[Free] Download New Latest (November) Juniper JN0-633 Actual Tests 31-40

Ensurepass

QUESTION 31

You are troubleshooting an IPsec session and see the following IPsec security associations:

ID   Gateway        Port  Algorithm         SPI       Life:sec/kb  Mon  vsys
<    192.168.224.1  500   ESP:aes-256/sha1  d6393645  26/ unlim    -    0
>    192.168.224.1  500   ESP:aes-256/sha1  153ec235  26/ unlim    -    0
<    192.168.224.1  500   ESP:aes-256/sha1  f9a2db9a  3011/ unlim  -    0
>    192.168.224.1  500   ESP:aes-256/sha1  153ec236  3011/ unlim  -    0

What are two reasons for this behavior? (Choose two.)

A. Both peers are trying to establish IKE Phase 1 but are not successful.
B. Both peers have established SAs with one another, resulting in two IPsec tunnels.
C. The lifetime of the Phase 2 negotiation is close to expiration.
D. Both peers have establish-tunnels immediately configured.

Answer: CD

Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/show-security-ipsec-security-associations.html

QUESTION 32

Click the Exhibit button.

-- Exhibit --

user@srx# show security datapath-debug
capture-file pkt-cap-file format pcap size 5m;
action-profile {
    pkt-cap-profile {
        event np-ingress {
            packet-dump;
        }
    }
}
packet-filter pkt-filter {
    action-profile pkt-capture;
    source-prefix 1.2.3.4/32;
}

-- Exhibit --

You want to capture transit traffic passing through your SRX3600. You add the configuration shown in the exhibit but do not see entries added to the capture file.

What is causing the problem?

A. You are missing the configuration set security datapath-debug maximum-capture-size 1500.
B. You are missing the configuration set security datapath-debug packet-filter pkt-filter destination-prefix 5.6.7.8/32.
C. You must start the capture from operational mode with the command request security datapath-debug capture start.
D. You must start the capture from operational mode with the command monitor start capture.

Answer: C

QUESTION 33

Click the Exhibit button.

-- Exhibit --

[exhibit image: clip_image002]

-- Exhibit --

An attacker is using a nonstandard port for HTTP for reconnaissance into your network.

Referring to the exhibit, which two statements are true? (Choose two.)

A. The IPS engine will not detect the application due to the nonstandard port.
B. The IPS engine will detect the application regardless of the nonstandard port.
C. The IPS engine will perform application identification until the session is established.
D. The IPS engine will perform application identification until it processes the first 256 bytes of the packet.

Answer: BD

Reference: https://www.juniper.net/techpubs/en_US/idp/topics/example/simple/intrusion-detection-prevention-idp-rulebase-default-service-usage.html

QUESTION 34

What is the default action for an SRX device in transparent mode to determine the outgoing interface for an unknown destination MAC address?

A. Perform packet flooding.
B. Send an ARP query.
C. Send an ICMP packet with a TTL of 1.
D. Perform a traceroute request.

Answer: A

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/understand-l2-forwarding-tables-section.html

QUESTION 35

You want to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, without the internal resource having previously sent packets to the external hosts. Which configuration setting will accomplish this goal?

A. persistent-nat permit target-host
B. persistent-nat permit any-remote-host
C. persistent-nat permit target-host-port
D. address-persistent

Answer: B

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html

QUESTION 36

What are the three types of attack objects used in an IPS engine? (Choose three.)

A. signature
B. chargen
C. compound
D. component
E. anomaly

Answer: ACE

Reference: http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-idp-rulebase-attack-object-using.html

QUESTION 37

Which three match condition objects are required when creating IPS rules? (Choose three.)

A. attack objects
B. address objects
C. terminal objects
D. IP action objects
E. zone objects

Answer: ABE

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42453.html#understand-rule-match-cond-section

QUESTION 38

A security administrator has configured an IPsec tunnel between two SRX devices. The devices are configured with OSPF on the st0 interface and an external interface destined to the IPsec endpoint. The administrator notes that the IPsec tunnel and OSPF adjacency keep going up and down. Which action would resolve this issue?

A. Create a firewall filter on the st0 interface to permit IP protocol 89.
B. Configure the IPsec tunnel to accept multicast traffic.
C. Create a /32 static route to the IPsec endpoint through the external interface.
D. Increase the OSPF metric of the external interface.

Answer: C

Reference: http://packetsneverlie.blogspot.in/2013/03/route-based-ipsec-vpn-with-ospf.html

QUESTION 39

You have recently deployed a dynamic VPN. Some remote users are complaining that they cannot authenticate through the SRX device at the corporate network. The SRX device serves as the tunnel endpoint for the dynamic VPN. What are two reasons for this problem? (Choose two.)

A. The supported number of users has been exceeded for the applied license.
B. The users are connecting to the portal using Windows Vista.
C. The SRX device does not have the required user account definitions.
D. The SRX device does not have the required access profile definitions.

Answer: AD

Reference:
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/syslog-messages/index.html?jd0e28566.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16477

QUESTION 40

Which statement is true about NAT?

A. When you implement destination NAT, the router does not apply ALG services.
B. When you implement destination NAT, the router skips source NAT rules for the initiating traffic flow.
C. When you implement static NAT, each packet must go through a route lookup.
D. When you implement static NAT, the router skips destination NAT rules for the initiating traffic flow.

Answer: D

Explanation: The NAT type determines the order in which NAT rules are processed. During the first packet processing for a flow, NAT rules are applied in the following order:

1. Static NAT rules
2. Destination NAT rules
3. Route lookup

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42804.html
