Practice Test
Version 4.0
QUESTION NO: 3
A. routers
B. interfaces
C. routing tables
D. NAT addresses
Answer: C
QUESTION NO: 2
Answer: B
QUESTION NO: 4
Which two steps are performed when configuring a zone? (Choose two.)
A. Define a policy for the zone.
QUESTION NO: 5
What are the two types of zones you can configure? (Choose two.)
A. system
B. trusted
C. functional
D. security
Answer: C,D
QUESTION NO: 6
QUESTION NO: 7
Answer: D
QUESTION NO: 8
QUESTION NO: 9
What is the purpose of a zone in the Junos OS?
Answer: C
QUESTION NO: 10
Which statement is correct for applying the SCREEN named protect to the Public zone?
QUESTION NO: 11
Answer: C
A. Option 1
B. Option 2
C. Option 3
D. Option 4
QUESTION NO: 12
QUESTION NO: 13
Which three IP option fields can an attacker exploit to cause problems in a network? (Choose three.)
Answer: A,B,E
QUESTION NO: 14
You want to configure a security policy that allows traffic to a particular host. Which step must you perform before committing a configuration with the policy?
A. Define a static route to the host.
B. Ensure that the router can ping the host.
C. Define an address book entry for the host.
D. Ensure that the router has an ARP entry for the host.
Answer: C
QUESTION NO: 15
After a security policy is applied, which CLI command output will display the policy index number?
A. show security policy-id
B. show security flow session summary
QUESTION NO: 16
Which two statements are true for an address book entry? (Choose two.)
A. An address book entry is defined within a security policy.
B. An address book entry is defined within a zone.
C. An address book entry is applied within a security policy.
D. An address book entry is applied within a zone.
Answer: B,C
QUESTION NO: 17
In the Junos OS, which command do you use to reorder security policies?
A. replace
B. rename
C. insert
D. before
Answer: C
QUESTION NO: 18
Which two statements describe the purpose of a security policy? (Choose two.)
A. It enables traffic counting and logging.
B. It enforces a set of rules for transit traffic.
C. It controls host inbound services on a zone.
D. It controls administrator rights to access the device.
Answer: A,B
QUESTION NO: 19
QUESTION NO: 20
Which three match criteria must each security policy include? (Choose three.)
A. source address
B. source port
C. destination address
D. destination port
E. application
Answer: A,C,E
QUESTION NO: 21
You are creating a destination NAT rule-set. Which two are valid for use with the from clause? (Choose two.)
A. security policy
B. interface
C. routing-instance
D. IP address
Answer: B,C
QUESTION NO: 22
Which statement is true regarding proxy ARP?
A. Proxy ARP is enabled by default on standalone Junos security devices.
B. Proxy ARP is enabled by default on high-available chassis clusters.
C. Junos security devices can forward ARP requests to a remote device when proxy ARP is enabled.
QUESTION NO: 23
Which statement is true about interface-based source NAT?
A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. IP addresses being translated must be in the same subnet as the egress interface.
Answer: A
QUESTION NO: 24
Which two statements are true about pool-based destination NAT? (Choose two.)
QUESTION NO: 25
Answer: A,C
QUESTION NO: 26
For a route-based VPN, which statement is true?
Answer: C
QUESTION NO: 27
Which statement is true about the relationship between IKE and IPsec SAs?
QUESTION NO: 28
Answer: A
QUESTION NO: 30
QUESTION NO: 31
Answer: A
You have been tasked with installing two SRX5600 platforms in a high-availability cluster. Which requirement must be met for a successful installation?
A. You must enable SPC detect within the configuration.
B. You must enable active-active failover for redundancy.
C. You must ensure all SPCs use the same slot placement.
D. You must configure auto-negotiation on the control ports of both devices.
Answer: C
QUESTION NO: 32
When applying the configuration in the exhibit and initializing a chassis cluster, which statement is correct?
