Page: 1
/ 12
Total 179 questions
Which two statements are true about persistent NAT? (Choose two.)
- A. The permit target-host-port statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.
- B. The permit target-host statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.
- C. Port overloading must be enabled for Interface-based persistent NAT.
- D. Port overloading must be disabled for Interface-based persistent NAT.
Answer : B,D
You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be working properly.
What are two reasons for the problem? (Choose two.)
- A. You are configured a remote address value of 0.0.0.0/0.
- B. You are trying to use traffic selectors with policy-based VPNs.
- C. You have configured 15 traffic selectors on each SRX Series device.
- D. You are trying to use traffic selectors with route-based VPNs.
Answer : A,B
Click the Exhibit button.
-- Exhibit --
user@srx240< show route summary
Router ID.
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active -
Local: 1 routes, 1 active -
StatiC. 1 routes, 1 active -
customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active -
Local: 1 routes, 1 active -
StatiC. 1 routes, 1 active -
customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active -
Local: 1 routes, 1 active -
OSPF. 1 routes, 1 active -
StatiC. 1 routes, 1 active -
customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
Direct: 2 routes, 2 active -
Local: 2 routes, 2 active -
StatiC. 1 routes, 1 active -
-- Exhibit --
In the output, how many user-configured routing instances have active routes?
- A. 1
- B. 2
- C. 3
- D. 4
Answer : B
Reference: http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/command- summary/show-route-summary.html#jd0e185
Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show | no-more
idp-policy basic {
rulebase-ips {
rule 1 {
match {
from-zone untrust;
source-address any;
to-zone trust;
destination-address any;
application default;
attacks {
custom-attacks data-inject;
then {
action {
recommended;
notification {
log-attacks;
active-policy basic;
custom-attack data-inject {
recommended-action close;
severity critical;
attack-type {
signature {
context mssql-query;
pattern "SELECT * FROM accounts";
direction client-to-server;
-- Exhibit --
You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP.
Which two commands should you use? (Choose two.)
- A. set custom attack data-inject recommended-action drop
- B. set custom-attack data-inject attack-type signature protocol-binding tcp
- C. set idp-policy basic rulebase-ips rule 1 match destination-address webserver
- D. set idp-policy basic rulebase-ips rule 1 match application any
Answer : B,C
Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce password expiration policies for all VPN users.
Which authentication method meets the requirement?
- A. local password database
- B. TACACS+
- C. RADIUS
- D. LDAP
Answer : D
Explanation:
Reference : http://kb.juniper.net/InfoCenter/index?page=content&id=KB17423&actp=RSS
Click the Exhibit button.
[edit security idp-policy test]
user@host# show
rulebase-ips {
rule R3 {
match {
source-address any;
destination-address any;
attacks {
predefined-attacks FTP:USER:ROOT;
then {
action {
recommended;
terminal;
rule R4 {
match {
source-address any;
destination-address any;
attacks {
predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
then {
action {
recommended;
You have just committed the new IDP policy shown in the exhibit. However, you notice no action is taken on traffic matching the R4 IDP rule.
Which two actions will resolve the problem? (Choose two.)
- A. Change the R4 rule to match on a predefined attack group.
- B. Insert the R4 rule above the R3 rule.
- C. Delete the terminal statement from the R3 rule.
- D. Change the IPS rulebase to an exempt rulebase.
Answer : C
HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?
- A. [edit security flow] user@srx# show traceoptions { file dump; flag basic-datapath; }
- B. [edit security] user@srx# show application-tracking { enable; } flow { traceoptions { file dump; flag basic-datapath; } }
- C. [edit firewall filter capture term one] user@srx# show from { source-address { 1.1.1.1; } destination-address { 2.2.2.2; } protocol tcp; } then { port-mirror; accept; }
- D. [edit firewall filter capture term one] user@srx# show from { source-address { 1.1.1.1; } destination-address { 2.2.2.2; } protocol tcp; } then { sample; accept; }
Answer : D
Reference: http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/
Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote
Address -
3289542 UP 48d928408940de28 e418fc7702fe483b Main
172.31.50.1
3289543 UP eb45940484082b14 428086b100427326 Main 10.10.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec; security-associations
Total active tunnels: 2 -
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:des/ shal 6d40899b 1360/ unlim - root 500 10.10.50.1
>131073 ESP:des/ shal 5a89400e 1360/ unlim - root 500 10.10.50.1
<131074 ESP:des/ shal c04046f 1359/ unlim - root 500 172.31.50.1
>131074 ESP:des/ shal 5508946c 1359/ unlim - root 500 172.31.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address Interface State ID Pri Dead 10.40.60.1 st0.0 Init 10.30.50.1 128 35
10.40.60.2 st0.0 Full 10.30.50.1 128 31
[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.
