[Free] Download New Latest (November) Juniper JN0-332 Actual Tests Topic 4, Volume D part 07

Ensurepass

QUESTION 361 (Topic 4)

Your SRX Series device is configured so that all inbound traffic from the Internet is examined by the UTM content filtering feature.

As inbound traffic arrives at the SRX device, which packet processing component is responsible for sending the packets for UTM processing?

A. zone
B. security policy
C. Junos Screen options
D. forwarding lookup

Answer: B

QUESTION 362 (Topic 4)

You want to silently drop HTTP traffic.

Which action will accomplish this task?

A.

    [edit security policies from-zone untrust to-zone trust policy drop-http]
    user@host# show
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        deny;
    }

B.

    [edit security policies from-zone untrust to-zone trust policy drop-http]
    user@host# show
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        reject;
    }

C.

    [edit security policies from-zone untrust to-zone trust policy drop-http]
    user@host# show
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        block;
    }

D.

    [edit security policies from-zone untrust to-zone trust policy drop-http]
    user@host# show
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        terminate;
    }

Answer: A

QUESTION 363 (Topic 4)

You need to implement Junos Screen options to protect traffic coming through the ge-0/0/0 and ge-0/0/1 interfaces, which are located in the trust and DMZ zones, respectively.

Where would you enable the Junos Screen options?

A. in the trust and DMZ zone settings
B. on the ge-0/0/0 and ge-0/0/1 interfaces
C. in a security policy
D. in the global security zone settings

Answer: A

QUESTION 364 (Topic 4)

Which two parameters are configurable under the [edit security zones security-zone zoneA] stanza? (Choose two.)

A. the TCP RST feature
B. the security policies for intrazone communication
C. the zone-specific address book
D. the default policy action for firewall rules in this zone

Answer: AC

QUESTION 365 (Topic 4)

-- Exhibit --

    security {
        policies {
            from-zone TRUST to-zone UNTRUST {
                policy allow-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
                policy allow-hosts {
                    match {
                        source-address hosts;
                        destination-address any;
                        application junos-http;
                    }
                    then {
                        permit;
                    }
                    scheduler-name block-hosts;
                }
                policy deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
        }
    }
    schedulers {
        scheduler block-hosts {
            daily {
                start-time 10:00:00 stop-time 18:00:00;
            }
        }
    }

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet during specific times. You notice that hosts are unable to access the Internet.

What is blocking hosts from accessing the Internet?

A. The policy allow-all should have the scheduler applied.
B. The policy allow-hosts should match on source-address any.
C. The policy allow-hosts should have an application of any.
D. The policy allow-all should have a then statement of permit.

Answer: D

QUESTION 366 (Topic 4)

What are two valid network prefixes in address books? (Choose two.)

A. 172.16.3.11/29
B. 172.16.0.0/16
C. 172.16.3.11/32
D. 172.16.3.11/24

Answer: BC

QUESTION 367 (Topic 4)

-- Exhibit --

    user@host> show security ipsec security-associations
    Total active tunnels: 1
    ID      Algorithm      SPI      Life:sec/kb  Mon vsys Port Gateway
    <131073 ESP:3des/sha1  ac23df79 2532/ unlim  -   root 4500 1.1.1.1
    >131073 ESP:3des/sha1  cbc9281a 2532/ unlim  -   root 4500 1.1.1.1

    user@host> show security ipsec security-associations detail
    Virtual-system: root
    Local Gateway: 1.0.0.1, Remote Gateway: 1.1.1.1
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv1
    DF-bit: clear
    Direction: inbound, SPI: ac23df79, AUX-SPI: 0
        , VPN Monitoring: -
    Hard lifetime. Expires in 3186 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime. Expires in 2578 seconds
    Mode. Tunnel, Type. dynamic, State. installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service. counter-based enabled, Replay window size. 64
    Direction: outbound, SPI: cbc9281a, AUX-SPI: 0
        , VPN Monitoring: -
    Hard lifetime. Expires in 3186 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime. Expires in 2578 seconds
    Mode. Tunnel, Type. dynamic, State. installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service. counter-based enabled, Replay window size. 64

-- Exhibit --

Click the Exhibit button.

The exhibit shows output from two show commands.

What are two conclusions about the VPN tunnel from the output? (Choose two.)

A. VPN monitoring is enabled.
B. There is a device performing NAT between the two VPN endpoints.
C. 3DES is the encryption protocol.
D. Traffic with the DF-bit set that exceeds the MTU will be dropped.

Answer: BC

QUESTION 368 (Topic 4)

You are asked to establish a chassis cluster between two branch SRX Series devices. You must ensure that no single point of failure exists.

What would prevent a single point of failure?

A. dual data plane links
B. redundant routing tables
C. redundant cluster IDs
D. dual control plane links

Answer: A

QUESTION 369 (Topic 4)

-- Exhibit --

    security {
        policies {
            from-zone TRUST to-zone UNTRUST {
                policy hosts-allow {
                    match {
                        source-address hosts;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                    scheduler-name block-hosts;
                }
                policy allow {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-http;
                    }
                    then {
                        permit;
                    }
                }
                policy deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
        }
    }
    schedulers {
        scheduler block-hosts {
            daily {
                start-time 10:00:00 stop-time 18:00:00;
            }
        }
    }

-- Exhibit --

Click the Exhibit button.

Referring to the exhibit, you have configured a scheduler to allow hosts access to the Internet during specific times. You notice that hosts are still accessing the Internet during times outside of the scheduler’s parameters.

What is allowing hosts to access the Internet?

A. The policy allow is allowing hosts access during unscheduled hours.
B. The policy hosts-allow should have a then statement of deny.
C. The policy hosts-allow should have an application of junos-http.
D. The policy deny should have the scheduler applied.

Answer: A

QUESTION 370 (Topic 4)

-- Exhibit --

    [edit security policies]
    user@host# show
    from-zone hr to-zone internet {
        policy internet-access {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
        policy clean-up {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }

-- Exhibit --

Click the Exhibit button.

You want to permit access to the Internet from the hr zone during a specified time.

Which configuration will accomplish this task?

A. Configure a scheduler, apply it to a new policy, and insert it after internet-access to permit Internet access.
B. Configure a scheduler and apply it to the policy internet-access to deny Internet access.
C. Configure a scheduler and apply it to the policy internet-access to permit Internet access.
D. Configure a scheduler, apply it to a new policy, and insert it before internet-access to permit Internet access.

Answer: C