"Pass Any Exam. Any Time." - www.actualtests.com
Answer: D
QUESTION NO: 33
Answer: A,C,E
QUESTION NO: 34
What are two interfaces created when enabling a chassis cluster? (Choose two.)
A. st0
B. fxp1
C. fab0
D. reth0
Answer: C,D
QUESTION NO: 36
QUESTION NO: 37
Answer: A,D
A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
Which two statements are true regarding firewall user authentication? (Choose two.)
A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the Junos security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote networks.
Answer: A,D
QUESTION NO: 38
Which two external authentication server types are supported by the Junos OS for firewall user authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Answer: A,C
QUESTION NO: 39
QUESTION NO: 40
Which type of logging is supported for UTM logging to an external syslog server on branch SRX Series devices?
A. binary syslog
B. CHARGEN
C. WELF (structured) syslog
D. standard (unstructured) syslog
Answer: C
Which two statements describe full file-based antivirus protection? (Choose two.)
A. By default, the signature database is updated every 60 minutes.
B. By default, the signature database is updated once daily.
C. The signature database targets only critical viruses and malware.
D. The signature database can detect polymorphic virus types.
Answer: A,D
QUESTION NO: 41
What would the configuration shown in the exhibit enforce?
QUESTION NO: 42
If the policy server becomes unreachable, which two actions are available for connections that should be inspected by Web filtering when using integrated or redirect Web filtering? (Choose two.)
A. Permit connections with logging.
QUESTION NO: 43
Which statement is true about blacklists?
A. Blacklists can be created by creating a url-pattern and then associating the url-pattern with a url-blacklist.
B. Blacklists can be created by creating a url-pattern and then associating the url-pattern with a custom-url-category and then associating the custom-url-category with a url-blacklist.
C. Blacklists are defined as a separate list and need not be associated with a URL category.
D. Blacklists can be associated with either a custom-url-category or a url-pattern.
Answer: C
QUESTION NO: 44
Answer: D
QUESTION NO: 45
Regarding attacks, which statement is correct?
A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.
B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy flood.
C. DoS attacks are directed at the network protection devices, while propagation attacks are directed at the servers.
D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take control of the devices.
QUESTION NO: 46
QUESTION NO: 48
A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.
QUESTION NO: 49
Answer: B
Answer: D
QUESTION NO: 50
Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)
A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. JUNOS Software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.
C. JUNOS Software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.
D. JUNOS Software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.
Answer: B,C
QUESTION NO: 51
Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)
A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. JUNOS Software for security platforms secures traffic by default; a traditional router does not secure traffic by default.
QUESTION NO: 52
A traditional router is better suited than a firewall device for which function?
A. VPN establishment
B. packet-based forwarding
C. stateful packet processing
D. Network Address Translation
Answer: B
QUESTION NO: 53
Which three functions are provided by JUNOS Software for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Answer: A,D,E
QUESTION NO: 54
What are two components of the JUNOS Software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes
Answer: B,C
QUESTION NO: 55
Which two functions of JUNOS Software are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Answer: A,D
QUESTION NO: 56
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host B. These connections are the only communication between Host A and Host B. The security policy configuration permits both connections.
How many flows exist between Host A and Host B?
A. 1
B. 2
C. 3
D. 4
Answer: D
QUESTION NO: 57
Which two statements about JUNOS Software packet handling are correct? (Choose two.)
A. JUNOS Software applies service ALGs only for the first packet of a flow.
B. JUNOS Software uses fast-path processing only for the first packet of a flow.
C. JUNOS Software performs route and policy lookup only for the first packet of a flow.
D. JUNOS Software applies SCREEN options for both first and consecutive packets of a flow.
Answer: C,D
QUESTION NO: 58
In JUNOS Software, which three packet elements can be inspected to determine if a session already exists? (Choose three.)
QUESTION NO: 59
By default, which condition would cause a session to be removed from the session table?