What would you do to resolve this problem?
- A. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.
- B. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.
- C. Configure the st0.0 interface under OSPF as a point-to-point interface.
- D. Configure the st0.0 interface under OSPF as an unnumbered interface.
Answer : B
You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s.
Regarding this scenario, which two statements are true? (Choose two.)
- A. You must enable data plane logging on the SRX240 devices to generate security policy logs.
- B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.
- C. IKE logs are written to the kmd log file by default.
- D. IPsec logs are written to the kmd log file by default.
Answer : B,D
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506 http://www.google.co.in/url?sa=t&rct=j&q=IKE%20logs%20are%20written%20to%20the%2
0kmd%20log%20file%20by%20default&source=web&cd=2&ved=0CC8QFjAB&url=http%3
A%2F%2Fwww.juniper.net%2Fus%2Fen%2Flocal%2Fpdf%2Fapp-notes%2F3500175- en.pdf&ei=SNHzUZntEcaPrQfnpICYDQ&usg=AFQjCNGb-rMrVcm6cqqBLWDif54CaCTrrw
You are asked to design a solution to verify IPsec peer reachability with data path forwarding.
Which feature would meet the design requirements?
- A. DPD over Phase 1 SA
- B. DPD over Phase 2 SA
- C. VPN monitoring over Phase 1 SA
- D. VPN monitoring over Phase 2 SA
Answer : D
Explanation:
Reference : http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-
VPN-monitor-in-IPSEC/td-p/176671
You have a group IPsec VPN established with a single key server and five client devices.
Regarding this scenario, which statement is correct?
- A. There is one unique Phase 1 security association and five unique Phase 2 security associations used for this group.
- B. There is one unique Phase 1 security association and one unique Phase 2 security association used for this group.
- C. There are five unique Phase 1 security associations and five unique Phase 2 security associations used for this group.
- D. There are five unique Phase 1 security associations and one unique Phase 2 security association used for this group.
Answer : D
Explanation:
Reference : http://www.thomas-
krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Confi guring_Group_VPN_Juniper_SRX.pdf
Click the Exhibit button.
-- Exhibit
-- Exhibit --
You have configured an IDP policy as shown in the exhibit. The configuration commits successfully. Which traffic will be examined for attacks?
- A. only originating traffic from source to destination in a session
- B. only reply traffic from destination to source in a session
- C. both originating and reply traffic between hosts in a session
- D. recommended traffic between the source and destination hosts
Answer : C
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos- security-swconfig-security/config-idp-ips-rulebase-section.html#config-idp-ips-rulebase- section
Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability). Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lockups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1 19.24:17.322751 In arp who has 172.168.3.254 tell 172.168.3.1 19.24:18.328895 In arp who-has 172.168.3.254 tell
172.168.3.1
19.24:18.332956 In arn who has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
- A. The server is in the wrong VLAN.
- B. The server has been misconfigured with the wrong IP address.
- C. The firewall has been misconfigured with the incorrect routing-instance.
- D. The firewall has a filter enabled to block traffic from the server.
Answer : C
You are attempting to establish an IPsec VPN between two SRX devices. However, there is another device between the SRX devices that does not pass traffic that is using UDP port 4500.
How would you resolve this problem?
- A. Enable NAT-T.
- B. Disable NAT-T.
- C. Disable PAT.
- D. Enable PAT.
Answer : B
Explanation:
NAT-T also uses UDP port 4500 (by default) rather than the standard UDP. So disabling
NAT-T will resolve this issue.
Reference :
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&cad=rja&ved=0C
HsQFjAJ&url=http%3A%2F%2Fchimera.labs.oreilly.com%2Fbooks%2F1234000001633%
2Fch10.html&ei=NZrtUZHHO4vJrQezmoCwAw&usg=AFQjCNGU05bAtnFu1vXNgssixHtC
BoNBnw&sig2=iKzzPNQqiH2xrsjveXIleA&bvm=bv.49478099,d.bmk
An SRX Series device is configured for inline tap mode.
What will occur if Drop Packet is selected?
- A. The SRX Series device drops a matching packet before it can reach its destination but does not close the connection.
- B. The SRX Series device will ignore the action Drop Packet.
- C. The SRX Series device closes the connection and sends an RST packet to both the client and the server.
- D. The SRX Series device drops a matching packet associated with the connection, preventing traffic for the connection from reaching its destination.
Answer : D