[Free] 2018(Jan) EnsurePass Examcollection Juniper JN0-696 Dumps with VCE and PDF 11-20


Security Support, Professional (JNCSP-SEC)

Question No: 11

Click the Exhibit button.


A customer has a problem connecting to an SRX Series device from the untrust zone using SSH only.

Referring to the exhibit, which action will solve the problem?

  A. Configure the ssh parameter under the [edit security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols] hierarchy.

  B. Configure the ssh parameter under the [edit security zones security-zone untrust host-inbound-traffic system-services] hierarchy.

  C. Configure the ssh parameter under the [edit security zones security-zone untrust host-inbound-traffic protocols] hierarchy.

  D. Configure the ssh parameter under the [edit security zones security-zone trust host-inbound-traffic system-services] hierarchy.

Answer: B

Explanation:

Assume that inbound SSH, FTP, and ping traffic should be permitted from the untrust zone. Then configure the following:

[edit security zones]
root# set security-zone untrust host-inbound-traffic system-services ssh
root# set security-zone untrust host-inbound-traffic system-services ftp
root# set security-zone untrust host-inbound-traffic system-services ping

Note: For SRX Series branch devices, a factory default security policy is provided that:

- allows all traffic from the trust zone to the untrust zone;
- allows all traffic between trusted zones, that is, from the trust zone to intrazone trusted zones;
- denies all traffic from the untrust zone to the trust zone.

References:
http://www.dummies.com/how-to/content/how-to-configure-srx-security-zones-with-junos.html
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/security-srx-device-zone-and-policy-understanding.html

Question No: 12

You want to allow remote users using PCs running Windows 7 to access the network using an IPsec VPN. You implement a route-based hub-and-spoke VPN; however, users report that they are not able to access the network.

What is causing this problem?

  A. The remote clients do not have proper licensing.

  B. Hub-and-spoke VPNs cannot be route-based; they must be policy-based.

  C. The remote clients' OS is not supported.

  D. Hub-and-spoke VPNs do not support remote client access; a dynamic VPN must be implemented instead.

Answer: D

Question No: 13

You have deployed AppID on your SRX Series device. You want to block all HTTP connections. However, there is a packet-monitoring device that shows the SRX Series device is still allowing some packets through to the webservers on TCP port 80.

In this scenario, which statement is correct?

  A. Traffic is hitting the default fall-back option.

  B. The packet-monitoring device is allowing packets to TCP port 80.

  C. After deploying AppID, this is a normal behavior.

  D. There are new sessions matching the webservers on TCP port 80.

Answer: C

Explanation:

Note: The APPID (application identification) feature is a Junos OS feature that identifies applications as constituents of application groups in TCP/UDP/ICMP traffic.

References:
http://www.juniper.net/techpubs/en_US/junos-mobility12.1/topics/concept/pcef-app-id-overview.html

Question No: 14

Click the Exhibit button.


A customer has requested that you set up a dynamic VPN to allow users to reach the internal network. After running the configuration shown in the exhibit, users are sometimes unable to connect to the network. They cannot ping other IP addresses and they are getting IP conflicts within the network.

What must you change in the configuration to solve this problem?

  A. The dyn-vpn-address-pool network address needs to be an address book.

  B. The configuration is missing a secondary DNS.

  C. The dyn-vpn-address-pool network address needs to be configured on a separate subnet.

  D. The configuration needs to be applied to a different interface.

Answer: C

Explanation:

References:
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/example/vpn-security-dynamic-example-configuring.html

Question No: 15

Click the Exhibit button.


Your customer has indicated that their VPN is down.

Referring to the exhibit, what is the problem?

  A. The IKE IDs are mismatched.

  B. The proxy IDs are mismatched.

  C. The IKE Phase 2 proposals are mismatched.

  D. The IKE Phase 1 proposals are mismatched.

Answer: B

Explanation:

Example of IKE proxy-id mismatch (see line 11 onwards):

1 [Apr 2 10:57:34]SA-CFG lookup for Phase 2 failed for local:, remote: IKEv1
2 [Apr 2 10:57:34]ikev2_fb_spd_select_qm_sa_cb: IKEv2 SA select failed with error TS unacceptable
3 [Apr 2 10:57:34]ikev2_fb_spd_select_qm_sa_cb: SA selection failed, no matching proposal (neg df6800)
11 [Apr 2 10:57:34]iked_pm_ike_spd_notify_received: Negotiation is already failed. Reason: TS unacceptable.
[Apr 2 10:57:34]QM notification '(null)' (40001) (size 8 bytes) from for protocol Reserved spi[0…3] =eb 7b b2 b4
[Apr 2 10:57:34]ike_st_i_private: Start
[Apr 2 10:57:34]ike_st_o_qm_hash_2: Start
[Apr 2 10:57:34]ike_st_o_qm_sa_values: Start

Note: “A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Both ends of a VPN tunnel either have a proxy-ID manually configured (route-based VPN) or just use a combination of source IP, destination IP, and service in a tunnel policy. When phase 2 of IKE is negotiated, each end compares the configured local and remote proxy-ID with what is actually received. The configured proxy-ID must match with what is received from the other device that is negotiating an IKE/IPsec tunnel.”

