTION NO: 167
Under which configuration hierarchy is an access profile configured for firewall user authentication?
A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]
Answer: A

QUESTION NO: 168
Which two statements are true about juniper-express-engine (express AV)? (Choose two.)
A. It does not support scan mode by extension.
B. It can detect polymorphic viruses.
C. It cannot decompress a zipped file transmitted using FTP.
D. It cannot decompress a zipped file transmitted using POP3.
Answer: A,C

QUESTION NO: 169
What are two uses of NAT? (Choose two.)
A. enabling network migrations
B. conserving public IP addresses
C. allowing stateful packet inspection
D. preventing unauthorized connections from outside the network
Answer: A,B

QUESTION NO: 170
Which three statements are true when working with high-availability clusters? (Choose three.)
A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.
Answer: C,D,E

QUESTION NO: 171
Which security or functional zone name has special significance to the Junos OS?
A. self
B. trust
C. untrust
D. junos-global
Answer: D

QUESTION NO: 172
Which statement is true regarding NAT?
A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.
Answer: A

QUESTION NO: 173
Which statement describes an ALG?
A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
Answer: B

QUESTION NO: 174
Which UTM feature requires a license to function?
A. integrated Web filtering
B. local Web filtering
C. redirect Web filtering
D. content filtering
Answer: A

QUESTION NO: 175
Which URL will match the URL pattern "www.news.com/asia"?
A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com
Answer: B

QUESTION NO: 176
What are three valid Juniper Networks IPS attack object types? (Choose three.)
A. signature
B. anomaly
C. trojan
D. virus
E. chain
Answer: A,B,E

QUESTION NO: 177
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)
A. protocol list
B. MIME
C. block list
D. extension
Answer: B,D

QUESTION NO: 178
Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
Answer: A,B,D

QUESTION NO: 179
Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)
A. It can drop the connection at the IP address level.
B. It can block the e-mail based upon the sender ID.
C. It can allow the e-mail and bypass all UTM inspection.
D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.
Answer: A,B,E

QUESTION NO: 180
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to be the primary node for this redundancy group. You need to verify that the redundancy group failover is successful. Which command do you use to manually test the failover?
A. request chassis cluster manual failover group 1 node 1
B. request cluster failover redundancy-group 1 node 1
C. request chassis cluster manual failover redundancy-group 1 node 1
D. request chassis cluster failover redundancy-group 1 node 1
Answer: D

QUESTION NO: 181
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?
A. express AV
B. full AV
C. desktop AV
D. ICAP
Answer: B

QUESTION NO: 182
Which two statements about static NAT are true? (Choose two.)
A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.
Answer: B,D

QUESTION NO: 183
Which statement is true about zone interface assignment?
A. A logical interface can be assigned to a functional zone.
B. A security zone must contain two or more logical interfaces.
C. A logical interface can be assigned to multiple security zones.
D. A logical interface can be assigned to a functional zone and a security zone simultaneously.
Answer: A

QUESTION NO: 184
You want to ensure end-to-end data connectivity through an IPsec tunnel. Which feature would you activate?
A. DPD
B. VPN monitor
C. perfect forward secrecy
D. NHTB
Answer: B

QUESTION NO: 185
In which two cases would you consider the TCP flag settings to be suspicious? (Choose two.)
A. Do-Not-Fragment flag is set.
B. Both SYN and FIN flags are set.
C. Both ACK and PSH flags are set.
D. FIN flag is set and ACK flag is not set.
Answer: B,D

QUESTION NO: 186
Which operational mode command displays all active IKE phase 2 security associations?
A. show ike security-associations
B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations
Answer: D

QUESTION NO: 187
Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)
A. integrated Web filtering
B. full AV
C. IPS
D. local Web filtering
Answer: B,C

QUESTION NO: 188
Which three security policy actions are valid? (Choose three.)
A. deny
B. allow
C. permit
D. reject
E. discard
Answer: A,C,D

QUESTION NO: 189
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Answer: A

QUESTION NO: 190
Which URL database do branch SRX Series devices use when leveraging local Web filtering?
A. The SRX Series device will download the database from an online repository to locally inspect HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local database to inspect the HTTP traffic for Web filtering.
Answer: D

