[Free] Download New Latest (November) Juniper JN0-696 Actual Tests 11-20

Ensurepass

 

QUESTION 11  

 

user@host> show configuration security utm
custom-objects {
    url-pattern {
        block-juniper {
            value *.spammer.com;
        }
    }
    custom-url-category {
        blacklist {
            value block-juniper;
        }
    }
}
feature-profile {
    anti-spam {
        address-blacklist block-juniper;
        sbl {
            profile myprofile {
                no-sbl-default-server;
                spam-action block;
            }
        }
    }
}
utm-policy wildcard-policy {
    anti-spam {
        smtp-profile myprofile;
    }
}

 

 

Click the Exhibit button.

You added a blacklist to your antispam policy to block any e-mails from the spammer.com domain. However, your users are complaining that they are still receiving spam e-mails from that domain. You run the utm test-string test and confirm that the blacklist is not working.

Referring to the exhibit, what is causing this problem?

A. The wildcard character * cannot be used for the e-mail pattern match.
B. The protocol-command smtp value sender: needs to be added under custom-objects.
C. url-pattern is not supported for antispam.
D. The pattern needs to be preceded by an @ symbol.

Answer: A

 

 

QUESTION 12

You are having problems establishing an IPsec tunnel between two SRX Series devices.

What are two explanations for this problem? (Choose two.)

A. proposal mismatch
B. antivirus configuration
C. preshared key mismatch
D. TCP MSS clamping is disabled

Answer: AC

 

 

QUESTION 13  

 

user@host> show security flow session
Session ID: 41, Policy name: allow/5, Timeout: 20, Valid
  In: 172.168.66.143/43886 --> 192.168.100.1/5000;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 10.100.1.100/5555 --> 172.168.66.143/43886;tcp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0

user@host> show configuration
security {
    nat {
        destination {
            pool server {
                address 10.100.1.100/32 port 5555;
            }
            rule-set rule1 {
                from zone UNTRUST;
                rule 1 {
                    match {
                        destination-address 192.168.100.1/32;
                        destination-port 5000;
                    }
                    then {
                        destination-nat pool server;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.100.1/32;
                }
            }
        }
    }
    policies {
        from-zone UNTRUST to-zone TRUST {
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ping tcp-5000 ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone TRUST {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone UNTRUST {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application tcp-5000 {
        protocol tcp;
        destination-port 5000;
    }
}

 

 

Click the Exhibit button.

Your customer is attempting to reach your new server, which should be accessible publicly using 192.168.100.1 on TCP port 5000 and internally using 10.100.100.1 on TCP port 5555. You notice that a session forms when they attempt to access the server, but they are unable to reach it.

Referring to the exhibit, what will resolve this problem?

A. There must be a TRUST-to-UNTRUST security policy to allow return traffic.
B. The NAT pool server address must be changed to 10.100.100.1/32.
C. The NAT pool server port must be changed to 5000.
D. The NAT rule set rule1 must match on address 172.168.66.143.

Answer: B
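The diagnostic a practitioner actually runs for this kind of failure is to read the two wings of the session: the In wing shows what the client asked for, the Out wing shows where the SRX sent it after destination NAT, and Out Pkts: 0 says the translated host never answered. The script below, added here as an example and not part of the exam material, parses `show security flow session` output into that pairing and compares the translated destination against the server you expected. The expected server address and port are arguments; the sample output is constructed from the exhibit above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: session 41 from the exhibit, in the layout that
# `show security flow session` prints (header line, then In/Out wings).
SAMPLE_SESSION_OUTPUT = """\
Session ID: 41, Policy name: allow/5, Timeout: 20, Valid
  In: 172.168.66.143/43886 --> 192.168.100.1/5000;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 10.100.1.100/5555 --> 172.168.66.143/43886;tcp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0
"""

HEADER_RE = re.compile(r"^Session ID:\s+(?P<sid>\d+),\s+Policy name:\s+(?P<policy>[^,]+)")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out):\s+"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)\s+-->\s+"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),\s+"
    r"If:\s+(?P<ifl>\S+),\s+Pkts:\s+(?P<pkts>\d+),\s+Bytes:\s+(?P<bytes>\d+)"
)


@dataclass
class Session:
    sid: int
    policy: str
    in_dst: str        # address the client targeted (pre-NAT)
    in_dport: int
    out_src: str       # address the SRX forwarded to (post-NAT); the reply wing's source
    out_sport: int
    in_pkts: int
    out_pkts: int


def parse_sessions(text: str) -> List[Session]:
    """Pair each session header with its In and Out wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"sid": int(h["sid"]), "policy": h["policy"]}
            continue
        w = WING_RE.match(line)
        if not (w and cur is not None):
            continue
        if w["dir"] == "In":
            cur.update(in_dst=w["dst"], in_dport=int(w["dport"]), in_pkts=int(w["pkts"]))
        else:
            cur.update(out_src=w["src"], out_sport=int(w["sport"]), out_pkts=int(w["pkts"]))
            sessions.append(Session(**cur))
            cur = None
    return sessions


def diagnose(sess: Session, expected_server: str, expected_port: int) -> List[str]:
    """Explain why a destination-NAT session carries no return traffic."""
    findings = []
    if (sess.in_dst, sess.in_dport) != (sess.out_src, sess.out_sport):
        findings.append(f"destination NAT applied: {sess.in_dst}:{sess.in_dport} -> "
                        f"{sess.out_src}:{sess.out_sport}")
    if sess.out_src != expected_server:
        findings.append(f"NAT pool points at {sess.out_src}, but the server is "
                        f"{expected_server}: fix the pool address")
    if sess.out_sport != expected_port:
        findings.append(f"NAT pool port {sess.out_sport} differs from the server port {expected_port}")
    if sess.in_pkts > 0 and sess.out_pkts == 0:
        findings.append("one-way session: client packets forwarded, nothing returned "
                        "(translated host unreachable or not listening)")
    return findings


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSION_OUTPUT):
        for line in diagnose(s, expected_server="10.100.100.1", expected_port=5555):
            print(f"session {s.sid}: {line}")
```

Run against the exhibit it reports the translation to 10.100.1.100, the mismatch against the real server 10.100.100.1, and the one-way session; with the pool corrected only the translation and (until the server answers) the one-way note remain.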

 

 

QUESTION 14  

 

[edit]
user@SRX-1# show security ike traceoptions
file ike-trace;
flag all;

[edit]
user@SRX-1# show security ipsec traceoptions
flag all;

user@SRX-1> show log ike-trace
Jun 13 17:00:33 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 - 4ea713e7 d2487276 [1] / 0x9828a32e } QM; Invalid protocol_id = 0
Jun 13 17:00:34 Received authenticated notification payload unknown from local:192.168.1.10 remote:192.168.1.11 IKEv1 for P1 SA 3075335
Jun 13 17:00:34 iked_pm_ike_spd_notify_received: Negotiation is already failed. Reason: TS unacceptable.
Jun 13 17:00:34 QM notification '(null)' (40001) (size 8 bytes) from 192.168.1.11 for protocol Reserved spi[0...3]=0f f0 ce d3
Jun 13 17:00:34 ike_st_i_private: Start
Jun 13 17:00:34 ike_st_o_qm_hash_2: Start
Jun 13 17:00:34 ike_st_o_qm_sa_values: Start
Jun 13 17:00:34 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 - 4ea713e7 d2487276 [1] / 0x9828a32e } QM; Error = No proposal chosen (14)
Jun 13 17:00:34 ike_alloc_negotiation: Start, SA = { 15276b72 6656c3b6 - 4ea713e7 d2487276}
Jun 13 17:00:34 ike_encode_packet: Start, SA = { 0x15276b72 6656c3b6 - 4ea713e7 d2487276 } / 65407839, nego = 2
Jun 13 17:00:34 ike_send_packet: Start, send SA = { 15276b72 6656c3b6 - 4ea713e7 d2487276}, nego = 2, dst = 192.168.1.11:500, routing table id = 0
Jun 13 17:00:34 ike_delete_negotiation: Start, SA = { 15276b72 6656c3b6 - 4ea713e7 d2487276}, nego = 2
Jun 13 17:00:34 ike_free_negotiation_info: Start, nego = 2
Jun 13 17:00:34 ike_free_negotiation: Start, nego = 2
Jun 13 17:00:34 IPSec negotiation failed for SA-CFG Unknown for local:192.168.1.10, remote:192.168.1.11 IKEv1. status: TS unacceptable
Jun 13 17:00:34 P2 ed info: flags 0x0, P2 error: TS unacceptable
Jun 13 17:00:34 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 3075335

 

 

Click the Exhibit button.

The IPsec tunnel is not establishing between SRX-1 and a remote device.

Referring to the exhibit, what is causing this problem?

A. IKE Phase 1 IKE ID mismatch
B. IKE Phase 1 proposals mismatch
C. IKE Phase 2 proxy ID mismatch
D. IKE Phase 2 proposals mismatch

Answer: C

 

 

QUESTION 15

Your SRX Series device has the following configuration:

user@host> show security policies
Policy: my-policy, State: enabled, Index: 5, Sequence number: 1
  Source addresses: any
  Destination addresses: any
  Applications: snmp
  Action: reject
From zone: trust, To zone: untrust

When traffic matches my-policy, you want the device to silently drop the traffic; however, you notice that the device is replying with ICMP unreachable messages instead.

What is causing this behavior?

A. the snmp application
B. the reject action
C. the trust zone
D. the untrust zone

Answer: B

 

 

QUESTION 16

[Exhibit: topology diagram and SRX Series device configuration; the image is not reproduced in this copy.]

Click the Exhibit button.

You have created a new VPN tunnel to your partner's site but IKE Phase 1 is not coming up. You check the trace log and find the following log message:

Jun [IKED 2] iked_pm_id_validate id NOT matched.

Considering the topology and the SRX Series device's configuration shown in the exhibit, which modification is needed under [edit security gateway Partner]?

A. rename address 20.1.1.1 to address 192.168.1.1
B. set remote-identity inet 192.168.1.1
C. set local-identity inet 20.1.1.1
D. set local-identity inet 50.1.1.1

Answer: B
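Questions 14 and 16 are both read the same way in practice: find the first trace line that names the real cause, and do not stop at the generic message that follows it. In Question 14 the `TS unacceptable` (traffic selector, i.e. proxy ID) notification is the root cause, while the `QM; Error = No proposal chosen` a few lines later is only the consequence of the Phase 2 exchange failing; in Question 16 `iked_pm_id_validate id NOT matched` settles the matter before any proposal is compared. The classifier below, an added example rather than anything from the exam or from Juniper, encodes that ordering over a small signature table. The two sample traces are constructed from the exhibits; the `MM` (main mode) pattern is an assumption about how Phase 1 proposal failures are tagged in the same brace-delimited trace lines and should be confirmed against a real trace before relying on it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples taken from the exhibits: a Phase 2 failure (Question 14)
# and a Phase 1 IKE-ID failure (Question 16).
PHASE2_TRACE = """\
Jun 13 17:00:34 iked_pm_ike_spd_notify_received: Negotiation is already failed. Reason: TS unacceptable.
Jun 13 17:00:34 :500 (Responder) -> 192.168.1.11:500 { 15276b72 6656c3b6 - 4ea713e7 d2487276 [1] / 0x9828a32e } QM; Error = No proposal chosen (14)
Jun 13 17:00:34 IPSec negotiation failed for SA-CFG Unknown for local:192.168.1.10, remote:192.168.1.11 IKEv1. status: TS unacceptable
Jun 13 17:00:34 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 3075335
"""
PHASE1_ID_TRACE = """\
Jun 13 17:05:01 [IKED 2] iked_pm_id_validate id NOT matched.
"""

# Ordered most-specific first: (regex, phase, diagnosis, what to compare on both peers).
# A QM failure for any reason also logs "No proposal chosen", so the traffic
# selector signature must be tested before the generic proposal one.
SIGNATURES: List[Tuple[str, int, str, str]] = [
    (r"TS unacceptable", 2, "Phase 2 proxy-ID (traffic selector) mismatch",
     "proxy-identity local/remote/service under the ipsec vpn on both peers"),
    (r"QM;.*No proposal chosen", 2, "Phase 2 proposal mismatch",
     "ipsec proposal and ipsec policy on both peers"),
    (r"id NOT matched", 1, "Phase 1 IKE ID mismatch",
     "local-identity / remote-identity against the IDs each peer actually presents"),
    # Assumption: main-mode failures carry an "MM;" tag in the same brace-delimited lines.
    (r"MM;.*No proposal chosen", 1, "Phase 1 proposal mismatch",
     "ike proposal and ike policy on both peers"),
]


def classify(trace: str) -> Dict[str, Optional[object]]:
    """Return the first signature hit, searching signatures in priority order."""
    for pattern, phase, diagnosis, check in SIGNATURES:
        for line in trace.splitlines():
            if re.search(pattern, line):
                return {"phase": phase, "diagnosis": diagnosis,
                        "check": check, "evidence": line.strip()}
    return {"phase": None, "diagnosis": "no known signature",
            "check": "read the full trace", "evidence": None}


if __name__ == "__main__":
    for name, trace in (("Question 14", PHASE2_TRACE), ("Question 16", PHASE1_ID_TRACE)):
        r = classify(trace)
        print(f"{name}: Phase {r['phase']}: {r['diagnosis']}\n  check: {r['check']}\n  evidence: {r['evidence']}")
```

The point of the ordered table is the one the exam is testing: a Phase 2 trace that ends in "No proposal chosen" is not automatically a proposal problem, so the classifier looks for the traffic-selector notification first and only falls back to the proposal signature when that is absent.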

 

 

QUESTION 17  

 

user@host> show log flow.log
Jun 12 20:00:45 host clear-log[ ]: logfile cleared
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:172.23.1.20/2526->10.3.202.56/443;6> matched filter to_https:
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: fe-0/0/6.0:172.23.1.20/2526->10.3.202.56/443, tcp, flag 2 syn
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:check self-traffic on fe-0/0/6.0, in_tunnel 0x0
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 10.3.202.56(443) to 10.25.0.3(443), rule/pool id 2/2.
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.23.1.20, x_dst_ip 10.25.0.3, in ifp fe-0/0/6.0, out ifp N/A sp 2526, dp 443, ip_proto 6, tos 0
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:Doing DESTINATION addr route-lookup
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: routed (x_dst_ip 10.25.0.3) from managed (fe-0/0/6.0 in 0) to ge-0/0/1.4093, Next-hop: 10.25.0.3
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:flow_first_policy_search: policy search from zone managed-> zone trust (0x110,0x9de01bb,0x1bb)
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: app 58, timeout 1800s, curr ageout 20s
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: permitted by policy default-policy-00(2)
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:flow_xlate_pak
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: post addr xlation: 172.23.1.20->10.25.0.3.
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:mbuf 0x42344180, exit nh 0xb00010
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

 

 

Click the Exhibit button.

You want to allow Web-based management of your SRX Series device through fe-0/0/6.0. This interface belongs to the managed zone and has the IP address 10.3.202.56. You are unable to open an HTTPS connection and have enabled traceoptions to troubleshoot the problem.

Referring to the exhibit, what is causing this problem?

A. The HTTPS protocol is not enabled in the managed zone.
B. The HTTPS protocol is not enabled in the trust zone.
C. The lo0 interface is not configured in the managed zone.
D. The packet was diverted to the wrong zone.

Answer: D
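What the trace shows is that a packet addressed to the device's own interface address never became host-inbound traffic: a destination NAT rule (rule/pool id 2/2 in the exhibit) rewrote 10.3.202.56:443 to 10.25.0.3:443, after which the flow was routed out ge-0/0/1.4093 and evaluated as managed-to-trust transit, so no host-inbound-traffic setting in the managed zone could ever have mattered. The script below, an added example and not part of the exam or of Junos, parses the relevant flow-trace lines and states that chain of events explicitly; the trace sample is constructed from the exhibit, and the set of local addresses and the management zone name are inputs you supply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the decisive lines of the flow trace in the exhibit.
FLOW_TRACE = """\
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: fe-0/0/6.0:172.23.1.20/2526->10.3.202.56/443, tcp, flag 2 syn
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:check self-traffic on fe-0/0/6.0, in_tunnel 0x0
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 10.3.202.56(443) to 10.25.0.3(443), rule/pool id 2/2.
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: routed (x_dst_ip 10.25.0.3) from managed (fe-0/0/6.0 in 0) to ge-0/0/1.4093, Next-hop: 10.25.0.3
Jun 12 20:01:10 20:01:10.412643:CID-0:RT:flow_first_policy_search: policy search from zone managed-> zone trust (0x110,0x9de01bb,0x1bb)
Jun 12 20:01:10 20:01:10.412643:CID-0:RT: permitted by policy default-policy-00(2)
"""

PKT_RE = re.compile(r"RT:\s*(?P<ifl>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),\s*(?P<proto>\w+)")
XLATE_RE = re.compile(r"DST xlate:\s*(?P<frm>[\d.]+)\((?P<fport>\d+)\) to (?P<to>[\d.]+)\((?P<tport>\d+)\), rule/pool id (?P<ids>\S+)\.")
ROUTE_RE = re.compile(r"routed .* from (?P<from_zone>\S+) \(.*\) to (?P<out_ifl>\S+),")
POLICY_RE = re.compile(r"policy search from zone (?P<frm>\S+)-> zone (?P<to>\S+)")


@dataclass
class FlowTrace:
    ingress_ifl: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    dnat: Optional[Tuple[str, int, str]] = None   # (translated ip, port, "rule/pool id")
    egress_ifl: Optional[str] = None
    zones: Optional[Tuple[str, str]] = None       # (from zone, to zone) of the policy lookup


def parse_flow_trace(text: str) -> FlowTrace:
    """Pick the first-packet facts out of a flow traceoptions log."""
    t = FlowTrace()
    for line in text.splitlines():
        if (m := PKT_RE.search(line)) and t.dst is None:
            t.ingress_ifl, t.dst, t.dport = m["ifl"], m["dst"], int(m["dport"])
        elif m := XLATE_RE.search(line):
            t.dnat = (m["to"], int(m["tport"]), m["ids"])
        elif m := ROUTE_RE.search(line):
            t.egress_ifl = m["out_ifl"]
        elif m := POLICY_RE.search(line):
            t.zones = (m["frm"], m["to"])
    return t


def diagnose_management_access(t: FlowTrace, local_addrs: Set[str], mgmt_zone: str) -> List[str]:
    """Explain why a packet aimed at the device's own address did not reach the
    management daemon. Self traffic must terminate locally: no NAT, no route, no policy."""
    if t.dst not in local_addrs:
        return [f"{t.dst} is not a local address; this is transit traffic, not management"]
    findings = []
    if t.dnat:
        findings.append(f"destination NAT rule/pool {t.dnat[2]} rewrote {t.dst}:{t.dport} to "
                        f"{t.dnat[0]}:{t.dnat[1]}; self traffic was turned into transit traffic")
    if t.zones and t.zones != (mgmt_zone, mgmt_zone):
        findings.append(f"packet was forwarded {t.zones[0]} -> {t.zones[1]} instead of "
                        f"terminating in the {mgmt_zone} zone")
    if t.egress_ifl:
        findings.append(f"routed out {t.egress_ifl}; a packet to the device itself should have no egress interface")
    if not findings:
        findings.append(f"flow terminated locally; check host-inbound-traffic system-services https in zone {mgmt_zone}")
    return findings


if __name__ == "__main__":
    trace = parse_flow_trace(FLOW_TRACE)
    for f in diagnose_management_access(trace, {"10.3.202.56"}, "managed"):
        print(f)
```

The last branch is the one that distinguishes this exhibit from answer A: only when the trace shows no translation, no route lookup and no inter-zone policy search does a missing `https` under host-inbound-traffic become the thing to check.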

 

 

QUESTION 18  

 

{hold:node0}
user@host1> show chassis cluster status
Cluster ID: 1
Node   Priority  Status  Preempt  Manual failover
Redundancy group: 0 , Failover count: 0
    node0  1         hold    no       no
    node1  0         lost    n/a      n/a

{hold:node0}
user@host1> show configuration | no-more
system {
    host-name host1;
    root-authentication {
        encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1"; ## SECRET-DATA
    }
    name-server {
        16.10.100;
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.210.14.131/26;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family inet {
                address 172.16.10.1/24;
            }
        }
    }
}
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/0.0;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                    telnet;
                    ping;
                    traceroute;
                    http;
                    snmp;
                }
            }
        }
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/9.0;
            }
        }
        security-zone Untrust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/8.0;
            }
        }
    }
}

{hold:node1}
user@host2> show chassis cluster status
Cluster ID: 1
Node   Priority  Status  Preempt  Manual failover
Redundancy group: 0 , Failover count: 0
    node0  0         lost    n/a      n/a
    node1  1         hold    no       no

{hold:node1}
user@host2> show configuration | no-more
system {
    host-name host2;
    root-authentication {
        encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1"; ## SECRET-DATA
    }
    name-server {
        16.10.100;
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.210.14.132/26;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family inet {
                address 172.16.10.1/24;
            }
        }
    }
}
security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        functional-zone management {
            interfaces {
                ge-0/0/0.0;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                    telnet;
                    ping;
                    traceroute;
                    http;
                    snmp;
                }
            }
        }
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/9.0;
            }
        }
        security-zone Untrust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
            interfaces {
                ge-0/0/8.0;
            }
        }
    }
}

 

 

Click the Exhibit button.

A user attempted to form a chassis cluster on an SRX240; however, the cluster did not form. While investigating the problem, you see the output shown in the exhibit.

What is causing the problem?

A. The cluster IDs do not match.
B. The configurations are not identical.
C. The fxp0 interface is not configured.
D. The ge-0/0/0 interface is configured.

Answer: D
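On an SRX240 in chassis-cluster mode, ge-0/0/0 is repurposed as fxp0 (out-of-band management) and ge-0/0/1 as fxp1 (the control link), so a revenue configuration on ge-0/0/0, as both nodes carry in the exhibit, is exactly the kind of leftover that keeps a cluster from forming, and each node seeing its peer as `lost` is the symptom. The pre-flight check below is an added example, not part of the exam material or of Junos: it lists the physical interfaces that carry configuration, flags any that collide with the reserved cluster ports, and reads the node states from `show chassis cluster status`. Only the SRX240 mapping is tabled; other branch models use different ports and should be added from their hardware guides before the check is run on them. The status and interface samples are constructed from node0's exhibit.

```python
import re
from typing import Dict, List

# Ports Junos repurposes when an SRX240 enters chassis-cluster mode.
# Other models map different ports: extend this from the hardware guide.
RESERVED_CLUSTER_PORTS: Dict[str, Dict[str, str]] = {
    "srx240": {"ge-0/0/0": "fxp0 (out-of-band management)",
               "ge-0/0/1": "fxp1 (control link)"},
}

# Constructed samples: the status output and the interfaces stanza from node0's exhibit.
NODE0_STATUS = """\
Cluster ID: 1
Node   Priority  Status  Preempt  Manual failover
Redundancy group: 0 , Failover count: 0
    node0  1         hold    no       no
    node1  0         lost    n/a      n/a
"""
NODE0_CONFIG = """\
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.210.14.131/26;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
}
"""

# Physical interface names open a brace at the first indentation level of [edit interfaces].
IFD_RE = re.compile(r"^\s{4}((?:ge|fe|xe|et|reth|fab|lo|fxp)\S*) \{", re.M)
STATUS_RE = re.compile(r"^\s*(node\d)\s+\d+\s+(\w+)", re.M)


def configured_interfaces(config: str) -> List[str]:
    """Physical interfaces that carry configuration in the [edit interfaces] stanza."""
    return IFD_RE.findall(config)


def parse_cluster_status(text: str) -> Dict[str, str]:
    """Map node name -> status column from `show chassis cluster status`."""
    return {node: state for node, state in STATUS_RE.findall(text)}


def cluster_preflight(model: str, config: str, status: str) -> List[str]:
    """Return the reasons a cluster on this model would fail to form, or [] if none are found."""
    problems = []
    reserved = RESERVED_CLUSTER_PORTS[model.lower()]
    for ifd in configured_interfaces(config):
        if ifd in reserved:
            problems.append(f"{ifd} is configured but becomes {reserved[ifd]} in cluster mode; "
                            f"delete it and configure fxp0/fxp1 instead")
    for node, state in parse_cluster_status(status).items():
        if state == "lost":
            problems.append(f"{node} is 'lost': the peer is not reachable over the control link")
    return problems


if __name__ == "__main__":
    for problem in cluster_preflight("SRX240", NODE0_CONFIG, NODE0_STATUS):
        print(problem)
```

The interface check is the one to run before `set chassis cluster cluster-id`, since the reboot into cluster mode is when the reserved ports change roles; the status check is what you read afterwards to confirm the control link came up.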

 

 

QUESTION 19  

 

[edit security utm]
user@host# show
custom-objects {
    url-pattern {
        blocklist {
            value [ http://badsite.com http://blocksite.com ];
        }
        acceptlist {
            value http://juniper.net;
        }
    }
    custom-url-category {
        blacklist {
            value blocklist;
        }
        whitelist {
            value acceptlist;
        }
    }
}
feature-profile {
    web-filtering {
        url-whitelist whitelist;
        url-blacklist blacklist;
        type juniper-local;
        juniper-local {
            profile web-filter {
                custom-block-message "Site is not allowed";
                fallback-settings {
                    default log-and-permit;
                }
            }
        }
    }
}
utm-policy utm1 {
    web-filtering {
        http-profile web-filter;
    }
}

 

 

Click the Exhibit button.

You set up Web filtering to allow employees to access only your internal website. You notice that employees are still able to reach websites outside of the blacklist.

Referring to the exhibit, which parameter must be changed?

A. You must define all sites you want to block using the mime-pattern parameter.
B. You must change the fallback-settings parameter to default block.
C. You must use integrated or redirect Web filtering instead of local list filtering.
D. You must define all sites you want to block using the protocol-command parameter.

Answer: B

 

 

QUESTION 20  

 

 

 

 

user@host> request services application-identification application copy junos:AIM-HTTP-API
error: Can not commit to junos configure DB.
could not lock modified database
mgd xcommit failed
Copy application junos:AIM-HTTP-API failed.

 

 

Click the Exhibit button.

You want to make a custom copy of the junos:AIM-HTTP-API application signature. However, when you attempt to copy the application signature, you receive the error shown in the exhibit.

What is causing the problem?

A. You cannot copy nested applications.
B. The AppID signature database is corrupt.
C. The candidate configuration is different from the active configuration.
D. The my:AIM-HTTP-API application signature already exists in the active configuration.

Answer: C

 
