Juniper JN0-332

JN0-332 Juniper Networks Certified Internet Specialist, SEC (JNCIS-SEC)

Practice Test
Version 4.0

Juniper JN0-332: Practice Exam


QUESTION NO: 1
To verify that traffic is being processed by the correct security policy, which CLI command displays
the policy name and the specific traffic processed by the policy?
A. show security flow session
B. show security utm content-filtering statistics
C. show security policies
D. show security status
Answer: A

QUESTION NO: 2
Which command produces the output shown in the exhibit?
A. show security sessions
B. show security flow
C. show security flow session
D. show security session log
Answer: C

QUESTION NO: 3
What does a zone contain?
A. routers
B. interfaces
C. routing tables
D. NAT addresses
Answer: B

QUESTION NO: 4
Which two steps are performed when configuring a zone? (Choose two.)
A. Define a policy for the zone.
B. Assign logical interfaces to the zone.
C. Assign physical interfaces to the zone.
D. Define the zone as a security or functional zone.
Answer: B,D

"Pass Any Exam. Any Time." - www.actualtests.com

QUESTION NO: 5
What are the two types of zones you can configure? (Choose two.)
A. system
B. trusted
C. functional
D. security
Answer: C,D

sts

QUESTION NO: 6
What is the purpose of configuring the host-inbound-traffic command on a zone?
A. to allow inbound Web authentication
B. to allow all outbound traffic on the untrust zone
C. to allow all inbound traffic on the untrust zone
D. to allow specified traffic that terminates on the device
Answer: D

QUESTION NO: 7
To which two zones can you add interfaces? (Choose two.)
A. system
B. security
C. functional
D. user
Answer: B,C

QUESTION NO: 8
Which statement is true about a logical interface?
A. A logical interface can belong to multiple zones.
B. A logical interface can belong to multiple routing instances.
C. A logical interface can belong to only one routing instance.
D. All logical interfaces in a routing instance must belong to a single zone.
Answer: C

QUESTION NO: 9
What is the purpose of a zone in the Junos OS?
A. A zone defines a group of security devices with a common management.
B. A zone defines the geographic region in which the security device is deployed.
C. A zone defines a group of network segments with similar security requirements.
D. A zone defines a group of network segments with similar class-of-service requirements.
Answer: C

QUESTION NO: 10
Which statement is correct for applying the SCREEN named protect to the Public zone?
A. Option 1
B. Option 2
C. Option 3
D. Option 4
Answer: C

QUESTION NO: 11
Where do you configure SCREEN options?
A. zones on which an attack might arrive
B. zones you want to protect from attack
C. interfaces on which an attack might arrive
D. interfaces you want to protect from attack
Answer: A

QUESTION NO: 12
What are two types of network reconnaissance attacks? (Choose two.)
A. IP address sweep
B. SYN flood
C. port scanning
D. SNMP polling request
Answer: A,C

QUESTION NO: 13
Which three IP option fields can an attacker exploit to cause problems in a network? (Choose three.)
A. loose source routing
B. timestamp
C. time-to-live
D. record route
E. DSCP
Answer: A,B,E

QUESTION NO: 14
You want to configure a security policy that allows traffic to a particular host. Which step must you perform before committing a configuration with the policy?
A. Define a static route to the host.
B. Ensure that the router can ping the host.
C. Define an address book entry for the host.
D. Ensure that the router has an ARP entry for the host.
Answer: C

QUESTION NO: 15
After a security policy is applied, which CLI command output will display the policy index number?
A. show security policy-id
B. show security flow session summary
C. show security monitoring
D. show security policies
Answer: D

QUESTION NO: 16
Which two statements are true for an address book entry? (Choose two.)
A. An address book entry is defined within a security policy.
B. An address book entry is defined within a zone.
C. An address book entry is applied within a security policy.
D. An address book entry is applied within a zone.
Answer: B,C

QUESTION NO: 17
In the Junos OS, which command do you use to reorder security policies?
A. replace
B. rename
C. insert
D. before
Answer: C

QUESTION NO: 18
Which two statements describe the purpose of a security policy? (Choose two.)
A. It enables traffic counting and logging.
B. It enforces a set of rules for transit traffic.
C. It controls host inbound services on a zone.
D. It controls administrator rights to access the device.
Answer: A,B

QUESTION NO: 19
Which two security policy actions are valid? (Choose two.)
A. deny
B. discard
C. reject
D. close
Answer: A,C

QUESTION NO: 20
Which three match criteria must each security policy include? (Choose three.)
A. source address
B. source port
C. destination address
D. destination port
E. application
Answer: A,C,E

QUESTION NO: 21
You are creating a destination NAT rule-set. Which two are valid for use with the from clause? (Choose two.)
A. security policy
B. interface
C. routing-instance
D. IP address
Answer: B,C

QUESTION NO: 22
Which statement is true regarding proxy ARP?
A. Proxy ARP is enabled by default on standalone Junos security devices.
B. Proxy ARP is enabled by default on high-available chassis clusters.
C. Junos security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. Junos security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.
Answer: D

QUESTION NO: 23
Which statement is true about interface-based source NAT?
A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. IP addresses being translated must be in the same subnet as the egress interface.
Answer: A

QUESTION NO: 24
Which two statements are true about pool-based destination NAT? (Choose two.)
A. It also supports PAT.
B. PAT is not supported.
C. It allows the use of an address pool.
D. It requires you to configure an address in the junos-global zone.
Answer: A,C

QUESTION NO: 25
Which operational command produces the output shown in the exhibit?
A. show security nat source rule
B. show route forwarding-table
C. show security nat source pool all
D. show security nat source summary
Answer: D

