Which two statements are true about persistent NAT? (Choose two.)
Answer : B,D
You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be working properly.
What are two reasons for the problem? (Choose two.)
Answer : A,B
Click the Exhibit button.
-- Exhibit --
user@srx240> show route summary
Router ID:
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
              Static:      1 routes,      1 active
customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
              Static:      1 routes,      1 active
customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
                OSPF:      1 routes,      1 active
              Static:      1 routes,      1 active
customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
              Direct:      2 routes,      2 active
               Local:      2 routes,      2 active
              Static:      1 routes,      1 active
-- Exhibit --
In the output, how many user-configured routing instances have active routes?
Answer : B
Explanation:
inet.0 has no instance prefix and belongs to the default (master) instance, which is not user-configured. The user-configured instances are customer-A (table customer-A.inet.0) and customer-B (tables customer-B.inet.0 and customer-B.inet6.0, which are two tables of one instance). Both hold active routes, so two user-configured routing instances have active routes.
Reference: http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/command-summary/show-route-summary.html#jd0e185
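As an added example (not part of the original page or of Juniper's documentation), the following Python script parses the show route summary output above and applies the counting rule: a table without an instance prefix belongs to the master instance, and several tables with the same prefix belong to one instance. The list of prefixes it treats as non-user tables (inet, inet6, iso, mpls, bgp, l2circuit, __juniper_private) is an assumption of this example, and the sample input is the exhibit trimmed to its table lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the "show route summary" exhibit above, table lines only.
SAMPLE_ROUTE_SUMMARY = """\
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
              Static:      1 routes,      1 active
customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
              Static:      1 routes,      1 active
customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
                OSPF:      1 routes,      1 active
              Static:      1 routes,      1 active
customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
              Direct:      2 routes,      2 active
               Local:      2 routes,      2 active
              Static:      1 routes,      1 active
"""

# One line per routing table:
# "<table>: N destinations, N routes (N active, N holddown, N hidden)"
TABLE_RE = re.compile(
    r"^(?P<table>\S+):\s+\d+ destinations,\s+\d+ routes\s+\((?P<active>\d+) active,"
)

# Tables of the master instance carry no instance prefix (inet.0, inet6.0, inet.3,
# mpls.0, bgp.l3vpn.0, ...), and __juniper_private* instances are Junos-internal.
# This prefix list is an assumption of the example, not taken from Juniper documentation.
NOT_USER_INSTANCE = ("inet.", "inet6.", "iso.", "mpls.", "bgp.", "l2circuit.", "__juniper_private")


def parse_route_summary(text):
    """Map every routing table named in the output to its number of active routes."""
    tables = {}
    for line in text.splitlines():
        m = TABLE_RE.match(line.strip())
        if m:
            tables[m.group("table")] = int(m.group("active"))
    return tables


def instance_of(table):
    """Return the user-configured instance that owns a table, or None for master/internal tables.

    "customer-B.inet6.0" -> "customer-B": the suffix is always "<family>.<n>".
    """
    if table.startswith(NOT_USER_INSTANCE):
        return None
    parts = table.rsplit(".", 2)
    return parts[0] if len(parts) == 3 else None


def user_instances_with_active_routes(text):
    """Sorted names of user-configured instances holding at least one active route."""
    active = defaultdict(int)
    for table, n in parse_route_summary(text).items():
        inst = instance_of(table)
        if inst is not None:
            active[inst] += n
    return sorted(i for i, n in active.items() if n > 0)


if __name__ == "__main__":
    insts = user_instances_with_active_routes(SAMPLE_ROUTE_SUMMARY)
    print(f"{len(insts)} user-configured instance(s) with active routes: {', '.join(insts)}")
```

Run on the exhibit it reports customer-A and customer-B; an instance whose tables show 0 active routes is parsed but not counted, which is the distinction the question turns on.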
Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show | no-more
idp-policy basic {
    rulebase-ips {
        rule 1 {
            match {
                from-zone untrust;
                source-address any;
                to-zone trust;
                destination-address any;
                application default;
                attacks {
                    custom-attacks data-inject;
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
active-policy basic;
custom-attack data-inject {
    recommended-action close;
    severity critical;
    attack-type {
        signature {
            context mssql-query;
            pattern "SELECT * FROM accounts";
            direction client-to-server;
        }
    }
}
-- Exhibit --
You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP.
Which two commands should you use? (Choose two.)
Answer : B,C
Your company is using a dynamic VPN configuration on its SRX device. Your manager asks you to enforce password expiration policies for all VPN users.
Which authentication method meets the requirement?
Answer : D
Explanation:
Reference : http://kb.juniper.net/InfoCenter/index?page=content&id=KB17423&actp=RSS
Click the Exhibit button.
[edit security idp-policy test]
user@host# show
rulebase-ips {
    rule R3 {
        match {
            source-address any;
            destination-address any;
            attacks {
                predefined-attacks FTP:USER:ROOT;
            }
        }
        then {
            action {
                recommended;
            }
        }
        terminal;
    }
    rule R4 {
        match {
            source-address any;
            destination-address any;
            attacks {
                predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
            }
        }
        then {
            action {
                recommended;
            }
        }
    }
}
You have just committed the new IDP policy shown in the exhibit. However, you notice no action is taken on traffic matching the R4 IDP rule.
Which two actions will resolve the problem? (Choose two.)
Answer : C
Explanation:
Rule R3 matches any source and any destination and is marked terminal. A terminal rule ends rule evaluation as soon as its zone, address and application conditions match, whether or not its attack object (FTP:USER:ROOT) matched, so traffic never reaches R4. Removing terminal from R3, or inserting R4 above R3, lets R4 be evaluated.
HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?
Answer : D
Reference: http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/
Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
3289542 UP     48d928408940de28  e418fc7702fe483b  Main  172.31.50.1
3289543 UP     eb45940484082b14  428086b100427326  Main  10.10.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec security-associations
Total active tunnels: 2
ID      Algorithm      SPI      Life:sec/kb  Mon lsys Port  Gateway
<131073 ESP:des/sha1   6d40899b 1360/ unlim  -   root 500   10.10.50.1
>131073 ESP:des/sha1   5a89400e 1360/ unlim  -   root 500   10.10.50.1
<131074 ESP:des/sha1   c04046f  1359/ unlim  -   root 500   172.31.50.1
>131074 ESP:des/sha1   5508946c 1359/ unlim  -   root 500   172.31.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address          Interface   State  ID           Pri  Dead
10.40.60.1       st0.0       Init   10.30.50.1   128    35
10.40.60.2       st0.0       Full   10.30.50.1   128    31
[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.
What would you do to resolve this problem?
Answer : B
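The exhibit above carries two things a practitioner should notice beyond the Init state: both OSPF neighbors on st0.0 present the same router ID (10.30.50.1), and every SA is ESP with single DES. As an added example (not part of the original page or of Juniper's tooling), this Python script parses the two command outputs and reports those conditions: a neighbor not in Full state, one router ID claimed by several neighbor addresses on one interface, a gateway missing an SA direction, and a weak cipher. The sample inputs are the exhibit with columns re-aligned; the set of ciphers treated as weak is this example's assumption. The script does not correlate the OSPF addresses with the IPsec gateways, because the exhibit does not show which st0 address belongs to which spoke.

```python
import re
from collections import defaultdict

# Constructed samples: the exhibit's command output with the columns re-aligned.
SAMPLE_IPSEC_SAS = """\
Total active tunnels: 2
ID      Algorithm      SPI      Life:sec/kb  Mon lsys Port  Gateway
<131073 ESP:des/sha1   6d40899b 1360/ unlim  -   root 500   10.10.50.1
>131073 ESP:des/sha1   5a89400e 1360/ unlim  -   root 500   10.10.50.1
<131074 ESP:des/sha1   c04046f  1359/ unlim  -   root 500   172.31.50.1
>131074 ESP:des/sha1   5508946c 1359/ unlim  -   root 500   172.31.50.1
"""
SAMPLE_OSPF_NEIGHBORS = """\
Address          Interface   State  ID           Pri  Dead
10.40.60.1       st0.0       Init   10.30.50.1   128    35
10.40.60.2       st0.0       Full   10.30.50.1   128    31
"""

# One ESP SA per line, direction marker first (< inbound, > outbound).
SA_RE = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+ESP:(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+(?P<spi>[0-9a-f]+)"
    r"\s+(?P<lifesec>\d+)/\s*(?P<lifekb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)"
    r"\s+(?P<port>\d+)\s+(?P<gateway>\S+)$"
)
# One OSPF neighbor per line: address, interface, state, router ID, priority, dead timer.
NEIGHBOR_RE = re.compile(
    r"^(?P<addr>\d+(?:\.\d+){3})\s+(?P<ifl>\S+)\s+(?P<state>\w+)\s+(?P<rid>\d+(?:\.\d+){3})"
    r"\s+(?P<pri>\d+)\s+(?P<dead>\d+)$"
)
# Assumption of this example: 56-bit DES and NULL give no real confidentiality.
WEAK_ENCRYPTION = {"des", "null"}


def parse_ipsec_sas(text):
    """Rows of 'show security ipsec security-associations' as dicts (ESP rows only)."""
    return [m.groupdict() for m in map(SA_RE.match, (l.strip() for l in text.splitlines())) if m]


def parse_ospf_neighbors(text):
    """Rows of 'show ospf neighbor' as dicts."""
    return [m.groupdict() for m in map(NEIGHBOR_RE.match, (l.strip() for l in text.splitlines())) if m]


def tunnel_findings(sas):
    """Per gateway: both SA directions must exist and the cipher must not be weak."""
    dirs, algs = defaultdict(set), defaultdict(set)
    for sa in sas:
        dirs[sa["gateway"]].add(sa["dir"])
        algs[sa["gateway"]].add((sa["enc"], sa["auth"]))
    findings = []
    for gw in dirs:
        if dirs[gw] != {"<", ">"}:
            findings.append(("error", f"gateway {gw}: only direction {''.join(dirs[gw])} has an SA"))
        for enc, auth in sorted(algs[gw]):
            if enc in WEAK_ENCRYPTION:
                findings.append(("error", f"gateway {gw}: ESP {enc}/{auth} is weak; move the proposal to AES"))
    return findings


def ospf_findings(neighbors):
    """Flag neighbors not in Full state, and one router ID seen from several addresses on one interface."""
    findings = []
    for n in neighbors:
        if n["state"] != "Full":
            findings.append(("warn", f'{n["addr"]} on {n["ifl"]} is in state {n["state"]} (router ID {n["rid"]})'))
    seen = defaultdict(set)
    for n in neighbors:
        seen[(n["ifl"], n["rid"])].add(n["addr"])
    for (ifl, rid), addrs in seen.items():
        if len(addrs) > 1:
            findings.append(("error", f"router ID {rid} is claimed by {len(addrs)} neighbors on {ifl}: {', '.join(sorted(addrs))}"))
    return findings


def hub_health(ipsec_text, ospf_text):
    """All findings for one hub, tunnel checks first."""
    return tunnel_findings(parse_ipsec_sas(ipsec_text)) + ospf_findings(parse_ospf_neighbors(ospf_text))


if __name__ == "__main__":
    for severity, msg in hub_health(SAMPLE_IPSEC_SAS, SAMPLE_OSPF_NEIGHBORS):
        print(f"[{severity}] {msg}")
```

On the exhibit this yields two cipher errors (one per spoke gateway), the Init warning for 10.40.60.1, and the duplicate router ID error; a healthy hub with distinct router IDs and AES proposals yields nothing.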
You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s.
Regarding this scenario, which two statements are true? (Choose two.)
Answer : B,D
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506
http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf
You are asked to design a solution to verify IPsec peer reachability with data path forwarding.
Which feature would meet the design requirements?
Answer : D
Explanation:
VPN monitoring sends ICMP echo requests through the established IPsec tunnel to the peer (or to a configured destination-ip) and brings the SA down when the configured number of probes goes unanswered, so it verifies the data path and not only IKE liveness. Dead peer detection exchanges IKE R-U-THERE messages outside the ESP tunnel and cannot notice a tunnel whose IKE SA is fine but whose data path is broken.
Reference : http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671
You have a group IPsec VPN established with a single key server and five client devices.
Regarding this scenario, which statement is correct?
Answer : D
Explanation:
Reference : http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
Click the Exhibit button.
-- Exhibit
Answer : C
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/config-idp-ips-rulebase-section.html#config-idp-ips-rulebase-section
Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability). Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:17.322751 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.328895 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.332956 In arp who-has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
Answer : C
Explanation:
Every frame in the capture is an ARP request from the new server (172.168.3.1) for 172.168.3.254, repeated without a reply from the SRX on ge-0/0/3. The server never resolves the address it is using as its gateway, so it never sends IP traffic toward the firewall, which is why no policy log entry exists. The working servers in the VLAN are resolving an address the SRX does answer for, so the fault lies in the new server's layer 2/3 configuration rather than in a security policy.
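As an added example (not part of the original page), this Python script applies that reading to monitor traffic output: it pairs ARP requests with ARP replies seen in the capture and reports targets that were asked for but never answered, per requesting host. The sample contains the four frames from the exhibit plus one constructed request/reply pair for a working host; the SRX address 172.168.3.10 and the MAC in that pair are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the four frames from the exhibit, followed by a constructed
# request/reply pair in which the SRX (assumed here to own 172.168.3.10 on
# ge-0/0/3) answers a working host. "In"/"Out" is the direction relative to the SRX.
SAMPLE_CAPTURE = """\
19:24:16.320907  In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:17.322751  In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.328895  In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.332956  In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:19.100212  In arp who-has 172.168.3.10 tell 172.168.3.20
19:24:19.100388 Out arp reply 172.168.3.10 is-at 00:05:86:71:12:34
"""

# tcpdump-style ARP lines as monitor traffic prints them.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+arp who-has (?P<target>\S+) tell (?P<sender>\S+)$"
)
REPLY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+arp reply (?P<target>\S+) is-at (?P<mac>\S+)$"
)


def arp_summary(text):
    """Return (requests, replies).

    requests: target IP -> list of sender IPs that asked for it (one entry per frame)
    replies:  target IP -> MAC announced in an ARP reply
    """
    requests, replies = defaultdict(list), {}
    for line in text.splitlines():
        line = line.strip()
        if (m := REQUEST_RE.match(line)):
            requests[m["target"]].append(m["sender"])
        elif (m := REPLY_RE.match(line)):
            replies[m["target"]] = m["mac"]
    return requests, replies


def unanswered_arp(text):
    """Targets that were asked for but never answered anywhere in the capture."""
    requests, replies = arp_summary(text)
    return {t: senders for t, senders in requests.items() if t not in replies}


def diagnose(text, suspect_host):
    """Say whether one host is stuck before IP: repeated unanswered ARP for a single target."""
    for target, senders in unanswered_arp(text).items():
        asks = senders.count(suspect_host)
        if asks:
            return (f"{suspect_host} sent {asks} ARP request(s) for {target} and got no reply: "
                    f"it never resolves that address, so none of its IP traffic can reach a security policy or a log")
    return f"{suspect_host}: every ARP request it sent was answered; look beyond layer 2"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "172.168.3.1"))
    print(diagnose(SAMPLE_CAPTURE, "172.168.3.20"))
```

Matching replies by target address rather than by sender is deliberate: on a shared segment the capture only sees the unicast reply when the SRX itself sends it, so a target that never appears in a reply is either not the SRX's address or not answered by the SRX, and both cases are worth raising.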
You are attempting to establish an IPsec VPN between two SRX devices. However, there is another device between the SRX devices that does not pass traffic that is using UDP port 4500.
How would you resolve this problem?
Answer : B
Explanation:
With NAT traversal enabled, IKE moves from UDP 500 to UDP 4500 and ESP is encapsulated in UDP 4500 as soon as a NAT device is detected between the peers. Disabling NAT-T on the IKE gateway (no-nat-traversal) keeps IKE on UDP 500 and sends ESP natively as IP protocol 50, so port 4500 is never used. This is only a fix when no NAT actually sits between the two SRX devices; if one does, the intermediate device has to be made to pass UDP 4500 instead.
Reference : http://chimera.labs.oreilly.com/books/1234000001633/ch10.html
An SRX Series device is configured for inline tap mode.
What will occur if Drop Packet is selected?
Answer : D