Answer: D
QUESTION NO: 60
Answer: B
A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes
QUESTION NO: 61
What is the purpose of a zone in JUNOS Software?
A. A zone defines a group of security devices with a common management.
B. A zone defines the geographic region in which the security device is deployed.
C. A zone defines a group of network segments with similar security requirements.
D. A zone defines a group of network segments with similar class-of-service requirements.
Answer: C
QUESTION NO: 63
    interface ge-0/0/3.0;
    interface ge-0/0/2.102;
}
blue {
    interface ge-0/0/0.0;
    interface ge-0/0/3.0;
}
D. [edit routing-instances]
user@host# show
red {
    interface ge-0/0/3.0;
    interface ge-0/0/3.102;
}
blue {
    interface ge-0/0/0.0;
    interface ge-0/0/2.0;
}
Answer: A,D
QUESTION NO: 64
Which two configuration options must be present for IPv4 transit traffic to pass between the ge-0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)
A. family inet
B. a security zone
C. a routing instance
D. host-inbound-traffic
Answer: A,B
QUESTION NO: 65
Which zone is a system-defined zone?
A. null zone
B. trust zone
C. untrust zone
D. management zone
QUESTION NO: 66
Which type of zone is used by traffic transiting the device?
A. transit zone
B. default zone
C. security zone
D. functional zone
Answer: C
QUESTION NO: 67
You want to allow your device to establish OSPF adjacencies with a neighboring device connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone.
Under which configuration hierarchy must you permit OSPF traffic?
Answer: D
QUESTION NO: 68
Which two statements regarding firewall user authentication client groups are true? (Choose two.)
A. Individual clients are configured under client groups in the configuration hierarchy.
B. Client groups are configured under individual clients in the configuration hierarchy.
C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.
D. Client groups are used to simplify configuration by enabling firewall user authentication without security policy.
Answer: B,C
QUESTION NO: 70
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that zone.
From the [edit] hierarchy, which command do you use to configure this assignment?
Answer: C
QUESTION NO: 71
You are not able to telnet to the interface IP address of your device from a PC on the same subnet.
What is causing the problem?
A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.
Answer: D
QUESTION NO: 72
Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?
Answer: D
QUESTION NO: 73
QUESTION NO: 74
QUESTION NO: 75
                bgp;
            }
        }
    }
}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    protocols {
        bgp;
    }
}
interfaces {
    all {
        host-inbound-traffic {
            protocols {
                ospf;
            }
        }
    }
}
Answer: C
QUESTION NO: 76
Click the Exhibit button.
interfaces {
    all;
}
host-inbound-traffic {
    system-services {
        all;
        ftp {
            except;
        }
    }
}
C. [edit security zones functional-zone management]
user@host# show
interfaces {
    all {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}
host-inbound-traffic {
    system-services {
        telnet;
        ssh;
    }
}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    system-services {
        ssh;
        ping;
        telnet;
    }
}
interfaces {
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-0/0/0.0;
}
Answer: D
[edit security]
user@host# show
zones {
    security-zone ZoneA {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
    }
    security-zone ZoneB {
        interfaces {
            ge-0/0/3.0;
        }
    }
}
policies {
    from-zone ZoneA to-zone ZoneB {
        policy A-to-B {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet connection to the device's ge-0/0/1.0 IP address.
What does the device do?
A. The device sends back a TCP reset packet.
B. The device silently discards the packet.
C. The device forwards the packet out the ge-0/0/1.0 interface.
QUESTION NO: 78
Which two commands can be used to monitor firewall user authentication? (Choose two.)
A. show access firewall-authentication
B. show security firewall-authentication users
C. show security audit log
D. show security firewall-authentication history
Answer: B,D
QUESTION NO: 79
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)
Answer: B,D
QUESTION NO: 80
Which two external authentication server types are supported by JUNOS Software for firewall user authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Answer: A,C
QUESTION NO: 81
Click the Exhibit button.