QUESTION NO: 26
For a route-based VPN, which statement is true?
A. host-inbound-traffic system services ike must be enabled on the st0.x interface.
B. host-inbound-traffic system services ike must be enabled on both the st0.x interface and the logical interface on which ike terminates.
C. host-inbound-traffic system services ike must be enabled on the logical interface on which ike terminates.
D. host-inbound-traffic system services ike is not mandatory for route based VPNs.
Answer: C

QUESTION NO: 27
Which statement is true about the relationship between IKE and IPsec SAs?
A. Two IPsec SAs can map to a single IKE SA.
B. Two IKE SAs can map to a single IPsec SA.
C. When an IKE SA times out, it also tears down the IPsec SA.
D. When an IPsec SA times out, it also tears down the IKE SA.
Answer: A

QUESTION NO: 28
Regarding secure tunnel (st) interfaces, which statement is true?
A. You cannot assign st interfaces to a security zone.
B. You cannot apply static NAT on an st interface logical unit.
C. st interfaces are optional when configuring a route-based VPN.
D. A static route can reference the st interface logical unit as the next-hop.
Answer: D

QUESTION NO: 29
You want each IPsec SA to be negotiated over a unique set of Diffie-Hellman exchanges so that even if the IKE key is compromised, subsequent IPsec SAs cannot be compromised.
Which IPsec feature would you activate?
A. main mode IKE exchange
B. aggressive mode IKE exchange
C. perfect forward secrecy
D. VPN monitor
Answer: C

QUESTION NO: 30
For IKE phase 1 negotiations, when is aggressive mode typically used?
A. when one of the tunnel peers has a dynamic IP address
B. when one of the tunnel peers wants to force main mode to be used
C. when fragmentation of the IKE packet is required between the two peers
D. when one of the tunnel peers wants to specify a different phase 1 proposal
Answer: A

QUESTION NO: 31
You have been tasked with installing two SRX5600 platforms in a high-availability cluster. Which requirement must be met for a successful installation?
A. You must enable SPC detect within the configuration.
B. You must enable active-active failover for redundancy.
C. You must ensure all SPCs use the same slot placement.
D. You must configure auto-negotiation on the control ports of both devices.
Answer: C

QUESTION NO: 32
When applying the configuration in the exhibit and initializing a chassis cluster, which statement is correct?
A. Three physical interfaces are redundant.
B. You must define an additional redundancy group.
C. node 0 will immediately become primary for redundancy group 1.
D. You must issue an operational command and reboot the system for the above configuration to take effect.
Answer: D

QUESTION NO: 33
What are three benefits of using chassis clustering? (Choose three.)
A. Provides stateful session failover for sessions.
B. Increases security capabilities for IPsec sessions.
C. Provides active-passive control and data plane redundancy.
D. Enables automated fast-reroute capabilities.
E. Synchronizes configuration files and session state.
Answer: A,C,E

QUESTION NO: 34
What are two interfaces created when enabling a chassis cluster? (Choose two.)
A. st0
B. fxp1
C. fab0
D. reth0
Answer: C,D


QUESTION NO: 35
Which three components can be downloaded and installed directly from Juniper Networks update server to an SRX Series device? (Choose three.)
A. signature package
B. PCRE package
C. detector engine
D. policy templates
E. dynamic attack detection package
Answer: A,C,D

QUESTION NO: 36
Which two statements are true regarding IDP? (Choose two.)
A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
Answer: A,D

QUESTION NO: 37
Which two statements are true regarding firewall user authentication? (Choose two.)
A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the Junos security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote networks.
Answer: A,D

QUESTION NO: 38
Which two external authentication server types are supported by the Junos OS for firewall user authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Answer: A,C

QUESTION NO: 39
Which type of logging is supported for UTM logging to an external syslog server on branch SRX Series devices?
A. binary syslog
B. CHARGEN
C. WELF (structured) syslog
D. standard (unstructured) syslog
Answer: C

QUESTION NO: 40
Which two statements describe full file-based antivirus protection? (Choose two.)
A. By default, the signature database is updated every 60 minutes.
B. By default, the signature database is updated once daily.
C. The signature database targets only critical viruses and malware.
D. The signature database can detect polymorphic virus types.
Answer: A,D

QUESTION NO: 41
What would the configuration shown in the exhibit enforce?
A. All traffic of MIME type video will be scanned.
B. All traffic of MIME type video will not be scanned.
C. All traffic of MIME type video/mpeg will be scanned.
D. All traffic of MIME type video/mpeg will not be scanned.
Answer: C

QUESTION NO: 42
If the policy server becomes unreachable, which two actions are available for connections that should be inspected by Web filtering when using integrated or redirect Web filtering? (Choose two.)
A. Permit connections with logging.
B. Drop connections.
C. Redirect connections to a different policy server.
D. Use the existing Web cache.
Answer: A,B

QUESTION NO: 43
Which statement is true about blacklists?
A. Blacklists can be created by creating a url-pattern and then associating the url-pattern with a url-blacklist.
B. Blacklists can be created by creating a url-pattern, then associating the url-pattern with a custom-url-category, and then associating the custom-url-category with a url-blacklist.
C. Blacklists are defined as a separate list and need not be associated with a URL category.
D. Blacklists can be associated with either a custom-url-category or a url-pattern.
Answer: C

QUESTION NO: 44
Regarding zone types, which statement is true?
A. You cannot assign an interface to a functional zone.
B. You can specify a functional zone in a security policy.
C. Security zones must have a scheduler applied.
D. You can use a security zone for traffic destined for the device itself.
Answer: D

QUESTION NO: 45
Regarding attacks, which statement is correct?
A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.
B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy flood.
C. DoS attacks are directed at the network protection devices, while propagation attacks are directed at the servers.
D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take control of the devices.
Answer: D

QUESTION NO: 46
Click the Exhibit button.

