Number: JN0-632
Passing Score: 800
Time Limit: 120 min
File Version: 6.1
http://www.gratisexam.com/
Juniper JN0-632
Exam A
QUESTION 1
You are concerned about the latency introduced in processing packets through the IPS signature database and
want to configure the SRX Series device to minimize latency. You decide to configure inline tap mode.
A. When packets pass through for firewall inspection, they are not copied to the IPS module.
B. Packets passing through the firewall module are copied to the IPS module for processing as the packets
continue through the forwarding process.
C. Traffic that exceeds the processing capacity of the IPS module will be dropped.
D. Traffic that exceeds the processing capacity of the IPS module will be forwarded without being inspected by
the IPS module.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation: Inline tap mode is supported in 10.2. It has a positive impact on performance and is only supported in dedicated mode. Processing is essentially the same as in dedicated inline mode; however, instead of flowd simply placing the packet in the IDPD queue to be processed, it makes a copy of the packet, puts the copy in the queue, and forwards the original packet without waiting for IDPD to perform the inspection. This means that IDP is not a bottleneck for performance. The one limitation of this feature is that some attacks, such as single-packet attacks, may pass through the SRX without being blocked. However, even though single-packet attacks may not be blocked, most attacks will be, and even when an attack is let through, the SRX can still close down the session and even send TCP resets if the protocol is TCP and the Close Connection option is set.
QUESTION 2
You create a custom attack signature with the following criteria:
-- HTTP Request:
-- Pattern: *\x<404040...40
A. FTP GET.,\x404040...40
B. HTTP GET *\404040..40
C. HTTP POST.*\x404040...40
D. HTTP GET *\x4040401.40
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Signature-based attack objects are the most common form of attack object to configure. This is where you use regular-expression matching to define which attack objects should be matched by the detector engine. The provided regular expression matches an HTTP GET request containing *\x4040401..40. Here \x introduces hex-based byte values, and . matches any single character.
QUESTION 3
Click the Exhibit button.
A. It blocks TCP connection from a host when more than 1000 successive TCP connections are received
B. It blocks TCP connections for a host when more than 1000 connections are received within 3600 seconds.
C. It blocks TCP connection attempts from a host when more than 10 connection attempts are made within
1000 microseconds.
D. It blocks TCP connections from the host for 1000 seconds when a host is identified as a TCP scan source
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: The command prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan for available services. The attack succeeds if a port responds. To prevent this attack, the device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the device flags this behavior as a port scan attack and rejects further packets from the remote source.
QUESTION 4
Click the Exhibit button.
In the exhibit, Customer A and Customer B connect to the same SRX Series device. ISP1 and ISP2 are also
directly connected to the SRX device. Customer A's traffic must use ISP1, and Customer B's traffic must use
ISP2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 5
You must configure a site-to-site VPN connection between your company and a business partner. The security
policy of your organization states that the source of incoming traffic must be authenticated by a neutral party to
prevent spoofing of an unauthorized source gateway.
Explanation/Reference:
Explanation:
QUESTION 6
Company A and Company B are using the same IP address space. You are using static NAT to provide dual
translation between the two networks.
Which two additional requirements are needed to fully allow end-to-end communication? (Choose two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.fr/techpubs/en_US/junos10.4/topics/example/nat-twice-configuring.html
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf
QUESTION 7
Your company is deploying a new WAN that uses transport over a private network infrastructure to provide an
any-to-any topology. Your manager is concerned about the confidentiality of data as it crosses the WAN.
Scalability of the SRX Series device's ability to perform IKE key exchanges is a key consideration.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: http://juniper.fr/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45780.html
QUESTION 8
Click the Exhibit button.
Senior management reports that your company's network is being attacked by hackers exploiting a recently announced vulnerability. The attack is not being detected by the IDP on your SRX Series device. You suspect that your attack database is out of date. You check the version of the attack database and discover it is several weeks old. You configured your device to download updates automatically as shown in the exhibit.
A. Change the interval to daily by adding set automatic interval 1 to the configuration and commit the change.
B. Enable the automatic updates by adding set automatic enable to the configuration and commit the change.
C. Set the time zone on your device.
D. Change the URL of the update site to use https:// instead of http://.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 9
You obtained a license file from Juniper Networks for the SRX Series Services Gateway IPS feature set. You
want to install the license onto the SRX Series device.
A. The license file is automatically downloaded from the online license server, you need not do anything.
B. Transfer the file to the SRX Series device using FTP or SCP and install the license with the request system
license add <filename> command.
C. The license file must be decrypted with the openssl utility before being installed on the SRX Series device.
D. Transfer the file to the SRX firewall using FTP or SCP and install the license with the request system license
install-permanent command.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.1/topics/reference/command-summary/request-system-license-add.html
QUESTION 10
You have been asked to configure a signature to block an attack released by a security vulnerability reporting
agency.
Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/nsm2011.1/topics/task/configuration/attack-signature-attack-object-creating-nsm.html
QUESTION 11
In a group VPN the members rekey with the server using the Unicast PUSH method.
A. KEK
B. IPSec SA
C. TEK
D. IKE SA
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: It is true that the Key Encryption Key (KEK) is used to encrypt rekey messages. But at the same time, GDOI exchanges in Phase 2 must be protected by ISAKMP Phase 1 SAs, and the GDOI groupkey-push exchange is one of the two types of GDOI exchanges: groupkey-pull and groupkey-push.
QUESTION 12
Which two configuration tasks should you use to implement filter-based forwarding? (Choose two.)
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/routing-configuring-filter-based-forwarding.html
QUESTION 13
Your corporate network consists of a central office and four branch offices. You are responsible for coming up
with an effective solution to provide secure connectivity between the sites.
Explanation/Reference:
Reference:
http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/vpn-hub-spoke-topologies-one-interface.html
QUESTION 14
Click the Exhibit button.
The client is downloading a file from the FTP server. The FTP control channel is established using a security policy named trust-to-untrust.
Which statement is correct about the output in the exhibit regarding the data channel?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 15
You want to verify how many security policies will match FTP traffic from source address 1.1.1.1 port 55000 to destination address 2.2.2.2 port 21.
A. show security match-policy from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count
B. test security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count
C. show security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count
D. show security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol udp result-count
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/cli-reference/junos-security-cli-reference.pdf
QUESTION 16
Click the Exhibit button.
The exhibit shows an IPSec tunnel configuration. In an effort to increase the security of the tunnel, you must
configure the tunnel to negotiate a new tunnel key during IKE phase 2.
How can the configuration be changed to accommodate this requirement?
A. A new tunnel key is negotiated by default during phase 2; no configuration change is necessary.
B. PFS must be added to the IKE policy pol-ike.
C. PFS must be added to the IPSec policy pol-IPSec.
D. A new tunnel key cannot be negotiated in IKE phase 2 with route-based IPSec VPNs; a policy-based IPSec VPN must be
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: PFS is a method for deriving Phase 2 keys that are independent from and unrelated to the preceding keys. Without PFS, the Phase 1 proposal creates the key (the SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party gains access to the SKEYID_d key, all your encryption keys are compromised. PFS addresses this security risk by forcing a new DH key exchange to occur for each Phase 2 tunnel. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
QUESTION 17
You configured all the required parameters to allow IPv6 address book entries. You successfully committed the
configuration. You noticed that IPv4 traffic is still working as expected, but IPv6 traffic is being dropped.
A. IPv4 and IPv6 address book entries will not work together
B. IPv6 flow-based mode must be enabled.
C. The SRX device must be rebooted.
D. IPv6 policy-based mode must be enabled.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
[edit security forwarding-options]
diriger# set family inet6 mode flow-based
[edit security forwarding-options]
diriger# exit
[edit]
diriger# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
[edit]
Reference:
http://blog.kramse.org/blojsom/blog/default/IPv6/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding?smm=y
http://blog.kramse.org/blojsom/blog/default/IPv6/JUNOS-software-on-SRX-basic-IPv6-configuration?smm=y
QUESTION 18
Given the session shown below:
Which statement is true?
A. The session indicates that destination NAT with no port translation is taking place.
B. The session indicates that no NAT is taking place.
C. The session indicates that source NAT is taking place.
D. The session indicates that destination NAT with port translation is taking place.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: The output of the command shows that the TCP packet with source IP 10.1.0.13, source TCP port 52939, destination IP 207.17.137.229 and destination port 80 is entering interface ge-0/0/5.0, and that the reverse wing is created for the same session with source IP 172.19.101.42, source TCP port 2132, destination IP 207.17.137.229 and destination TCP port 80. So the source IP 10.1.0.13 is translated to 172.19.101.42, which is source NAT.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/show-security-flow-session.html#jd0e143381
QUESTION 19
What are two implementations of NAT? (Choose two.)
A. source NAT
B. group NAT
C. filter-based NAT
D. destination NAT
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A - Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.
D - Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).
Reference:
http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/nat-security-source-and-destination-nat-translation-configuring.html
http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/network-address-translation-overview.html
QUESTION 20
You are notified that a particular application passing through a SRX3600 is not working properly. A request has
been made to provide a packet capture of the application traffic as it egresses the SRX device.
What is required to capture the transit application traffic on the egress interface?
A. Create a firewall filter with the action packet-capture and apply the firewall filter to the egress interface.
B. Create a firewall filter with the action packet-mode and apply the firewall filter to the egress interface.
C. Execute the operational mode command monitor traffic interface and specify the egress interface.
D. Configure the data path-debug capture parameters and start the packet capture from operational mode.
E. Create a firewall filter with action sample and apply the firewall filter to the egress interface.
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Explanation: See reference for details.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
QUESTION 21
The SRX Series device is configured for source NAT. The source IP address will be translated to 1.1.1.1. A
packet with a source address of 21.21.21.21 and destination address of 31.1.1.1 arrives at the SRX Series
device.
A. a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of 31.1.1.1
B. a policy in which the match criteria has a source address of 1.1.1.1 and a destination address of
21.21.21.21
C. a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of
1.1.1.1
D. a policy in which the match criteria has a source address of 31.1.1.1 and a destination address of 1.1.1.1
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 22
You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through
routing-instance Juniper2 without sharing all the routes between the two instances.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 23
You want to implement a chassis cluster using SRX650s in your network. Your manager has informed you that
the nodes participating in the chassis cluster will reside in remote locations.
Which two statements represent valid considerations for this deployment scenario? (Choose two.)
A. The latency between the participating nodes cannot exceed 300 ms.
B. The links supporting the control and fabric links should all be 1 Gbps or higher.
C. The same physical path supporting the control and fabric links should be used.
D. The paths supporting the control and fabric links should use segregated virtual paths
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation: After configuring the SRX650 HA chassis cluster, ge-0/0/0 is reserved for fxp0 (out-of-band management), ge-0/0/1 for the control link, and one more port (most commonly ge-0/0/2) for the fabric link. In most SRX Series devices in a chassis cluster, you can configure any pair of Gigabit Ethernet interfaces or any pair of 10-Gigabit interfaces to serve as the fabric between nodes. If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the corresponding switch ports. If both of the fabric links are connected through the same switch, the RTO-and-probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN. Here too, the jumbo frame feature must be enabled on the corresponding switch ports.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabric-configuring-cli.html
QUESTION 24
Access to a Web server is being severely interrupted after configuring SCREEN parameters. The intent of the
IT group was to mitigate SYN flood attacks by dropping connections aggressively if the
number of SYN packets to the server exceeded 1000 packets per second.
Which two SCREEN settings will resolve the issue? (Choose two.)
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-68220.html#id-68220
QUESTION 25
What are two valid chassis cluster implementations? (Choose two.)
A. active/active
B. online/offline
C. active/passive
D. passive/passive
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation: There are only two options: active/active and active/passive. See reference.
Reference:
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/activeactive-full-mesh-chassis-cluster-scenario.html
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/activepassive-chassis-cluster-scenario.html
QUESTION 26
What describes the NULL scan and how would you effectively mitigate it?
A. A NULL scan attack consists of a series of packets that have source port 0 and various destination ports set. They can be minimized with SCREEN options, such as set security screen ids-option foo tcp-no-null and udp-no-null.
B. A NULL scan attack is an attack targeting port of the remote device's TCP/IP stack. set security idp sensor-
configuration flow no-allow-tcp-without-flow.
C. A NULL scan attack uses packets with no flags set and you can minimize it with SCREEN options, set
screen ids-option foo tcp tcp-no-flag.
D. A NULL attack is making use of UDP packets that just contain "0" characters in their payload; a stateless
firewall filter can help to mitigate this attack.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A normal TCP segment header has at least one control flag set. A TCP segment with no control flags set is an anomalous event. Because different operating systems respond differently to such anomalies, the response (or lack of response) from the targeted device can provide a clue as to the type of OS it is running.
Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/id-91902.html#id-20336
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/jd0e96963.html
QUESTION 27
Click the Exhibit button.
In the process of securing your network from network reconnaissance, you notice that a large number of
random packets are destined for unused segments on your network.
Referring to the exhibit, how should you secure the borders from these attacks while allowing legitimate traffic
to pass through?
A. Configure SYN fragment protection to prevent these types of packets from entering the network.
B. Configure IP sweep protection to rate-limit the number of allowed packets.
C. Configure TCP sweep protection to rate-limit the number of allowed packets to enter
D. Configure the teardrop screen to prevent these types of packets from entering your network.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port on the device is open, which makes the port vulnerable to attack. The TCP Sweep SCREEN option restricts session establishment between the source IP (the attacker) and the destination IP (the target device) based on the number of attempts made by the attacker within a particular timeframe. The default threshold is 50 packets per second. If the number of attempts exceeds 50, the security device does not establish the connection. You can set the threshold to a value between 1 and 5000 packets per second.
Reference: http://help.juniper.net/help/english/6.2.0/zone_ids_edit_cnt.htm
QUESTION 28
You have been asked to configure a signature to block an attack released by a security vulnerability reporting agency.
Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/idp5.1/topics/task/configuration/intrusion-detection-prevention-signature-attack-object-creating-nsm.html
QUESTION 29
In a group VPN topology, you have three members A, B, and C. You want A to communicate with B using a different encryption key from the one it uses to communicate with C.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500202-en.pdf
QUESTION 30
What is the primary function of Junos Intrusion Prevention System (IPS)?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: The IPS feature list includes:
Stateful Signature Detection: Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context, minimizing false positives.
Protocol Anomaly Detection: Protocol usage is verified against published RFCs to detect any violations or abuse, proactively protecting the network from intrusions and even undiscovered vulnerabilities.
Traffic Anomaly Detection: Heuristic rules provide detection of unexpected traffic patterns that may suggest reconnaissance or attacks. This intrusion prevention system proactively prevents reconnaissance activities and blocks distributed denial of service (DDoS) attacks.
Role-Based Administration: More than 100 different activities can be assigned as unique permissions for different administrators, streamlining business operations by logically separating and enforcing roles of various administrators.
Intrusion Prevention System functions conform to business operations: Enable logical separation of devices, policies, reports, and other management activities to group devices based on business practices.
Reference:
http://www.juniper.net/as/en/products-services/software/router-services/ips/
QUESTION 31
Click the Exhibit button.
A junior network administrator has configured an inbound destination NAT to an internal server translating a
public IP to an RFC1918 IP address on the internal network. After configuring NAT and the policy to permit this
connectivity, the junior administrator is unable to get this to work.
Traffic never gets to the internal server.
Based upon the configuration in the exhibit, what is needed to resolve the problem?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: The destination address in policy permit-web-dmz should be 10.1.1.11/32.
QUESTION 32
In a group VPN a group member can reach the key server 100.0.0.3 using the interface ge-0/0/5. It can reach
all other group members using the interface ge-0/0/7. The IP address of ge-0/0/5 is 1.1.1.1 and the IP address
of ge-0/0/7 is 2.2.2.1.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: The correct answer should have:
QUESTION 33
You are implementing a chassis cluster and adding the cluster to your multicast domain. Which two statements
are valid considerations for this implementation scenario? (Choose two.)
A. Multicast sessions are only maintained on the primary node in the cluster and will not be maintained during
a failover scenario.
B. Multicast sessions are synchronized on both nodes within the cluster and will be maintained during a
failover scenario.
C. The ppe and ppd interfaces are used to enable a cluster to act as a rendezvous point (RP) or first hop
router in the multicast domain.
D. The pe and pd interfaces are used to enable a cluster to act as a rendezvous point (RP) or first hop router in
the multicast domain.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation: Multicast protocols are supported in chassis clustering for all SRX Series and J Series devices. J Series devices support pd and pe interfaces, and SRX Series devices support ppd and ppe interfaces. If PIM sparse mode is enabled on any router (potentially a PIM sparse-mode source DR) and a Tunnel Services PIC is present on the router, a PIM register encapsulation interface, or pe interface, is automatically created for each RP address; it is used to encapsulate source data packets and send them to the respective RP addresses on the PIM DR as well as the PIM RP. The pe interface receives PIM register messages and encapsulates them by means of the hardware.
Reference:
https://www.thenewnetworkishere.com/techpubs/en_US/junos10.3/information-products/topic-collections/release-notes/10.3/topic-47950.html
QUESTION 34
Click the Exhibit button.
In the exhibit, a site-to-site IPSec tunnel between the chassis cluster and the remote SRX240 device will not establish. The chassis cluster and the remote SRX240 device are using their loopback interfaces for IPSec tunnel termination.
A. Site-to-site IPSec VPNs are not supported on a chassis cluster; a GRE tunnel must be used instead.
B. Loopback interface IPSec tunnel termination is not supported on high-end SRX Series chassis clusters; use
the reth0 interface instead.
C. Site-to-site IPSec VPNs between high-end SRX Series chassis clusters and branch SRX devices are not supported. The SRX240 device must be replaced with a high-end SRX device.
D. Loopback interface IPSec tunnel termination within a chassis cluster must have PFS enabled. Configure PFS on both ends of the IPSec tunnel.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-43738.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB14371
QUESTION 35
In terms of application and protocol recognition, how does the IPS engine inspect the traffic?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 36
Click the Exhibit button.
In the exhibit, traffic from the client is routed to Server A by default. You have just implemented filter-based forwarding to redirect specific traffic from the client to Server B. Server B will then send that traffic to Server A. After finalizing this implementation, you notice that reverse traffic from Server A back to the client is being dropped.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: http://juniper.ilkom.unsri.ac.id/stepbystep/Junos%20Security.pdf
QUESTION 37
Your company has installed a new transparent proxy server that it wants all employee traffic to traverse before
taking the default route to the Internet. The proxy server is within two DMZ zones from the SRX Series device,
which means your SRX device must now have two default routes:
one to the proxy DMZ and one to the Internet from the proxy DMZ.
What can you do to get the traffic to flow to the transparent proxy DMZ, and then from the proxy DMZ to the
Internet, regardless of the destination or port?
A. Configure two static default floating routes: one from the employee zone to the ingress proxy DMZ and a
second from the egress proxy DMZ to the Internet.
B. Configure two separate routing instances: one instance for the employee zone to the ingress proxy DMZ
and the second for the egress proxy DMZ to the Internet.
C. Configure security policies that will route all traffic to the ingress proxy DMZ then traffic will follow the default
route to the Internet from the egress proxy DMZ.
D. Configure a rib-group to handle the two default routes between the ingress and egress zones of the new
proxy.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 38
You are configuring a hub-and-spoke VPN topology between an SRX Series device deployed at the hub site
and several non-Juniper devices at spoke sites. You have decided to use static routes on the hub device to
make the spoke network reachable.
A. Use the NHTB protocol to ensure that automatic tunnel bindings are created.
B. Add static next-hop tunnel bindings on the spoke devices for the hub networks.
C. Configure proxy IDs for the remote networks on the hub device.
D. Add static next-hop tunnel bindings on the hub device for the spoke networks.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Multipoint_VPN_with_NHTB_12.pdf
QUESTION 39
Click the Exhibit button.
A user complains that they cannot reach a destination host using Telnet. The user expresses concern that the
SRX Series device is blocking the connection attempt. You check the security policy log on the SRX device and
see the entry shown in the exhibit.
Based on the security policy log entry, which three statements describe why the user is unable to use Telnet to
reach the destination host? (Choose three.)
Explanation/Reference:
Explanation: Based on the security policy log entry, we can confirm that the "allow-telnet" security policy is configured on the SRX device and that the SRX device does not receive any packets from the remote Telnet server, as both server-packets and server-bytes are zero. So the possible options are B, C, and D.
Reference: http://www.juniperforum.com/index.php?topic=10131.0
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/junos-security-swconfig-security.pdf
QUESTION 40
You have a problem with an FTP session that will not establish through your SRX240 device. You confirmed
that routing and security policies are correct. You want to capture packets to further troubleshoot the problem.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Reference:
http://forums.juniper.net/t5/SRX-Services-Gateway/packet-capture-on-Juniper-SRX210/td-p/102454
QUESTION 41
You have been asked to add a dynamic VPN to your SRX650. This dynamic VPN must be able to support five
users at the same time.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation: When a dynamic VPN user negotiates an AutoKey IKE tunnel with a preshared key, aggressive
mode must be used. Therefore, you must always use aggressive mode with the dynamic VPN feature.
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/ipsec-vpn-overview.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/vpn-dynamic-config-overview.html
QUESTION 42
Click the Exhibit button
The exhibit shows a configuration for two IPSec tunnels. The tunnel ipsec-vpn-primary is being used as the
primary tunnel, and the tunnel ipsec-vpn-backup is being used as the backup tunnel. The remote device is not a
Juniper Networks device. When a link failure occurs in the path that supports the primary tunnel, traffic is
black-holed for many minutes before the backup tunnel is used.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/software/junos/junos94/swconfig-services/configuring-the-remote-address-and-backup-remote-address.html
QUESTION 43
Click the Exhibit button.
You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between
SRX Series devices. You notice the error in the log shown in the exhibit.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Most likely the Phase 1 pre-shared keys do not match.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101
QUESTION 44
Click the Exhibit button
In the exhibit, two SRX240 devices form a chassis cluster. Node 0 is primary for RG 1, and interface monitoring
is configured to fail primacy over to Node 1 in the event interface ge-5/0/3 goes down. However, when interface
ge-5/0/3 goes down, Node 0 retains primacy for RG 1.
Which two statements describe why Node 0 retained primacy for RG 1? (Choose two)
A. The ge-5/0/3 interface belongs to Node 1 which is in a secondary state so no failover is necessary.
B. Node 0 has a priority of 254, but it will not switch unless an additional interface goes down.
C. Node 1 has a priority of 0 and is not eligible to take primacy of RG 1.
D. The ge-5/0/3 interface belongs to Node 1 and the priority was subtracted from Node 1.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference: http://answers.oreilly.com/topic/2040-how-to-initially-troubleshoot-a-junos-chassis-cluster/
QUESTION 45
You want to implement an IPS rule base action in which matching traffic is dropped.
A. no-action
B. drop-packet
C. accept
D. notification
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Actions specify what you want IDP to do when the monitored traffic matches the attack objects specified in the rules. The following table shows the actions you can specify for IDP rules:
Note that drop-packet discards only the matching packet and leaves the session in place, whereas drop-connection discards every packet of the connection; the close-client, close-server and close-client-and-server actions additionally send TCP resets.
Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/understand-rule-action-section.html#understand-rule-action-section
QUESTION 46
Which two protocols are supported by Application Layer Gateways (ALGs) on SRX Series devices? (Choose
two.)
A. FTP
B. HTTP
C. SIP
D. SNMP
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A - FTP negotiates the data-connection port number inside the TCP payload; this requires an ALG.
C - SIP carries contact and media addressing inside the UDP payload; this requires an ALG.
Reference:
http://www.juniper.net/techpubs/en_US/nsm2010.4/topics/reference/specifications/security-service-firewall-alg-protocol-enable-disable-overview.html
http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/feature-support-reference/junos-security-feature-support-guide.pdf
QUESTION 47
Click the Exhibit button
Your company uses a custom-built application that uses RSH. You have configured a new application definition
to support it on your SRX Series device as shown in the exhibit, and you applied the application to the relevant
security policy. After you commit the configuration, users report that they can no longer interact with remote
devices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/services-configuring-application-protocol-properties.html?searchid=1320265916617
QUESTION 48
Which two protection mechanisms are supported on SRX Series Services Gateways? (Choose two)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation: The IDP system detects Layer 2 attacks by defining implied rules on the IDP Sensor. By default,
the IDP has ARP spoof detection enabled. You can configure an interface to reject G-ARP requests and replies
based on your security concerns. Accepting gratuitous ARP requests and replies might make the network
vulnerable to ARP spoofing attacks.
The backdoor rulebase protects your network from mechanisms installed on a host computer that facilitate
unauthorized access to the system. Attackers who have already compromised a system typically install
backdoors (such as Trojans) to make future attacks easier. When attackers send and retrieve information to
and from the backdoor program (as when typing commands), they generate interactive traffic that IDP can
detect.
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB7443&actp=search&viewlocale=en_US&searchid=1248336689499#
http://www.juniper.net/techpubs/software/management/security-manager/nsm2008_2/nsm-intrusion-detection-prevention-device-guide.pdf
QUESTION 49
Your new employer has contacted you because the company's Web servers located in the DMZ (dmz zone) are
not reachable from the Internet (untrust zone). After examining the configuration from the previous
administrator, you determine that the problem must be with the NAT configuration. The servers have the
internal IP addresses 172.14.14.9/24 and 172.14.14.10/24.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/nat-security-destination-address-port-translation-configuring.html
QUESTION 50
You have a VoIP application that requires external sessions to be initiated into your environment. Your network
only has a single public IP address configured on the egress interface.
Which two parameters must be configured for your application to work properly? (Choose two)
A. port-oversubscription off
B. persistent-nat
C. overflow-pool interface
D. port-overloading off
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/cli-reference/junos-security-cli-reference.pdf
QUESTION 51
You configure an SRX Series chassis cluster with graceful restart support for the configured routing protocols.
When testing your cluster failover in a large, multivendor lab environment, you notice that most of the BGP and
OSPF neighbors remain adjacent, whereas a few other neighbors drop the adjacency with your cluster during
the cluster failover test. You notice that the OSPF and BGP neighbors that drop the adjacencies are always the
same.
A. The OSPF/BGP neighbors in question have misconfigured hello/dead interval timers, which causes the
connection to flap during the failover.
B. The OSPF/BGP neighbors in question are not running in GR helper mode, which causes the adjacencies to
flap.
C. The local SRX cluster devices have misconfigured OSPF/BGP hello/dead interval timers, which cause the
connections to flap during the failover.
D. The local SRX cluster devices are not running in GR helper mode, which causes the adjacencies to flap.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: When a router is running graceful restart and stops sending and replying to protocol liveness
messages (hellos), its neighbors assume a graceful restart is in progress and start a timer to monitor the
restarting router. During this interval, helper routers do not process an adjacency change for the router that
they assume is restarting, but continue active routing with the rest of the network. The helper routers assume
that the router can continue stateful forwarding based on the last preserved routing state during the restart. If
the router was actually restarting and is back up before the grace period expires in all of the helper routers, the
helper routers provide the router with the routing table, topology table, or label table (depending on the
protocol), exit the grace period, and return to normal network routing. A neighbor that is not running in helper
mode treats the missing hellos as an ordinary failure and tears down the adjacency, which is why the same
neighbors fail on every failover test.
QUESTION 52
Click the Exhibit button.
You are configuring a hub-and-spoke VPN in your company network. Connectivity between the branches and
company headquarters is not working.
Referring to the configuration excerpt shown in the exhibit, which statement is correct?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Policy-based VPNs are primarily used for simple site-to-site VPNs and for remote access VPNs.
For hub-and-spoke topologies, route-based VPNs should be used.
QUESTION 53
You want to limit attacks on TCP ports.
A. TCP/IP scan
B. SYN scan
C. SYN/SYN scan
D. FIN/ACK scan
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation: A port scan occurs when one source IP address sends IP packets containing TCP SYN segments
to a defined number of different ports at the same destination IP address within a defined interval (5000
microseconds is the default). The purpose of this attack is to scan the available services in the hope that at
least one port will respond, thus identifying a service to target.
Normally, TCP segments with the FIN flag set also have the ACK flag set (to acknowledge the previous packet
received). Because a TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, there
is no uniform response to it: one OS might respond by sending a TCP segment with the RST flag set, another
might ignore it completely. The victim's response can therefore give the attacker a clue to its OS. (Other
purposes for sending a TCP segment with only the FIN flag set are to evade detection while performing
address and port scans, and to evade defenses on guard for a SYN flood by performing a FIN flood instead.)
QUESTION 54
Click the Exhibit button.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The client connects to WEB server 207.17.137.229. The reverse flow shows that destination IP is changed
from 10.1.0.13 to 172.19.101.42. This indicates that source NAT is in place.
QUESTION 55
Two high-end SRX Series devices are configured in a chassis cluster, but interchassis communication is
problematic and intermittent. Node 0 has SPCs located in slots 1, 2, 5, and 10 and has IOCs located in slots 3
and 4. Node 1 has SPCs located in slots 13, 14, 18, and 22 and has IOCs located in slots 15 and 16.
A. The IOCs must be placed in the first two slots on each node.
B. The SPCs must all be placed in consecutive slots on each node.
C. The IOC slots being used do not align between nodes,
D. The SPC slots being used do not align between nodes.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Both SRX devices are required to have the same number and location of SPCs and Network
Processing Cards (NPCs). This is required because the SPUs talk to their peer SPU in the same FPC and PIC
location. Here slot 5 on Node 0 corresponds to slot 17 on Node 1, but Node 1 has that SPC in slot 18.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 543.
QUESTION 56
Click the Exhibit button.
Which two statements are true based on the configuration shown in the exhibit? (Choose two)
A. All ICMP traffic without the ACK bit set from the untrust zone will be dropped.
B. All ICMP traffic larger than 65 KB from the untrust zone will be dropped.
C. All fragmented IP packets belonging to the same original packet that have differing offset and size values
will be dropped.
D. All fragmented IP packets belonging to the same original packet that has matching offset and size values
will be dropped.
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation: A grossly oversized ICMP packet can trigger a range of adverse system reactions such as denial
of service (DoS), crashing, freezing, and rebooting. The ping-death screen protects against a ping of death
attack. Teardrop attacks exploit the reassembly of fragmented IP packets; the ip tear-drop screen enables
protection against a teardrop attack.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/id-12795.html
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/id-58971.html
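The following screen profile is an added example, not from the exam or from Juniper documentation. It combines the TCP scan detection discussed in QUESTION 53 (port-scan threshold, fin-no-ack) with the ping-of-death and teardrop protection from QUESTION 56 in one ids-option profile bound to the untrust zone. The profile name, the interface ge-0/0/0.0 and the 5000 microsecond threshold are assumptions.

```junos
/* Added example: screen profile for the untrust zone. Names and the
   threshold value are assumptions, not taken from the exam. */
security {
    screen {
        ids-option untrust-screen {
            /* Log and count matches without dropping while the
               false-positive rate is measured; delete this statement
               to make the screen enforce. */
            alarm-without-drop;
            tcp {
                /* one source probing many ports within 5000 microseconds */
                port-scan {
                    threshold 5000;
                }
                /* FIN without ACK: no conformant TCP stack sends this */
                fin-no-ack;
                /* SYN and FIN set together only come from scanners */
                syn-fin;
            }
            icmp {
                /* drop ICMP whose reassembled length exceeds 65535 bytes */
                ping-death;
            }
            ip {
                /* drop fragments of one datagram whose offset and length
                   values overlap or are inconsistent */
                tear-drop;
            }
        }
    }
    zones {
        security-zone untrust {
            /* screens are applied per ingress zone, not per policy */
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
```

Check the effective settings with show security screen ids-option untrust-screen and watch the per-screen counters with show security screen statistics zone untrust; a counter that climbs on legitimate traffic (for example fin-no-ack from a broken embedded stack) is the signal to tune before removing alarm-without-drop.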
QUESTION 57
Click the Exhibit button
In the exhibit, a chassis cluster is deployed in active/active mode. The chassis cluster's control and fabric links
are connected through 100 Mbps WAN connections. During peak data usage times the chassis cluster
becomes disabled even though the rate of new connections through the cluster is relatively low.
A. Control and fabric link WAN connections are not supported through a non-Ethernet-based technology.
VPLS must be used instead
B. Control link heartbeats are being lost during peak data usage times. The WAN connection that supports the
control link must be upgraded to support greater bandwidth.
C. Fabric link probes are being lost during peak data usage times. The WAN connection that supports the
fabric link must be upgraded to support greater bandwidth
D. Latency across a WAN connection will always exceed the recommended 100 ms limit. The chassis cluster
will always enter the disabled state during peak data usage.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: If the control link fails, Junos OS disables the secondary node to prevent the possibility of each
node becoming primary for all redundancy groups, including redundancy group 0.
A control link failure is described as not receiving heartbeats over the control link; however, heartbeats are still
received over the fabric link.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/chassis-cluster-control-link-failure-recovery-understanding.html
QUESTION 58
You are working at a service provider that offers only residential access to DSL subscribers. Your company has
decided to make customer traffic subject to further inspection.
When you install a new IPS machine in the network, where should you place it?
A. as close as possible to the server farm that runs the company's Web and DNS servers
B. between the dual-homed upstream routers and the firewalls
C. as close to the B-RAS devices as possible
D. in the middle of the network
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: The B-RAS devices concentrate the traffic from the remote DSL subscribers, so the IPS should be
placed as close to the B-RAS devices as possible.
QUESTION 59
Click the Exhibit button
In the exhibit, you are configuring a flow trace of all packets for a TCP session initiated by the client to the
server. The server's IP address is translated using static NAT. You want to use flow trace packet filters to limit
the traffic viewed in your trace.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The correct answer matches source IP 1.1.1.100 and destination IP 1.1.1.30 in request packets and source IP
192.168.224.30 and destination IP 10.1.1.100 in reply from the server.
QUESTION 60
You have correctly implemented a SIP Application Layer Gateway (ALG) on your company's SRX Series device
to support SIP traffic on the network. However, after committing the configuration, users report that they are
having problems making calls. Other traffic is property flowing through the device, and calls that do not pass
through the SRX Series device have no issues.
A. Configure trace options for the SIP Application Layer Gateway (ALG).
B. Configure the security policy to log SIP traffic events.
C. Configure trace options for the security policy.
D. Monitor traffic for the ingress interface, checking for SIP packet corruption.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Troubleshooting this issue may be done by enabling the following traceoptions (sip-trace-detail is an example file name; <filename> is a placeholder):
set security traceoptions file sip-trace-detail
set security traceoptions flag all
set security alg sip traceoptions flag all extensive
set security flow traceoptions file <filename>
set security flow traceoptions flag all
set security flow traceoptions packet-filter 1 source-port 5060
set security flow traceoptions packet-filter 1 destination-port 5060
Note that the conditions inside one packet-filter are ANDed, so packet-filter 1 as written only matches packets with both source and destination port 5060; to capture both directions of SIP signalling, put the destination-port condition in a second filter. Remove the flag all traceoptions once the problem is found, as they are verbose and costly on a busy device.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/id-83758.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21406&actp=search&viewlocale=en_US&searchid=1320325662928#
QUESTION 61
You want to source NAT all traffic initiated from Host A behind an SRX Series device to Server B. The internal
transport address must be mapped to the same external transport address. Also, the external Server B must
not communicate with the internal Host A using the NAT IP address/port unless the internal Host A has already
communicated with the external Server B.
How do you enforce this set of criteria on the SRX Series device?
Explanation/Reference:
Explanation: To keep the same transport address (no port translation), PAT must be disabled on the source NAT pool with the port no-translation statement. The requirement that Server B may only reach Host A after Host A has talked to it is met by persistent NAT with the target-host permit option.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296
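The configuration below is an added example, not from the exam or from Juniper documentation. It translates Host A to a single public address while keeping the original source port, and uses persistent NAT with target-host so that only the external host Host A has already contacted can initiate traffic back through the binding. All addresses (10.0.0.5 for Host A, 198.51.100.20 for Server B, 203.0.113.10 as the NAT address), the pool and rule names and the interface ge-0/0/0.0 are assumptions.

```junos
/* Added example: source NAT without PAT plus persistent NAT (target-host).
   Addresses, names and the interface are assumptions. */
security {
    nat {
        source {
            pool host-a-pool {
                address {
                    203.0.113.10/32;
                }
                /* keep the transport address: ports are not translated */
                port no-translation;
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule host-a-out {
                    match {
                        source-address 10.0.0.5/32;
                        destination-address 198.51.100.20/32;
                    }
                    then {
                        source-nat {
                            pool {
                                host-a-pool;
                                persistent-nat {
                                    /* any-remote-host would let any external
                                       host use the binding; target-host limits
                                       inbound to the peer Host A talked to */
                                    permit target-host;
                                    inactivity-timeout 300;
                                }
                            }
                        }
                    }
                }
            }
        }
        /* required when the pool address is not the egress interface address */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.10/32;
                }
            }
        }
    }
}
```

Two things still have to be in place for the reverse direction to work: a security policy from untrust to trust that permits 198.51.100.20 to reach 10.0.0.5 (persistent NAT only creates the translation binding, it does not bypass policy), and a pool large enough for the hosts using it, because with port no-translation each internal address needs its own pool address. Bindings can be inspected with show security nat source persistent-nat-table all.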
QUESTION 62
Your company plans to increase the security level for VPNs in its network by using certificates instead of
preshared keys. The company wants to introduce its own centrally administered certificate authority from which
all device certificates will be derived. You have been asked to automate certificate enrollment, re-enrollment,
and revocation.
A. Use self-signed certificates on each device and have copies stored centrally
B. Contract out this problem to VeriSign to deliver a solution.
C. Roll out a certificate automation system that is based on SCEP.
D. Buy certificates that do not need to be renewed from Entrust.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With Simple Certificate Enrollment Protocol (SCEP), you can configure your Juniper Networks device to obtain
a certificate authority (CA) certificate online and start the online enrollment for the specified certificate ID. The
CA public key verifies certificates from remote peers.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/task/configuration/certificate-digital-online-configuration-enabling.html
QUESTION 63
Your company is bringing a remote office online and is using an IPSec VPN to establish secure
communication between the offices. The remote SRX Series device is receiving its IP address dynamically from
the service provider.
Which VPN technique can you use on your remote office SRX device?
A. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use main mode.
B. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use aggressive
mode.
C. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use aggressive mode
D. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use main mode
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: For site-to-site VPNs the most common type of IKE identity is the IP address, assuming that the
host has a static IP address. If the host does not have a static IP address, a hostname can be used instead.
Aggressive mode is an alternative to main mode IKE Phase 1 negotiation and is most common when building
VPNs from client workstations to VPN gateways, where the client's IP address is neither known in advance nor fixed.
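The two gateway definitions below are an added example, not from the exam or from Juniper documentation. They show both ends of the scenario: the branch SRX with a dynamically assigned address announces itself by FQDN in aggressive mode, and the hub matches the peer on that hostname instead of an IP address. The hostnames, the hub address 203.0.113.1, the proposal, policy and gateway names, the interface and the pre-shared key placeholder are assumptions; the Phase 2 (IPsec) and st0 configuration is omitted.

```junos
/* Added example: IKE Phase 1 for a branch with a dynamic address.
   Names, addresses and the PSK placeholder are assumptions. */

/* ----- branch SRX (address assigned by the provider) ----- */
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy branch-ike-pol {
            /* main mode cannot be used: the hub has no IP to look us up by */
            mode aggressive;
            proposals ike-prop;
            pre-shared-key ascii-text "replace-with-a-long-random-psk";
        }
        gateway to-hq {
            ike-policy branch-ike-pol;
            /* the hub does have a fixed public address */
            address 203.0.113.1;
            /* sent in the IKE ID payload instead of our changing address */
            local-identity hostname branch1.example.com;
            external-interface ge-0/0/0.0;
        }
    }
}

/* ----- hub SRX (static address 203.0.113.1) ----- */
security {
    ike {
        policy hub-ike-pol {
            /* must match the branch */
            mode aggressive;
            proposals ike-prop;
            pre-shared-key ascii-text "replace-with-a-long-random-psk";
        }
        gateway from-branch1 {
            ike-policy hub-ike-pol;
            /* no address statement: match the peer on its FQDN identity */
            dynamic hostname branch1.example.com;
            external-interface ge-0/0/0.0;
        }
    }
}
```

Verify with show security ike security-associations on either side; the branch should appear with whatever address it currently holds. Because aggressive mode sends the identity and the PSK-derived hash before the exchange is encrypted, use a long, unique PSK per branch or move to certificates; releases that support IKEv2 remove the main/aggressive distinction altogether.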
QUESTION 64
Click the Exhibit button.
The output shown in the exhibit is from an SRX Series device that is the hub in a hub-and-spoke VPN.
Which two statements are true regarding this output? (Choose two.)
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation: The output of show security ipsec security-associations does not indicate whether NAT is
involved. The value of the Mon field shows that VPN monitoring is disabled. The possible values of the Mon field are:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10090
QUESTION 65
Click the Exhibit button
Referring to the exhibit, an IPSec tunnel is established between SRX A and SRX B. A GRE tunnel is established
between router A and router B. Users in LAN A can ping users in LAN B; however, large FTP transfers are failing.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Fragmentation is not allowed on the IPSec tunnel because the don't-fragment (DF) bit is set, so
packets equal to the standard Ethernet MTU (1500 bytes), which no longer fit once the GRE and IPSec headers
are added, are dropped.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configuration-statement/clear-dont-fragment-bit-edit-service-set.html
QUESTION 66
You are asked to set up a multi-tenant configuration on your SRX Series device. Several remote branch
locations are connected to the device. You will connect each remote site to a separate logical interface. You
want to implement segmentation between the branch locations using security zones and routing-instances.
A. Multiple branch locations can be assigned to the same zone but different routing-instances.
B. Multiple branch locations can be assigned to the same routing-instance but different zones.
C. If you use the interfaces all configuration option under a zone, different interfaces in the same zone can be
assigned to multiple routing instances.
D. If you use the interfaces all configuration option under a zone, different interfaces must be assigned to the
same routing instance.
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation: If you connect each remote site to a separate logical interface then multiple branch locations can
be assigned to different zones. SRX is different from an ordinary Junos router. On the SRX, interfaces don't just
live in routing instances; they also live in security zones. All interfaces configured within the same security zone
must also be configured within the same routing instance (the security zone cannot span more than one routing
instance).
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 691
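The configuration below is an added example, not from the exam or the O'Reilly text. It shows the two valid arrangements from this question side by side: branch A and branch B share one routing instance but sit in separate zones, and branch C has its own instance and its own zone, with a commented-out zone that would be rejected at commit because it spans two instances. The interface numbers, VLAN IDs, addresses, zone and instance names are assumptions.

```junos
/* Added example: zones inside routing instances on an SRX.
   Interfaces, VLAN IDs, addresses and names are assumptions. */
interfaces {
    ge-0/0/1 {
        vlan-tagging;
        /* branch A */
        unit 100 { vlan-id 100; family inet { address 10.100.0.1/24; } }
        /* branch B */
        unit 200 { vlan-id 200; family inet { address 10.200.0.1/24; } }
        /* branch C */
        unit 300 { vlan-id 300; family inet { address 10.30.0.1/24; } }
    }
    ge-0/0/2 {
        /* headquarters, reachable by A and B only */
        unit 0 { family inet { address 10.1.0.1/24; } }
    }
}
routing-instances {
    vr-ab {
        instance-type virtual-router;
        interface ge-0/0/1.100;
        interface ge-0/0/1.200;
        interface ge-0/0/2.0;
    }
    vr-c {
        instance-type virtual-router;
        interface ge-0/0/1.300;
    }
}
security {
    zones {
        /* valid: two zones, one routing instance (option B) */
        security-zone branch-a { interfaces { ge-0/0/1.100; } }
        security-zone branch-b { interfaces { ge-0/0/1.200; } }
        security-zone hq       { interfaces { ge-0/0/2.0; } }
        /* valid: own zone in its own instance */
        security-zone branch-c { interfaces { ge-0/0/1.300; } }
        /* invalid, the commit fails: a zone spanning vr-ab and vr-c.
           security-zone shared { interfaces { ge-0/0/1.200; ge-0/0/1.300; } }
           The same rule is why "interfaces all" (option D) forces every
           interface it collects into a single routing instance. */
    }
    policies {
        from-zone branch-a to-zone hq {
            policy a-to-hq {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        from-zone branch-b to-zone hq {
            policy b-to-hq {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        /* no branch-a to branch-b policy: default-policy deny-all keeps
           the two tenants apart even though they share vr-ab */
    }
}
```

After commit, show security zones confirms the interface-to-zone binding and show route instance vr-ab terse confirms which interfaces each instance owns; a zone that mixes instances never gets that far, because the commit check reports that the zone's interfaces must belong to the same routing instance.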
QUESTION 67
Click the Exhibit button
You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between
SRX Series devices. You notice the error in the log shown in the exhibit.
What are two possible causes for this problem? (Choose two.)
A. no route to 2.2.2.2
B. mismatched peer ID type
C. incorrect peer address
D. missing Phase 1 policy
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation: The message "unable to find phase-1 policy as remote peer:2.2.2.2 is not recognized" means that the
responder did not recognize the incoming request as originating from a valid gateway peer.
You have to confirm that the following IKE gateway configuration settings on the responder are correct:
The static IP address specified for the remote gateway is correct.
The peer ID specified for the remote gateway is correct.
The outgoing interface is correct.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101
QUESTION 68
In planning for your core data center's SRX5800 cluster software upgrade, minimal downtime is requested by
your management team.
With a goal to achieve maximum uptime, how should you upgrade the SRX cluster?
A. Preload the software onto the SRX devices and then issue the following command at the same time on both
SRX devices: request system software add <package-name> reboot
B. Use in-service software upgrade using the following command: request system software in-service-upgrade
<package-name> reboot.
C. Preload the software onto the SRX devices and then issue the following command at the same time on both
SRX devices: request system software add no-validate <package-name> reboot.
D. Use an in-service software upgrade using the following command: request system software in-service
upgrade <package-name> restart.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The in-service software upgrade (ISSU) feature allows a chassis cluster pair to be upgraded or
downgraded from supported JUNOS versions with a traffic impact similar to that of redundancy group failovers.
Before upgrading, you should perform failovers so that all redundancy groups are active on only one device. It
is recommended that routing protocols graceful restart be enabled prior to initiating an ISSU.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/request-system-software-in-service-upgrade.html
QUESTION 69
A site-to-site VPN is configured between satellite offices and headquarters using a digital certificate from a
neutral party. Once the VPN is up and stable, the certificate issued by the neutral party is revoked. The next-
update time is not contained in the CRL.
Which two actions should you take to ensure that the SRX Series device renegotiates the VPN faster? (Choose
two.)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation: The refresh interval specifies the frequency (in hours) to update the CRL. The default values are:
next-update time in CRL, or 1 week if no next-update time is specified. By default, the location (URL) to retrieve
the CRL (HTTP or LDAP) is empty and uses CDP information embedded in the CA certificate. To set URL the
following command may be used (example):
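The PKI stanza below is an added example, not from the exam or from Juniper documentation. It covers both the SCEP automation asked for in QUESTION 62 and the two CRL settings from QUESTION 69: an explicit CRL URL and a refresh interval that overrides the one-week default used when the CRL has no next-update time. The CA profile name, the SCEP and CRL URLs, the certificate ID, hostname and challenge-password placeholder are assumptions.

```junos
/* Added example: SCEP enrollment, automatic re-enrollment and CRL
   checking. Profile names, URLs and the certificate ID are assumptions. */
security {
    pki {
        ca-profile corp-ca {
            ca-identity corp-ca;
            enrollment {
                /* SCEP endpoint of the in-house CA */
                url http://ca.example.com/certsrv/mscep/mscep.dll;
                retry 5;
                retry-interval 10;
            }
            revocation-check {
                crl {
                    /* explicit distribution point instead of the CDP
                       embedded in the CA certificate */
                    url http://crl.example.com/corp-ca.crl;
                    /* hours; overrides the 1-week default applied when
                       the CRL carries no Next Update field */
                    refresh-interval 4;
                }
            }
        }
        auto-re-enrollment {
            certificate-id srx-branch1 {
                ca-profile-name corp-ca;
                challenge-password "<scep-challenge>";
                /* re-enroll after 90 percent of the validity period */
                re-enroll-trigger-time-percentage 90;
                re-generate-keypair;
            }
        }
    }
}
```

Initial enrollment is operational, not configuration: request security pki ca-certificate enroll ca-profile corp-ca fetches the CA certificate, request security pki generate-key-pair certificate-id srx-branch1 size 2048 type rsa creates the key, and request security pki local-certificate enroll ca-profile corp-ca certificate-id srx-branch1 domain-name srx-branch1.example.com subject CN=srx-branch1.example.com challenge-password <scep-challenge> submits the request over SCEP. Confirm the CRL is actually being fetched with show security pki crl ca-profile corp-ca; a stale CRL there means peers whose certificates were revoked keep authenticating until the next refresh.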
QUESTION 70
Click the Exhibit button.
You configured a security policy with an address book entry using a DNS name. Traffic matching the security
policy for the DNS name is being dropped.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
One of the requirements for configuring an address book with dns-name entries is to configure Domain Name
System (DNS) services on the device, without which the domain name cannot be resolved.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/zone-address-book-configuring-cli.html
Exam B
QUESTION 1
An attacker from IP address 1.1.1.2 is filling your SRX Series device's session table with TCP sessions that
have all completed a legitimate three-way handshake.
A. syn-flood destination-threshold
B. syn-ack-ack-proxy
C. limit-session destination-ip-based
D. limit-session source-ip-based
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: The limit-session source-ip-based screen option limits the number of concurrent sessions the
device allows from a single source IP address. SYN-flood protection does not help here because every
session has completed the three-way handshake.
QUESTION 2
You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through
routing-instance Juniper2, without sharing all the routes between the two instances. You have configured policy-
statement move_routes with a route-filter to accept the 2.2.2.2 route. You have created rib-group Group1 and
applied it under routing-instance Juniper2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Only one route has to be imported from Juniper2.inet.0 into Juniper1.inet.0, so the import-policy
move_routes is used to filter out the other routes during the import. Because the import is into the
Juniper1.inet.0 table, the option containing "import Juniper1.inet.0" must be selected.
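The configuration below is an added example, not from the exam or from Juniper documentation, showing the complete rib-group arrangement this question describes: a policy that accepts only 2.2.2.2/32, a rib-group whose first import-rib is the source table Juniper2.inet.0 and whose second is the receiving table Juniper1.inet.0, and the rib-group applied under Juniper2 to the route types that may carry 2.2.2.2. The interfaces, the static next hop 192.0.2.1 and the term names are assumptions; the family inet addresses on the interfaces are assumed to be configured elsewhere.

```junos
/* Added example: leaking a single route between virtual routers with a
   rib-group. Interfaces and the next hop are assumptions. */
policy-options {
    policy-statement move_routes {
        term only-host {
            from {
                route-filter 2.2.2.2/32 exact;
            }
            then accept;
        }
        /* everything else stays in Juniper2 */
        term drop-rest {
            then reject;
        }
    }
}
routing-options {
    rib-groups {
        Group1 {
            /* first rib is the source table, the rest receive the copies */
            import-rib [ Juniper2.inet.0 Juniper1.inet.0 ];
            import-policy move_routes;
        }
    }
}
routing-instances {
    Juniper1 {
        instance-type virtual-router;
        interface ge-0/0/1.0;
    }
    Juniper2 {
        instance-type virtual-router;
        interface ge-0/0/2.0;
        routing-options {
            /* 2.2.2.2 is reached via a static route in Juniper2 */
            static {
                route 2.2.2.2/32 next-hop 192.0.2.1;
                rib-group Group1;
            }
            /* also copy direct/local routes through the same filter,
               in case 2.2.2.2 ever becomes a directly connected host */
            interface-routes {
                rib-group inet Group1;
            }
        }
    }
}
```

A rib-group only acts on the route source it is attached to, so if 2.2.2.2 were learned by OSPF or BGP in Juniper2 the rib-group would have to be applied under that protocol instead. Verify with show route table Juniper1.inet.0 2.2.2.2: the leaked route shows the Juniper2 interface as its next hop, and no other Juniper2 prefix should appear in Juniper1.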
QUESTION 3
A SYN packet traverses an SRX Series device and a session is created. When the return SYN-ACK packet
arrives at the SRX, the original interface on which the SYN packet arrived is down. However, an alternate route
exists through another interface in a different zone. no-syn-check is not configured on the device.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
As an alternate route exists through the interface in a different zone SYN-ACK packet will be dropped.
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=search&viewlocale=en_US&searchid=1320415514489#
QUESTION 4
A security analyst at your company wants to make sure packets coming from the Internet accessing your public
Web servers are protected from HTTP packets that do not meet standards.
Which attack object will protect your infrastructure from nonstandard packets?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Protocol anomaly attack objects are predefined objects developed by the Juniper Security Team to detect
activity that is outside the bounds of a protocol. Typically, the enforcement for what is considered acceptable
behavior for protocols is based on an RFC specification or a manufacturer spec if there is no RFC.
Reference: O'Reilly. Junos Security,Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 404
QUESTION 5
You want to deploy an SRX Series cluster for a distributed data center between two remote locations. The
carrier will provide you with dark fiber capable of the following: a 100 km reach, 125 ms propagation delay, and
a packet loss of 1 out of 10,000,000 packets. You plan to connect the fiber directly to the SRX Series devices
without any switches in between, and you plan to configure the SRX Series devices with a straightforward
cluster configuration. One of the NOC engineers expresses doubts that this design will work.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: JUNOS Software transmits heartbeat signals over the control link at a configured interval. The
system uses heartbeat transmissions to determine the "health" of the control link. If the number of missed
heartbeats has reached the configured threshold, the system assesses whether a failure condition exists. You
specify the heartbeat threshold and heartbeat interval when you configure the chassis cluster. In a chassis
cluster configuration on an SRX100, SRX210, SRX240, or SRX650 device, the default values of the heartbeat-
threshold and heartbeat-interval options in the [edit chassis cluster] hierarchy are 8 beats and 2000 ms
respectively. These values
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-43696.html?searchid=1320415514489
http://www.juniper.net/techpubs/en_US/junos10.2/information-products/topic-collections/release-notes/10.2/topic-45729.html?searchid=1320415514489
QUESTION 6
A site-to-site VPN is configured between the main office and a remote office. An administrator wants to keep
track of the VPN tunnel.
Which feature is used to verify that the VPN tunnel is up even if user traffic is not passing through it?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The command set security ipsec vpn-monitor-options interval 15 threshold 15 is used to monitor the VPN by sending Internet Control Message Protocol (ICMP) requests to the peer every 15 seconds, and to declare the peer unreachable after 15 unsuccessful pings.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/id-84923.html?searchid=1320423410978
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-40793.html?searchid=1320423410978
QUESTION 7
You want to add a dynamic VPN to your SRX650. This dynamic VPN must be able to support five users at the
same time.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation: The SRX supports only dynamic VPN with the embedded client. For that, the VPN must be policy-based, because for a client-based VPN the SRX looks specifically for the tunnel policy. So this cannot work as a route-based VPN.
Dynamic VPN is a licensed feature. By default, a two user evaluation license is provided free of cost on the
SRX devices, and it does not expire. In cases where there are more than two users that need to connect
concurrently, a license is required. These are available as a 5, 10, 25, and 50 user license.
Reference:
http://forums.juniper.net/t5/SRX-Services-Gateway/dialup-vpn-over-route-based-vpn/m-p/90610
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436&actp=search&viewlocale=en_US&searchid=1320423410978#
QUESTION 8
What can cause a node in an SRX Series chassis cluster to be in the disabled state?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: JUNOS Software transmits heartbeat signals over the control link at a configured interval. The
system uses heartbeat transmissions to determine the "health" of the control link. If the number of missed
heartbeats has reached the configured threshold, the system assesses whether a failure condition exists. For a
chassis cluster with one control link, if the control link goes down, all redundancy groups on the secondary node
go to the ineligible state and eventually to the disabled state.
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15421&actp=search&viewlocale=en_US&searchid=1320424816614#
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-43696.html
QUESTION 9
Click the Exhibit button.
Referring to the exhibit, what happens when the source pool is exhausted?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: When a given pool is exhausted, it may then reference a completely different overflow pool for additional translations. If the interface keyword is used with overflow-pool, the interface's IP address is used for NAT and PAT.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e81039.html?searchid=1320424816614
QUESTION 10
Click the Exhibit button
A junior member of the network team has set up a new VPN tunnel using a PKI certificate and is unable to
establish the tunnel. After troubleshooting the problem and confirming that the proposals and encryption
algorithms match on both sides, they ask you for help.
A. The authentication method must be changed to pre-shared-keys to make use of the PKI certificate
B. The proposal set is missing which will cause the VPN tunnel to not establish.
C. PKI-based VPN tunnels cannot use main mode; aggressive mode must be used.
D. There is no trusted CA configured, which is required for PKI-based tunnels.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Trusted-ca specifies the preferred certificate authority (CA) to use when requesting a certificate
from the peer. If no value is specified, then no certificate request is sent.
QUESTION 11
You initiated the download of the attack database. The system indicates that it will run asynchronous and
returns you to a command prompt in the CLI. You want to know if the download has completed.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: "request security idp security-package download status" command is used to verify the download
status.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 434
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15806&actp=search&viewlocale=en_US&searchid=1320424816614#
QUESTION 12
Click the Exhibit button
In the exhibit, Node 0 had primacy of RG 1 until interface ge-0/0/1 failed. Upon restoration of interface ge-0/0/1, Node 1 retained primacy for RG 1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The preempt command enables chassis cluster node preemption within a redundancy group. If preempt is added to a redundancy group configuration, the device with the higher priority in the group can initiate a failover to become master. By default, preemption is disabled.
Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e11037.html?searchid=1320424816614
QUESTION 13
You have been asked to implement a hub-and-spoke IPSec VPN in a multi-vendor environment where the
spoke devices are not always Junos devices.
A. The next-hop tunnel bindings are not needed for a non-Junos spoke device.
B. The next-hop tunnel bindings are created automatically for all spoke devices.
C. You must manually configure the next-hop tunnel bindings for all non-Junos spoke devices.
D. You must manually configure the next-hop tunnel bindings for all spoke devices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: The hub device uses the IP address of the remote peer's st0 interface as the next-hop. You can enter the static route manually, or you can allow a dynamic routing protocol such as OSPF to automatically enter the route referencing the peer's st0 interface IP address as the next-hop in the route table. The same IP address must also be entered as the next hop, along with the appropriate IPSec VPN name, in the NHTB table. In this way the route and NHTB tables are linked. Regarding the NHTB table, there are two options: you can either enter the next hop manually, or you can allow the J Series or SRX Series device to obtain it automatically from the remote peer during Phase 2 negotiations using the NOTIFY_NS_NHTB_INFORM message. Note that this functionality currently only applies if both peers are J Series or SRX Series devices running JUNOS Software.
Reference: http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Multipoint_VPN_with_NHTB_12.pdf
QUESTION 14
You have a VoIP application that requires external sessions to be initiated into your environment. The internal
host has previously sent a packet to the external VoIP application's reflexive transport address.
A. persistent-nat all-remote-host
B. persistent-nat target-host-port
C. persistent-nat target-host
D. persistent-nat any-remote-host
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: You can configure three persistent NAT types on the SRX device. With all three types, all requests
from a specific internal IP address and port are mapped to the same external address. Differences exist
between the three types.
Reference
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST
QUESTION 15
An IPSec tunnel has just gone down in your network and you have been asked to troubleshoot and resolve the
issue.
Which three reasons might be the cause of this issue? (Choose three.)
Explanation/Reference:
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21899&actp=search&viewlocale=en_US&searchid=1320424816614#
QUESTION 16
Bandwidth utilization has significantly increased recently on the SRX3600 connecting your company to the Internet. You have decided to enable the Application Tracking feature on the device to provide visibility into the volume of the different applications passing through.
A. interfaces
B. zone
C. routing instances
D. globally
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Application tracking is configured per zone, under the security-zone section of the security zones configuration.
QUESTION 17
You have been asked to troubleshoot a VoIP connectivity problem that occurs every time the IPSec VPN tunnel
drops. The SRX Series device has a default route to the Internet and receives a more specific route for the
VoIP server over the IPSec tunnel using OSPF. Every time the tunnel drops, when the tunnel re-establishes,
the NOC must manually clear the sessions on the SRX device for these VoIP sessions to work again.
A. Configure the route change timeout value under the flow options.
B. Configure OSPF to advertise the default route to the SRX device.
C. Write security policies bidirectionally so either side can initiate traffic.
D. Configure the IPSec tunnels to establish tunnels immediately.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The session with incorrect route information needs to be deleted in a timely fashion. To do this there is a flow command in the firewall:
set flow route-change-timeout <seconds>
This command times out the sessions that are affected by a route change. With this setting, the sessions time out after the configured value instead of their normal session timeout; because it is shorter than the original timeout, it clears the session before the session would otherwise expire.
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB13637&actp=search&viewlocale=en_US&searchid=1320424816614#
QUESTION 18
You need to establish a new point-to-point IPSec VPN to a recently acquired remote site. The remote site is
currently using the same network space with many overlapping IP addresses. You have been asked to
implement an interim solution until there is time to migrate the remote site to a different network space.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Because both networks use the same internal IP addressing, it is not possible to simply build a tunnel between the two sites. However, if the tunnel endpoints on both sides are Juniper services routers, it is possible to configure a tunnel between these sites with an advanced configuration using NAT. It is important to understand the basic routing dilemma. If a host is attached to a network, say 10.0.0.0/24, and the other device on the remote end is attached to a network using the same IP subnet, it is not possible to build a tunnel and route the traffic to the other device without some sort of address translation. This is because all packets are routed based on the destination IP address. Before routing occurs, a determination must be made as to whether the destination IP is on the same (local) network or not. If the destination IP is on the same network, say 10.0.0.10, the destination device is found using Address Resolution Protocol (ARP). However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the device's routing table. Because both the local and remote networks share the same IP addressing scheme, the packets will be handled locally and never route to the VPN tunnel. To work around this, we can perform static NAT on the source IP and destination IP of all traffic destined for the remote network at the other end of the tunnel. For this reason, a route-based approach to IPsec VPNs makes sense, because the creation of a "virtual" network interface on each services router by way of a "secure tunnel" (st0) interface is required. It is important to note that in this case both the source and destination addresses are translated as the packet traverses the VPN tunnel to the end host. Thus the services routers at each end of the tunnel must contact each other using a newly created IP network.
Reference:
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/JSRX_VPN_with_Overlapping_Subnetsv2_0.pdf
QUESTION 19
Click the Exhibit button
Host A and Server B must each be able to initiate traffic to each other. Server B does not have a route to the 1.1.1.0/24 network; it can send traffic only to IP addresses in the 2.1.1.0/24 network.
Which NAT type will you configure to achieve this communication using the SRX Series device?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction (2.1.1.100 to 1.1.1.1 for IP packets going from Server B to Host A) and source IP address translation in the reverse direction (1.1.1.1 to 2.1.1.100 for packets going from Host A to Server B). From the NAT device, the original destination address is the virtual host IP address while the mapped-to address is the real host IP address. Static NAT allows connections to be originated from either side of the network, but translation is limited to one-to-one or between blocks of addresses of the same size. For each private address, a public address must be allocated. No address pools are necessary.
QUESTION 20
You notice an unusual increase in activity in your network. You investigate by reviewing logs and analyzing traffic flows. In your analysis, you identify that a remote host is sending traffic to your network with random TCP flags set, including URG, PSH, ACK and FIN.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags
set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte
(00101001), much like the lights of a Christmas tree.
http://en.wikipedia.org/wiki/Christmas_tree_packet
QUESTION 21
Your company is bringing a remote office online and will use VPN connectivity for access to resources between
offices. The remote SRX Series device has an IP address, which it obtained dynamically from a service
provider.
Which VPN technique can be used on your remote office SRX Series device?
A. Configure the head office to allow promiscuous VPN connections and disable the use of IKE peer identities.
B. Use the main-mode IKE exchange method in combination with a transport-mode tunnel.
C. Use a certificate authority for IKE Phase 2 authentication.
D. Use a fully qualified domain name (FQDN) as the IKE identity and configure IKE to use aggressive mode.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: When using site-to-site VPNs, the most common type of IKE identity is the IP address, assuming that the host has a static IP address. If the host does not have a static IP address, a hostname or FQDN can be used. Also, a dynamic IP address requires the use of aggressive mode (unprotected IKE identities).
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 261.
QUESTION 22
You have a branch location connected to a virtual-router type of routing-instance. To provide Internet access,
one requirement is to provide connectivity to an interface and its direct route, which belongs to the default inet.0
routing-instance.
A. The scenario is not possible; the interfaces must both be in the same routing-instance.
B. You must configure a non-forwarding routing-instance.
C. You must configure interface-routes with a share rib-group.
D. You must configure a policy in the forwarding-options configuration hierarchy.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: You have to import the interface routes from the inet.0 table into the routing instance. This is done with the routing-options interface-routes rib-group configuration statement.
QUESTION 23
Click the Exhibit button.
The client is downloading a file from the FTP server. The FTP control channel is established using a security
policy named trust-to-untrust.
Referring to the exhibit, which two statements are correct from the output showing the data channel? (Choose
two.)
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation: The client is using passive FTP to establish the data channel (active FTP uses port 20 and the reverse direction). There is no need to open a hole for return traffic, as both sessions are initiated by the client.
Reference: http://slacksite.com/other/ftp.html
QUESTION 24
You have configured your SRX Series device with two route-based VPNs for the same destination network. Remote SRX Series device A's route has a preference of 5 and remote SRX Series device B's route has a preference of 10. Users complain they cannot reach the networks through the VPN tunnel. You verify the VPN status and discover that the IKE Phase 1 and Phase 2 security associations are active, but the remote networks are not reachable.
Which SRX VPN feature would you use to cause the route-based VPN with preference 10 to be used?
A. Configure the dead peer detection feature.
B. Configure the vpn-monitor feature.
C. Configure the establish-tunnels-immediately option.
D. Configure the IPSec security association lifetime to a lower value.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: One issue with DPD is that it doesn't necessarily mean the underlying VPN is up and running, just that the peer is up and responding. VPN monitoring is not an IPsec standard feature, but it utilizes Internet Control Message Protocol (ICMP) to determine if the VPN is up. VPN monitoring allows the SRX to send ICMP traffic either to the peer gateway, or to another destination on the other end of the tunnel (such as a server), along with specifying the source IP address of the ICMP traffic. If the ICMP traffic fails, the VPN is considered down.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 269.
QUESTION 25
Click the Exhibit button.
You created the IPS policy displayed in the exhibit and find that the policy is not being used to inspect traffic.
A. You must import and activate the IPS signature database to the SRX Series device.
B. You must run the set security idp active-policy base-policy command and commit the configuration.
C. You must run the set security idp activate base-policy command and commit the configuration.
D. You must use the commit activate-ips command to recompile the IPS rule base.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: New policy must be activated with set security idp active-policy base-policy command.
QUESTION 26
In the sequence of IPS inspection steps, protocol anomaly detection is performed after which step?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Anomaly detection can be performed only after the application and protocol are identified.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42473.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42478.html?searchid=1320438879836
QUESTION 27
You have configured persistent NAT in your NAT rule base. You create a security policy in the direction of
external to internal.
A. all-remote-host
B. target-host
C. any-remote-host
D. target-host-port
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The following types of persistent NAT can be configured on the Juniper Networks device:
* Any remote host--All requests from a specific internal IP address and port are mapped to the same reflexive transport address. Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.
* Target host--All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host's IP address.
Reference:
http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/junos-security-swconfig-security.pdf
QUESTION 28
You have implemented a chassis cluster that spans a Layer 2 network between two office campuses. You are
using dual fabric links. Some of the RTOs are getting lost.
A. The switches interconnecting the fabric links do not support jumbo frames.
B. The switches are not configured with the proper VLAN tags used by RTO traffic.
C. The Layer 2 network contains 10 Gigabit links.
D. There is a 500 millisecond latency between the SRX Series devices.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the
corresponding switch ports. If both of the fabric links are connected through the same switch, the RTO-and-
probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN. Here too, the jumbo
frame feature must be enabled on the corresponding switch ports.
Reference:
http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabric-configuring-cli.html
QUESTION 29
Your company recently acquired another company. During a site visit and network audit, you recognize that the
acquired company's private network address space overlaps with yours. You will eventually merge the
networks, but for the moment, you must make communication between the networks work over the Internet as
a first step toward the migration.
A. Use source NAT to deliver the necessary translations between private and public networks.
B. Implement a static NAT at one site.
C. Implement double NAT on both sites' public network-facing routers.
D. Migrate to multicast.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Double NAT occurs when both the source IP address and destination IP address leave the
translating system changed. Double NAT is commonly used for merging two networks with overlapping address
space. This has become an increasingly common scenario as more organizations have moved to using RFC
1918 private address space for their internal addressing in an effort to overcome public IPv4 address
exhaustion. When these organizations merge, they are left with overlapping RFC 1918 addressing. In these
cases, double NAT must be leveraged until systems can be readdressed.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 243
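The overlapping-subnet reasoning in Questions 18 and 29 (the host's local-subnet check comes first, so only a double NAT of source and destination through non-overlapping "virtual" subnets gets traffic onto the tunnel), worked through as an added Python example that is not part of the exam material or Juniper's documentation; the two 10.0.0.0/24 sites and the 10.100.1.0/24 and 10.100.2.0/24 virtual subnets are constructed.

```python
"""Double NAT between two sites that both use 10.0.0.0/24.

Added example. Models what the explanation describes: a host first decides
whether the destination is on its own subnet (ARP) or needs a next hop, and
the two tunnel endpoints each translate one address so that both ends talk
to a newly created, non-overlapping network.
"""
import ipaddress

# Constructed addressing: both sites really use 10.0.0.0/24.
SITE_A = ipaddress.ip_network("10.0.0.0/24")
SITE_B = ipaddress.ip_network("10.0.0.0/24")
# Constructed "virtual" subnets, one-to-one with the real ones.
VIRTUAL_A = ipaddress.ip_network("10.100.1.0/24")  # how site B addresses A's hosts
VIRTUAL_B = ipaddress.ip_network("10.100.2.0/24")  # how site A addresses B's hosts


def forwarding_decision(local_net, dst):
    """A host's first routing step: same subnet -> resolve with ARP locally,
    otherwise -> send to the next-hop router."""
    return "arp-local" if ipaddress.ip_address(dst) in local_net else "next-hop"


def translate(addr, from_net, to_net):
    """Static one-to-one mapping of a host address between equal-size blocks
    (the same offset inside the new block)."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static NAT requires blocks of the same size")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def _double_nat(src, dst, src_net, src_virtual, dst_virtual, dst_net):
    """Return (src, dst) as delivered to the far-end host, or None when the
    sending host never hands the packet to its gateway."""
    if forwarding_decision(src_net, dst) == "arp-local":
        return None  # handled on the local LAN; never reaches the tunnel
    new_src = translate(src, src_net, src_virtual)   # source NAT at the sender's gateway
    new_dst = translate(dst, dst_virtual, dst_net)   # destination NAT at the far gateway
    return str(new_src), str(new_dst)


def double_nat_a_to_b(src, dst):
    """Site A host -> site B host. A must address B's host via VIRTUAL_B."""
    return _double_nat(src, dst, SITE_A, VIRTUAL_A, VIRTUAL_B, SITE_B)


def double_nat_b_to_a(src, dst):
    """Site B host -> site A host. B must address A's host via VIRTUAL_A."""
    return _double_nat(src, dst, SITE_B, VIRTUAL_B, VIRTUAL_A, SITE_A)


if __name__ == "__main__":
    # Using the real remote address: stays on the local LAN, tunnel never used.
    print("A -> 10.0.0.20 :", double_nat_a_to_b("10.0.0.10", "10.0.0.20"))
    # Using the virtual address: both addresses rewritten across the tunnel.
    print("A -> 10.100.2.20:", double_nat_a_to_b("10.0.0.10", "10.100.2.20"))
    print("B -> 10.100.1.10:", double_nat_b_to_a("10.0.0.20", "10.100.1.10"))
```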
QUESTION 30
What is a NULL scan attack and how can you minimize its effects?
A. A NULL scan attack consists of a series of packets that have source port 0 and various destination ports set. This attack can be minimized using set security screen ids-option my-screen tcp-no-null and udp-no-null.
B. A NULL scan attack is an attack targeting port 0 of the remote device's TCP/IP stack. This attack can be minimized using set security idp sensor-configuration flow no-allow-tcp without-flow.
C. A NULL scan attack uses TCP packets with no flags set. This attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.
D. A NULL attack makes use of UDP packets that contain only null characters in their payload. This attack can be minimized using a stateless firewall filter.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn't contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. A Null scan attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.
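The two flag patterns the screens in Questions 20 and 30 look for (no flags at all, and the URG+PSH+FIN "Xmas tree" byte 00101001) as detection logic over sample TCP headers, an added Python example that is not part of the exam material or Juniper's code; the headers and source addresses are constructed.

```python
"""Label TCP segments by their flags byte and count anomalies per source host.

Added example. The flags byte is offset 13 of the TCP header; the labels
mirror the Null scan (flags == 0) and Xmas tree scan (URG|PSH|FIN) patterns.
"""
import struct
from collections import Counter

# TCP flag bits, low to high (RFC 793; ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
XMAS = URG | PSH | FIN  # 0b00101001 == 0x29


def classify_flags(flags):
    """Return 'null', 'xmas', or 'other' for one TCP flags byte."""
    flags &= 0xFF
    if flags == 0:
        return "null"     # what a tcp-no-flag screen matches
    if flags == XMAS:
        return "xmas"     # URG, PSH and FIN set, nothing else
    return "other"


def tcp_flags_from_header(header):
    """Extract the flags byte from a raw TCP header (20 bytes minimum)."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13]


def build_tcp_header(src_port, dst_port, flags):
    """Construct a minimal 20-byte TCP header for test traffic (no options)."""
    data_offset = 5 << 4  # header length 5 words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def scan_report(segments):
    """segments: iterable of (src_ip, tcp_header_bytes).
    Returns {src_ip: Counter({'null': n, 'xmas': n, 'other': n})}."""
    report = {}
    for src, hdr in segments:
        label = classify_flags(tcp_flags_from_header(hdr))
        report.setdefault(src, Counter())[label] += 1
    return report


def suspicious_hosts(report, threshold=3):
    """Sources that sent at least `threshold` null or xmas segments."""
    return sorted(h for h, c in report.items() if c["null"] + c["xmas"] >= threshold)


# Constructed sample traffic: one Xmas sweep, one Null sweep, one normal session.
SAMPLE = (
    [("198.51.100.7", build_tcp_header(40000 + p, p, XMAS)) for p in (21, 22, 23, 25, 80)]
    + [("203.0.113.9", build_tcp_header(51000 + p, p, 0)) for p in (80, 443, 8080)]
    + [("192.0.2.5", build_tcp_header(52000, 443, f)) for f in (SYN, ACK, PSH | ACK, FIN | ACK)]
)

if __name__ == "__main__":
    rep = scan_report(SAMPLE)
    for host, counts in sorted(rep.items()):
        print(host, dict(counts))
    print("suspicious:", suspicious_hosts(rep))
```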
QUESTION 31
Click the Exhibit button
You have been asked to configure a virtual-router routing-instance for a group of internal users. To grant the internal users Internet access, you create a static route for all unknown traffic to be routed to the main instance inet.0 table, as shown in the exhibit.
What is required for the return traffic from the Internet to be allowed back through the SRX?
A. You must configure a rib-group to move routes from the Juniper routing-instance route table into the inet.0
table for the return traffic to be routed back through.
B. The return traffic uses fast path processing to bypass routing in the inet.0 routing table.
C. You must configure a group to move routes from inet.0 table into the Juniper routing-instance route table for
the return traffic to be routed back through.
D. The return traffic uses first packet processing to bypass routing in the inet.0 routing table.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Explanation: Without exporting routes from routing-instance Juniper to inet.0, the traffic from the Internet to the networks in routing-instance Juniper is dropped. When a packet enters the SRX, the flow daemon (flowd) performs a session lookup. It does this to see whether the packet is already part of an existing session. If the packet is part of an existing session, it takes what is referred to as the fast path. If it is not found to be part of an existing session, it goes down the slow path.
The fast path has fewer steps involved in checking the packet, and as a result, it is much faster at processing the packet.
Reference: http://www.juniper.net/techpubs/en_US/junos11.3/topics/reference/configuration-statement/rib-groups-edit-routing-options.html
QUESTION 32
Your company provides a managed network service for its customers. Two of your customers have merged and want to have the same configurations and firewalls. However, they must use their legacy Internet connections. As a result, you need 172.27.0.0/24 to go to ISP A and 172.25.0.0/24 to go to ISP B.
Which filter-based forwarding configuration will work for these two customers?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Option D is selected because it forwards traffic sourced from 172.27.0.0/24 to routing-instance ISP-A and traffic sourced from 172.25.0.0/24 to routing-instance ISP-B.
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=search&viewlocale=en_US&searchid=1320488885905#
QUESTION 33
Which two make up the context of an IPS attack signature? (Choose two.)
A. service binding
B. application
C. scope
D. application subset
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation: To aid in the accuracy and performance of IPS inspection, the SRX uses a concept called
contexts to match an attack in the specific place where it occurs in the application protocol. This helps to
ensure that performance is optimized by not searching for attacks where they would not occur, and it limits false
positives.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 405
QUESTION 34
Which component can you use to find an attack for traffic that uses a nonstandard service?
A. last packet
B. ToS markings
C. first packet
D. last data packet
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Juniper Networks provides predefined application signatures that detect Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications running on nonstandard ports. Identifying these applications allows Intrusion Detection and Prevention (IDP) to apply appropriate attack objects to applications running on nonstandard ports. The application signatures identify an application by matching patterns in the first packet of a session.
QUESTION 35
Click the Exhibit button
You are asked to help troubleshoot new connectivity to a server on your network. The system administrator is
receiving user requests and confirms that the responses are being sent out. However, the user never sees the
response packet and suspects the firewall is dropping them. You configure a basic data path trace option and
confirm you see the return data but it is being dropped.
A. The server is changing the ports, causing the session to be treated as a new session and it is being dropped.
B. The sessions are stale and must be cleared manually.
C. The traffic is failing a route lookup.
D. The traffic is routing asymmetrically.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Asymmetric return traffic can pass a zone-based firewall if the outgoing interface is in the same zone.
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=search&viewlocale=en_US&searchid=1320415514489#
QUESTION 36
You loaded the attack database on your SRX device, but it must be installed.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The command request security idp security-package install is used to install the signature database onto the control plane and data plane.
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15806&actp=search&viewlocale=en_US&searchid=1320424816614
QUESTION 37
A user residing in the trust zone of the SRX Series device cannot access a Web page hosted on a server in the DMZ zone. You verify that an active security policy exists on the SRX device that allows the user's PC to access the Web server with the application HTTP. However, you do not see the security policy access counter increment, nor do you see any information in the log file associated with the security policy.
A. A security policy exists further down the list that is denying the user access to Web server traffic.
B. No route exists on the SRX device to the destination server.
C. A firewall filter is applied to the egress interface.
D. The policy rematch option is disabled for the session configuration.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Without a correct route to the Web server in the DMZ zone, the packet will be dropped.
QUESTION 38
You have configured persistent NAT with the default inactivity timeout. All of the sessions of a persistent NAT
binding have expired.
How long will the binding remain in the SRX Series device's memory?
A. 30 seconds
B. 120 seconds
C. 300 seconds
D. 360 seconds
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: The inactivity-timeout option defines how long a persistent NAT mapping will remain in the
persistent NAT table. The value is defined in increments of seconds from a minimum of one minute to a
maximum of two hours. The default is five minutes.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 224.
QUESTION 39
Click the Exhibit button.
Referring to the exhibit, which type of NAT is implemented?
A. persistent NAT
B. double NAT
C. destination NAT
D. source NAT
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Double NAT occurs when both the source IP address and destination IP address leave the translating system
changed. Double NAT is commonly used for merging two networks with overlapping address space.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 243.
QUESTION 40
You are configuring a hub-and-spoke VPN topology between an SRX Series device deployed at the hub site and several devices at spoke sites. You have configured all the settings to establish the tunnel, but the IPSec SA has not yet been established. All configured proposals and policies match on both sides.
Which three actions can you perform to establish the IPSec SA between the hub and spoke sites? (Choose three.)
Explanation/Reference:
Explanation: The VPN can be established immediately when the configuration is applied (and subsequently
whenever the VPN expires), or it can be established on-traffic when there is user data traffic. By default, VPNs
are established on-traffic.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 296
QUESTION 41
Your company has decided to enable IPv6 in its corporate network. All core network elements are already
enabled. You have completed the configuration of the SRX Series cluster. All tests are running well and no
issues have been found. The IT department decides to increase the MTU on the access switches and the
workstations to 9000; everything else will continue using the standard settings.
Which statement is correct about how the SRX chassis cluster will handle all these packets?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: For IPv4 Internet Control Message Protocol (IPv4 ICMP), if a node within the path between a
source node and a destination node receives a packet that is larger than its MTU size, it can fragment the
packet and transmit the resulting smaller packets. For IPv6, only a source node (the node that sent the packet)
can fragment a packet, and this is done to accommodate a path MTU size-adjustment requirement. Nodes
along the path of a packet cannot fragment the packet to transmit it.
QUESTION 42
You have set up a chassis cluster in an active-active state. While monitoring the fabric link during a failover
scenario, you noticed the utilization is higher than expected.
What are two possible causes of the higher utilization? (Choose two)
A. An upstream link failure has resulted in Internet-bound traffic ingressing the primary node and egressing the
secondary node.
B. The failover from the primary node to the secondary node has resulted in increased heartbeat and RTO
traffic.
C. A LAN interface failure has resulted in Internet-bound traffic ingressing the secondary node and egressing
the primary node.
D. The failover from the primary node to the secondary node has resulted in a graceful restart scenario in
which all traffic must use the fabric link.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation: The control plane software operates in active/backup mode. When configured as a chassis
cluster, the two nodes back up each other, with one node acting as the primary device and the other as the
secondary device, ensuring stateful failover of processes and services in the event of system or hardware
failure. If the primary device fails, the secondary device takes over processing of traffic.
The data plane software operates in active/active mode. In a chassis cluster, session information is updated as
traffic traverses either device and this information is transmitted between the nodes over the fabric link to
guarantee that established sessions are not dropped when a failover occurs. In active/active mode, it is
possible for traffic to ingress the cluster on one node and egress from the other node.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/junos-security-swconfig-security.pdf p. 779
QUESTION 43
Your network engineering department has decided another SRX cluster is needed for additional capacity and
DMZ segments. After installing the new cluster on the same VLANs, network segment customers are reporting
intermittent loss of service. Upon investigating the problem, you have confirmed that there are no IP address
conflicts.
A. The two SRX clusters are competing for primary RE1 status and the traffic keeps failing over between the
two clusters.
B. The two SRX clusters have been configured with matching cluster IDs and as a result have conflicting MAC
addresses.
C. The two SRX clusters are flooding the network with gratuitous ARPs and overloading the directly connected
switches.
D. The two SRX clusters are competing for primary RE0 status and traffic keeps failing over between the two
clusters.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The cluster ID is used when determining Media Access Control (MAC) addresses for the
redundant Ethernet interfaces.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 545.
QUESTION 44
When fragmented traffic is processed by the IPS engine, two steps are performed. First, the IPS engine
identifies IP fragments.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: For further processing, the fragments of an IP packet must be reassembled and serialized.
QUESTION 45
Click the Exhibit button.
Referring to the exhibit, Company A and Company B are using the same IP address space
Explanation/Reference:
Explanation:
To handle this situation, double NAT is required. First you create two one-to-one mappings for translation of
destination IPs:
10.1.1.0/24 to 172.31.1.0/24 for packets that go from Company B to Company A, and 10.1.1.0/24 to 172.31.2.0/24 for
packets that go from Company A to Company B.
Then on each router you create destination address translation for packets coming from the untrusted zone.
QUESTION 46
You administer an SRX5600 to which several customer networks are attached. Each customer network
terminates in a virtual routing-instance. You have been asked to direct traffic sourced from a specific prefix in
one routing-instance to another routing-instance. The affected traffic enters the SRX5600 on one physical
interface.
A. Use a stateless firewall on the interface to forward traffic to the other routing-instance.
B. Use a routing policy on the interface to forward traffic to the other routing-instance.
C. Use a security policy on the zone to forward traffic to the other routing-instance.
D. Use a forwarding rule on the interface to forward traffic to the other routing-instance.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: You configure a firewall filter to match the source address and then forward the matched traffic to the
required routing-instance.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 694
QUESTION 47
You have many security policies configured using the predefined junos-ftp application. You create
a new application named my-ftp for FTP traffic, but you do not want the FTP ALG to be used.
Which command should you use to disable the FTP ALG only for the application my-ftp?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 48
You are troubleshooting a problem with a chassis cluster, and you issue the show log jsrpd command.
A. The output displays fabric link status information, including details such as jitter and when a link goes up
and down.
B. The output displays node-to-node tunneling status information, including details such as tunnel negotiations
and endpoint discovery information.
C. The output displays authentication error conditions for reth interfaces, including details used for link
aggregation negotiations and member interface status.
D. The output displays redundancy group status information, including details such as node primacy or
redundancy group failover reasons.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation: The data link uses jsrpd heartbeat messages to validate that the path is up and is actively working.
The JSRPD detects a change in chassis cluster redundancy mode.
QUESTION 49
You are having problems with SYN flood attacks against your network. You administered the TCP syn-flood
options on your SRX device to block these attacks, but internal hosts are still seeing floods that fall just under
the threshold you have set for blocking SYN floods. You cannot set the threshold any lower without impacting
legitimate traffic.
What are two SYN flood protection commands that you can use to resolve the problem? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation: When syn-proxy is configured the first SYN packets are allowed through. Once the attack
threshold is met, the SRX proxies the connection, sending a SYN/ACK back to the source. This is used to
determine if it is a legitimate request or just a drone flooding SYN requests. In the source- and destination-based
SYN flooding protections, the SYN packets are not proxied but dropped to the floor. Anything above that
configured threshold is dropped. This is a dangerous setting, and you must be cautious when designing these
thresholds. SYN cookie protection is a stateless SYN proxy that you can use to defend against SYN floods from
spoofed source IP addresses. A SYN cookie doesn't add much value if the source IP addresses are legitimate
and reply to the SYN/ACK packet.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB3268
QUESTION 50
You have been asked to secure your network from as many network reconnaissance activities as possible.
Which three screens would be helpful in blocking these types of activities? (Choose three.)
A. Option A
B. Option B
C. Option C
D. Option D
Explanation/Reference:
Explanation:
Packets with the source-route option create load on the CPU and may create a security risk. A TCP header with the
FIN flag set but not the ACK flag is anomalous TCP behavior, causing various responses from the recipient,
depending on the OS. Blocking packets with the FIN flag and without the ACK flag helps prevent OS
probes. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the
victim as both the destination and source IP address.
Reference:
http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/statement-hierarchy/security-screen.html
QUESTION 51
Your company is in the process of deploying a VPN network to connect its sites. Traffic will predominantly
access resources at the central site. However, on occasion, traffic must be transported from one spoke site to
another.
Which two methods will provide the desired connectivity? (Choose two.)
A. a hub-and-spoke IPSec VPN using a multipoint secure tunnel interface on the hub device
B. a hub-and-spoke IPSec VPN using a multipoint secure tunnel interface on all devices
C. a hub-and-spoke IPSec VPN using a separate secure tunnel unit for each spoke device
D. a hub-and-spoke IPSec VPN using a separate multipoint secure tunnel on each spoke device
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation: Route-based VPNs offer two different types of architectures: point-to-point and point-to-multipoint.
Point-to-point VPNs map a single VPN to a single logical interface unit, so the SRX connects directly to a single
peer VPN gateway on the interface. Point-to-multipoint VPNs allow the device to connect to multiple peer
gateways on a single logical interface.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn,
August 2010, p. 266.
QUESTION 52
You recently added NAT in your environment and now users are complaining about not being able to access
the Internet.
Which two parameters would you configure to verify that NAT is working correctly? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation: The NAT traceoptions hierarchy configures the trace file and flags for verification purposes. J Series
and SRX Series devices have two main components: the Routing Engine (RE) and the Packet
Forwarding Engine (PFE). The PFE is divided into the ukernel portion and the real-time portion. For verification,
you can turn on flags individually to debug NAT functionality on the RE, ukernel PFE, or real-time PFE. The
trace data is written to /var/log/security-trace by default. Example:
set security nat traceoptions flag all
set security nat traceoptions flag source-nat-pfe
set security nat traceoptions flag source-nat-re
set security nat traceoptions flag source-nat-rt
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-42831.html?searchid=1320517464784
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15758&actp=search&viewlocale=en_US&searchid=1320517464784#Verification
QUESTION 53
Click the Exhibit button.
Compare the two outputs shown in the exhibit.
Which two statements are correct about VPN monitoring? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
If VPN monitoring is enabled, then this will show Up or Down. A hyphen (-) means VPN monitoring is not
enabled for this SA.
Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/show-security-ipsec-security-associations.html
QUESTION 54
Click the Exhibit button.
Referring to the exhibit, which parameter can be applied under the destination-address hierarchy?
A. utm-policy
B. idp-filter
C. drop-translated
D. uac-policy
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: With uac-policy enabled, Junos security policies enforce rules for transit traffic, defining what
traffic can pass through the Juniper Networks device. The policies control traffic that enters from one zone
(from-zone) and exits another (to-zone).
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17476&cat=SRX_SERIES&actp=LIST
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/uac-config-enabling-uac.html
QUESTION 55
Which statement accurately describes an idle scan?
A. A scanning method where "stealth" packets (packets without any flags set) are sent from an attacker to a
remote target host through IDS systems.
B. A scanning method that scans all idle TCP connections on a remote target host to hijack them, so that you
can take advantage of an authenticated data connection.
C. A scanning method where long idle periods exist between the scanning packets sent so IDS systems do not
sense the scan attack.
D. A scanning method where a "zombie" host is used by an attacker to exploit a predictable IP fragmentation
ID sequence and to discover open ports on the target host.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer
to find out what services are available. This is accomplished by impersonating another computer called a
"zombie" (that is not transmitting or receiving information) and observing the behavior of the zombie system.
Reference: http://nmap.org/book/idlescan.html
http://en.wikipedia.org/wiki/Idle_scan
QUESTION 56
You must protect your network against Layer 4 scans.
Which two actions help you achieve this objective? (Choose two)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
B. Example: set security screen ids-option untrusted-internet tcp port-scan threshold 1000000
C. Juniper provides predefined attack objects (both protocol anomaly and signatures) individually and in
predefined groups to customers who have active licenses. The predefined attack objects cannot be edited for
the most part; however, you can use these as a basis for creating custom attack objects.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn,
August 2010, p. 405.
QUESTION 57
You have been asked to design and deploy a VPN-based backup network for your enterprise. Your network is
currently configured across a single OSPF Area 0. All the VPN termination points in your network will be
Juniper Networks SRX Series devices.
How must you configure your devices so that static routing can be avoided?
A. OSPF will not provide the needed functionality. The group VPN feature is required to create the next-hop
tunnel binding and arrange key management across routing domains.
B. Configure VPN tunnels between the SRX Series devices and enable OSPF Area 0 on the st.0 interfaces.
You can use the next-hop tunnel binding (NHTB) protocol for next hops to the tunnels.
C. Configure VPN tunnels between the SRX Series devices and enable OSPF Area 0 on the st.0 interfaces.
You must configure next-hop tunnel binding for the remote peers mapping next hops to VPN names.
D. Because OSPF will not provide the required next-hop VPN binding alone, dynamic VPN must be used to
discover the next-hop tunnel binding automatically.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Point-to-multipoint VPNs allow you to bind multiple VPNs to a single interface on the hub. For this
to work properly, the SRX must know not only which VPN to send the traffic into on the st0 interface to which it
is bound, but also which next-hop will be used for routing that traffic on the interface. To accomplish this, the
SRX uses a mechanism called a Next-Hop Tunnel Binding (NHTB) table on the interface to map all of this
information. On the SRX, if you are going to another SRX or ScreenOS device and you are using static routing,
the SRX can automatically exchange the next-hop tunnel information with the peer as part of the optional
vendor attribute exchanges in Phase 2 (also known as auto NHTB). If you are using a dynamic routing protocol
(such as RIP, OSPF, or BGP), you will not need to make a manual mapping entry because the SRX can build
the table automatically from the routing updates matching the next-hop to the tunnel it came out of.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn,
August 2010, p. 268.
QUESTION 58
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation: Authentication-method: Pre-shared-keys indicates that a pre-shared key is used for authentication.
Certificates and pre-shared keys are mutually exclusive options.
The VPN is set with NAT traversal as NAT-T uses UDP port 4500 (by default) rather than the standard UDP
port 500.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 270.
QUESTION 59
For RG 1, Node 0 has priority 200; Node 1 has priority 100. Preempt has been configured. Node 0 has been
rebooted; therefore, Node 1 is primary for RG 1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Each node is given a priority within a redundancy group. The higher-priority device is given
mastership over the redundancy group. This depends on a few options, and one of them, by default, is that a
node with a higher priority will not preempt the device with the lower priority. The result is that if a lower-priority
node were to have ownership of a redundancy group and then a node with the higher priority were to come
online, it would not give ownership to the higher-priority device. To enable this, the preempt option would need
to be enabled, and the device with the higher priority would take ownership of the redundancy group when it
was healthy to do so.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn,
August 2010, p. 572.
QUESTION 60
Click the Exhibit button.
Which statement is true regarding the session displayed in the exhibit?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: The session tokens match (0x20a) for In and Out parts. This indicates that the session traverses
only one routing-instance.
QUESTION 61
Click the Exhibit button.
The NHTB configuration excerpt shown in the exhibit is applied on an SRX Series device that is a hub in a hub-
and-spoke VPN
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Because NHTB is configured, the remote spoke device is not required to be a Juniper device. The NHTB
protocol must be supported only by the hub, and only the hub's st0 interface is configured as multipoint.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn,
August 2010, p. 267.
QUESTION 62
Click the Exhibit button
In the exhibit, which two commands should you use to ping 10.1.1.100 from the SRX Series device's command
line? (Choose two)
A. ping 10.1.1.100
B. ping source 10.1.1.1 10.1.1.100
C. ping routing-instance vr1 10.1.1.100
D. ping interface ge-0/0/1.0 10.1.1.100
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation: Because 10.1.1.100 belongs to routing-instance vr1, there are two options for pinging this host:
QUESTION 63
Your company has VPNs that connect to other companies. The company wants to use certificates with a
recognized third-party certificate authority.
Which two steps are required to use certificates with a certificate authority? (Choose two)
A. Configure a CRL
B. Configure RSA signatures for the IKE authentication method
C. Configure DSA signatures for the IKE authentication method
D. Generate a certificate request for the SRX device
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Explanation: To use certificates with a certificate authority, you have to set the IKE authentication method in the
phase 1 proposal by setting the "rsa-signatures" attribute. The rsa-signatures attribute signifies
certificates using RSA key generation. Before you can use certificate-based authentication, you have to generate a
certificate request for each participating SRX device.
You can do this by issuing the command:
request security pki generate-certificate-request
Reference: http://jsrx.juniperwiki.com/index.php?title=JNCIE-SEC#Certificates
QUESTION 64
Your company wants to deploy IPv6. The deployment on core routers has been completed. You now must
enable your firewalls with the new protocol, but you must configure the SRX Series device so that it does not
yet examine IPv6 packets.
A. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, enhance the security
policies so that IPv6 packets are ignored; enhance the used routing protocols with IPv6 capabilities.
B. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, and enhance the used
routing protocols with IPv6 capabilities.
C. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, enhance the used routing
protocols with IPv6 capabilities; configure the security forwarding options so that IPv6 traffic is not
transported in the stateful forwarding mode.
D. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, and enhance the security
protocols with IPv6 capabilities as well as to switch on "Inet6 routing" in the configuration's routing-options
stanza.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: By default, the SRX runs with flow-based forwarding, which drops IPv6 packets. To allow IPv6 packets
to be forwarded by the SRX, a forwarding-options command must be configured. The following
forwarding-options command is required:
Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16040&actp=search&viewlocale=en_US&searchid=1320572266620#
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-interfaces-and-routing/logical-properties-section.html#ipv6-enable-section
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guide/config-selective-stateless-chap.html#config-selective-stateless-chap
QUESTION 65
You have a VoIP application that requires external sessions to be initiated into your environment. The internal
host has not sent an initial packet to the external host's reflexive transport address.
A. target-host
B. address-persistent
C. target-host-port
D. any-remote-host
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: When persistent NAT is used with any-remote-host option all requests from a specific internal IP
address and port are mapped to the same reflexive transport address and any external host can send a packet
to the internal host by sending the packet to the reflexive transport address.
Reference: http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/index.html?topic-42825.html#jd0e125921
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/index.html?topic-42826.html
QUESTION 66
You want to implement a VPN on your SRX device that will use certificates to authenticate with the peer
gateway. You plan to allow certificates from any certificate authority.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation: set security ike proposal rsa-prop1 authentication-method rsa-signatures enables certificate-based
authentication in IKE phase 1.
set security ike policy ike-poll certificate trusted-ca use-all enables the use of all configured certificate
authorities.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/cli-reference/junos-security-cli-reference.pdf
QUESTION 67
A security alert has been issued for an application running on your network that exploits a buffer overflow to
compromise the application. The security alert specifies that client-to-server communication will contain the
string "*~\hack-man?\" or the string "\back\*?/hat".
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Signature-based attack objects will be the most common form of attack object to configure. This is
where you use regular expression matching to define what attack objects should be matched by the detector
engine.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James
Quinn, August 2010, p. 430
QUESTION 68
Click the Exhibit button.
Given the exhibit, which type of NAT is implemented?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The NAT type implemented in the exhibit is many-to-many with port translation. It translates the source IP
of at most 255 hosts matching the 10.1.1.0/24 network to a pool of 11 IPs from 200.0.0.30 to 200.0.0.40.
As the first number (255) is greater than the second one (11), PAT may be needed for translation.
Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn,
August 2010, p. 209.
QUESTION 69
After implementing a chassis cluster for active/active clustering, you have identified a congestion issue with
traffic traversing the data link between the two nodes.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: You have to upgrade the fabric link to support a higher bandwidth. Connecting two fabric links
between the nodes provides redundancy. Having two fabric links helps to avoid a possible single point of failure
but does not provide load balancing of data traffic.
QUESTION 70
In which order are the stages of an attack?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: An attacker usually precedes an attack by performing reconnaissance on the target. Before
launching an exploit, attackers might try to probe the targeted host to learn its operating system (OS). Whether
gathering information or launching an attack, it is generally expected that the attacker avoids detection.
Although some IP address and port scans are blatant and easily detectable, more wily attackers use a variety of
means to conceal their activity. Techniques such as using FIN scans instead of SYN scans--which attackers
know most firewalls and intrusion detection programs detect--indicate an evolution of reconnaissance and
exploit techniques for evading detection and successfully accomplishing their tasks.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-93100.html
http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/attack-detection-prevention-overview.html
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/understanding-operating-system-probes.html
QUESTION 71
Which three scans can an attacker use to probe your network for open TCP ports? (Choose three.)
Explanation/Reference:
Explanation:
QUESTION 72
The finance department has implemented a new network application that transits multiple network devices,
including an SRX5600. Application servers in different locations are unable to communicate. You have
narrowed down the issue to the SRX5600, and have determined that the application can initiate a flow, but
return traffic is dropped by the SRX5600.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 73
Which feature would you use to bypass the flow-based forwarding capability of an SRX Series branch device
for a specific application?
A. security policy
B. policer
C. firewall filter
D. routing policy
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 74
Click the Exhibit button.
Your company has begun implementing a hub-and-spoke VPN to connect employees safely to the corporate
network. You are asked to work on a troubleshooting ticket in which employees complain that their VPN
connection is not working. The exhibit shows the VPN configuration for the hub device.
What must you change to make the setup work?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 75
While configuring your SRX device, you notice problems with the configuration. You suspect that someone
made an undocumented change to your device. You want to determine who made the change and when it was
made. All administrators have unique logins.
Which two commands do you use to troubleshoot this problem? (Choose two.)
A. user@srx# rollback ?
B. user@srx# show | compare rollback 2
C. user@srx> show rollback 2
D. user@srx> show system commit
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 76
Your SRX Series device must have the IPS signature database installed for use in IPS policy development.
How do you install the IPS signature database onto the SRX Series device?
A. Run the request security idp security-package idp install command, the signature database will be
downloaded from Juniper Networks and installed.
B. Run the request security idp security-package download command followed by the request security idp
security-package install command.
C. Run the request security idp security-package download command after the signature database has been
manually downloaded from Juniper Networks.
D. Download the signature database from Juniper Networks and run the request security idp security-package
download <ip-address> to use TFTP to transfer the file from your laptop and install it on the SRX Series
device.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 77
You have an SRX650 that supports many customers who are each assigned to their own virtual router and do
not normally communicate with each other. However, a request has been made to allow Customers A and B to
communicate directly with Customer C.
Which two methods would enable the requested communication? (Choose two.)
A. Create a static route from routing instances A and B with a qualified-next-hop of C's interface and a route
distinguisher ID of value "C".
B. Create a logical tunnel interface for each of Customer A, B, and C's routing instances.
Configure a static route from A and B pointing to C's single logical tunnel interface IP address.
C. On the SRX device, physically connect cables from interfaces in Customer A and B's routing instances to
Customer C's routing instance, and assign the same IP address space.
D. Create individual static routes and logical tunnel interfaces between routing instances A and C as well as
between routing instances B and C.
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 78
Click the Exhibit button.
You are troubleshooting a new IPsec VPN tunnel that is failing to establish an IKE security association between
SRX Series devices.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 79
While performing routine monitoring of your network, you notice an unusual increase in activity. You check the
logs and notice a specific set of flows from a single source IP address. In analyzing these flows you determine
that a remote host has sent several packets to your server with no TCP flags set.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 80
In a group VPN, the members rekey with the server using the unicast pull method.
A. KEK
B. IPsec SA
C. TEK
D. IKE SA
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 81
Click the Exhibit button.
Which two commands are required to generate the results shown in the exhibit? (Choose two.)
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 82
Which IPS inspection step is completed last?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 83
Click the Exhibit button.
You have configured an SRX Series device to act as the hub in a hub-and-spoke environment. After configuring
two of your spoke sites, you notice that only one of your VPNs is established.
Referring to the exhibit, what must be added to the hub's st0 interface to resolve the problem?
A. Multipoint
B. Point-to-multipoint
C. Multi-tunnel
D. Multi-path
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
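Added example, not from the exam page or from Juniper documentation: the hub-side fix this question describes. A st0 unit is point-to-point by default and can carry a single VPN; marking it multipoint lets every spoke VPN bind to the same unit, and next-hop-tunnel entries map each spoke's tunnel address to its VPN. All names, addresses and the ike-pol/ipsec-pol objects are assumed and illustrative; lines beginning with # are commentary, not configuration.

```junos
# Hub: one st0 unit shared by every spoke, so it must be multipoint
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.10.10.1/24
set security zones security-zone vpn interfaces st0.0

# Each spoke has its own IKE gateway (assumed to reuse an existing ike-pol)
set security ike gateway spoke-a ike-policy ike-pol
set security ike gateway spoke-a address 203.0.113.11
set security ike gateway spoke-a external-interface ge-0/0/0.0
set security ike gateway spoke-b ike-policy ike-pol
set security ike gateway spoke-b address 203.0.113.12
set security ike gateway spoke-b external-interface ge-0/0/0.0

# Both VPNs bind to the same st0.0; this is what fails with a point-to-point unit
set security ipsec vpn to-spoke-a bind-interface st0.0
set security ipsec vpn to-spoke-a ike gateway spoke-a
set security ipsec vpn to-spoke-a ike ipsec-policy ipsec-pol
set security ipsec vpn to-spoke-b bind-interface st0.0
set security ipsec vpn to-spoke-b ike gateway spoke-b
set security ipsec vpn to-spoke-b ike ipsec-policy ipsec-pol

# Next-hop tunnel binding: which VPN reaches which spoke tunnel address
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.2 ipsec-vpn to-spoke-a
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.3 ipsec-vpn to-spoke-b

# Spoke LANs (assumed prefixes) are routed to the spoke tunnel addresses
set routing-options static route 192.168.1.0/24 next-hop 10.10.10.2
set routing-options static route 192.168.2.0/24 next-hop 10.10.10.3
```

After the commit, show security ipsec security-associations should list both tunnels and show security ipsec next-hop-tunnels should list both bindings. On the spokes nothing changes: their st0 units stay point-to-point, each bound to one VPN.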
QUESTION 84
Click the Exhibit button.
Your company uses a custom-built FTP application. You have configured an application definition to support it
on your SRX Series device as shown in the exhibit, and applied the application to the relevant security policy.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 85
Two high-end SRX Series devices are configured in a chassis cluster, but inter-chassis communication is
problematic and intermittent. Node 0 has SPCs located in slots 1, 2, 5, and 10 and has IOCs located in slots 3
and 4. Node 1 has SPCs located in slots 13, 14, and 18 and has IOCs located in slots 15 and 16.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 86
You have an internal application that requires the same IP address to be used for multiple concurrent sessions.
A. persistent-nat any-remote-host
B. persistent-address
C. address-persistence
D. persistent-nat target-host
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
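Added example, not from the page: the option the question points at is address-persistent, a global setting under [edit security nat source] that makes the device translate every session from a given internal host to the same address in the pool. The zones, pool range and source prefix are assumptions. The final line shows persistent-nat, listed among the distractors; it is a per-rule option that keeps a translation binding open so that return or inbound sessions can use it, which is a different requirement. Lines beginning with # are commentary.

```junos
# A pool with more than one address: without address-persistent, concurrent
# sessions from one host may be given different pool addresses
set security nat source pool out-pool address 203.0.113.10/32 to 203.0.113.20/32

# Global: pin each internal host to one pool address for all its sessions
set security nat source address-persistent

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule r1 match source-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule r1 then source-nat pool out-pool

# Distractor shown for contrast: persistent-nat keeps the binding alive for
# inbound use (here only the original target host may reach back through it)
set security nat source rule-set trust-to-untrust rule r1 then source-nat pool out-pool persistent-nat permit target-host
```

To confirm the behaviour, generate several sessions from one host and compare the translated source address in show security flow session; with address-persistent set it is the same for all of them. Persistent NAT bindings, if configured, appear in show security nat source persistent-nat-table all.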
QUESTION 87
Click the Exhibit button.
High availability chassis clustering has been configured. The SRX 5800-A is in passive mode, while the SRX
5800-B is in active mode. The administrator has configured the control-link-recovery feature. A unidirectional
fabric link causes the SRX 5800-A to see the SRX 5800-B's probes, but the SRX 5800-B cannot see the SRX
5800-A's probes.
A. Traffic from R2 toward R4 flows through the SRX 5800-B to the SRX 5800-A.
B. Traffic from R2 toward R4 flows through the SRX 5800-A reth3 interface to R3.
C. Traffic from R2 toward R4 flows through the SRX 5800-B reth2 interface.
D. Traffic from R2 toward R4 flows through the SRX 5800-A reth2 interface to R3.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 88
You have been asked to change the authentication mechanism on one of your VPNs to use public-key
certificates to authenticate the peer SRX devices at each end.
Which part of the VPN configuration must you change?
A. IKE Phase 2
B. IKE Phase 1
C. Security policy
D. Proxy ID
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 89
You have two SRX3400s running in active/passive mode. The primary SRX device has an NPC fail and goes
offline. What happens to the SRX cluster?
A. The SRX device cannot recover from an NPC failure, and causes a no-brain situation; both SRXs go in to a
disabled state.
B. Both RG0 and RG1 fail over to the backup node, and the primary node goes into a disabled state.
C. The RG1 fails over to the backup node, whereas RG0 remains active on the primary.
D. The SRX device cannot recover from an NPC failure, and causes a split-brain situation; both SRX devices
become active.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 90
What are two protection methods employed on SRX Series devices? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 91
You are using certificates for IPsec VPNs and want the SRX Series device to verify that the certificates are
valid.
When configuring the SRX device, which protocol is supported for retrieving the CRL?
A. RADIUS
B. TACACS+
C. LDAP
D. FTP
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 92
You initiated the installation of the attack database. The system indicates that it will run asynchronously and
returns you to a command prompt in the CLI. You want to know if the installation has completed.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
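Added example covering Question 76 and Question 92 together, not from the page: the two-step download-then-install sequence, and the status commands used to follow each step because both run asynchronously and return the prompt immediately. It assumes the device has an IDP licence and outbound reachability to the Juniper signature server. Lines beginning with # are commentary.

```junos
# Operational mode. Step 1: fetch the signature package from Juniper Networks
user@srx> request security idp security-package download

# The download runs in the background; poll until it reports done
user@srx> request security idp security-package download status

# Step 2: compile and install what was downloaded (also asynchronous)
user@srx> request security idp security-package install

# This is the check Question 92 asks for
user@srx> request security idp security-package install status

# Confirm the attack database version now active on the device
user@srx> show security idp security-package-version

# Predefined policy templates are a separate package with the same two steps
user@srx> request security idp security-package download policy-templates
user@srx> request security idp security-package install policy-templates
```

A commit is not needed for the signature package itself; it is needed afterwards if you reference newly installed attack objects or a loaded template in an IDP policy.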
QUESTION 93
How many components can a compound attack object contain?
A. 8
B. 16
C. 24
D. 32
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 94
You want out-of-band management traffic to be separated from the transit traffic going through an SRX chassis
cluster.
Which two must you implement to meet this requirement? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 95
You have configured several new security policies on your SRX Series device, and they are ready to be
committed. The device is running in a live network and you are concerned that any configuration errors will
affect traffic.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
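Added example covering Question 75 and Question 95 together, not from the page: committing risky policy changes on a live device with an automatic rollback safety net, and afterwards finding out who changed what and when. The user names, timestamps and comment are constructed for illustration; lines beginning with # are commentary.

```junos
# Configuration mode. Syntax-check the candidate first
user@srx# commit check

# Activate for 10 minutes only: unless a second commit arrives in that window,
# Junos rolls back automatically, so a policy that blacks out management
# access undoes itself
user@srx# commit confirmed 10 comment "new DMZ security policies"

# Verify traffic and reachability, then make the change permanent
user@srx# commit

# Auditing (Question 75). Operational mode: commit history with user and time.
# Constructed sample output:
user@srx> show system commit
# 0   2013-03-01 10:20:30 UTC by bob via cli
# 1   2013-02-28 17:05:12 UTC by alice via netconf

# Same list from configuration mode, keyed by rollback index
user@srx# rollback ?

# Exactly what changed between the active configuration and the one before it
user@srx# show | compare rollback 1

# If the undocumented change must go, restore the earlier configuration
user@srx# rollback 1
user@srx# commit comment "revert undocumented change"
```

This only identifies the author if every administrator has a unique login, which the question stipulates; with a shared account the history shows the account, not the person.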
QUESTION 96
What can cause a node in an SRX Series chassis cluster to be in the disabled state?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 97
Click the exhibit.
The exhibit contains the full routing-instances and interface configuration present on your SRX Series device.
Customer A hosts are attached to the ge-0/0/3 interface and belong to the 10.0.0.0/24 network. Customer B
hosts are attached to the ge-0/0/4 interface and belong to the 20.0.0.0/24 network. Assume the appropriate
security configuration is in place.
Which statement is correct when a host with the IP address 10.0.0.100 pings a host with the IP address
20.0.0.100?
A. The SRX Series device will drop the packets because interface routes are not shared within a rib-group.
B. The SRX Series device will drop the packets because filter-based forwarding is not configured.
C. The SRX Series device will forward the traffic because filter-based forwarding is configured.
D. The SRX Series device will forward the traffic using the logical tunnel interfaces.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
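Added example covering Question 77 and Question 97 together, not from the page: connecting two virtual-router instances inside one SRX with a pair of logical tunnel units, which is the method both questions settle on. It uses the interfaces and prefixes given in Question 97 (Customer A on ge-0/0/3, 10.0.0.0/24; Customer B on ge-0/0/4, 20.0.0.0/24); the /30 link prefix, instance and zone names are assumptions. For Question 77 the same pattern is repeated once per pair (A to C, B to C), each with its own unit pair. Lines beginning with # are commentary.

```junos
# One lt- unit pair per instance pair; each unit names the other as its peer.
# lt-0/0/0 is present on branch SRX; some platforms need tunnel services
# enabled under [edit chassis] first (check the platform documentation)
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 10.255.0.1/30
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 10.255.0.2/30

# Customer A's instance owns unit 1, Customer B's owns unit 2
set routing-instances cust-a instance-type virtual-router
set routing-instances cust-a interface ge-0/0/3.0
set routing-instances cust-a interface lt-0/0/0.1
set routing-instances cust-b instance-type virtual-router
set routing-instances cust-b interface ge-0/0/4.0
set routing-instances cust-b interface lt-0/0/0.2

# Static routes across the tunnel, one in each instance
set routing-instances cust-a routing-options static route 20.0.0.0/24 next-hop 10.255.0.2
set routing-instances cust-b routing-options static route 10.0.0.0/24 next-hop 10.255.0.1

# The lt- units are interfaces like any other: they need zones and a policy,
# which is where the "do not normally communicate" requirement is enforced
set security zones security-zone cust-a interfaces lt-0/0/0.1
set security zones security-zone cust-b interfaces lt-0/0/0.2
set security policies from-zone cust-a to-zone cust-b policy a-to-b match source-address any
set security policies from-zone cust-a to-zone cust-b policy a-to-b match destination-address any
set security policies from-zone cust-a to-zone cust-b policy a-to-b match application junos-icmp-ping
set security policies from-zone cust-a to-zone cust-b policy a-to-b then permit
```

A ping from 10.0.0.100 to 20.0.0.100 then leaves cust-a via lt-0/0/0.1 and enters cust-b on lt-0/0/0.2, which is what the question's answer D describes. Without the tunnel units the two virtual routers have no interface in common and, absent a rib-group or filter-based forwarding, cust-a has no route to 20.0.0.0/24 at all.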
QUESTION 98
A security alert has been issued for an application running on your network that exploits a buffer overflow to
compromise the application. The security alert specifies that initial client-to-server communication will contain
the string "~\hack-app\", followed by the string "\&&-phase-2//" or the string "\bad\7string".
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
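Added example covering Question 93 and Question 98 together, not from the page: a custom compound (chain) attack object whose members are the three strings from the alert, combined as "first string, then either of the other two", and the IDP policy that drops the connection when it fires. The attack and member names, the TCP port and the zone names are assumptions. The pattern strings follow the IDP signature convention of escaping a literal backslash with a second backslash; verify them against the signature syntax reference for your release before deploying. A chain may hold up to 32 members; this one uses three. Lines beginning with # are commentary.

```junos
# Compound attack: bind to the application's TCP port (assumed 8080), match
# within one session, require members to appear in the stated order
set security idp custom-attack hack-app severity critical
set security idp custom-attack hack-app attack-type chain protocol-binding tcp minimum-port 8080 maximum-port 8080
set security idp custom-attack hack-app attack-type chain scope session
set security idp custom-attack hack-app attack-type chain order
set security idp custom-attack hack-app attack-type chain expression "m01 and (m02 or m03)"

# m01: the string that always opens the exploit, client to server
set security idp custom-attack hack-app attack-type chain member m01 attack-type signature context packet
set security idp custom-attack hack-app attack-type chain member m01 attack-type signature pattern "~\\hack-app\\"
set security idp custom-attack hack-app attack-type chain member m01 attack-type signature direction client-to-server

# m02 / m03: either follow-up string completes the chain
set security idp custom-attack hack-app attack-type chain member m02 attack-type signature context packet
set security idp custom-attack hack-app attack-type chain member m02 attack-type signature pattern "\\&&-phase-2//"
set security idp custom-attack hack-app attack-type chain member m02 attack-type signature direction client-to-server
set security idp custom-attack hack-app attack-type chain member m03 attack-type signature context packet
set security idp custom-attack hack-app attack-type chain member m03 attack-type signature pattern "\\bad\\7string"
set security idp custom-attack hack-app attack-type chain member m03 attack-type signature direction client-to-server

# IPS rulebase rule that references the custom attack and drops the connection
set security idp idp-policy app-protect rulebase-ips rule r1 match from-zone untrust to-zone trust
set security idp idp-policy app-protect rulebase-ips rule r1 match application default
set security idp idp-policy app-protect rulebase-ips rule r1 match attacks custom-attacks hack-app
set security idp idp-policy app-protect rulebase-ips rule r1 then action drop-connection
set security idp idp-policy app-protect rulebase-ips rule r1 then notification log-attacks
set security idp active-policy app-protect

# IDP only inspects sessions whose security policy hands them to it
set security policies from-zone untrust to-zone trust policy to-app then permit application-services idp
```

Because the chain is evaluated per session and in order, a client that sends only the opening string, or sends the follow-up strings first, does not trigger the object; show security idp attack table shows hits once it does.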
QUESTION 99
You are asked to configure an IPsec tunnel to securely connect from the headquarters office to a remote office.
You are required to use ESP and to disable NAT traversal between offices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
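Added example covering Questions 88, 91 and 99 together, not from the page: a site-to-site VPN whose IKE Phase 1 authenticates the peers with certificates, whose CA profile fetches the CRL over LDAP, and whose IPsec uses ESP with NAT traversal turned off on the gateway. CA name, URLs, certificate IDs, peer address and algorithm choices are assumptions; the CA must be reachable for enrollment and CRL retrieval. Lines beginning with # are commentary.

```junos
# PKI: CA profile with SCEP enrollment and CRL-based revocation checking over LDAP
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca enrollment url http://ca.example.net:8080/scep/
set security pki ca-profile corp-ca revocation-check crl url ldap://ldap.example.net/CN=corp-ca,OU=PKI,O=Example
set security pki ca-profile corp-ca revocation-check crl refresh-interval 24

# Operational mode: load the CA certificate, then enrol the device certificate
user@srx> request security pki ca-certificate enroll ca-profile corp-ca
user@srx> request security pki generate-key-pair certificate-id srx-hq-cert size 2048 type rsa
user@srx> request security pki local-certificate enroll ca-profile corp-ca certificate-id srx-hq-cert domain-name srx-hq.example.net subject "CN=srx-hq.example.net,OU=Network,O=Example" challenge-password changeme

# Phase 1 (Question 88): the authentication method is in the IKE proposal,
# the certificate to present is in the IKE policy
set security ike proposal ike-prop authentication-method rsa-signatures
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol certificate local-certificate srx-hq-cert

# Gateway: identify peers by certificate DN, and disable NAT-T (Question 99)
set security ike gateway remote-office ike-policy ike-pol
set security ike gateway remote-office address 198.51.100.2
set security ike gateway remote-office external-interface ge-0/0/0.0
set security ike gateway remote-office local-identity distinguished-name
set security ike gateway remote-office remote-identity distinguished-name
set security ike gateway remote-office no-nat-traversal

# Phase 2: ESP, not AH, with authentication and encryption
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn to-remote bind-interface st0.0
set security ipsec vpn to-remote ike gateway remote-office
set security ipsec vpn to-remote ike ipsec-policy ipsec-pol
set security ipsec vpn to-remote establish-tunnels immediately
```

Check the pieces in order: show security pki ca-certificate and show security pki local-certificate confirm the certificates loaded, show security pki crl confirms the CRL was retrieved from the LDAP URL, and show security ike security-associations shows Phase 1 up with the certificate-based policy. Because NAT traversal is disabled, the tunnel will not form if a NAT device sits between the offices, so confirm the path is NAT-free before committing this.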