References:
http://www.twine-networks.com/blog/posts/5-troubleshooting-ipsec-log-messages

Question No: 16

Click the Exhibit button.

Ensurepass 2018 PDF and VCE

You are troubleshooting an IPsec VPN which is not establishing.

Which two issues would cause the message shown in the exhibit? (Choose two.)

  A. mismatched peer ID type

  B. Phase 2 proposal mismatch

  C. mismatched pre-shared key

  D. incorrect peer address

Answer: A,B

Question No: 17

Click the Exhibit button.


Your company has a Web server in the trust zone. You configure a NAT rule to allow Internet users from the untrust zone to access this Web server. Internet users use the public IP address to access this Web server, but they report that the server is not accessible.

Referring to the exhibit, which configuration change would resolve this problem?

  A. set security nat proxy-arp interface fe-0/0/2 address

  B. set security zones security-zone untrust host-inbound-traffic system-services http

  C. set security nat destination rule-set http rule 1 match source-address

  D. set security address-book global address web-server

Answer: D

Explanation:

Destination NAT is evaluated first, followed by the security policy lookup, so the policy must reference an address-book entry for the Web server's translated (internal) address.

Question No: 18

Click the Exhibit button.


You are implementing a high availability chassis cluster on an SRX Series device. You would like to manage both devices through the J-Web utility. However, when you try to log in to the second device using SSL HTTP, you receive a message from your Web browser indicating that the message has timed out.

Why are you receiving this message?

  A. There is a firewall policy blocking traffic to the control plane.

  B. HTTP is not configured as host inbound traffic.

  C. The incoming traffic is not being allowed on the correct port.

  D. The rdp daemon is on standby on the secondary device.

Answer: A

Question No: 19

– Exhibit –

user@host> show configuration chassis | display inheritance
cluster {
    redundancy-group 1 {
        node 0 priority 200;
        node 1 priority 100;
        interface-monitor {
            ge-0/0/12 weight 255;
            ge-5/0/12 weight 255;
        }
    }
}

– Exhibit –

Click the Exhibit button.

A customer reports that their SRX failover is not working as expected. They expected node1 to become the primary node for the control plane when interface ge-0/0/12 failed. However, when ge-0/0/12 failed, node0 remained the primary node. They send you the output shown in the exhibit.

What is causing this problem?

  A. The interface-monitor configuration should be applied to redundancy-group 0.

  B. The redundancy-group configuration should include the preempt parameter.

  C. The weight parameter applied to ge-5/0/12 is too high.

  D. The weight parameter applied to ge-0/0/12 is too low.

Answer: A

Explanation:

Node 0 remains the master for the Routing Engine, and therefore for the control plane, because the interface-monitor configuration applies to redundancy group 1 (RG1), not RG0. Only the data plane (forwarding) in RG1 would fail over in this case, which might not be what the customer expects.

Question No: 20

– Exhibit –

[edit security utm]
user@host# show
custom-objects {
    url-pattern {
        blocklist {
            value [ http://badsite.com http://blocksite.com ];
        }
        acceptlist {
            value http://juniper.net;
        }
    }
    custom-url-category {
        blacklist {
            value blocklist;
        }
        whitelist {
            value acceptlist;
        }
    }
}
feature-profile {
    web-filtering {
        url-whitelist whitelist;
        url-blacklist blacklist;
        type juniper-local;
        juniper-local {
            profile web-filter {
                custom-block-message "Site is not allowed";
                fallback-settings {
                    default log-and-permit;
                }
            }
        }
    }
}
utm-policy utm1 {
    web-filtering {
        http-profile web-filter;
    }
}

– Exhibit –

Click the Exhibit button.

You set up Web filtering to allow employees to only access your internal website. You notice that employees are still able to reach websites outside of the blacklists.

Referring to the exhibit, which parameter must be changed?

  A. You must define all sites you want to block using the mime-pattern parameter.

  B. You must change the fallback-settings parameter to default block.

  C. You must use integrated or redirect Web filtering instead of local list filtering.

  D. You must define all sites you want to block using the protocol-command parameter.

Answer: C

Explanation:

A, D: These are options for content filtering, not Web filtering.
B: Fallback settings apply only to error conditions.

This entry was posted in JN0-696 Latest Exam (Jan 2018).