[edit schedulers]
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
start-time 07:00:00 stop-time 18:00:00;
}
thursday {
start-time 07:00:00 stop-time 18:00:00;
}}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}}}
scheduler-name now;
Based on the configuration shown in the exhibit, what are the actions of the security policy?
A. The policy will always permit transit packets and use the IPsec VPN myTunnel.
B. The policy will permit transit packets only on Monday, and use the IPsec VPN Mytunnel.
C. The policy will permit transit packets and use the IPsec VPN myTunnel all day Monday and
Wednesday 7am to 6pm, and Thursday 7am to 6pm.
D. The policy will always permit transit packets, but will only use the IPsec VPN myTunnel all
day Monday and Wednesday 7am to 6pm, and Thursday 7am to 6pm.
Answer: C

QUESTION NO: 47
Which two statements are true regarding proxy ARP? (Choose two.)
A. Proxy ARP is enabled by default.
B. Proxy ARP is not enabled by default.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is
enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when
proxy ARP is enabled.
Answer: B,D

QUESTION NO: 48
Which statement regarding the implementation of an IDP policy template is true?
A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.
Answer: B

QUESTION NO: 49
Click the Exhibit button.

[edit groups]
user@host# show
node0 {
system {
host-name NODE0;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}}}}}
node1 {
system {
host-name NODE1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.2/24;
}}}}}
In the exhibit, what is the function of the configuration statements?
A. This section is where you define all chassis clustering configuration.
B. This configuration is required for members of a chassis cluster to talk to each other.
C. You can apply this configuration in the chassis cluster to make configuration easier.
D. This section is where unique node configuration is applied.
Answer: D

QUESTION NO: 50
Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)
A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. JUNOS Software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.
C. JUNOS Software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.
D. JUNOS Software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.
Answer: B,C

QUESTION NO: 51
Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)
A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. JUNOS Software for security platforms secures traffic by default; a traditional router does not secure traffic by default.
C. JUNOS Software for security platforms allows for session-based forwarding; a traditional router uses packet-based forwarding.
D. JUNOS Software for security platforms separates broadcast domains; a traditional router does not separate broadcast domains.
Answer: B,C

QUESTION NO: 52
A traditional router is better suited than a firewall device for which function?
A. VPN establishment
B. packet-based forwarding
C. stateful packet processing
D. Network Address Translation
Answer: B

QUESTION NO: 53
Which three functions are provided by JUNOS Software for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Answer: A,D,E

QUESTION NO: 54
What are two components of the JUNOS Software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes
Answer: B,C

QUESTION NO: 55
Which two functions of JUNOS Software are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Answer: A,D

QUESTION NO: 56
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host B. These connections are the only communication between Host A and Host B. The security policy configuration permits both connections.
How many flows exist between Host A and Host B?
A. 1
B. 2
C. 3
D. 4
Answer: D

QUESTION NO: 57
Which two statements about JUNOS Software packet handling are correct? (Choose two.)
A. JUNOS Software applies service ALGs only for the first packet of a flow.
B. JUNOS Software uses fast-path processing only for the first packet of a flow.
C. JUNOS Software performs route and policy lookup only for the first packet of a flow.
D. JUNOS Software applies SCREEN options for both first and consecutive packets of a flow.
Answer: C,D

QUESTION NO: 58
In JUNOS Software, which three packet elements can be inspected to determine if a session already exists? (Choose three.)
A. IP protocol
B. IP time-to-live
C. source and destination IP address
D. source and destination MAC address
E. source and destination TCP/UDP port
Answer: A,C,E

QUESTION NO: 59
By default, which condition would cause a session to be removed from the session table?
A. Route entry for the session changed.
B. Security policy for the session changed.
C. The ARP table entry for the source IP address timed out.
D. No traffic matched the session during the timeout period.
Answer: D

QUESTION NO: 60
What is the default session timeout for UDP sessions?
A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes
Answer: B

QUESTION NO: 61
What is the purpose of a zone in JUNOS Software?
A. A zone defines a group of security devices with a common management.
B. A zone defines the geographic region in which the security device is deployed.
C. A zone defines a group of network segments with similar security requirements.
D. A zone defines a group of network segments with similar class-of-service requirements.
Answer: C

QUESTION NO: 62
Users can define policy to control traffic flow between which two components? (Choose two.)
A. from a zone to the device itself
B. from a zone to the same zone
C. from a zone to a different zone
D. from one interface to another interface
Answer: B,C

QUESTION NO: 63
Which two configurations are valid? (Choose two.)
A. [edit security zones]
user@host# show
security-zone red {
interfaces {
ge-0/0/1.0;
ge-0/0/3.0;
}}
security-zone blue {
interfaces {
ge-0/0/2.0;
ge-0/0/3.102;
}}
B. [edit security zones]
user@host# show
security-zone red {
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
}}
security-zone blue {
interfaces {
ge-0/0/1.0;
ge-0/0/3.0;
}}
C. [edit routing-instances]
user@host# show
red {
interface ge-0/0/3.0;
interface ge-0/0/2.102;
}
blue {
interface ge-0/0/0.0;
interface ge-0/0/3.0;
}
D. [edit routing-instances]
user@host# show
red {
interface ge-0/0/3.0;
interface ge-0/0/3.102;
}
blue {
interface ge-0/0/0.0;
interface ge-0/0/2.0;
}
Answer: A,D

QUESTION NO: 64
Which two configuration options must be present for IPv4 transit traffic to pass between the ge-0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)
A. family inet
B. a security zone
C. a routing instance
D. host-inbound-traffic
Answer: A,B

QUESTION NO: 65
Which zone is a system-defined zone?
A. null zone
B. trust zone
C. untrust zone
D. management zone
Answer: A

