[Free] Download New Latest (November) Juniper JN0-632 Actual Tests Topic 2, Volume B part 06

Ensurepass

QUESTION 121 (Topic 2)

What are two protection methods employed on SRX Series devices? (Choose two.)

A. Stateless signature protection
B. Stateful signature protection
C. Protocol anomaly protection
D. Preamble protection

Answer: BC

QUESTION 122 (Topic 2)

Click the Exhibit button.

[Exhibit: clip_image002]

You are asked to help troubleshoot new connectivity to a server on your network. The system administrator is receiving user requests and confirms that the responses are being sent out. However, the user never sees the response packet and suspects the firewall is dropping them. You configure a basic data path trace option and confirm you see the return data, but it is being dropped.

Referring to the exhibit, why is the traffic being dropped?

A. The server is changing the ports, causing the session to be treated as a new session and it is being dropped.
B. The sessions are stale and must be cleared manually.
C. The traffic is failing a route lookup.
D. The traffic is routing asymmetrically.

Answer: D

Explanation: Asymmetric return traffic can pass a zone-based firewall if the outgoing interface is in the same zone.

Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=search&viewlocale=en_US&searchid=1320415514489#

QUESTION 123 (Topic 2)

You have an SRX650 that supports many customers who are each assigned to their own virtual router and do not normally communicate with each other. However, a request has been made to allow Customers A and B to communicate directly with Customer C.

Which two methods would enable the requested communication? (Choose two.)

A. Create a static route from routing instances A and B with a qualified-next-hop of C’s interface and a route distinguisher ID of value “C”.
B. Create a logical tunnel interface for each of Customer A, B, and C’s routing instances. Configure a static route from A and B pointing to C’s single logical tunnel interface IP address.
C. On the SRX device, physically connect cables from interfaces in Customer A and B’s routing instances to Customer C’s routing instance, and assign the same IP address space.
D. Create individual static routes and logical tunnel interfaces between routing instances A and C as well as between routing instances B and C.

Answer: CD

QUESTION 124 (Topic 2)

An attacker from IP address 1.1.1.2 is filling your SRX Series device’s session table with TCP sessions that have all completed a legitimate three-way handshake.

What will help throttle the attack?

A. syn-flood destination-threshold
B. syn-ack-ack-proxy
C. limit-session destination-ip-based
D. limit-session source-ip-based

Answer: D

Explanation: The limit-session source-ip-based command is used to limit the number of concurrent sessions the device can initiate from a single source IP address.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security94/junos-security-cli-reference/limit-session.html

QUESTION 125 (Topic 2)

You have a VoIP application that requires external sessions to be initiated into your environment. The internal host has not sent an initial packet to the external host’s reflexive transport address.

Which NAT parameter will accomplish this task?

A. target-host
B. address-persistent
C. target-host-port
D. any-remote-host

Answer: D

Explanation: When persistent NAT is used with the any-remote-host option, all requests from a specific internal IP address and port are mapped to the same reflexive transport address, and any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

Reference:
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/index.html?topic-42825.html#jd0e125921
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/index.html?topic-42826.html

QUESTION 126 (Topic 2)

You have many security policies configured using the predefined junos-ftp application. You create a new application named my-ftp for FTP traffic, but you do not want the FTP ALG to be used.

Which command should you use to disable the FTP ALG only for the application my-ftp?

A. set applications my-ftp application-protocol ftp ignore
B. set applications application my-ftp application-protocol ignore
C. set security alg ftp disable
D. set applications application my-ftp application-protocol ftp ignore

Answer: D

QUESTION 127 (Topic 2)

You recently added NAT in your environment and now users are complaining about not being able to access the Internet.

Which two parameters would you configure to verify that NAT is working correctly? (Choose two.)

A. security trace-options flag flow basic
B. security flow trace-options flag packet-drops
C. security nat trace-options flag all
D. security nat source/destination trace-options flag all

Answer: BC

Explanation: The NAT trace options hierarchy configures the trace file and flags for verification purposes. J Series and SRX Series devices have two main components: the Routing Engine (RE) and the Packet Forwarding Engine (PFE). The PFE is divided into the ukernel portion and the real-time portion. For verification, you can turn on flags individually to debug NAT functionality on the RE, ukernel PFE, or real-time PFE. The trace data is written to /var/log/security-trace by default. Example:

set security nat traceoptions flag all
set security nat traceoptions flag source-nat-pfe
set security nat traceoptions flag source-nat-re
set security nat traceoptions flag source-nat-rt

Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-42831.html?searchid=1320517464784
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15758&actp=search&viewlocale=en_US&searchid=1320517464784#Verification

QUESTION 128 (Topic 2)

You have a VoIP application that requires external sessions to be initiated into your environment. The internal host has previously sent a packet to the external VoIP application’s reflexive transport address.

Which parameter would be enabled for this solution?

A. persistent-nat all-remote-host
B. persistent-nat target-host-port
C. persistent-nat target-host
D. persistent-nat any-remote-host

Answer: B

Explanation: You can configure three persistent NAT types on the SRX device. With all three types, all requests from a specific internal IP address and port are mapped to the same external address. Differences exist between the three types. With the type any-remote-host, any user external to the SRX device can reach the internal host by sending the packet to the external address used for translation. With the type target-host, any user external to the SRX device can reach the internal host by sending the packet to the external address used for translation, but only if the internal host has previously sent a packet to the external user’s IP address.

With the type target-host-port, any user external to the SRX device can reach the internal host by sending the packet to the external address used for translation, but only if the internal host has previously sent a packet to the external user’s IP address and port.

Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST

QUESTION 129 (Topic 2)

You initiated the installation of the attack database. The system indicates that it will run asynchronously and returns you to a command prompt in the CLI. You want to know if the installation has completed.

Which command do you run to confirm this?

A. request security idp security-package install status
B. request system software idp security-package install status
C. request security idp security-package download status
D. request security idp security-package install

Answer: A

QUESTION 130 (Topic 2)

You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through routing-instance Juniper2 without sharing all the routes between the two instances. You have configured policy-statement move_routes with a route-filter to accept the 2.2.2.2 route. You have created rib-group Group1, and applied it under routing-instance Juniper2.

Which rib-group configuration will accomplish this?

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation: We have to import only one route from Juniper2.inet.0 to Juniper1.inet.0, so we have to use import-policy move_routes to filter out the other routes during the import. We also have to import into the Juniper1.inet.0 table, so we have to select the option with “import Juniper1.inet.0”.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-reference/jd0e34855.html
