[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 1, Volume A part 05

Ensurepass

QUESTION 41  (Topic 1)

 

You have a problem with an FTP session that will not establish through your SRX240 device. You confirmed that routing and security policies are correct. You want to capture packets to further troubleshoot the problem.

 

Which two actions are required to do this? (Choose two.)

 

A. Run the monitor traffic interface | save pcap command.

B. Turn on the packet-capture option in the forwarding-options section of the configuration.

C. Build a firewall filter with a sample action on the interface.

D. Enable traceoptions on the interface.

 

Answer: BC

 

 

 

Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/packet-capture-on-Juniper-SRX210/td-p/102454

 

 

QUESTION 42  (Topic 1)

 

In a group VPN the members rekey with the server using the Unicast PUSH method.

 

This rekey mechanism is protected by which secure channel?

 

A. IPSec SA

B. TEK

C. IKE SA

 

Answer: A

 

 

Explanation: The correct answer is: KEK

Introduction to group VPN:

There are three types of rekey methods:

Pull method: uses the IKE SA, with no need for the KEK

Unicast push method: uses the KEK with an Ack mechanism

Multicast push method: uses the KEK without an Ack mechanism

 

 

QUESTION 43  (Topic 1)

 

Which two protocols are supported by Application Layer Gateways (ALGs) on SRX Series devices? (Choose two.)

 

A. FTP

B. HTTP

C. SIP

D. SNMP

Answer: AC

Explanation:

A: FTP uses a port number inside the TCP payload. This requires an ALG.

C: SIP uses contact information inside the UDP payload. This requires an ALG.

Reference:

http://www.juniper.net/techpubs/en_US/nsm2010.4/topics/reference/specifications/security-service-firewall-alg-protocol-enable-disable-overview.html

http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/feature-support-reference/junos-security-feature-support-guide.pdf

 

 

QUESTION 44  (Topic 1)

 

Click the Exhibit button.

 

[Exhibit image not included]

 

 

 

 

You configured a security policy with an address book entry using a DNS name. Traffic matching the security policy for the DNS name is being dropped.

 

Referring to the exhibit, what is the cause?

 

A. The domain name must be configured as www.juniper.net.

B. The security policy is missing the junos-dns application.

C. The destination address configuration must also include an IP address.

D. The domain name has not been resolved by DNS.

 

Answer: D

Explanation:

One of the requirements for configuring an address book with dns-name entries is “Configure Domain Name System (DNS) services”, without which the domain name cannot be resolved.

 

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/zone-address-book-configuring-cli.html

 

 

QUESTION 45  (Topic 1)

 

The SRX Series device is configured for source NAT. The source IP address will be translated to 1.1.1.1. A packet with a source address of 21.21.21.21 and destination address of 31.1.1.1 arrives at the SRX Series device.

 

Which security policy will this packet match?

 

A. a policy in which the match criteria has a source address of 21.21.21.21 and a destination-address of 31.1.1.1

B. a policy in which the match criteria has a source address of 1.1.1.1 and a destination address of 21.21.21.21

C. a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of 1.1.1.1

D. a policy in which the match criteria has a source address of 31.1.1.1 and a destination address of 1.1.1.1

 

Answer: A

 

 

 

 

 

QUESTION 46  (Topic 1)

 

Click the Exhibit button

 

[Exhibit image not included]

In the exhibit, you are configuring a flow trace of all packets for a TCP session initiated by the client to the server. The server’s IP address is translated using static NAT. You want to use flow trace packet filters to limit the traffic viewed in your trace.

 

Which configuration specifies the correct filters?

A. Option A

B. Option B

C. Option C

D. Option D

 

Answer: D

Explanation:

The correct answer matches source IP 1.1.1.100 and destination IP 1.1.1.30 in request packets and source IP 192.168.224.30 and destination IP 10.1.1.100 in reply from the server.

 

 

QUESTION 47  (Topic 1)

 

Your company is bringing a remote office online and is using an IPSec VPN to establish secure communication between the offices. The remote SRX Series device is receiving its IP address dynamically from the service provider.

 

Which VPN technique can you use on your remote office SRX device?

 

A. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use main mode.

B. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use aggressive mode.

C. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use aggressive mode.

D. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use main mode.

 

Answer: B

 

 

Explanation: When using site-to-site VPNs the most common type of IKE identity is the IP address, assuming that the host has a static IP address. If the host does not have a static IP address, a hostname can be used. Aggressive mode is an alternative to Main mode IPsec negotiation and it is most common when building VPNs from client workstations to VPN gateways, where the client’s IP address is neither known in advance nor fixed.

 

 

 

 

 

 

QUESTION 48  (Topic 1)

 

Click the Exhibit button

 

[Exhibit image not included]

In the exhibit, two SRX240 devices form a chassis cluster. Node 0 is primary for RG 1, and interface monitoring is configured to fail primacy over to Node 1 in the event interface ge-5/0/3 goes down. However, when interface ge-5/0/3 goes down, Node 0 retains primary for RG 1.

 

Which two statements describe why Node 0 retained primacy for RG 1? (Choose two)

 

A. The ge-5/0/3 interface belongs to Node 1 which is in a secondary state so no failover is necessary.

B. Node 0 has a priority of 254, but it will not switch unless an additional interface goes down.

C. Node 1 has a priority of 0 and is not eligible to take primacy of RG 1.

D. The ge-5/0/3 interface belongs to Node 1 and the priority was subtracted from Node 1.

 

Answer: AC

 

 

Reference: http://answers.oreilly.com/topic/2040-how-to-initially-troubleshoot-a-junos-chassis-cluster/

 

 

 

 

 

 

QUESTION 49  (Topic 1)

 

You want to limit attacks on TCP ports.

 

Which two scans should you be concerned about? (Choose two)

 

A. TCP/IP scan

B. SYN scan

C. SYN/SYN scan

D. FIN/ACK scan

 

Answer: BD

 

 

Explanation: A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to a defined number of different ports at the same destination IP address within a defined interval (5000 microseconds is the default). The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target.

Normally, TCP segments with the FIN flag set also have the ACK flag set (to acknowledge the previous packet received). Because a TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, there is no uniform response to this. The OS might respond by sending a TCP segment with the RST flag set. Another might completely ignore it. The victim’s response can provide the attacker with a clue as to its OS. (Other purposes for sending a TCP segment with the FIN flag set are to evade detection while performing address and port scans and to evade defenses on guard for a SYN flood by performing a FIN flood instead.)

 

 

QUESTION 50  (Topic 1)

 

Click the Exhibit button

[Exhibit image not included]

 

In the exhibit, Customer A and Customer B connect to the same SRX Series device. ISP1 and ISP2 are also directly connected to the SRX device. Customer A’s traffic must use ISP1, and Customer B’s traffic must use ISP2.

 

Which configuration will create the required routing tables?

 

A. set routing-options rib-groups fbf import-rib [ custA.inet.0 custB.inet.0]

B. set routing-options rib-groups fbf export-rib [ custA.inet.0 custB.inet.0 ]

C. set routing-options rib-groups fbf import-rib [ custA.inet.0 custB.inet.0 inet.0 ]

D. set routing-options rib-groups fbf export-rib [ custA.inet.0 custB.inet.0 inet.0 ]

 

Answer: C

 