QUESTION NO: 66
Which type of zone is used by traffic transiting the device?
A. transit zone
B. default zone
C. security zone
D. functional zone
Answer: C

QUESTION NO: 67
You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone.
Under which configuration hierarchy must you permit OSPF traffic?
A. [edit security policies from-zone HR to-zone HR]
B. [edit security zones functional-zone management protocols]
C. [edit security zones protocol-zone HR host-inbound-traffic]
D. [edit security zones security-zone HR host-inbound-traffic protocols]
Answer: D

QUESTION NO: 68
Which two statements regarding firewall user authentication client groups are true? (Choose two.)
A. Individual clients are configured under client groups in the configuration hierarchy.
B. Client groups are configured under individual clients in the configuration hierarchy.
C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.
D. Client groups are used to simplify configuration by enabling firewall user authentication without security policy.
Answer: B,C

QUESTION NO: 69
You want to allow all hosts on interface ge-0/0/0.0 to be able to ping the device's ge-0/0/0.0 IP address.
Where do you configure this functionality?
A. [edit interfaces]
B. [edit security zones]
C. [edit system services]
D. [edit security interfaces]
Answer: B

QUESTION NO: 70
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone.
From the [edit] hierarchy, which command do you use to configure this assignment?
A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0
Answer: C

QUESTION NO: 71
You are not able to telnet to the interface IP address of your device from a PC on the same subnet.
What is causing the problem?
A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.
Answer: D

QUESTION NO: 72
Click the Exhibit button.

Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?
A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.
Answer: D

QUESTION NO: 73
Click the Exhibit button.

Based on the exhibit, client PC 192.168.10.10 cannot ping 1.1.1.2.
Which is a potential cause for this problem?
A. The untrust zone does not have a management policy configured.
B. The trust zone does not have ping enabled as a host-inbound-traffic service.
C. The security policy from the trust zone to the untrust zone does not permit ping.
D. No security policy exists for the ICMP reply packet from the untrust zone to the trust zone.
Answer: C

QUESTION NO: 74
Click the Exhibit button.

[edit security zones security-zone HR]
user@host# show
host-inbound-traffic {
system-services {
ping;
ssh;
https;
}}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}}}
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
ftp;
}}}
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
all;
ssh {
except;
}}}
}}
All system services have been enabled.
Given the configuration shown in the exhibit, which interface allows both ping and SSH traffic?
A. ge-0/0/0.0
B. ge-0/0/1.0
C. ge-0/0/2.0
D. ge-0/0/3.0
Answer: A

QUESTION NO: 75
Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : bgp ospf
Which configuration would result in the output shown in the exhibit?
A. [edit security zones functional-zone management]
user@host# show
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
protocols {
bgp;
ospf;
vrrp;
}}}}
host-inbound-traffic {
protocols {
all;
vrrp {
except;
}}}
B. [edit security zones functional-zone management]
user@host# show
host-inbound-traffic {
protocols {
bgp;
ospf;
}}
C. [edit security zones security-zone trust]
user@host# show
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
protocols {
ospf;
bgp;
}}}}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
protocols {
bgp;
}}
interfaces {
all {
host-inbound-traffic {
protocols {
ospf;
}}}}
Answer: C

QUESTION NO: 76
Click the Exhibit button.

user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : ping ssh telnet
Which configuration would result in the output shown in the exhibit?
A. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
ping;
telnet;
}}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
ssh;
telnet;
}}}}
B. [edit security zones functional-zone management]
user@host# show
interfaces {
all;
}
host-inbound-traffic {
system-services {
all;
ftp {
except;
}}}
C. [edit security zones functional-zone management]
user@host# show
interfaces {
all {
host-inbound-traffic {
system-services {
ping;
}}}}
host-inbound-traffic {
system-services {
telnet;
ssh;
}}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
ssh;
ping;
telnet;
}}
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
system-services {
ping;
}}}
ge-0/0/0.0;
}
Answer: D

QUESTION NO: 77

.co
sts
lTe

Ac

tua

[edit security]
user@host# show
zones {
security-zone ZoneA {
tcp-rst;
host-inbound-traffic {
system-services {
ping;
telnet;
}}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
}}
security-zone ZoneB {
interfaces {
ge-0/0/3.0;
}}}
policies {
from-zone ZoneA to-zone ZoneB {
policy A-to-B {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}}}}

Click the Exhibit button.

In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet
connection to the device's ge-0/0/1.0 IP address.
What does the device do?
A. The device sends back a TCP reset packet.
B. The device silently discards the packet.
C. The device forwards the packet out the ge-0/0/1.0 interface.
D. The device responds with a TCP SYN/ACK packet and opens the connection.
Answer: B

QUESTION NO: 78
Which two commands can be used to monitor firewall user authentication? (Choose two.)
A. show access firewall-authentication
B. show security firewall-authentication users
C. show security audit log
D. show security firewall-authentication history

Answer: B,D

QUESTION NO: 79
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)
A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is not performed.
D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is not performed.
Answer: B,D

QUESTION NO: 80
Which two external authentication server types are supported by JUNOS Software for
firewall user authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Answer: A,C

QUESTION NO: 81
Click the Exhibit button.

[edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
all;
}}
interfaces {
ge-0/0/0.0;
}
Referring to the exhibit, which two traffic types are permitted when the destination is the ge-0/0/0.0 IP address? (Choose two.)
A. Telnet
B. OSPF
C. ICMP
D. RIP
Answer: A,C

QUESTION NO: 82
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet
flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.
Answer: C,D

QUESTION NO: 83
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options offer protection against various attacks.
B. SCREEN options are deployed prior to route and policy processing in first path packet
processing.
C. SCREEN options are deployed at the ingress and egress sides of a packet flow.
D. When you deploy SCREEN options, you must take special care to protect OSPF.
Answer: A,B

QUESTION NO: 84
What are three main phases of an attack? (Choose three.)
A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance
Answer: B,C,E

QUESTION NO: 85
An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies.
Which type of attack does this scenario describe?
A. DoS
B. SYN flood
C. port scanning
D. IP address sweep
Answer: C

QUESTION NO: 86
Click the Exhibit button.
profile ftp-users {
client nancy {
firewall-user {
password "$9$lJ8vLNdVYZUHKMi.PfzFcyrvX7"; ## SECRET-DATA
}}
client walter {
firewall-user {
password "$9$a1UqfTQnApB36pBREKv4aJUk.5QF"; ## SECRET-DATA
}}
session-options {
client-group ftp-group;
}}
firewall-authentication {
pass-through {
default-profile ftp-users;
ftp {
banner {
login "JUNOS Rocks!";
}}}}

Given the configuration shown in the exhibit, which configuration object would be used to
associate both Nancy and Walter with firewall user authentication within a security policy?
A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter
Answer: A

QUESTION NO: 87
Prior to applying SCREEN options to drop traffic, you want to determine how your configuration
will affect traffic.
Which mechanism would you configure to achieve this objective?
A. the log option for the particular SCREEN option
B. the permit option for the particular SCREEN option
C. the SCREEN option, because it does not drop traffic by default
D. the alarm-without-drop option for the particular SCREEN option
Answer: D

QUESTION NO: 88
You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?
A. [edit security screen]
user@hostl# show
ids-option protectFromFlood {
icmp {
ip-sweep threshold 5000;
flood threshold 2000;
}}
B. [edit security screen]
user@hostl# show
ids-option protectFromFlood {
tcp {
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}}}
C. [edit security screen]
user@hostl# show
ids-option protectFromFlood {
udp {
flood threshold 5000;
}}
D. [edit security screen]
user@hostl# show
ids-option protectFromFlood {
limit-session {
source-ip-based 1200;
destination-ip-based 1200;
}}
Answer: D

QUESTION NO: 89
You are required to configure a SCREEN option that enables IP source route option
detection.
Which two configurations meet this requirement? (Choose two.)
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}}

Answer: A,B

QUESTION NO: 90
Which parameters are valid SCREEN options for combating operating system probes?
A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag
Answer: C

QUESTION NO: 91
Which two firewall user authentication objects can be referenced in a security policy?
(Choose two.)
A. access profile
B. client group
C. client
D. default profile
Answer: B,C

QUESTION NO: 92
Which statement describes the behavior of a security policy?
A. The implicit default security policy permits all traffic.
B. Traffic destined to the device itself always requires a security policy.
C. Traffic destined to the device's incoming interface does not require a security policy.
D. The factory-default configuration permits all traffic from all interfaces.
Answer: C

QUESTION NO: 93
A network administrator wants to permit Telnet traffic initiated from the address book entry
the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
However, the administrator does not want the server to be able to initiate any type of traffic
from the TRUST zone to the UNTRUST zone.
Which configuration would correctly accomplish this task?
A. from-zone UNTRUST to-zone TRUST {
policy DenyServer {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}}}
from-zone TRUST to-zone UNTRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}}}
B. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
deny;
}
}}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}}}
C. from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-ftp;
}
then {
permit;
}}}
D. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
permit;
}}}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}}}
Answer: B

QUESTION NO: 94
Click the Exhibit button.

[edit security policies]
user@host# show
from-zone trust to-zone untrust {
policy AllowHTTP {
match {
source-address HOSTA;
destination-address any;
application junos-ftp;
}
then {
permit;
}}
policy AllowHTTP2 {
match {
source-address any;
destination-address HOSTA;
application junos-http;
}
then {
permit;
}}
policy AllowHTTP3 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}}}
A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from
HOSTA and that HOSTA is in zone trust and HOSTB is in zone untrust.
What will happen to the traffic given the configuration in the exhibit?
A. The traffic will be permitted by policy AllowHTTP.
B. The traffic will be permitted by policy AllowHTTP3.
C. The traffic will be permitted by policy AllowHTTP2.
D. The traffic will be dropped as no policy match will be found.
Answer: B

QUESTION NO: 95
Which three advanced permit actions within security policies are valid? (Choose three.)
A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.
Answer: A,C,E

QUESTION NO: 96
Under which configuration hierarchy is an access profile configured for firewall user
authentication?
A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]
Answer: A

QUESTION NO: 97
Your task is to provision the JUNOS security platform to permit transit packets from the
Private zone to the External zone by using an IPsec VPN and log information at the time of
session close.
Which configuration meets this requirement?
A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-init;
}}}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}}
count {
session-close;
}}}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}}
log {
session-close;
}}}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
log;
count session-close;
}}}}
Answer: C

QUESTION NO: 98
You want to create a security policy allowing traffic from any host in the Trust zone to
hostb.example.com (172.19.1.1) in the Untrust zone.
How do you create this policy?
A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com.) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference
this entry in the policy.
D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference
this entry in the policy.
Answer: D

QUESTION NO: 99
What is the purpose of an address book?
A. It holds security policies for particular hosts.
B. It holds statistics about traffic to and from particular hosts.
C. It defines hosts in a zone so they can be referenced by policies.
D. It maps hostnames to IP addresses to serve as a backup to DNS resolution.
Answer: C

QUESTION NO: 100
Click the Exhibit button.
[edit schedulers]
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
start-time 07:00:00 stop-time 18:00:00;
}
thursday {
start-time 07:00:00 stop-time 18:00:00;
}}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}}}
scheduler-name now;
}
Based on the configuration shown in the exhibit, what will happen to the traffic matching the
security policy?
A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.
B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.
C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 7:00 am and 6:00 pm, and Thursdays between 7:00 am and 6:00 pm.
D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 6:01 pm and 6:59 am, and Thursdays between 6:01 pm and 6:59 am.
Answer: C

