While attempting to commit a configuration for a new address book, you received the error message shown below.
Zone specific address books are not allowed when there are global address books defined
error: commit failed: (statements constraint check failed)
Answer : D
Zone specific address books are not allowed when there are global address books defined.
References:
http://rtoodtoo.net/address-books-explained/
Click the Exhibit button.
Answer : A
Now we must change it to juniper-enhanced as below
[edit security utm feature-profile web-filtering]
root@srx# set type juniper-enhanced
References: http://rtoodtoo.net/srx-utm-web-wiltering/
Click the Exhibit button.
Answer : A
To send security policy logs to a file named traffic-log on the SRX Series device:
user@host# set system syslog file traffic-log any any
user@host# set system syslog file traffic-log match "RT_FLOW_SESSION"
In the example above, traffic log messages are sent to a separate log file named traffic-log. The severity level is set to any so that the traffic log messages are captured. Only log messages that match RT_FLOW_SESSION, which identifies traffic log messages, are sent to the traffic-log file.
References:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=search
Click the Exhibit button.
Answer : A
You have deployed AppID on your SRX Series device. You want to block all HTTP connections. However, there is a packet-monitoring device that shows the SRX Series device is still allowing some packets through to the webservers on TCP port 80.
In this scenario, which statement is correct?
Answer : C
Note: The APPID (application identification) feature is a Junos OS feature that identifies applications as constituents of application groups in TCP/UDP/ICMP traffic.
References: http://www.juniper.net/techpubs/en_US/junos-mobility12.1/topics/concept/pcef-app-id-overview.html
Click the Exhibit button.
Answer : A
The "Source address or address_set not found" error message indicates that we need to create address book entries for 192.168.1.1 and 192.168.1.2.
Click the Exhibit button.
Answer : A
Users begin complaining that they are not able to access resources. You start your troubleshooting by reviewing the security associations.
Which two methods would you use to troubleshoot this problem? (Choose two.)
Answer : AB
A: To view information about IKE security associations (SAs), select Monitor > IPSec VPN > IKE Gateway in the J-Web user interface.
Cryptography is used to secure exchanges between peers during the IKE Phase 2 negotiations.
B: The show security ike security-associations command displays information about Internet Key Exchange security associations (IKE SAs).
References:
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/task/verification/security-vpn-monitoring.html
http://www.juniper.net/documentation/en_US/junos12.1x47/topics/reference/command-summary/show-security-ike-security-associations.html
Click the Exhibit button.
Answer : AC
SRX Getting Started - Configure Global DHCP Relay Service
A: Specify DHCP as an allowed inbound service for each interface that is associated with DHCP. In the following example, DHCP is configured as an inbound service for ge-0/0/7.
user@host# set security zones security-zone trust interfaces ge-0/0/7 host-inbound-traffic system-services dhcp
C: Make sure that you have a security policy that allows the session from the DHCP server to the DHCP client, apart from the policy from trust to untrust.
Example:
user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match destination-address DHCP-server
References: https://kb.juniper.net/InfoCenter/index?page=content&id=KB15755&pmv=print&actp=LIST
Click the Exhibit button.
Answer : A
Example configuration:
a. First, locate the IKE Gateway using 'show security ike'
root@siteA # show security ike
...
gateway gw-siteB { <---------
    ike-policy ike-phase1-policy;
    address 2.2.2.2;
    external-interface ge-0/0/3.0;
}
b. Then locate the IPsec VPN for that IKE Gateway using 'show security ipsec'
root@siteA # show security ipsec
...
vpn ike-vpn-siteB {
    bind-interface st0.0;
    ike {
        gateway gw-siteB; <---------
        proxy-identity {
            local 192.168.2.0/24;
            remote 192.168.1.0/24;
            service any;
        }
        ipsec-policy ipsec-phase2-policy;
    }
    establish-tunnels immediately;
}
Incorrect:
B: Proxy IDs are not related to the problem.
C: The gateway configuration is fine.
D: The IKE policy and the IPsec policy do not have to have the same name.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=search
LAN 1 and LAN 2 are experiencing network communication problems. While troubleshooting, you add one address book to a security policy. You must verify that the address book was added to the security policy.
Which command will accomplish this task?
Answer : C
[SRX] How to confirm the address book name in the security policy is correct?
An effective method for verifying the address name values is to use the 'detail' option in the 'show security policies' command:
show security policies from-zone <zone> to-zone <zone> policy-name <policy> detail
Example:
root@SiteA> show security policies from-zone trust to-zone untrust policy-name internal-net detail
References:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB10141&actp=search
Click the Exhibit button.
Answer : A
Example of working configuration:
user@host# show security nat
destination {
    pool dst-nat-pool-1 {
        address 192.168.1.200/32;
    }
    rule-set rs1 {
        from interface ge-0/0/0.0;
        rule r1 {
            match {
                destination-address 1.1.1.200/32;
            }
            then {
                destination-nat pool dst-nat-pool-1;
            }
        }
    }
}
References: http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/nat-security-destination-single-address-translation-configuring.html
Click the Exhibit button.
Answer : AB
Click the Exhibit button.
Answer : BD
Chassis Cluster prerequisites include:
B: The SOFTWARE on both standalone devices must be the same Junos OS version.
Verify using this command on both devices:
root> show version
Model: srx220h -
JUNOS Software Release [11.4R7.5]
D: Confirm that the HARDWARE on both devices is the same.
Verify using this command on both devices:
root@srx220> show chassis hardware detail
References: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21312&actp=search
Click the Exhibit button.
Answer : C
Such as at the 10.10.10.0/24 network.
Incorrect:
B: A secondary DNS is not required.
References:
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/example/vpn-security-dynamic-example-configuring.html