QUESTION NO: 191
Your task is to provision the Junos security platform to permit transit packets from the Private zone to the External zone and send them through the IPsec VPN. You must also have the device generate a log message when the session ends. Which configuration meets this requirement?
A.
    [edit security policies from-zone Private to-zone External]
    user@host# show
    policy allowTransit {
        match {
            source-address PrivateHosts;
            destination-address ExtServers;
            application ExtApps;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN;
                }
            }
            log {
                session-init;
            }
        }
    }
B.
    [edit security policies from-zone Private to-zone External]
    user@host# show
    policy allowTransit {
        match {
            source-address PrivateHosts;
            destination-address ExtServers;
            application ExtApps;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN;
                }
            }
            count {
                session-close;
            }
        }
    }
C.
    [edit security policies from-zone Private to-zone External]
    user@host# show
    policy allowTransit {
        match {
            source-address PrivateHosts;
            destination-address ExtServers;
            application ExtApps;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN;
                }
            }
            log {
                session-close;
            }
        }
    }
D.
    [edit security policies from-zone Private to-zone External]
    user@host# show
    policy allowTransit {
        match {
            source-address PrivateHosts;
            destination-address ExtServers;
            application ExtApps;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn VPN;
                    log;
                    count session-close;
                }
            }
        }
    }
Answer: C

QUESTION NO: 192
Which two statements are true for a security policy? (Choose two.)
A. It controls inter-zone traffic.
B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.
Answer: A,B

QUESTION NO: 193
Which command would you use to enable chassis clustering on an SRX device, setting the cluster ID to 1 and node to 0?
A. user@host# set chassis cluster cluster-id 1 node 0 reboot
B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
D. user@host# set chassis cluster id 1 node 0 reboot
Answer: C

QUESTION NO: 194
Which three advanced permit actions within security policies are valid? (Choose three.)
A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.
Answer: A,C,E

QUESTION NO: 195
Which type of Web filtering by default builds a cache of server actions associated with each URL it has checked?
A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering
Answer: B

QUESTION NO: 196
On which component is the control plane implemented?
A. IOC
B. PIM
C. RE
D. SPC
Answer: C

QUESTION NO: 197
When an SRX Series device receives an ESP packet, what happens?
A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the packet.
Answer: C

QUESTION NO: 198
You are required to configure a SCREEN option that enables IP source route option detection. Which two configurations meet this requirement? (Choose two.)
A.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        ip {
            loose-source-route-option;
            strict-source-route-option;
        }
    }
B.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        ip {
            source-route-option;
        }
    }
C.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        ip {
            record-route-option;
            security-option;
        }
    }
D.
    [edit security screen]
    user@host# show
    ids-option protectFromFlood {
        ip {
            strict-source-route-option;
            record-route-option;
        }
    }
Answer: A,B

QUESTION NO: 199
Which two statements are true about route-based VPNs? (Choose two.)
A. Route-based VPNs cannot be used to configure remote access or dialup VPNs.
B. The from-zone and to-zone, for a security policy to permit traffic over a route-based VPN, are derived from the zone in which the protected network lies and the zone in which the IKE interface lies.
C. system services ike must be enabled on the st0.x interface.
D. You cannot re-write the DSCP bits on the inner IP header of an ESP packet that was created or forwarded using a route-based VPN.
Answer: A,D

QUESTION NO: 200
What is the purpose of an address book?
A. It holds security policies for particular hosts.
B. It holds statistics about traffic to and from particular hosts.
C. It defines the hosts in a zone so they can be referenced by policies.
D. It maps hostnames to IP addresses to serve as a backup to DNS resolution.
Answer: C

QUESTION NO: 201
Which two traffic types trigger pass-through firewall user authentication? (Choose two.)
A. SSH
B. ICMP
C. Telnet
D. FTP
Answer: C,D

QUESTION NO: 202
How does the antivirus feature operate once the antivirus license has expired?
A. Any traffic matching a UTM policy will be dropped.
B. Any traffic matching a UTM policy will be permitted.
C. Any traffic matching a UTM policy will be correctly evaluated with the existing set of antivirus signatures.
D. Any traffic matching a UTM policy will be permitted with a log message of no inspection.
Answer: C