QUESTION NO: 101
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Answer: A

QUESTION NO: 102
Click the Exhibit button.
[edit security policies]
user@host# show
from-zone Private to-zone External {
policy MyTraffic {
match {
source-address myHosts;
destination-address ExtServers;
application [ junos-ftp junos-bgp ];
}
then {
permit {
tunnel {
ipsec-vpn vpnTunnel;
}}}}}
policy-rematch;
In the exhibit, you decided to change myHosts addresses.
What will happen to the new sessions matching the policy and in-progress sessions that had
already matched the policy?
A. New sessions will be evaluated. In-progress sessions will be re-evaluated.
B. New sessions will be evaluated. All in-progress sessions will continue.
C. New sessions will be evaluated. All in-progress sessions will be dropped.
D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will be re-evaluated and possibly dropped.
Answer: A

QUESTION NO: 103
Using a policy with the policy-rematch flag enabled, what happens to the existing and new
sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to carry any traffic, simply time out.
C. The new sessions matching the policy might be allowed through if they match another policy. The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are completed or their timeout is reached.
Answer: A

QUESTION NO: 104
Click the Exhibit button.
[edit security policies]
user@hostl# show
from-zone Private to-zone External {
policy MyTraffic {
match {
source-address myHosts;
destination-address ExtServers;
application [ junos-ftp junos-bgp ];
}
then {
permit {
tunnel {
ipsec-vpn vpnTunnel;
}}}}}
policy-rematch;
In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application
from the match condition of the policy MyTraffic.
What will happen to the existing FTP and BGP sessions?
A. The existing FTP and BGP sessions will continue.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be
dropped.
C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.
D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.
Answer: B

QUESTION NO: 105
Click the Exhibit button.
[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
match {
source-address subnet_a;
destination-address host_b;
application [ junos-telnet junos-ping ];
}
then {
reject;
}}
policy one {
match {
source-address host_a;
destination-address subnet_b;
application any;
}
then {
permit;
}}
host_a is in subnet_a and host_b is in subnet_b.
Given the configuration shown in the exhibit, which statement is true about traffic from host_a
to host_b?
A. DNS traffic is denied.
B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is permitted.
Answer: B

QUESTION NO: 106
Click the Exhibit button.

[edit security policies from-zone HR to-zone trust]
user@host# show
policy one {
match {
source-address any;
destination-address any;
application [ junos-http junos-ftp ];
}
then {
permit;
}}
policy two {
match {
source-address host_a;
destination-address host_b;
application [ junos-http junos-smtp ];
}
then {
deny;
}}
Assume the default-policy has not been configured.
Given the configuration shown in the exhibit, which two statements about traffic from host_a in the
HR zone to host_b in the trust zone are true? (Choose two.)
A. DNS traffic is denied.
B. HTTP traffic is denied.
C. FTP traffic is permitted.
D. SMTP traffic is permitted.
Answer: A,C

QUESTION NO: 107
What are two uses of NAT? (Choose two.)
A. conserving public IP addresses
B. allowing stateful packet inspection
C. preventing unauthorized connections from outside the network
D. allowing networks with overlapping private address space to communicate
Answer: A,D

QUESTION NO: 108
Which two are uses of NAT? (Choose two.)
A. enabling network migrations
B. conserving public IP addresses
C. allowing stateful packet inspection
D. preventing unauthorized connections from outside the network
Answer: A,B

QUESTION NO: 109
Which three methods of source NAT does JUNOS Software support? (Choose three.)
A. interface-based source NAT
B. source NAT with address shifting
C. source NAT using static source pool
D. interface-based source NAT without PAT
E. source NAT with address shifting and PAT
Answer: A,B,C

QUESTION NO: 110
Which statement describes the behavior of source NAT with address shifting?
A. Source NAT with address shifting translates both the source IP address and the source port of
a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP
address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same
translated IP address.
D. Source NAT with address shifting allows inbound connections to be initiated to the static source
pool IP addresses.
Answer: B

QUESTION NO: 111
What are three configuration objects used to build JUNOS IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. detect objects
E. application objects
Answer: A,C,E

QUESTION NO: 112
Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user authentication, the user must first open a
connection to the JUNOS security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a
connection to the JUNOS security platform before connecting to a remote network resource.
C. If a JUNOS security device is configured for pass-through firewall user authentication, new
sessions are automatically intercepted to perform authentication.
D. If a JUNOS security device is configured for Web firewall user authentication, new sessions are
automatically intercepted to perform authentication.
Answer: B,C

QUESTION NO: 113
Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address
and network mask of 71.33.252.17/24. A webserver with IP address 10.20.20.1 is running an
HTTP service on TCP port 8080. The webserver is attached to the ge-0/0/0.0 interface of your
device. You must use NAT to make the webserver reachable from the Internet using port
translation.
Which type of NAT must you configure?
A. source NAT with address shifting
B. pool-based source NAT
C. static destination NAT
D. pool-based destination NAT
Answer: D

QUESTION NO: 114
Which two statements about static NAT are true? (Choose two.)
A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. Dynamic NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.
Answer: B,D

QUESTION NO: 115
Which statement is true about source NAT?
A. Source NAT works only with source pools.
B. Destination NAT is required to translate the reply traffic.
C. Source NAT does not require a security policy to function.
D. The egress interface IP address can be used for source NAT.
Answer: D

QUESTION NO: 116
Which two statements are true about overflow pools? (Choose two.)
A. Overflow pools do not support PAT.
B. Overflow pools can not use the egress interface IP address for NAT.
C. Overflow pools must use PAT.
D. Overflow pools can contain the egress interface IP address or separate IP addresses.
Answer: C,D

