Page: 1
/ 5
Total 75 questions
While attempting to commit a configuration for a new address book, you received the error message shown below.
Zone specific address books are not allowed when there are global address books defined error: commit failed: (statements constraint check failed)
How would you resolve this error?
- A. You need to add a valid address book name.
- B. You need to add a valid IP address to the address set.
- C. You need to configure the address book in the Untrust security zone
- D. You need to transition all address books to be zone based.
Answer : D
Zone specific address books are not allowed when there are global address books defined.
References:
http://rtoodtoo.net/address-books-explained/
Click the Exhibit button.
You are implementing UTM on an SRX Series device to block the advertisements and special events URL category, however, traffic for those categories is still passing through.
Referring to the exhibit, why is this happening?
- A. The set type juniper-enhanced command must be configured under the [edit security utm feature-profile web-filtering] hierarchy.
- B. The default permit parameter is configured under the [edit security utm feature-profile web-filtering juniper-enhanced profile ] hierarchy. test-webfilter
- C. Enhanced_Advertisements and Enhanced_Special_Events are not valid categories.
- D. A policy for returning traffic must be configured.
Answer : A
Now we must change it to juniper-enhanced as below
[edit security utm feature-profile web-filtering]
root@srx# set type juniper-enhanced
References: http://rtoodtoo.net/srx-utm-web-wiltering/
Click the Exhibit button.
A customer created a security policy and is not receiving any logs from permitted sessions, you are asked to obtain the logs for the customer.
Which parameter must you add to the configuration shown in the exhibit to accomplish this task?
- A. set system syslog file traffic-log any any
- B. set default-permit then log session-close
- C. set default-permit then count
- D. set system syslog file traffic-log match "traffic_session".
Answer : A
To send security policy logs to a file named traffic-log on the SRX Series device: user@host# set system syslog file traffic-log any any user@host# set system syslog file traffic-log match "RT_FLOW_SESSION"
In the example above, traffic log messages are sent to a separate log file named traffic-log. The severity level is set to any so that the traffic log messages are captured. Only log messages that match RT_FLOW_SESSION, which identifies traffic log messages, are sent to the traffic-log file.
References:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=search
Click the Exhibit button.
Your customer reports that user1 is not able to access the protected resources on a dynamic VPN. To troubleshoot the connection issue between user1 and the protected resources you enable traceoptions.
Referring to the exhibit, which configuration steps are correct?
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer : A
You have deployed AppID on your SRX Series device. You want to block all HTTP connections. However, there is a packet-monitoring device that shows the SRX
Series device is still allowing some packets through to the webservers on TCP port 80.
In this scenario, which statement is correct?
- A. Traffic is hitting the default fall-back option.
- B. The packet-monitoring device is allowing packets to TCP port 80.
- C. After deploying AppID, this is a normal behavior.
- D. There are new sessions matching the webservers on TCP port 80.
Answer : C
Note: The APPID (application identification) feature is a Junos OS feature that identifies applications as constituents of application groups in TCP/UDP/ICMP traffic.
References: http://www.juniper.net/techpubs/en_US/junos-mobility12.1/topics/concept/pcef-app-id-overview.html
Click the Exhibit button.
A customer wants to commit a configuration but receives the error shown in the exhibit.
What would solve the problem?
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer : A
The Source address or address_set not found error message indicates that we need to create addressbook entries for 192.168.1.1 and 192.168.1.2.
Click the Exhibit button.
You are implementing a high availability chassis cluster on an SRX Series device. You would like to manage both devices through the J-Web utility. However, when you try to log in to the second device using SSL HTTP, you receive a message from your Web browser indicating that the message has timed out.
Why you are receiving this message?
- A. There is a firewall policy blocking traffic to the control plane.
- B. HTTP is not configured as host inbound traffic.
- C. The incoming traffic is not being allowed on the correct port.
- D. The rdp daemon is on standby on the secondary device.
Answer : A
Users begin complaining that they are not able to access resources. You start your troubleshooting by reviewing the security associations.
Which two methods would you use to troubleshoot this problem? (Choose two.)
- A. Use J-Web and select Monitor > IPsec VPN > Phase II.
- B. Issue the show security ike security-associations command.
- C. Use J-Web and select Monitor > IPsec VPN > Phase I.
- D. Issue the show command under the [edit security ike traceoptions] hierarchy.
Answer : AB
A. To view information about IKE security associations (SAs) select Monitor>IPSec VPN>IKE Gateway in the J-Web user interface
Cryptography is used to secure exchanges between peers during the IKE Phase 2 negotiations
B: The show security ike security-associations command displays information about Internet Key Exchange security associations (IKE SAs).
References:
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/task/verification/security-vpn-monitoring.html http://www.juniper.net/documentation/en_US/junos12.1x47/topics/reference/command-summary/show-security-ike-security-associations.html
Click the Exhibit button.
A customer configured DHCP relay. After committing the configuration, the DHCP server does not provide addresses and you suspect that a configuration is missing. The server is connected to ge-0/0/8 and the hosts are connected to ge-0/0/7 through a switch. The server IP address is 192.18.24.38.
Referring to the exhibit, which two commands would be used to solve the problem? (Choose two.)
