Page: 1
/ 8
Total 110 questions
Traffic is not passing the ScreenOS device due to an incorrectly configured policy. You must determine exactly which security policy the traffic is using.
Which two CLI commands should be used? (Choose two.)
- A. snoop
- B. get session
- C. debug flow basic
- D. get counter stats
Answer : B,C
Click the Exhibit button.
Which two statements are true about the exhibit? (Choose two.)
- A. It contains information regarding Phase 1 of IPsec.
- B. It contains information regarding Phase 2 of IPsec.
- C. The VPN is using certificates.
- D. The VPN is using preshared keys.
Answer : A,D
Click the Exhibit button.
Which two statements are true regarding the route shown in the exhibit? (Choose two.)
- A. 5.5.5.0/24 was configured as a source route with a next-hop IP address of 1.1.1.1 in the trust-vr.
- B. 5.5.5.0/24 was configured as a destination route with a next-hop IP address of 1.1.1.1 in the trust-vr.
- C. 5.5.5.0/24 was configured as a SIBR route with a next-hop IP address of 1.1.1.1 in the trust-vr.
- D. 5.5.5.0/24 was configured as a permanent source route.
Answer : A,D
A ScreenOS device detects a large number of sessions that match the same deep inspection attack object.What are two ways to configure the device? (Choose two.)
- A. Activate dynamic firewall policies.
- B. Close the connection and disallow further connections from the client.
- C. Close the connection and rate-limit further connections to the server.
- D. Log an alert.
Answer : B,D
Click the Exhibit button.
Given the output shown in the exhibit, which command would you use to view the number of attacks that have been blocked by the Screen options on the Untrust zone?
- A. ssg5-> get counter screen interface ethernet2/1
- B. ssg5-> get zone Untrust screen
- C. ssg5-> get counter screen zone Untrust
- D. ssg5-> get counter statistics interface ethernet2/1
Answer : C
The ScreenOS software performs virus scanning for which three protocols? (Choose three.)
- A. FTP
- B. HTTP
- C. HTTPS
- D. NetBIOS
- E. SMTP
Answer : A,B,E
HostA is in the Trust zone and has an IP address of. ServerA is a Web server in the DMZ zone and has an IP address of.
Which three configuration statements are required to allow traffic from HostA to communicate with ServerA? (Choose three.)
- A. ssg5-> set address Trust HostA /32
- B. ssg5-> set policy from DMZ to Trust ANY ANY ANY permit
- C. ssg5-> set address DMZ ServerA /32
- D. ssg5-> set policy from Trust to DMZ HostA ServerA HTTP permit
- E. ssg5-> set address Trust HostA /32
Answer : C,D,E
-- Exhibit --
ns5gt-> get int eth2
Interface ethernet2:
description ethernet2
number 8, if_info 704, if_index 0, mode route
link up, phy-link up/full-duplex
status change:7, last change:09/26/2012 23:08:22
vsys Root, zone Untrust, vr trust-vr
dhcp client disabled
PPPoE disabled -
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 171.211.111.111/30 mac 0014.f693.edc8
*manage ip 171.211.111.111, mac 0014.f693.edc8
route-deny disable
pmtu-v4 disabled
ping disabled, telnet enabled, SSH disabled, SNMP disabled
web enabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
MLD not configured -
NHRP disabled -
bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps] configured ingress mbw 0kbps, current bw 0kbps total allocated gbw 0kbps
DHCP-Relay disabled at interface level
DHCP-server disabled -
-- Exhibit --
You are the administrator of a NetScreen 5GT. For troubleshooting purposes, you must be able to ping untrusted interfaces.
Referring to the exhibit, how do you enable ping for interface eth2?
- A. ns5gt-> unset int eth2 manage-ip ping
- B. ns5gt-> set int eth2 manage ping
- C. ns5gt-> enable int eth2 manage ping
- D. ns5gt-> set int eth2 manage-ip ping
Answer : B
You must verify on your ScreenOS device that you have configured the correct tunnel peer and determine which IKE proposals the remote device is sending and accepting.
Which command should you use?
- A. get ike gateway
- B. get ike peer
- C. get sa active
- D. get ike active
Answer : A
What is the initial default username and password for all ScreenOS devices?
- A. administrator/password
- B. root/password
- C. netscreen/netscreen
- D. admin/netscreen1
Answer : D
Which two statements are true about policy-based VPNs as compared to route-based
IPsec VPNs when using ScreenOS devices? (Choose two.)
- A. For policy-based IPsec VPNs, you can configure 0.0.0.0/0 as the proxy ID on both VPN gateways regardless of the security policy.
- B. For route-based IPsec VPNs, you can configure 0.0.0.0/0 as the proxy ID on both VPN gateways regardless of the security policy.
- C. For route-based IPsec VPNs, the proxy ID is derived from the policy.
- D. For policy-based IPsec VPNs, the proxy ID is derived from the policy.
Answer : B,D
Which NAT has bidirectional translation by default?
- A. NAT-src
- B. NAT-dst
- C. VIP
- D. MIP
Answer : D
You want to copy an external configuration file to your ScreenOS device and have it become active only after the device reboots. How would you accomplish this goal?
- A. From the device, copy the configuration from an external TFTP server to the device's flash memory.
- B. From the device, copy the configuration from an external TFTP server to the device's RAM.
- C. From the device, copy the configuration from an external TFTP server and merge it with the current configuration.
- D. From the device, copy the configuration from the device's flash memory to an external TFTP server.
Answer : A
You want to ensure that the IKE Phase 2 key is totally independent of the IKE Phase 1 key.
Which IKE feature would you enable?
- A. Perfect Forward Secrecy
- B. Diffie-Hellman Group 5
- C. Replay Protection
- D. Rekey Protection
Answer : A
What is a virtual system?
- A. a mechanism to logically partition a single ScreenOS device into multiple logical devices
- B. a collection of subnets and interfaces sharing identical security requirements
- C. a method of providing a secure connection across a network
- D. a tool to protect against DoS attacks
Answer : C
30 days access 