QUESTION NO: 117
Which statement is true regarding proxy ARP?
A. Proxy ARP is enabled by default on stand-alone JUNOS security devices.
B. Proxy ARP is enabled by default on chassis clusters.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.
Answer: D

QUESTION NO: 118
Which configuration shows a pool-based source NAT without PAT?
A. [edit security nat source]
user@host# show
pool A {
address { 207.17.137.1/32 to 207.17.137.254/32;
}}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}}
}
B. [edit security nat source]
user@host# show
pool A {
address { 207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}}}
C. [edit security nat source]
user@host# show
pool A {
address {207.17.137.1/32 to 207.17.137.254/32;
}
port no-translation;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}}}
D. [edit security nat source]
user@host# show
pool A {
address {207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}}}

Answer: C

QUESTION NO: 119
Click the Exhibit button.
[edit security nat source]
user@host# show
rule-set 1 {
from interface ge-0/0/2.0;
to zone untrust;
rule 1A {
match {
destination-address 1.1.70.0/24;
}
then {
source-nat interface;
}}}
Which type of source NAT is configured in the exhibit?
A. interface-based source NAT
B. static source NAT
C. pool-based source NAT with PAT
D. pool-based source NAT without PAT
Answer: A

QUESTION NO: 120
Click the Exhibit button.
[edit security nat destination]
user@host# show
pool A {
address 10.1.10.5/32;
}
rule-set 1 {
from zone untrust;
rule 1A {
match {
destination-address 100.0.0.1/32;
}
then {
destination-nat pool A;
}}}
Which type of source NAT is configured in the exhibit?
A. static destination NAT
B. static source NAT
C. pool-based destination NAT without PAT
D. pool-based destination NAT with PAT
Answer: C

QUESTION NO: 121
Which statement is true about a NAT rule action of off?
A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.
Answer: C

QUESTION NO: 122
Which statement accurately describes firewall user authentication?
A. Firewall user authentication provides another layer of security in a network.
B. Firewall user authentication provides a means for accessing a JUNOS Software-based security
device.
C. Firewall user authentication enables session-based forwarding.
D. Firewall user authentication is used as a last resort security method in a network.
Answer: A

QUESTION NO: 123
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,B,C

QUESTION NO: 124
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,C,E

QUESTION NO: 125
Which two statements regarding asymmetric key encryption are true? (Choose two.)
A. The same key is used for encryption and decryption.
B. It is commonly used to create digital certificate signatures.
C. It uses two keys: one for encryption and a different key for decryption.
D. An attacker can decrypt data if the attacker captures the key used for encryption.
Answer: B,C

QUESTION NO: 126
Which two statements about the Diffie-Hellman (DH) key exchange process are correct?
(Choose two.)
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using
the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for
confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related,
ensuring higher security.

Answer: A,B

QUESTION NO: 127
Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose two.)
A. In the DH key exchange process, the public key values are exchanged across the network.
B. In the DH key exchange process, the private key values are exchanged across the network.
C. In the DH key exchange process, each device creates unique public and private keys that are mathematically related by the DH algorithm.
D. In the DH key exchange process, each device creates a common public and a unique private key that are mathematically related by the DH algorithm.
Answer: A,B

QUESTION NO: 128
Which three parameters are configured in the IKE policy? (Choose three.)
A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings
Answer: A,B,D

QUESTION NO: 129
Which two parameters are configured in IPsec policy? (Choose two.)
A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy
Answer: C,D

QUESTION NO: 130
Regarding an IPsec security association (SA), which two statements are true? (Choose two.)
A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.
Answer: A,C

QUESTION NO: 131
Which operational mode command displays all active IPsec phase 2 security associations?
A. show ike security-associations
B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations
Answer: D

QUESTION NO: 132
Two VPN peers are negotiating IKE phase 1 using main mode.
Which message pair in the negotiation contains the phase 1 proposal for the peers?
A. message 1 and 2
B. message 3 and 4
C. message 5 and 6
D. message 7 and 8
Answer: A

QUESTION NO: 133
Which attribute is required for all IKE phase 2 negotiations?
A. proxy-ID
B. preshared key
C. Diffie-Hellman group key
D. main or aggressive mode
Answer: A

QUESTION NO: 134
Which attribute is optional for IKE phase 2 negotiations?
A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)
Answer: C

QUESTION NO: 135
A route-based VPN is required for which scenario?
A. when the remote VPN peer is behind a NAT device
B. when multiple networks need to be reached across the tunnel and GRE cannot be used
C. when the remote VPN peer is a dialup or remote access client
D. when a dynamic routing protocol is required across the VPN and GRE cannot be used
Answer: D

QUESTION NO: 136
A policy-based IPsec VPN is ideal for which scenario?
A. when you want to conserve tunnel resources
B. when the remote peer is a dialup or remote access client
C. when you want to configure a tunnel policy with an action of deny
D. when a dynamic routing protocol such as OSPF must be sent across the VPN
Answer: B

QUESTION NO: 137
Regarding a route-based versus policy-based IPsec VPN, which statement is true?
A. A route-based VPN generally uses less resources than a policy-based VPN.
B. A route-based VPN cannot have a deny action in a policy; a policy-based VPN can have a deny action.
C. A route-based VPN is better suited for dialup or remote access compared to a policy-based VPN.
D. A route-based VPN uses a policy referencing the IPsec VPN; a policy-based VPN policy does not use a policy referencing the IPsec VPN.
Answer: A

QUESTION NO: 138
Which two configuration elements are required for a route-based VPN? (Choose two.)
A. secure tunnel interface
B. security policy to permit the IKE traffic
C. a route for the tunneled transit traffic
D. tunnel policy for transit traffic referencing the IPsec VPN
Answer: A,C

QUESTION NO: 139
Which two configuration elements are required for a policy-based VPN? (Choose two.)
A. IKE gateway
B. secure tunnel interface
C. security policy to permit the IKE traffic
D. security policy referencing the IPsec VPN tunnel

"Pass Any Exam. Any Time." - www.actualtests.com

61

Juniper JN0-332: Practice Exam


Answer: A,D

QUESTION NO: 140
Click the Exhibit button.