A. Telnet
B. OSPF
C. ICMP
D. RIP
Answer: A,C
QUESTION NO: 82
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.
Answer: C,D
QUESTION NO: 83
Which two statements about the use of SCREEN options are correct? (Choose two.)
QUESTION NO: 84
What are three main phases of an attack? (Choose three.)
A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance
Answer: B,C,E
QUESTION NO: 85
An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies. Which type of an attack does this scenario describe?
A. DoS
B. SYN flood
C. port scanning
D. IP address sweep
Answer: C
QUESTION NO: 86
Click the Exhibit button.
profile ftp-users {
    client nancy {
        firewall-user {
            password "$9$lJ8vLNdVYZUHKMi.PfzFcyrvX7"; ## SECRET-DATA
        }
    }
    client walter {
        firewall-user {
Given the configuration shown in the exhibit, which configuration object would be used to associate both Nancy and Walter with firewall user authentication within a security policy?
A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter
Answer: A
QUESTION NO: 87
Prior to applying SCREEN options to drop traffic, you want to determine how your configuration will affect traffic.
Which mechanism would you configure to achieve this objective?
A. the log option for the particular SCREEN option
B. the permit option for the particular SCREEN option
C. the SCREEN option, because it does not drop traffic by default
D. the alarm-without-drop option for the particular SCREEN option
Answer: D
QUESTION NO: 88
You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?
Answer: D
QUESTION NO: 89
You are required to configure a SCREEN option that enables IP source route option detection.
Which two configurations meet this requirement? (Choose two.)
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        loose-source-route-option;
        strict-source-route-option;
    }
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        source-route-option;
    }
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        record-route-option;
        security-option;
    }
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
    ip {
        strict-source-route-option;
        record-route-option;
    }
}
Answer: A,B
QUESTION NO: 90
Which parameters are valid SCREEN options for combating operating system probes?
A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag
Answer: C
QUESTION NO: 91
Which two firewall user authentication objects can be referenced in a security policy? (Choose two.)
QUESTION NO: 92
Which statement describes the behavior of a security policy?
Answer: C
QUESTION NO: 93
A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST. However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone.
Which configuration would correctly accomplish this task?
        }
        then {
            permit;
        }
    }
}
B. from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-telnet;
        }
        then {
            permit;
        }
    }
}
C. from-zone UNTRUST to-zone TRUST {
    policy AllowTelnetin {
        match {
            source-address the10net;
            destination-address Server;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
}
D. from-zone TRUST to-zone UNTRUST {
    policy DenyServer {
        match {
            source-address Server;
            destination-address any;
            application any;
        }
Answer: B
QUESTION NO: 94
Answer: B
QUESTION NO: 95
Which three advanced permit actions within security policies are valid? (Choose three.)
Answer: A,C,E
QUESTION NO: 96
Under which configuration hierarchy is an access profile configured for firewall user authentication?
A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]
Answer: A
Answer: C
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
            }
        }
        log {
            session-close;
        }
    }
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn VPN;
                log;
                count session-close;
            }
        }
    }
}
QUESTION NO: 98
You want to create a security policy allowing traffic from any host in the Trust zone to
hostb.example.com (172.19.1.1) in the Untrust zone.
How do you create this policy?
A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com.) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this entry in the policy.
QUESTION NO: 99
What is the purpose of an address book?
A. It holds security policies for particular hosts.
B. It holds statistics about traffic to and from particular hosts.
C. It defines hosts in a zone so they can be referenced by policies.
D. It maps hostnames to IP addresses to serve as a backup to DNS resolution.
Answer: C
Answer: C
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Answer: A
Answer: A
Using a policy with the policy-rematch flag enabled, what happens to the existing and new sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another policy. The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are completed or their timeout is reached.
Answer: A
Answer: B
Given the configuration shown in the exhibit, which two statements about traffic from host_a in the HR zone to host_b in the trust zone are true? (Choose two.)
