[Free] Download New Latest (November) Juniper JN0-633 Actual Tests 21-30

Ensurepass

QUESTION 21

You have a group IPsec VPN established with a single key server and five client devices.

Regarding this scenario, which statement is correct?

A. There is one unique Phase 1 security association and five unique Phase 2 security associations used for this group.

B. There is one unique Phase 1 security association and one unique Phase 2 security association used for this group.

C. There are five unique Phase 1 security associations and five unique Phase 2 security associations used for this group.

D. There are five unique Phase 1 security associations and one unique Phase 2 security association used for this group.

Answer: D

Explanation:

Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf

QUESTION 22

You are attempting to establish an IPsec VPN between two SRX devices. However, there is another device between the SRX devices that does not pass traffic that is using UDP port 4500.

How would you resolve this problem?

A. Enable NAT-T.

B. Disable NAT-T.

C. Disable PAT.

D. Enable PAT.

Answer: B

Explanation:

NAT-T uses UDP port 4500 (by default) rather than the standard UDP port, so disabling NAT-T will resolve this issue.

Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch10.html

QUESTION 23

Click the Exhibit button.

-- Exhibit --

user@srx> show security flow session

Session ID: 7724, Policy name: default-permit/4, Timeout: 2
In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3
Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2

Session ID: 18408, Policy name: default-permit/4, Timeout: 2
In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10

-- Exhibit --

A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and a host with the 1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue on the SRX240 using the output shown in the exhibit.

Regarding this scenario, which two statements are true? (Choose two.)

A. The sessions shown indicate interface-based NAT processing.

B. The sessions shown indicate static NAT processing.

C. ICMP traffic is passing in both directions.

D. ICMP traffic is passing in one direction.

Answer: BC

QUESTION 24

Click the Exhibit button.

-- Exhibit --

[Exhibit image: clip_image002]

-- Exhibit --

You receive complaints from users that their Web browsing sessions keep dropping prematurely. Upon investigation, you find that the IDP policy shown in the exhibit is detecting the users' sessions as HTTP:WIN-CMD:WIN-CMD-EXE attacks, even though their sessions are not actual attacks. You must allow these sessions but still inspect for all other relevant attacks.

How would you configure your SRX device to meet this goal?

A. Create a new security policy that allows HTTP for all users and does not apply IDP.

B. Modify the security policy to add an application exception.

C. Modify the IDP policy to delete this particular attack from the IDP rulebase.

D. Modify the IDP policy to add an exempt rulebase rule to not inspect for this attack.

Answer: D

QUESTION 25

You must configure a central SRX device connected to two branch offices with overlapping IP address space. The branch office connections to the central SRX device must reside in separate routing instances.

Which two components are required? (Choose two.)

A. virtual routing instance

B. forwarding instance

C. static NAT

D. persistent NAT

Answer: AC

Explanation:

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21286

QUESTION 26

Click the Exhibit button.

-- Exhibit --

[Exhibit image: clip_image004]

-- Exhibit --

Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?

A. all traffic including non-IP traffic

B. any IP traffic

C. only TCP and UDP traffic

D. only BPDU traffic

Answer: D

QUESTION 27

You are asked to implement an IPsec VPN between your main office and a new remote office. The remote office receives its IKE gateway address from their ISP dynamically.

Regarding this scenario, which statement is correct?

A. Configure a fully qualified domain name (FQDN) as the IKE identity.

B. Configure the dynamic-host-address option as the IKE identity.

C. Configure the unnumbered option as the IKE identity.

D. Configure a dynamic host configuration name (DHCN) as the IKE identity.

Answer: A

QUESTION 28

Microsoft has altered the way their Web-based Hotmail application works. You want to update your application firewall policy to correctly identify the altered Hotmail application.

Which two steps must you take to modify the application? (Choose two.)

A. user@srx> request services application-identification application copy junos:HOTMAIL

B. user@srx> request services application-identification application enable junos:HOTMAIL

C. user@srx# edit services custom application-identification my:HOTMAIL

D. user@srx# edit services application-identification my:HOTMAIL

Answer: AD

Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-summary/request-services-application-identification-application.html

QUESTION 29

You have just created a few hundred application firewall rules on an SRX device and applied them to the appropriate firewall policies. However, you are concerned that the SRX device might become overwhelmed with the increased processing required to process traffic through the application firewall rules.

Which three actions will help reduce the amount of processing required by the application firewall rules? (Choose three.)

A. Use stateless firewall filtering to block the unwanted traffic.

B. Implement AppQoS to drop the unwanted traffic.

C. Implement screen options to block the unwanted traffic.

D. Implement IPS to drop the unwanted traffic.

E. Use security policies to block the unwanted traffic.

Answer: ACE

Explanation:

IPS and AppDoS are the most powerful, and thus the least efficient, methods of dropping traffic on the SRX, because IPS and AppDoS tend to take up the most processing cycles.

Reference: http://answers.oreilly.com/topic/2036-how-to-protect-your-network-with-security-tools-for-junos/

QUESTION 30

You are asked to merge the corporate network with the network from a recently acquired company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX device serves as the gateway for each network.

Which solution allows you to merge the two networks without adjusting the current address assignments?

A. source NAT

B. persistent NAT

C. double NAT

D. NAT444

Answer: C

Explanation:

Reference: http://class10e.com/juniper/what-should-you-do-to-meet-the-requirements/