[edit security policies from-zone trust to-zone untrust]
user@host# show
policy tunnel-traffic {
    match {
        source-address local-net;
        destination-address remote-net;
        application any;
    }
    then {
        permit;
    }
}

You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?
A. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel remote-vpn
B. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn
C. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn
D. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D

QUESTION NO: 141
Click the Exhibit button.

[edit security policies from-zone trust to-zone untrust]
user@host# show
policy tunnel-traffic {
    match {
        source-address local-net;
        destination-address remote-net;
        application any;
    }
    then {
        permit;
    }
}

Which command is needed to change this policy to a tunnel policy for a policy-based VPN?
A. set policy tunnel-traffic then tunnel remote-vpn
B. set policy tunnel-traffic then permit tunnel remote-vpn
C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit
D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D

QUESTION NO: 142
Click the Exhibit button.

[edit security]
user@host# show
ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
    }
    gateway remote-ike {
        ike-policy ike-policy1;
        address 172.19.51.170;
        external-interface ge-0/0/3.0;
    }
}
ipsec {
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn remote-vpn {
        ike {
            gateway remote-ike;
            ipsec-policy vpn-policy1;
        }
    }
}

Assuming you want to configure a route-based VPN, which command is required to bind the VPN to secure tunnel interface st0.0?
A. set ipsec vpn remote-vpn bind-interface st0.0
B. set ike gateway remote-ike bind-interface st0.0
C. set ike policy ike-policy1 bind-interface st0.0
D. set ipsec policy vpn-policy1 bind-interface st0.0
Answer: A

QUESTION NO: 143
Which two traffic types trigger pass-through firewall user authentication? (Choose two.)
A. SSH
B. Telnet
C. ICMP
D. OSPF
E. HTTP
Answer: B,E

sts

QUESTION NO: 144
Which IDP policy action drops a packet before it can reach its destination, but does not close the connection?
A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet
Answer: D

QUESTION NO: 145
Which two statements are true regarding high-availability chassis clustering? (Choose two.)
A. A chassis cluster consists of two devices.
B. A chassis cluster consists of two or more devices.
C. Devices participating in a chassis cluster can be different models.
D. Devices participating in a chassis cluster must be the same models.
Answer: A,D

QUESTION NO: 146
You are implementing an IDP policy template from Juniper Networks.
Which three steps are included in this process? (Choose three.)
A. activating a JUNOS Software commit script
B. configuring an IDP groups statement
C. setting up a chassis cluster
D. downloading the IDP policy templates
E. installing the policy templates
Answer: A,D,E

QUESTION NO: 147
Which three statements are true when working with high-availability clusters? (Choose three.)
A. The valid cluster-id range is between 0 and 255.
B. JUNOS security devices can belong to more than one cluster if cluster virtualization is enabled.
C. If the cluster-id value is set to 0 on a JUNOS security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. JUNOS security devices can belong to one cluster only.
Answer: C,D,E

QUESTION NO: 148
You have been tasked with performing an update to the IDP attack database.
Which three requirements are included as part of this task? (Choose three.)
A. The IDP security package must be installed after it is downloaded.
B. The device must be rebooted to complete the update.
C. The device must be connected to a network.
D. An IDP license must be installed on your device.
E. You must be logged in as the root user.
Answer: A,C,D

QUESTION NO: 149
What is a redundancy group in JUNOS Software?
A. a set of chassis clusters that fail over as a group
B. a set of devices that participate in a chassis cluster
C. a set of VRRP neighbors that fail over as a group
D. a set of chassis cluster objects that fail over as a group
Answer: D

QUESTION NO: 150
What is the functionality of redundant interfaces (reth) in a chassis cluster?
A. reth interfaces are used only for VRRP.
B. reth interfaces are the same as physical interfaces.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.
D. Each cluster member has a reth interface that can be used to share session state information with the other cluster members.
Answer: C

QUESTION NO: 151
When devices are in cluster mode, which new interfaces are created?
A. No new interface is created.
B. Only the st interface is created.
C. fxp1, fab0, and fab1 are created.
D. st, fxp1, reth, fab0, and fab1 are created.
Answer: C

QUESTION NO: 152
In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?
A. This interface is a system-created interface.
B. This interface belongs to node 0 of the cluster.
C. This interface belongs to node 1 of the cluster.
D. This interface will not exist because SRX 5800 devices have only 12 slots.
Answer: C

QUESTION NO: 153
Which IDP policy action closes the connection and sends an RST packet to both the client and the server?
A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session
Answer: C

QUESTION NO: 154
Which statement is true regarding redundancy groups?
A. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
Answer: D
QUESTION NO: 155
Which two statements are true regarding redundancy groups? (Choose two.)
A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
Answer: A,C

QUESTION NO: 156
Which three options represent IDP policy match conditions? (Choose three.)
A. service
B. to-zone
C. attacks
D. port
E. destination-address
Answer: B,C,E

QUESTION NO: 157
Which three options represent IDP policy match conditions? (Choose three.)
A. protocol
B. source-address
C. port
D. application
E. attacks
Answer: B,D,E

QUESTION NO: 158
What are three configuration objects used to build JUNOS IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects
Answer: A,C,E