- A. set security zones security-zone trust interfaces ge-0/0/7 host-inbound-traffic system-services dhcp
- B. set security policies from-zone untrust to-zone trust policy DHCP-reply match destination-address 192.18.24.38
- C. set security policies from-zone trust to-zone untrust policy DHCP-request match source-address 192.18.24.38
- D. set security zones security-zone untrust interfaces ge-0/0/8 host-inbound-traffic system-services dhcp
Answer : AC
SRX Getting Started - Configure Global DHCP Relay Service
A: Specify DHCP as an allowed inbound service for each interface that is associated with DHCP. In the following example, DHCP is configured as an inbound service for ge-0/0/7. user@host# set security zones security-zone trust interfaces ge-0/0/7 host-inbound-traffic system-services dhcp
C: Make sure that you have a security policy that allows the session from the DHCP server to the DHCP client apart for the policy from trust to untrust.
Example:
user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match destination-address DHCP-server
References: https://kb.juniper.net/InfoCenter/index?page=content&id=KB15755&pmv=print&actp=LIST
Click the Exhibit button.
You configured a route-based VPN, but users complain that they cannot pass traffic through it.
Referring to the exhibit, what is causing the problem?
- A. The external interface should be ge-0/0/0.1.
- B. The local and remote proxy IDs do not match.
- C. The gateway is not configured properly.
- D. The name of the IKE policy should be the same as the IPsec policy.
Answer : A
Example configuration:
a. First, locate the IKE Gateway using 'show security ike'
root@siteA # show security ike
...
gateway gw-siteB { <---------
ike-policy ike-phase1-policy;
address 2.2.2.2;
external-interface ge-0/0/3.0;
}
b. Then locate the IPsec VPN for that IKE Gateway using 'show security ipsec' root@siteA # show security ipsec
...
vpn ike-vpn-siteB {
bind-interface st0.0;
ike {
gateway gw-siteB; <---------
proxy-identity {
local 192.168.2.0/24;
remote 192.168.1.0/24;
service any;
}
ipsec-policy ipsec-phase2-policy;
}
establish-tunnels immediately;
}
Incorrect:
B: Proxy IDs are not related to the problem.
C: The gateway configuration is fine.
D: The name of the IKE and the IPSec policy does not have to have the same name.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=search
LAN 1 and LAN 2 are experiencing network communication problems. While troubleshooting, you add one address book to a security policy. You must verify that the address book was added to the security policy.
Which command will accomplish this task?
- A. show security policies from-zone trust to-zone untrust policy-name address-book.
- B. show security policies from-zone trust to-zone untrust policy-name t-u count 1 start 1
- C. show security policies from-zone trust to-zone untrust policy-name internal-net detail
- D. show security policies from-zone trust to-zone untrust policy-name ipsubnets detail | except ip
Answer : C
[SRX] How to confirm the address book name in the security policy is correct?
An effective method for verifying the address name values is to use the 'detail' option in the 'show security policies' command: show security policies from-zone <zone> to-zone <zone> policy-name <policy> detail
Example:
root@SiteA> show security policies from-zone trust to-zone untrust policy-name internal-net detail
References:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB10141&actp=search
Click the Exhibit button.
A customer is using a destination NAT to a remote webserver, but the configuration is not working.
Referring to the exhibit, which configuration changes will resolve this problem?
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer : A
Example of working configuration:
user@host# show security nat
destination {
pool dst-nat-pool-1 {
address 192.168.1.200/32;
}
rule-set rs1 {
from interface ge-0/0/0.0;
rule r1 {
match {
destination-address 1.1.1.200/32;
}
then {
destination-nat pool dst-nat-pool-1;
}
}
}
}
References: http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/nat-security-destination-single-address-translation-configuring.html
Click the Exhibit button.
You are troubleshooting an IPsec VPN which is not establishing.
Which two issues would cause the message shown in the exhibit? (Choose two.)
- A. mismatched peer ID type
- B. Phase 2 proposal mismatch
- C. mismatched pre-shared key
- D. incorrect peer address
Answer : AB
Click the Exhibit button.
You recently configured a chassis cluster between two branch SRX Series devices and realize that the cluster is not functional, with node device status lost.
Referring to the exhibit, which two actions will correct this problem? (Choose two.)
- A. Confirm both devices are synchronized with the local NTP.
- B. Confirm that the software on both devices is the same Junos OS version.
- C. Confirm both devices are running with the same security policies.
- D. Confirm that the hardware on both devices is the same.
Answer : BD
Chassis Cluster prerequisites include:
B: The SOFTWARE on both standalone devices must be the same Junos OS version.
Verify using this command on both devices:
root> show version
Model: srx220h -
JUNOS Software Release [11.4R7.5]
D: Confirm that the HARDWARE on both devices is the same.
Verify using this command on both devices:
root@srx220> show chassis hardware detail
References: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21312&actp=search
Click the Exhibit button.
A customer has requested that you set up a dynamic VPN to allow users to reach the internal network. After running the configuration shown in the exhibit, users are sometimes unable to connect to the network. They cannot ping other IP addresses and they are getting IP conflicts within the network.
What must you change in the configuration to solve this problem?
- A. The dyn-vpn-address-pool network address needs to be an address book.
- B. The configuration is missing a secondary DNS.
- C. The dyn-vpn-address-pool network address needs to be configured on a separate subnet.
- D. The configuration needs to be applied to a different interface.
Answer : C
Such as at the 10.10.10.0/24 network.
Incorrect:
B: A secondary DNS is not required.
References:
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/example/vpn-security-dynamic-example-configuring.html
30 days access 