[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 2, Volume B part 02


QUESTION 81  (Topic 2)

 

You have implemented a chassis cluster that spans a Layer 2 network between two office campuses. You are using dual fabric links. Some of the RTOs are getting lost.

 

What are two reasons why this happens? (Choose two.)

 

A. The switches interconnecting the fabric links do not support jumbo frames.

B. The switches are not configured with the proper VLAN tags used by RTO traffic.

C. The Layer 2 network contains 10 Gigabit links.

D. There is a 500 millisecond latency between the SRX Series devices.

 

Answer: AD

Explanation: If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the corresponding switch ports. If both of the fabric links are connected through the same switch, the RTO-and-probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN. Here too, the jumbo frame feature must be enabled on the corresponding switch ports.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabric-configuring-cli.html

 

 

QUESTION 82  (Topic 2)

 

[Exhibit: clip_image002]

 

You have configured an SRX Series device to act as the hub in a hub-and-spoke environment. After configuring two of your spoke sites, you notice that only one of your VPNs is established.

 

Referring to the exhibit, what must be added to the hub’s st0 interface to resolve the problem?

 

A. Multipoint

B. Point-to-multipoint

C. Multi-tunnel

D. Multi-path

 

Answer: A

 

 

QUESTION 83  (Topic 2)

 

A security alert has been issued for an application running on your network that exploits a buffer overflow to compromise the application. The security alert specifies that client-to-server communication will contain the string “*~hack-man?” or the string “back*?/hat”.

 

Which type of IPS custom signature is required to block the traffic?

 

A. A signature attack object for each of the specified strings

B. A compound attack object

C. A protocol anomaly attack object

D. A regular expression matching the identified strings

 

Answer: A

 

 

Explanation: Signature-based attack objects will be the most common form of attack object to configure. This is where you use regular expression matching to define what attack objects should be matched by the detector engine.

 

Reference: O’Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 430

 

 

QUESTION 84  (Topic 2)

 

Bandwidth utilization has significantly increased recently on the SRX3600 connecting your company to the Internet. You have decided to enable the Application Tracking feature on the device to provide visibility into the volume of the different applications passing through.

 

Where in the configuration is Application Tracking applied?

 

A. interfaces

B. zone

C. routing instances

D. globally

 

Answer: B

 

 

Explanation: Application tracking is configured under the security zones security-zone section.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45953.html?searchid=1320424816614

QUESTION 85  (Topic 2)

 

Your company is bringing a remote office online and will use VPN connectivity for access to resources between offices. The remote SRX Series device has an IP address, which it obtained dynamically from a service provider.

 

Which VPN technique can be used on your remote office SRX Series device?

 

A. Configure the head office to allow promiscuous VPN connections and disable the use of IKE peer identities.

B. Use the main-mode IKE exchange method in combination with a transport-mode tunnel.

C. Use a certificate authority for IKE Phase 2 authentication.

D. Use a fully qualified domain name (FQDN) as the IKE identity and configure IKE to use aggressive mode.

 

Answer: D

 

 

Explanation: When using site-to-site VPNs, the most common type of IKE identity is the IP address, assuming that the host has a static IP address. If the host does not have a static IP address, a hostname or FQDN can be used. Also, a dynamic IP address requires the use of aggressive mode (unprotected IKE identities).

 

Reference: O’Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 261.

 

 

QUESTION 86  (Topic 2)

 

A security analyst at your company wants to make sure packets coming from the Internet accessing your public Web servers are protected from HTTP packets that do not meet standards.

 

Which attack object will protect your infrastructure from nonstandard packets?

 

A. signature attack objects

B. compound protocol attack objects

C. protocol anomaly attack objects

D. the HTTP anomaly screen

 

Answer: C

Explanation: Protocol anomaly attack objects are predefined objects developed by the Juniper Security Team to detect activity that is outside the bounds of a protocol. Typically, the enforcement for what is considered acceptable behavior for protocols is based on an RFC specification or a manufacturer spec if there is no RFC.

 

Reference: O’Reilly. Junos Security, Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 404

 

 

QUESTION 87  (Topic 2)

 

Two high-end SRX Series devices are configured in a chassis cluster, but interchassis communication is problematic and intermittent. Node 0 has SPCs located in slots 1, 2, 5, and 10 and has IOCs located in slots 3 and 4. Node 1 has SPCs located in slots 13, 14, and 18 and has IOCs located in slots 15 and 16.

 

What is causing the interchassis communication issues?

 

A. There must be a SPC installed in the first slot on each node.

B. The SPCs must all be placed in consecutive slots on each node.

C. The IOCs must be placed in the first two slots on each node.

D. The number of SPCs being used must be the same on both nodes.

 

Answer: D

 

 

QUESTION 88  (Topic 2)

 

What is a NULL scan attack and how can you minimize its effects?

 

A. A NULL scan attack consists of a series of packets that have source port 0 and various destination ports set. This attack can be minimized using set security screen ids-option my screen tcp-no-null and udp-no-null.

B. A NULL scan attack is an attack targeting port 0 of the remote device’s TCP/IP stack. This attack can be minimized using set security idp sensor-configuration flow no-allow-tcp without-flow.

C. A NULL scan attack uses TCP packets with no flags set. This attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.

D. A NULL attack makes use of UDP packets that contain only null characters in their payload. This attack can be minimized using a stateless firewall filter.

 

Answer: C

 

 

Explanation: A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn’t contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. A Null Scan attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e98530.html?searchid=1320438879836

 

 

QUESTION 89  (Topic 2)

 

You are troubleshooting a problem with a chassis cluster, and you issue the show log jsrpd command.

 

What information would be helpful in the generated output? (Choose two.)

 

A. The output displays fabric link status information, including details such as jitter and when a link goes up and down.

B. The output displays node-to-node tunneling status information, including details such as tunnel negotiations and endpoint discovery information.

C. The output displays authentication error conditions for reth interfaces, including details used for link aggregation negotiations and member interface status.

D. The output displays redundancy group status information, including details such as node primacy or redundancy group failover reasons.

 

Answer: AD

 

 

Explanation: The data link uses jsrpd heartbeat messages to validate that the path is up and is actively working. The JSRPD detects a change in chassis cluster redundancy mode.

 

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/syslog-messages/syslog-messages.pdf

QUESTION 90  (Topic 2)

 

[Exhibit: clip_image004]

Which two commands are required to generate the results shown in the exhibit? (Choose two.)

[Exhibit: clip_image006]

 

A. Option A

B. Option B

C. Option C

D. Option D

 

Answer: BC

 
