[Free] 2018(Jan) EnsurePass Examcollection Juniper JN0-696 Dumps with VCE and PDF 1-10


Security Support, Professional (JNCSP-SEC)

Question No: 1

– Exhibit –

user@host> show security flow session
Session ID: 41, Policy name: allow/5, Timeout: 20, Valid
  In: 172.168.66.143/43886 -> 192.168.100.1/5000;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 10.100.1.100/5555 -> 172.168.66.143/43886;tcp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

user@host> show configuration
security {
    nat {
        destination {
            pool server {
                address 10.100.1.100/32 port 5555;
            }
            rule-set rule1 {
                from zone UNTRUST;
                rule 1 {
                    match {
                        destination-address 192.168.100.1/32;
                        destination-port 5000;
                    }
                    then {
                        destination-nat pool server;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.100.1/32;
                }
            }
        }
    }
    policies {
        from-zone UNTRUST to-zone TRUST {
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ping tcp-5000 ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone TRUST {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone UNTRUST {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application tcp-5000 {
        protocol tcp;
        destination-port 5000;
    }
}

– Exhibit –

Click the Exhibit button.

Your customer is attempting to reach your new server that should be accessible publicly using 192.168.100.100 on TCP port 5000, and internally using 10.100.100.1 on TCP port 5555. You notice a session forms when they attempt to access the server, but they are unable to reach the server.

Referring to the exhibit, what will resolve this problem?

  A. There must be a TRUST-to-UNTRUST security policy to allow return traffic.

  B. The NAT pool server address must be changed to 10.100.100.1/32.

  C. The NAT pool server port must be changed to 5000.

  D. The NAT rule set rule1 must match on address 172.168.66.143.

Answer: B

Question No: 2

Click the Exhibit button.

You recently configured a chassis cluster between two branch SRX Series devices and realize that the cluster is not functional, with node device status lost.

Referring to the exhibit, which two actions will correct this problem? (Choose two.)

  A. Confirm both devices are synchronized with the local NTP.

  B. Confirm that the software on both devices is the same Junos OS version.

  C. Confirm both devices are running with the same security policies.

  D. Confirm that the hardware on both devices is the same.

Answer: B,D

Explanation:

Chassis Cluster prerequisites include:

B: The SOFTWARE on both standalone devices must be the same Junos OS version. Verify using this command on both devices:

root> show version
Model: srx220h
JUNOS Software Release [11.4R7.5]

D: Confirm that the HARDWARE on both devices is the same. Verify using this command on both devices:

root@srx220> show chassis hardware detail

References: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21312&actp=search

Question No: 3

Click the Exhibit button.

A customer created a security policy and is not receiving any logs from permitted sessions. You are asked to obtain the logs for the customer.

Which parameter must you add to the configuration shown in the exhibit to accomplish this task?

  A. set system syslog file traffic-log any any

  B. set default-permit then log session-close

  C. set default-permit then count

  D. set system syslog file traffic-log match “traffic_session”.

Answer: A

Explanation:

To send security policy logs to a file named traffic-log on the SRX Series device:

user@host# set system syslog file traffic-log any any
user@host# set system syslog file traffic-log match "RT_FLOW_SESSION"

In the example above, traffic log messages are sent to a separate log file named traffic-log. The severity level is set to any so that the traffic log messages are captured. Only log messages that match RT_FLOW_SESSION, which identifies traffic log messages, are sent to the traffic-log file.

References: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=search

Question No: 4

Click the Exhibit button.

A customer is using a destination NAT to a remote webserver, but the configuration is not working.

Referring to the exhibit, which configuration changes will resolve this problem?

  A. Option A

  B. Option B

  C. Option C

  D. Option D

Answer: A

Explanation:

Example of working configuration:

user@host# show security nat
destination {
    pool dst-nat-pool-1 {
        address 192.168.1.200/32;
    }
    rule-set rs1 {
        from interface ge-0/0/0.0;
        rule r1 {
            match {
                destination-address 1.1.1.200/32;
            }
            then {
                destination-nat pool dst-nat-pool-1;
            }
        }
    }
}

References: http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/nat-securitydestination-single-address-translation-configuring.html

Question No: 5

– Exhibit –

user@R1> show security ike security-associations

user@R1> show security zones
Security zone: trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 3
  Interfaces:
    ge-0/0/0.0
    ge-0/0/6.0
    lo0.0

Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

user@R1> show interfaces st0
Physical interface: st0, Enabled, Physical link is Up
  Interface index: 130, SNMP ifIndex: 503
  Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192
  Device flags   : Present Running
  Interface flags: Point-To-Point
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)

  Logical interface st0.0 (Index 72) (SNMP ifIndex 546)
    Flags: Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 3
    Output packets: 3
    Security: Zone: Null
    Protocol inet, MTU: 9192
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 172.19.0.0/30, Local: 172.19.0.1

user@R1> show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 508
  Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: b0:c6:9a:73:27:81, Hardware address: b0:c6:9a:73:27:81
  Last flapped   : 2013-06-12 15:22:48 UTC (00:59:41 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

  Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 541)
    Flags: SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 40
    Output packets: 27
    Security: Zone: untrust
    Allowed host-inbound traffic : ping
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 184.0.15.0/30, Local: 184.0.15.1, Broadcast: 184.0.15.3

user@R1> show log ipsec-trace | match "500|drop"
Jun 12 16:32:10 16:32:10.680034:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:32:51 16:32:51.874191:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:32:51 16:32:51.874191:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500
Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet dropped: for self but not interested
Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Jun 12 16:32:54 16:32:54.680399:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:32:56 16:32:56.888094:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:32:56 16:32:56.888094:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet dropped: for self but not interested
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet dropped, packet dropped: for self but not interested.
Jun 12 16:33:00 16:33:00.680794:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:33:07 16:33:06.902220:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa 184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:33:07 16:33:06.902220:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr 184.0.15.1, sp 500, dp 500
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet dropped: for self but not interested
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet dropped, packet dropped: for self but not interested.

