[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 1, Volume A part 03

Ensurepass

QUESTION 21 (Topic 1)

Given the session shown below:

[Exhibit: session output, image not available]

Which statement is true?

A. The session indicates that destination NAT with no port translation is taking place.

B. The session indicates that no NAT is taking place.

C. The session indicates that source NAT is taking place.

D. The session indicates that destination NAT with port translation is taking place.

Answer: C

Explanation: The output of the command shows that the TCP packet with src ip 10.1.0.13 and src tcp port 52939 and dst ip 207.17.137.229 and dst port 80 is entering interface ge-0/0/5.0, and the reverse connection is created for the same session: src ip 172.19.101.42 and src tcp port 2132 and dst ip 207.17.137.229 and dst tcp port 80. So the source IP 10.1.0.13 is translated to 172.19.101.42.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/show-security-flow-session.html#jd0e143381

QUESTION 22 (Topic 1)

Which two configuration tasks should you use to implement filter-based forwarding? (Choose two.)

A. Create a VRF routing instance.

B. Create a firewall filter with an action of virtual-channel.

C. Create routing options with rib-groups.

D. Create routing options with interface routes.

Answer: CD

Reference: http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/routing-configuring-filter-based-forwarding.html

QUESTION 23 (Topic 1)

You obtained a license file from Juniper Networks for the SRX Series Services Gateway IPS feature set. You want to install the license onto the SRX Series device.

Which statement is accurate?

A. The license file is automatically downloaded from the online license server, you need not do anything.

B. Transfer the file to the SRX Series device using FTP or SCP and install the license with the request system license add <filename> command.

C. The license file must be decrypted with the openssl utility before being installed on the SRX Series device.

D. Transfer the file to the SRX firewall using FTP or SCP and install the license with the request system license install-permanent command.

Answer: B

Reference: http://www.juniper.net/techpubs/en_US/junos11.1/topics/reference/command-summary/request-system-license-add.html

QUESTION 24 (Topic 1)

Click the Exhibit button.

[Exhibit: image not available]

Referring to the exhibit, an IPSec tunnel is established between SRXA and SRXB. A GRE tunnel is established between router A and router B. Users in LANA can ping users in LANB; however, large FTP transfers are failing.

What is causing the problem?

A. The anti-replay service window size needs to be increased to 64.

B. SRXB is running in transport mode.

C. Fragmentation is not allowed on the IPSec tunnel.

D. GRE over IPSec is not supported.

Answer: C

Explanation: Fragmentation is not allowed on the IPSec tunnel because the don't fragment (DF) bit is set, so packets with a size equal to the standard Ethernet MTU (1500 bytes) are dropped.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configuration-statement/clear-dont-fragment-bit-edit-service-set.html

QUESTION 25 (Topic 1)

You configure an SRX Series chassis cluster with graceful restart support for the configured routing protocols. When testing your cluster failover in a large, multivendor lab environment, you notice that most of the BGP and OSPF neighbors remain adjacent, whereas a few other neighbors drop the adjacency with your cluster during the cluster failover test. You notice that the OSPF and BGP neighbors that drop the adjacencies are always the same.

Why is this happening?

A. The OSPF/BGP neighbors in question have misconfigured hello/dead interval timers, which causes the connection to flap during the failover.

B. The OSPF/BGP neighbors in question are not running in GR helper mode, which causes the adjacencies to flap.

C. The local SRX cluster devices have misconfigured OSPF/BGP hello/dead interval timers, which cause the connections to flap during the failover.

D. The local SRX cluster devices are not running in GR helper mode, which causes the adjacencies to flap.

Answer: B

Explanation: When a router is running graceful restart and the router stops sending and replying to protocol liveness messages (hellos), the adjacencies assume a graceful restart and begin running a timer to monitor the restarting router. During this interval, helper routers do not process an adjacency change for the router that they assume is restarting, but continue active routing with the rest of the network. The helper routers assume that the router can continue stateful forwarding based on the last preserved routing state during the restart. If the router was actually restarting and is back up before the graceful timer period expires in all of the helper routers, the helper routers provide the router with the routing table, topology table, or label table (depending on the protocol), exit the graceful period, and return to normal network routing.

