Security, Specialist (JNCIS-SEC) v7.0 (JN0-333)

Total 64 questions

Which two statements about security policy actions are true? (Choose two.)

  • A. The log action implies an accept action.
  • B. The log action requires an additional terminating action.
  • C. The count action implies an accept action.
  • D. The count action requires an additional terminating action.


Answer : B,D

Click the Exhibit button.


You notice that your SRX Series device is not blocking HTTP traffic as expected.
Referring to the exhibit, what should you do to solve the problem?

  • A. Commit the configuration.
  • B. Reboot the SRX Series device.
  • C. Configure the SRX Series device to operate in packet-based mode.
  • D. Move the deny-http policy to the bottom of the policy list.


Answer : B

Clients at a remote office are accessing a website that is against your company Internet policy. You change the action of the security policy that controls HTTP access from permit to deny on the remote office SRX Series device. After committing the policy change, you notice that new users cannot access the website but users that have existing sessions on the device still have access. You want to block all user sessions immediately.
Which change would you make on the SRX Series device to accomplish this task?

  • A. Add the set security flow tcp-session rst-invalidate-session option to the configuration and commit the change.
  • B. Add the set security policies policy-rematch parameter to the configuration and commit the change.
  • C. Add the security flow tcp-session strict-syn-check option to the configuration and commit the change.
  • D. Issue the commit full command from the top of the configuration hierarchy.


Answer : B

Click the Exhibit button.


Host A is attempting to connect to Host B using the domain name, which is tied to a public IP address. All attempts to connect to Host B have failed. You have examined the configuration on your SRX340 and determined that a NAT policy is required.
Referring to the exhibit, which two NAT types will allow Host A to connect to Host B? (Choose two.)

  • A. source NAT
  • B. NAT-T
  • C. destination NAT
  • D. static NAT


Answer : C,D

Which three statements describe traditional firewalls? (Choose three.)

  • A. A traditional firewall performs stateless packet processing.
  • B. A traditional firewall offers encapsulation, authentication, and encryption.
  • C. A traditional firewall performs stateful packet processing.
  • D. A traditional firewall forwards all traffic by default.
  • E. A traditional firewall performs NAT and PAT.


Answer : B,C,E

Which statement describes the function of NAT?

  • A. NAT encrypts transit traffic in a tunnel.
  • B. NAT detects various attacks on traffic entering a security device.
  • C. NAT translates a public address to a private address.
  • D. NAT restricts or permits users individually or in a group.


Answer : C

Click the Exhibit button.


The inside server must communicate with the external DNS server. The internal DNS server address is 10.100.75.75. The external DNS server address is 75.75.76.76. Traffic from the inside server to the DNS server fails.
Referring to the exhibit, what is causing the problem?

  • A. The security policy must match the translated destination address.
  • B. Source and static NAT cannot be configured at the same time.
  • C. The static NAT rule must use the global address book entry name for the DNS server.
  • D. The security policy must match the translated source and translated destination address.


Answer : D

You are asked to support source NAT for an application that requires that its original source port not be changed.
Which configuration would satisfy the requirement?

  • A. Configure a source NAT rule that references an IP address pool with interface proxy ARP enabled.
  • B. Configure the egress interface to source NAT fixed-port status.
  • C. Configure a source NAT rule that references an IP address pool with the port no-translation parameter enabled.
  • D. Configure a source NAT rule that sets the egress interface to the overload status.


Answer : C

Click the Exhibit button.


Which feature is enabled with destination NAT as shown in the exhibit?

  • A. NAT overload
  • B. block allocation
  • C. port translation
  • D. NAT hairpinning


Answer : C

Which statement is true about Perfect Forward Secrecy (PFS)?

  • A. PFS is used to resolve compatibility issues with third-party IPsec peers.
  • B. PFS is implemented during Phase 1 of IKE negotiations and decreases the amount of time required for IKE negotiations to complete.
  • C. PFS increases security by forcing the peers to perform a second DH exchange during Phase 2.
  • D. PFS increases the IPsec VPN encryption key length and uses RSA or DSA certificates.


Answer : C

Click the exhibit button.


Referring to the exhibit, which statement is true?

  • A. Packets entering the interface are being dropped because of a stateless filter.
  • B. Packets entering the interface matching an ALG are getting dropped.
  • C. TCP packets entering the interface are failing the TCP sequence check.
  • D. Packets entering the interface are getting dropped because the interface is not bound to a zone.


Answer : D

Which two statements are true when implementing source NAT on an SRX Series device? (Choose two.)

  • A. Source NAT is applied before the security policy search.
  • B. Source NAT is applied after the route table lookup.
  • C. Source NAT is applied before the route table lookup.
  • D. Source NAT is applied after the security policy search.


Answer : B,D

You want to ensure that any certificates used in your IPsec implementation do not expire while in use by your SRX Series devices.
In this scenario, what must be enabled on your devices?

  • A. RSA
  • B. TLS
  • C. SCEP
  • D. CRL


Answer : C

Which statement is true about high availability (HA) chassis clusters for the SRX Series device?

  • A. Cluster nodes require an upgrade to HA compliant Routing Engines.
  • B. Cluster nodes must be connected through a Layer 2 switch.
  • C. There can be active/passive or active/active clusters.
  • D. HA clusters must use NAT to prevent overlapping subnets between the nodes.


Answer : C

You want to protect your SRX Series device from the ping-of-death attack coming from the untrust security zone.
How would you accomplish this task?

  • A. Configure the host-inbound-traffic system-services ping except parameter in the untrust security zone.
  • B. Configure the application tracking parameter in the untrust security zone.
  • C. Configure a from-zone untrust to-zone trust security policy that blocks ICMP traffic.
  • D. Configure the appropriate screen and apply it to the [edit security zone security-zone untrust] hierarchy.


Answer : D
