[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 2, Volume B part 03

Ensurepass

QUESTION 91  (Topic 2)

 

You have been asked to change the authentication mechanism on one of your VPNs to use public-key certificates to authenticate the peer SRX devices at each end.

 

Which part of the VPN configuration must you change?

 

A.

IKE Phase 2

B.

IKE Phase 1

C.

Security policy

D.

Proxy ID

 

Answer: B

 

Explanation: The peer authentication method (pre-shared-keys, rsa-signatures or dsa-signatures) is a property of the IKE proposal, which is negotiated in IKE Phase 1. Phase 2 negotiates the IPsec SAs, the security policy decides which traffic may use the tunnel, and the proxy ID describes the protected networks; none of them carries the authentication method.

 

 

QUESTION 92  (Topic 2)

 

Click the Exhibit button.

 

[Exhibit image clip_image002 not reproduced]

 

Referring to the exhibit, which two statements are true? (Choose two)

 

A.

The VPN is setup using a preshared key.

B.

The VPN is set up using certificates.

C.

The VPN is set with NAT traversal.

D.

The VPN is set without NAT traversal.

 

Answer: AC

 

 

Explanation: authentication-method pre-shared-keys in the IKE proposal means the peers authenticate each other with a pre-shared key. An IKE proposal uses either pre-shared keys or certificates (rsa-signatures/dsa-signatures), never both, so B cannot be true at the same time as A.

 

NAT traversal is in use: when IKE peers detect a NAT device between them during Phase 1, they move from UDP port 500 to UDP port 4500 and encapsulate ESP in UDP. A VPN whose IKE/IPsec traffic is on UDP 4500 rather than the standard UDP 500 therefore has NAT-T active.

 

Reference: O’Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 270.

 

 

QUESTION 93  (Topic 2)

 

While configuring your SRX device, you notice problems with the configuration. You suspect that someone made an undocumented change to your device. You want to determine who made the change and when it was made. All administrators have unique logins.

 

Which two commands do you use to troubleshoot this problem? (Choose two.)

 

A.

user@srx# rollback ?

B.

user@srx# show | compare rollback 2

C.

user@srx> show rollback 2

D.

user@srx> show system commit

 

Answer: AD

 

Explanation: rollback ? in configuration mode lists the stored rollback configurations together with the date, time and user of each commit, and show system commit in operational mode prints the commit history with the same user and timestamp details. Because every administrator has a unique login, these two commands identify who changed the configuration and when. show | compare rollback 2 only shows what differs between the candidate and rollback 2, not who committed it, and show rollback 2 is not valid syntax.

 

 

QUESTION 94  (Topic 2)

 

Click the Exhibit button.

 

[Exhibit image clip_image004 not reproduced]

 
Referring to the exhibit, which parameter can be applied under the destination-address hierarchy?

 

A.

utm-policy

B.

idp-filter

C.

drop-translated

D.

uac-policy

 

Answer: C

 

Explanation: In the security policy hierarchy, destination-address under then permit accepts drop-translated or drop-untranslated; these control whether packets whose destination address was (or was not) rewritten by destination NAT are dropped before the session is created. The other options belong elsewhere: utm-policy and uac-policy are enabled under then permit application-services, and there is no idp-filter keyword (IDP is also enabled as an application service). The UAC documentation linked below shows uac-policy being turned on as an application service of the policy, not under destination-address.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17476&cat=SRX_SERIES&actp=LIST

 

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/uac-config-enabling-uac.html

 

 

QUESTION 95  (Topic 2)

 

Click the Exhibit button

 

[Exhibit image clip_image006 not reproduced]

 

In the exhibit, which two commands should you use to ping 10.1.1.100 from the SRX Series device’s command line? (Choose two)

 

A.

ping 10.1.1.100

B.

ping source 10.1.1.1 10.1.1.100

C.

ping routing-instance vr1 10.1.1.100

D.

ping interface ge-0/0/1.0 10.1.1.100

 

Answer: CD

 

 

Explanation: Because 10.1.1.100 is reachable only through routing instance vr1, the ping must be resolved in that instance. There are two ways to do that from the CLI:

explicitly name the routing instance (routing-instance vr1);

name the interface through which the host is connected to the SRX (interface ge-0/0/1.0), which implies the instance the interface belongs to.

A plain ping 10.1.1.100, with or without a source address, is looked up in the default routing table, where the host is not known.

 

Reference:

http://www.juniper.net/techpubs/en_US/junos11.2/topics/task/operational/security-ping-command-using.html

 

 

QUESTION 96  (Topic 2)

 

What can cause a node in an SRX Series chassis cluster to be in the disabled state?

 

A.

One of the nodes has no power.

B.

The control link between the two nodes has gone down, but the fabric link is still up.

C.

The configuration on the SRX Series device was set to disable a node permanently.

D.

Both the control and fabric links between the two nodes have gone down.

 

Answer: B

 

Explanation: If the control link fails while the fabric link stays up, the node holding the secondary role is marked ineligible and then moves to the disabled state, so that the two nodes cannot both become primary (split brain). The disabled node rejoins only after a reboot, or automatically if control-link-recovery is configured. A node with no power is reported as lost, not disabled.

 

 

QUESTION 97  (Topic 2)

 

You administer an SRX5600 to which several customer networks are attached. Each customer network terminates in a virtual routing-instance. You have been asked to direct traffic sourced from a specific prefix in one routing-instance to another routing-instance. The affected traffic enters the SRX5600 on one physical interface.

 

Which method can accomplish this objective?

 

A.

Use a stateless firewall on the interface to forward traffic to the other routing-instance.

B.

Use a routing policy on the interface to forward traffic to the other routing-instance.

C.

Use a security policy on the zone to forward traffic to the other routing-instance.

D.

Use a forwarding rule on the interface to forward traffic to the other routing-instance.

 

Answer: A

 

 

Explanation: This is filter-based forwarding. Configure a stateless firewall filter whose term matches the source prefix and uses the routing-instance action to hand matching packets to the other routing instance, then apply it as an input filter on the ingress interface. A security policy is applied between zones and cannot change which routing table is used for the lookup, and a routing policy controls route import and export, not per-packet forwarding.

 

Reference: O’Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 694
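The following Junos configuration is an added example of the method described in this answer; it is not part of the exam page or its references. The instance names (cust-a, cust-b), interfaces and prefixes are assumed for illustration. Traffic sourced from 10.10.0.0/24 arriving on the cust-a interface is looked up in cust-b instead; everything else is forwarded normally in cust-a.

```junos
# Added example, not from the exam page. cust-a, cust-b, interfaces and
# prefixes are illustrative assumptions.

# Two customer virtual routers, each with its own attachment interface.
set routing-instances cust-a instance-type virtual-router
set routing-instances cust-a interface ge-0/0/1.0
set routing-instances cust-b instance-type virtual-router
set routing-instances cust-b interface ge-0/0/2.0

# Stateless firewall filter: packets from the chosen prefix are counted and
# handed to cust-b for the route lookup (filter-based forwarding).
set firewall family inet filter fbf-cust-a term to-cust-b from source-address 10.10.0.0/24
set firewall family inet filter fbf-cust-a term to-cust-b then count fbf-to-cust-b
set firewall family inet filter fbf-cust-a term to-cust-b then routing-instance cust-b
# Everything else stays in the instance the ingress interface belongs to.
set firewall family inet filter fbf-cust-a term default then accept

# Apply the filter on the physical interface the affected traffic enters on.
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.1/24
set interfaces ge-0/0/1 unit 0 family inet filter input fbf-cust-a
```

The filter only changes the routing lookup; the packet is still subject to flow processing, so a security policy between the zone of ge-0/0/1.0 and the zone of the cust-b egress interface is still required, and cust-b needs a route back to 10.10.0.0/24 (or a NAT rule) for the return traffic. show firewall filter fbf-cust-a shows the counter and confirms the term is matching.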

 

 

QUESTION 98  (Topic 2)

 

Click the Exhibit button

 

[Exhibit image clip_image008 not reproduced]

 

A junior member of the network team has set up a new VPN tunnel using a PKI certificate and is unable to establish the tunnel. After troubleshooting the problem and confirming that the proposals and encryption algorithms match on both sides, they ask you for help.

 

Referring to the exhibit, what is the cause of this problem?

 

A.

The authentication method must be changed to pre-shared-keys to make use of the PKI certificate

B.

The proposal set is missing, which will cause the VPN tunnel not to establish.

C.

PKI-based VPN tunnels cannot use main mode; aggressive mode must be used.

D.

There is no trusted CA configured, which is required for PKI-based tunnels.

 

Answer: D

 

 

Explanation: The trusted-ca statement in the IKE policy names the CA profile used to validate the peer’s certificate and to build the certificate request sent to the peer during Phase 1. If no trusted-ca is configured, no certificate request is sent and certificate-based authentication cannot complete. Main mode is the normal mode for certificate authentication, so C is wrong, and pre-shared keys are the alternative to certificates, not a prerequisite for them, so A is wrong.

 

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e104424.html?searchid=1320424816614
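To make the point of both this question and Question 91 concrete, here is an added Junos configuration for a certificate-authenticated IKE Phase 1 on an SRX. It is not from the exam page or the exhibit; the CA profile (corp-ca), certificate ID (srx-cert), gateway name, addresses, enrollment URL and peer DN are all assumed. The authentication method is selected in the IKE proposal (Question 91), and the IKE policy carries the local certificate and the trusted-ca that the junior engineer’s configuration lacks (this question).

```junos
# Added example, not from the exam page. corp-ca, srx-cert, peer-gw, the URLs,
# addresses and the peer DN are illustrative assumptions.

# 1. CA profile: the trust anchor the IKE policy refers to as trusted-ca.
#    Revocation checking is left on; point it at the CA's CRL.
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca enrollment url http://ca.example.com:8080/scep/
set security pki ca-profile corp-ca revocation-check crl url http://ca.example.com/crl/corp-ca.crl

# 2. IKE Phase 1 proposal: this is the statement Question 91 is about.
#    rsa-signatures replaces pre-shared-keys; the two are mutually exclusive.
set security ike proposal ike-cert-prop authentication-method rsa-signatures
set security ike proposal ike-cert-prop dh-group group14
set security ike proposal ike-cert-prop authentication-algorithm sha-256
set security ike proposal ike-cert-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-cert-prop lifetime-seconds 28800

# 3. IKE policy: main mode works with certificates. local-certificate is the
#    certificate this SRX presents; trusted-ca is what Question 98 is missing.
set security ike policy ike-cert-pol mode main
set security ike policy ike-cert-pol proposals ike-cert-prop
set security ike policy ike-cert-pol certificate local-certificate srx-cert
set security ike policy ike-cert-pol certificate trusted-ca corp-ca

# 4. Gateway: identify the peers by the DN in their certificates rather than
#    by IP address, and restrict the accepted peer DN to our own organisation.
set security ike gateway peer-gw ike-policy ike-cert-pol
set security ike gateway peer-gw address 203.0.113.2
set security ike gateway peer-gw external-interface ge-0/0/0.0
set security ike gateway peer-gw local-identity distinguished-name
set security ike gateway peer-gw remote-identity distinguished-name container "O=Example Corp"

# Phase 2 (IPsec proposal, IPsec policy and vpn referencing peer-gw) is
# unchanged by the switch from pre-shared keys to certificates.
```

Before this commit can bring the tunnel up, the SRX needs a key pair and an enrolled certificate under the ID srx-cert (request security pki generate-key-pair certificate-id srx-cert size 2048 type rsa, then request security pki local-certificate enroll with ca-profile corp-ca; the exact enrollment arguments depend on the CA) and the CA certificate loaded into the profile (request security pki ca-certificate enroll ca-profile corp-ca). show security pki local-certificate certificate-id srx-cert confirms the certificate, and show security ike security-associations shows whether Phase 1 is up; a missing trusted-ca shows up there as a Phase 1 that never completes.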

 

 

QUESTION 99  (Topic 2)

 

In a group VPN, the members rekey with the server using the unicast pull method.

 

This rekey mechanism is protected by which secure channel?

 

A.

KEK

B.

IPsec SA

C.

TEK

D.

IKE SA

 

Answer: D

 

Explanation: A unicast pull rekey is initiated by the member, which contacts the key server over the IKE SA it established with the server, so that exchange is protected by the IKE SA. Server-initiated (push) rekey messages are instead protected by the KEK, and the TEKs are the keys the members use to protect the data traffic itself; neither is the channel used for the pull.

 

 

QUESTION 100  (Topic 2)

 

Which feature would you use to bypass the flow-based forwarding capability of an SRX Series branch device for a specific application?

 

A.

security policy

B.

policer

C.

firewall filter

D.

routing policy

 

Answer: C

 

Explanation: Branch SRX devices support selective stateless packet-based services: a stateless firewall filter term whose action is packet-mode bypasses flow (session-based) processing for the packets it matches, so that traffic skips security policies, screens, NAT and ALGs. Because the decision is made per packet rather than per session, both directions of the application’s traffic must be matched by such a term.
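As an added example of the feature this answer names (not taken from the exam page), the following configuration puts one assumed application, UDP port 5000 between 192.0.2.0/24 and 198.51.100.0/24, into packet mode on a branch SRX while everything else keeps going through flow processing. Interface names, prefixes and the port are illustrative assumptions.

```junos
# Added example, not from the exam page. Prefixes, port and interfaces are
# illustrative assumptions.

# Forward direction: the application's traffic is marked packet-mode and
# accepted, so it never enters the flow module (no policy, screen, NAT or ALG).
set firewall family inet filter bypass-flow term app-fwd from source-address 192.0.2.0/24
set firewall family inet filter bypass-flow term app-fwd from destination-address 198.51.100.0/24
set firewall family inet filter bypass-flow term app-fwd from protocol udp
set firewall family inet filter bypass-flow term app-fwd from destination-port 5000
set firewall family inet filter bypass-flow term app-fwd then packet-mode
set firewall family inet filter bypass-flow term app-fwd then accept

# Return direction: packet mode is per packet, not per session, so the reply
# traffic needs its own term or it would hit the flow module with no session.
set firewall family inet filter bypass-flow term app-rev from source-address 198.51.100.0/24
set firewall family inet filter bypass-flow term app-rev from destination-address 192.0.2.0/24
set firewall family inet filter bypass-flow term app-rev from protocol udp
set firewall family inet filter bypass-flow term app-rev from source-port 5000
set firewall family inet filter bypass-flow term app-rev then packet-mode
set firewall family inet filter bypass-flow term app-rev then accept

# Everything else stays in flow mode and is subject to the security policies.
set firewall family inet filter bypass-flow term flow-everything-else then accept

# Apply as an input filter on the interfaces on both sides of the path.
set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow
set interfaces ge-0/0/2 unit 0 family inet filter input bypass-flow
```

Traffic in packet mode is not inspected by security policies or screens, so the match terms should be as narrow as the application allows (both prefixes, protocol and port, as above) rather than a bare protocol match; otherwise the filter becomes a hole through the firewall. show security flow session will no longer list this traffic, which is the quickest way to confirm the bypass is taking effect.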

 