Reference: http://www.juniper.net/techpubs/en_US/junos10.2/topics/concept/high-availability-features-in-junos-introducing.html

QUESTION 26 (Topic 1)

You want to implement a chassis cluster using SRX650s in your network. Your manager has informed you that the nodes participating in the chassis cluster will reside in remote locations.

Which two statements represent valid considerations for this deployment scenario? (Choose two.)

A. The latency between the participating nodes cannot exceed 300 ms.

B. The links supporting the control and fabric links should all be 1 Gbps or higher.

C. The same physical path supporting the control and fabric links should be used.

D. The paths supporting the control and fabric links should use segregated virtual paths.

Answer: BD

Explanation: After configuring the SRX650 HA Chassis Cluster, ge-0/0/0 is reserved for FXP0 (out of band), ge-0/0/1 for the Control Link and one more port (mostly ge-0/0/2 is used) for the Fabric Link. In most SRX Series devices in a chassis cluster, you can configure any pair of Gigabit Ethernet interfaces or any pair of 10-Gigabit interfaces to serve as the fabric between nodes. If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the corresponding switch ports. If both of the fabric links are connected through the same switch, the RTO-and-probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN. Here too, the jumbo frame feature must be enabled on the corresponding switch ports.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabric-configuring-cli.html

QUESTION 27 (Topic 1)

You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through routing-instance Juniper2 without sharing all the routes between the two instances.

Which static route configuration will accomplish this?

A. set routing-instances Juniper1 routing-options static route 2.2.2.2 next-table Juniper2.inet.0

B. set routing-instances Juniper2 routing-options static route 2.2.2.2 next-table Juniper1.inet.0

C. set routing-options static route 2.2.2.2 next-table Juniper2.inet.0

D. set routing-options static route 2.2.2.2 next-table Juniper1.inet.0

Answer: A

QUESTION 28 (Topic 1)

Click the Exhibit button.

[Exhibit: image not available]

You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between SRX Series devices. You notice the error in the log shown in the exhibit.

What are two possible causes for this problem? (Choose two.)

A. no route to 2.2.2.2

B. mismatched peer ID type

C. incorrect peer address

D. missing Phase 1 policy

Answer: BC

Explanation: Message “unable to find phase-1 policy as remote peer:2.2.2.2 is not recognized” means that the responder did not recognize the incoming request as originating from a valid gateway peer.

You have to confirm that on the responder the following IKE gateway configuration settings are correct:

 – The Static IP Address specified for the Remote Gateway is correct.

 – The Peer ID specified for the Remote Gateway is correct.

 – The outgoing interface is correct.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101

QUESTION 29 (Topic 1)

You create a custom attack signature with the following criteria:

 – HTTP Request:

 – Pattern: *x<404040…40

 – Direction: Client to Server

Which client request would be identified as an attack?

A. FTP GET.,x404040…40

B. HTTP GET *404040..40

C. HTPPOST.*x404040…40

D. HTTP GET *x4040401.40

Answer: D

Explanation: Signature-based attack objects will be the most common form of attack object to configure. This is where you use regular expression matching to define what attack objects should be matched by the detector engine. The provided regular expression matches an HTTP GET request containing *x4040401..40. Here, x denotes hex-based numbers and . matches any symbol.

Reference: http://www.juniper.net/techpubs/en_US/idp5.1/topics/example/simple/intrusion-detection-prevention-custom-attack-object-compound-signature.html

QUESTION 30 (Topic 1)

Click the Exhibit button.

[Exhibit: image not available]

You want to verify a security flow on your SRX Series device.

Which statement is true regarding the output shown in the exhibit?

A. This output indicates interface-based source NAT.

B. The policy nat-security-policy denies traffic from 10.1.0.13 to 207.17.137.229.

C. This output indicates source NAT without port translation.

D. The “out” direction shows traffic egressing out of the firewall towards 207.17.137.229.

Answer: C

Explanation: The client connects to web server 207.17.137.229. The reverse flow shows that the destination IP is changed from 10.1.0.13 to 172.19.101.42. This indicates that source NAT is in place.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/show-security-flow-session.html