– Exhibit –

Click the Exhibit button.

You are asked to troubleshoot a new IPsec tunnel that is not establishing between R1 and R2. The remote team has verified that R2's configuration is correct.

Referring to the exhibit, which two actions are required to resolve the problem? (Choose two.)

  A. Add the st0.0 interface to a security zone.

  B. Change the st0.0 interface MTU to 1400.

  C. Enable IKE for host inbound traffic in the untrust zone.

  D. Enable IKE for host inbound traffic in the trust zone.

Answer: A,C

Question No: 6

Click the Exhibit button.

A customer wants to commit a configuration but receives the error shown in the exhibit.

What would solve the problem?

  A. Option A

  B. Option B

  C. Option C

  D. Option D

Answer: A

Explanation:

The "Source address or address_set not found" error message indicates that we need to create address book entries for 192.168.1.1 and 192.168.1.2.

Question No: 7

You recently installed a new webserver which resides in the DMZ zone of an SRX Series device. However, the server is not accessible from any host in the Untrust zone.

Which two statements are true? (Choose two.)

  A. A security policy must be configured to allow traffic from the Untrust zone destined to the DMZ zone.

  B. The webserver and the SRX Series device must be configured to use the same NTP server.

  C. The webserver’s IP address must be represented in an address book entry on the SRX Series device.

  D. The SRX Series device must be configured to allow SSH as host-inbound-traffic.

Answer: A,C

Explanation:

C: Example, which creates an address book entry for the webserver:

set security zones security-zone dmz address-book address webserver 172.16.1.250/24

References:

http://www.juniper.net/documentation/en_US/junos12.1x47/topics/example/security-srx-device-natconfiguring.html

http://www.juniper.net/us/en/local/pdf/app-notes/3500153-en.pdf

Question No: 8

Click the exhibit button.

You recently installed two new internal webservers. You configure destination NAT on your SRX Series device so that external users will have access to internal Web resources.

However, the external users reported that they still do not have access to the server. Referring to the exhibit, what should you do to solve the problem?

  A. Configure proxy ARP for the address 190.133.117.184/32.

  B. Contact your ISP since the packets are not reaching the SRX Series device.

  C. Configure 190.133.117.184/32 under a security zone.

  D. Configure a different IP address for the internal servers.

Answer: C

Explanation:

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

Through the policies you define, you can permit traffic between zones to flow in one direction or in both. With the routes that you define, you specify the interfaces that traffic from one zone to another must use.

Note: A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound.

References:

http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/securitybasic-zone-interface.pdf

Question No: 9

Click the Exhibit button.

A customer configured DHCP relay. After committing the configuration, the DHCP server does not provide addresses and you suspect that a configuration is missing. The server is connected to ge-0/0/8 and the hosts are connected to ge-0/0/7 through a switch. The server IP address is 192.18.24.38.

Referring to the exhibit, which two commands would be used to solve the problem? (Choose two.)

  A. set security zones security-zone trust interfaces ge-0/0/7 host-inbound-traffic system-services dhcp

  B. set security policies from-zone untrust to-zone trust policy DHCP-reply match destination-address 192.18.24.38

  C. set security policies from-zone trust to-zone untrust policy DHCP-request match source-address 192.18.24.38

  D. set security zones security-zone untrust interfaces ge-0/0/8 host-inbound-traffic system-services dhcp

Answer: A,C

Explanation:

SRX Getting Started – Configure Global DHCP Relay Service

A: Specify DHCP as an allowed inbound service for each interface that is associated with DHCP. In the following example, DHCP is configured as an inbound service for ge-0/0/7.

user@host# set security zones security-zone trust interfaces ge-0/0/7 host-inbound-traffic system-services dhcp

C: Make sure that you have a security policy that allows the session from the DHCP server to the DHCP client apart from the policy from trust to untrust.

Example:

user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match destination-address DHCP-server

References: https://kb.juniper.net/InfoCenter/index?page=content&id=KB15755&pmv=print&actp=LIST

Question No: 10

You are troubleshooting a problem on your Junos device where the antispam SBL server is no longer filtering known spam hosts. You notice that local list antispam filtering is still working for known spam hosts.

What would cause this problem?

  A. You have configured the sbl-default-server parameter in the antispam feature profile.

  B. DNS has stopped working on your Junos device.

  C. The antispam license has expired on your Junos device.

  D. The default spam-action parameter has been set to permit.

Answer: C

Explanation:

When it stops working remotely but still works locally, it is normally due to the license expiring, unless something else has changed in your configuration.

References:

http://www.juniper.net/documentation/en_US/junos12.1/topics/concept/utm-antispam-filter-server-basedunderstanding.html
