Q71. Which feature is used for layer 2 bridging on an SRX Series device?

A. route mode

B. packet mode

C. transparent mode

D. MPLS mode

Answer: C


Q72. Click the Exhibit button.

-- Exhibit --

You receive complaints from users that their Web browsing sessions keep dropping prematurely. Upon investigation, you find that the IDP policy shown in the exhibit is detecting the users' sessions as HTTP:WIN-CMD:WIN-CMD-EXE attacks, even though their sessions are not actual attacks. You must allow these sessions but still inspect for all other relevant attacks.

How would you configure your SRX device to meet this goal?

A. Create a new security policy that allows HTTP for all users and does not apply IDP.

B. Modify the security policy to add an application exception.

C. Modify the IDP policy to delete this particular attack from the IDP rulebase.

D. Modify the IDP policy to add an exempt rulebase rule to not inspect for this attack.

Answer: D


Q73. Click the Exhibit button.

root@host# show system login
user user {
    uid 2000;
    class operator;
    authentication {
        encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA
    }
}

An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down. The administrator is a contractor and has the permissions on the SRX Series device as shown in the exhibit.

Which command set would allow the administrator to troubleshoot the cause for the VPN being down?

A. set security ipsec traceoptions file ipsec
   set security ipsec traceoptions flag security-associations

B. set security ike traceoptions file ike
   set security ike traceoptions flag ike

C. request security pki verify-integrity-status

D. request security ike debug-enable local <ip of the local gateway> remote <ip of the remote gateway>

Answer: C


Q74. HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?

A. [edit security flow]
user@srx# show
traceoptions {
    file dump;
    flag basic-datapath;
}

B. [edit security]
user@srx# show
application-tracking {
    enable;
}
flow {
    traceoptions {
        file dump;
        flag basic-datapath;
    }
}

C. [edit firewall filter capture term one]
user@srx# show
from {
    source-address {
        1.1.1.1;
    }
    destination-address {
        2.2.2.2;
    }
    protocol tcp;
}
then {
    port-mirror;
    accept;
}

D. [edit firewall filter capture term one]
user@srx# show
from {
    source-address {
        1.1.1.1;
    }
    destination-address {
        2.2.2.2;
    }
    protocol tcp;
}
then {
    sample;
    accept;
}

Answer: D

Explanation: Reference: http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/


Q75. Click the Exhibit button.

[edit]
user@host# run show log debug
Feb3 22:04:32 22:04:31.983991:CID-0:RT:ge-0/0/1.0:5.0.0.25/59028->25.0.0.25/23, tcp, flag 18
Feb3 22:04:32 22:04:31.983997:CID-0:RT: find flow: table 0x582738c0, hash 53561(0xffff), sa 5.0.0.25, da 5.0.0.25, sp 59028, dp 23, proto 6, tok 20489
Feb3 22:04:32 22:04:31.984004:CID-0:RT:Found: session id 0x14f98. sess tok 20489
Feb3 22:04:32 22:04:31.984005:CID-0:RT: flow got session.
Feb3 22:04:32 22:04:31.984006:CID-0:RT: flow session id 85912
Feb3 22:04:32 22:04:31.984009:CID-0:RT: vector bits 0x2 vector 0x53a949e8
Feb3 22:04:32 22:04:31.984012:CID-0:RT: tcp sec check.
Feb3 22:04:32 22:04:31.984015:CID-0:RT:mbuf 0x4a82cd80, exit nh 0xa0010

Which two statements are true regarding the output shown in the exhibit? (Choose two.)

A. The outgoing interface is ge-0/0/1.0.

B. The packet is subject to fast-path packet processing.

C. The packet is part of the first-packet path processing.

D. TCP sequence checking is enabled.

Answer: C,D


Q76. You configured a custom signature attack object to match specific components of an attack:

HTTP-request

Pattern .*\x90 90 90 … 90

Direction: client-to-server

Which client traffic would be identified as an attack?

A. HTTP GET .*\x90 90 90 … 90

B. HTTP POST .*\x90 90 90 … 90

C. HTTP GET .*x909090 … 90

D. HTTP POST .*x909090 … 90

Answer: A

Explanation: Reference: http://www.juniper.net/techpubs/en_US//idp/topics/task/configuration/intrusion-detection-prevention-signature-attack-object-creating-nsm.html


Q77. You have an existing group VPN established in your internal network using the group-id 1. You have been asked to configure a second group using the group-id 2. You must ensure that the key server for group 1 participates in group 2 but is not the key server for that group.

Which statement is correct regarding the group configuration on the current key server for group 1?

A. You must configure both groups at the [edit security ipsec vpn] hierarchy.

B. You must configure both groups at the [edit security group-vpn member] hierarchy.

C. You must configure both groups at the [edit security ike] hierarchy.

D. You must configure both groups at the [edit security group-vpn] hierarchy.

Answer: D

Explanation: Reference: http://www.jnpr.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-45791.html


Q78. What are two intrusion protection mechanisms available on SRX Series Services Gateways? (Choose two.)

A. routing update detection

B. traffic anomaly detection

C. NAT anomaly protection

D. DoS protection

Answer: B,D

Explanation:

The Juniper IPS system provides traffic anomaly detection and protection against DoS/DDoS attacks. Reference: http://www.juniper.net/in/en/products-services/software/router-services/ips/


Q79. You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s.

Regarding this scenario, which two statements are true? (Choose two.)

A. You must enable data plane logging on the SRX240 devices to generate security policy logs.

B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.

C. IKE logs are written to the kmd log file by default.

D. IPsec logs are written to the kmd log file by default.

Answer: B,D

Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506

http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf


Q80. Click the Exhibit button.

-- Exhibit --

Referring to the topology shown in the exhibit, which two configuration tasks will allow Host A to telnet to the public IP address associated with Server B? (Choose two.)

A. Configure transparent mode to bypass the NAT processing of Server B's public IP address.

B. Configure a stateless filter redirecting local traffic destined to Server B's public IP address.

C. Configure a destination NAT rule that matches local traffic destined to Server B's public IP address.

D. Configure a source NAT rule that matches local traffic destined to Server B's public IP address.

Answer: C,D

Explanation:

In this scenario we have a host that must be accessible on the Internet by one address but be translated to another address when it initiates connections out to the Internet. So we need to combine source and destination NAT.

Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#destination_nat