QUESTION NO: 203
What are two valid match conditions for source NAT? (Choose two.)
A. port range
B. source port
C. source address
D. destination address
Answer: C,D

QUESTION NO: 204
Which two configuration elements are required for a policy-based VPN? (Choose two.)
A. IKE gateway
B. secure tunnel interface
C. security policy to permit the IKE traffic
D. security policy referencing the IPsec VPN tunnel
Answer: A,D

QUESTION NO: 205
Which two statements are true for both express antivirus and full file-based antivirus? (Choose two.)
A. Signature updates of the pattern database are obtained from Symantec.
B. Intelligent prescreening functionality is identical in both express antivirus and full antivirus.
C. Both express antivirus and full file-based antivirus use the same scan engines.
D. The database pattern server is available through both HTTP and HTTPS.
Answer: B,D

QUESTION NO: 206
Which statement is true about interfaces, zones, and routing-instance relationships?
A. All interfaces in a zone must belong to the same routing instance.
B. All interfaces in a routing instance must belong to the same zone.
C. All interfaces in a zone must be in inet.0.
D. Each interface in a VR must belong to a unique security zone.
Answer: A

QUESTION NO: 207
What do you use to group interfaces with similar security requirements?
A. zones
B. policies
C. address book
D. NAT configuration
Answer: A

QUESTION NO: 208
Which statement is true when express AV detects a virus in a TCP session?
A. A TCP RST is sent and the session is restarted.
B. The TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent.
D. AV scanning is restarted.
Answer: B

QUESTION NO: 209
Which statement describes the behavior of a security policy?
A. The implicit default security policy permits all traffic.
B. Traffic destined to the device itself always requires a security policy.
C. Traffic destined to the device's incoming interface does not require a security policy.
D. The factory-default configuration permits all traffic from all interfaces.
Answer: C

QUESTION NO: 210
What are two rulebase types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt
Answer: A,D

QUESTION NO: 211
Click the Exhibit button.

Which type of source NAT is configured in the exhibit?
A. interface-based source NAT
B. static source NAT
C. pool-based source NAT with PAT
D. pool-based source NAT without PAT
Answer: A

QUESTION NO: 212
Click the Exhibit button.

-- Exhibit --
user@host> show security utm web-filtering statistics
UTM web-filtering statistics:
    Total requests:                  298171
    white list hit:                  0
    Black list hit:                  0
    Queries to server:               17641
    Server reply permit:             14103
    Server reply block:              3538
    Custom category permit:          0
    Custom category block:           0
    Cache hit permit:                171020
    Cache hit block:                 109510
    Web-filtering sessions in total: 4000
    Web-filtering sessions in use:   0
    Fallback:                        log-and-permit    block
        Default                      0                 0
        Timeout                      0                 0
        Connectivity                 0                 0
        Too-many-requests            758               0
-- Exhibit --

Which two statements are true about the output shown in the exhibit on the branch SRX device? (Choose two.)
A. Redirect Web filtering is being used.
B. Integrated Web filtering is being used.
C. At some point the SRX had more than 4000 concurrent Web sessions.
D. Local Web filtering is being used.
Answer: B,C

QUESTION NO: 213
Click the Exhibit button.

-- Exhibit --
[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
    match {
        source-address subnet_a;
        destination-address host_b;
        application [ junos-telnet junos-ping ];
    }
    then {
        reject;
    }
}
policy one {
    match {
        source-address host_a;
        destination-address subnet_b;
        application any;
    }
    then {
        permit;
    }
}
-- Exhibit --

host_a is in subnet_a and host_b is in subnet_b. Given the configuration shown in the exhibit, which two statements are true about traffic from host_a to host_b? (Choose two.)
A. DNS traffic is denied.
B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is denied.
Answer: B,D

QUESTION NO: 214
Review below:

[edit security nat destination]
user@host# show
pool A {
    address 10.1.10.5/32;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}

Which type of NAT is configured in the exhibit?
A. static destination NAT
B. static source NAT
C. pool-based destination NAT without PAT
D. pool-based destination NAT with PAT
Answer: C