A. DNS traffic is denied.
B. HTTP traffic is denied.
Answer: A,D
Answer: A,B
Which three methods of source NAT does JUNOS Software support? (Choose three.)
A. interface-based source NAT
B. source NAT with address shifting
C. source NAT using static source pool
D. interface-based source NAT without PAT
E. source NAT with address shifting and PAT
Answer: A,B,C
What are three configuration objects used to build JUNOS IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. detect objects
E. application objects
Answer: A,C,E
Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user authentication, the user must first open a connection to the JUNOS security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a connection to the JUNOS security platform before connecting to a remote network resource.
C. If a JUNOS security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.
D. If a JUNOS security device is configured for Web firewall user authentication, new sessions are automatically intercepted to perform authentication.
Answer: B,C
Answer: D
Which two statements about static NAT are true? (Choose two.)
Answer: B,D
Answer: D
}
B. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
            port no-translation;
        }
    }
}
C. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    port no-translation;
}
rule-set 1A {
    from zone trust;
    to zone untrust;
    rule 1 {
        match {
            source-address 10.1.10.0/24;
        }
        then {
            source-nat pool A;
        }
    }
}
D. [edit security nat source]
user@host# show
pool A {
    address {
        207.17.137.1/32 to 207.17.137.254/32;
    }
    overflow-pool interface;
Answer: C
user@host# show
pool A {
    address 10.1.10.5/32;
}
rule-set 1 {
    from zone untrust;
    rule 1A {
        match {
            destination-address 100.0.0.1/32;
        }
        then {
            destination-nat pool A;
        }
    }
}
Which type of source NAT is configured in the exhibit?
Answer: C
A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.
Answer: C
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,B,C
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,C,E
Answer: A,B
Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose two.)
A. In the DH key exchange process, the public key values are exchanged across the network.
B. In the DH key exchange process, the private key values are exchanged across the network.
C. In the DH key exchange process, each device creates unique public and private keys that are mathematically related by the DH algorithm.
D. In the DH key exchange process, each device creates a common public and a unique private key that are mathematically related by the DH algorithm.
Answer: A,B
Which three parameters are configured in the IKE policy? (Choose three.)
A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings
Answer: A,B,D
Regarding an IPsec security association (SA), which two statements are true? (Choose two.)
A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.
Answer: A,C
Which operational mode command displays all active IPsec phase 2 security associations?
Answer: A
Answer: C
A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)
Answer: A
Which two configuration elements are required for a route-based VPN? (Choose two.)
Answer: A,C
Answer: D
A. SSH
B. Telnet
C. ICMP
D. OSPF
E. HTTP
Answer: B,E
Which IDP policy action drops a packet before it can reach its destination, but does not close the connection?
A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet
Answer: D
Which two statements are true regarding high-availability chassis clustering? (Choose two.)
A. A chassis cluster consists of two devices.
B. A chassis cluster consists of two or more devices.
C. Devices participating in a chassis cluster can be different models.
D. Devices participating in a chassis cluster must be the same models.
Answer: A,D
Which three statements are true when working with high-availability clusters? (Choose three.)
Answer: C,D,E
You have been tasked with performing an update to the IDP attack database.
Which three requirements are included as part of this task? (Choose three.)
A. The IDP security package must be installed after it is downloaded.
B. The device must be rebooted to complete the update.
C. The device must be connected to a network.
D. An IDP license must be installed on your device.
E. You must be logged in as the root user.
Answer: A,C,D
Answer: C
When devices are in cluster mode, which new interfaces are created?
Answer: C
sts
Answer: D
A. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
Answer: B,C,E
Which three options represent IDP policy match conditions? (Choose three.)
Answer: B,D,E
A. protocol
B. source-address
C. port
D. application
E. attacks
What are three configuration objects used to build JUNOS IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects
Answer: A,C,E