[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 1, Volume A part 04

Ensurepass

QUESTION 31 (Topic 1)

Click the Exhibit button.

[Exhibit: clip_image002]

The client is downloading a file from the FTP server. The FTP control channel is established using a security policy named trust-to-untrust.

Which statement is correct about the output in the exhibit regarding the data channel?

A. Passive FTP is being used to establish the data channel.
B. The pinhole has been opened by the FTP ALG for return traffic.
C. The session requires a separate security policy for return traffic.
D. The session is using NAT to translate IP addresses.

Answer: B

QUESTION 32 (Topic 1)

Click the Exhibit button.

[Exhibit: clip_image004]

The output shown in the exhibit is from an SRX Series device that is the hub in a hub-and-spoke VPN.

Which two statements are true regarding this output? (Choose two.)

A. NAT traversal is being used.
B. VPN monitoring has been enabled.
C. VPN monitoring has not been enabled.
D. The IKE SA has been successfully established.

Answer: CD

Explanation: The output of the command show security ipsec security-associations does not indicate whether NAT traversal is in use. The value of the Mon field shows that VPN monitoring is disabled. The possible values of the Mon field are:

- (hyphen): VPN Monitor is not configured.
U: VPN tunnel is active, and the link (detected through VPN Monitor) is up.
D: VPN tunnel is active, but the link (detected through VPN Monitor) is down. VPN Monitor is not getting a response to its pings. This could be happening because the device that is being pinged is down or has ping disabled. This could also be happening if the other side of the VPN is not a Juniper firewall.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10090

QUESTION 33 (Topic 1)

Click the Exhibit button.

[Exhibit: clip_image006]

You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between SRX Series devices. You notice the error in the log shown in the exhibit.

What is a possible cause for this problem?

A. mismatched proxy IDs
B. mismatched peer IDs
C. mismatched Phase 2 proposals
D. mismatched preshared key

Answer: D

Explanation: Most likely the Phase 1 pre-shared keys do not match.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101

QUESTION 34 (Topic 1)

Your company has installed a new transparent proxy server that it wants all employee traffic to traverse before taking the default route to the Internet. The proxy server is within two DMZ zones from the SRX Series device, which means your SRX device must now have two default routes: one to the proxy DMZ and one to the Internet from the proxy DMZ.

What can you do to get the traffic to flow to the transparent proxy DMZ, and then from the proxy DMZ to the Internet, regardless of the destination or port?

A. Configure two static default floating routes: one from the employee zone to the ingress proxy DMZ and a second from the egress proxy DMZ to the Internet.
B. Configure two separate routing instances: one instance for the employee zone to the ingress proxy DMZ and the second for the egress proxy DMZ to the Internet.
C. Configure security policies that will route all traffic to the ingress proxy DMZ; traffic will then follow the default route to the Internet from the egress proxy DMZ.
D. Configure a rib-group to handle the two default routes between the ingress and egress zones of the new proxy.

Answer: B

QUESTION 35 (Topic 1)

In a group VPN, a group member can reach the key server 100.0.0.3 using the interface ge-0/0/5. It can reach all other group members using the interface ge-0/0/7. The IP address of ge-0/0/5 is 1.1.1.1 and the IP address of ge-0/0/7 is 2.2.2.1.

Which configuration is correct for this member?

[Exhibit: clip_image008]

[Exhibit: clip_image010]

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation: The correct answer should have:

group-vpn-external-interface ge-0/0/7, as this is the interface through which the member communicates with other members.
local address 1.1.1.1, as this is the interface address of ge-0/0/5 through which the member communicates with the key server.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45798.html

QUESTION 36 (Topic 1)

What is the primary function of Junos Intrusion Prevention System (IPS)?

A. to protect against scans and attacks
B. to perform firewall filtering
C. to perform NAT translation
D. to provide IPSec tunneling

Answer: A

Explanation: The IPS feature list includes:

Stateful Signature Detection: Signatures are applied only to the relevant portions of the network traffic, as determined by the appropriate protocol context, minimizing false positives.
Protocol Anomaly Detection: Protocol usage is verified against published RFCs to detect any violations or abuse, proactively protecting the network from intrusions and even undiscovered vulnerabilities.
Traffic Anomaly Detection: Heuristic rules provide detection of unexpected traffic patterns that may suggest reconnaissance or attacks. The intrusion prevention system proactively prevents reconnaissance activities and blocks distributed denial of service (DDoS) attacks.
Role-Based Administration: More than 100 different activities can be assigned as unique permissions to different administrators, streamlining business operations by logically separating and enforcing the roles of the various administrators.
Intrusion Prevention System functions conform to business operations: logical separation of devices, policies, reports, and other management activities lets you group devices based on business practices.

Reference: http://www.juniper.net/as/en/products-services/software/router-services/ips/

QUESTION 37 (Topic 1)

Which two protection mechanisms are supported on SRX Series Services Gateways? (Choose two.)

A. flow overflow attack protection
B. back door protection
C. Layer 2 protection for ARP spoofing
D. back link protection

Answer: BC

Explanation: The IDP system detects Layer 2 attacks by defining implied rules on the IDP sensor. By default, the IDP has ARP spoof detection enabled. You can configure an interface to reject gratuitous ARP (G-ARP) requests and replies based on your security concerns. Accepting gratuitous ARP requests and replies might make the network vulnerable to ARP spoofing attacks.

The backdoor rulebase protects your network from mechanisms installed on a host computer that facilitate unauthorized access to the system. Attackers who have already compromised a system typically install backdoors (such as Trojans) to make future attacks easier. When attackers send and retrieve information to and from the backdoor program (as when typing commands), they generate interactive traffic that IDP can detect.

Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB7443&actp=search&viewlocale=en_US&searchid=1248336689499#
http://www.juniper.net/techpubs/software/management/security-manager/nsm2008_2/nsm-intrusion-detection-prevention-device-guide.pdf

QUESTION 38 (Topic 1)

Click the Exhibit button.

[Exhibit: clip_image012]

A user complains that they cannot reach a destination host using Telnet. The user expresses concern that the SRX Series device is blocking the connection attempt. You check the security policy log on the SRX device and see the entry shown in the exhibit.

Based on the security policy log entry, which three statements describe why the user is unable to use Telnet to reach the destination host? (Choose three.)

A. No security policy is configured on the SRX device to match the request.
B. The destination host does not have a valid route for the user's PC.
C. The destination host is not listening on the requested service.
D. Another device between the SRX device and the destination host is blocking the request.
E. A trace options flag is set on the SRX device to drop the Telnet traffic.

Answer: BCD

Explanation: Based on the security policy log entry, we can confirm that the "allow-telnet" security policy is configured on the SRX device and that the SRX device does not receive any packets from the remote Telnet server, as both server-packets and server-bytes are zero. So the possible options are B, C, and D.

Reference:
http://www.juniperforum.com/index.php?topic=10131.0
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/junos-security-swconfig-security.pdf

QUESTION 39 (Topic 1)

You have been asked to configure a signature to block an attack released by a security vulnerability reporting agency. Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)

A. the source IP address of the attacker
B. the protocol the attack is transported in
C. a string or regular expression that occurs within the attack
D. IPv4 routing header

Answer: BC

Reference: http://www.juniper.net/techpubs/en_US/idp5.1/topics/task/configuration/intrusion-detection-prevention-signature-attack-object-creating-nsm.html

QUESTION 40 (Topic 1)

You want to source NAT all traffic initiated from Host A behind an SRX Series device to Server B. The internal transport address must be mapped to the same external transport address. Also, the external Server B must not communicate with the internal Host A using the NAT IP address/port unless the internal Host A has already communicated with the external Server B.

How do you enforce this set of criteria on the SRX Series device?

A. Configure port randomization and pool overloading for source NAT.
B. Configure pool overloading and persistent NAT for source NAT.
C. Turn off port randomization and configure persistent NAT for source NAT.
D. Turn off pool overloading and configure persistent NAT for source NAT.

Answer: D

Explanation: To keep the transport address unchanged, PAT should be disabled using the "port no-translation" command.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296
