Guaranteed JN0-633 exam materials and testing software for the Juniper Security, Professional (JNCIP-SEC) certification. Real success guaranteed with updated JN0-633 PDF dumps and VCE materials. 100% pass the Security, Professional (JNCIP-SEC) exam today!

Q91. Which statement is true about NAT?

A. When you implement destination NAT, the router does not apply ALG services.

B. When you implement destination NAT, the router skips source NAT rules for the initiating traffic flow.

C. When you implement static NAT, each packet must go through a route lookup.

D. When you implement static NAT, the router skips destination NAT rules for the initiating traffic flow.

Answer: D

Explanation: The NAT type determines the order in which NAT rules are processed. During the first packet processing for a flow, NAT rules are applied in the following order:

✑ Static NAT rules

✑ Destination NAT rules

✑ Route lookup

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42804.html


Q92. You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote user. Regarding this scenario, which three statements are correct? (Choose three.)

A. You must use preshared keys.

B. IKE aggressive mode must be used.

C. Only predefined proposal sets can be used.

D. Only policy-based VPNs are supported.

E. You can use all methods of encryption.

Answer: A,B,D

Explanation: Reference: http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-v12.pdf


Q93. Click the Exhibit button.

-- Exhibit (not reproduced) --

Referring to the exhibit, which feature allows the hosts in the Trust and DMZ zones to route to either ISP, based on source address?

A. source NAT

B. static NAT

C. filter-based forwarding

D. source-based routing

Answer:

Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.2/topics/example/logical-systems-filter-based-forwarding.html


Q94. Click the Exhibit button.

-- Exhibit (not reproduced) --

Referring to the exhibit, the session close log was generated by the application firewall rule set HTTP.

Why did the session close?

A. The application identification engine was unable to determine which application was in use, which caused the SRX device to close the session.

B. The host with the IP address of 192.168.1.123 received a TCP segment with the FIN flag set from the host with the IP address of 65.197.244.218.

C. The SRX device was unable to determine the user and role in the allotted time, which caused the session to close.

D. The host with the IP address of 192.168.1.123 sent a TCP segment with the FIN flag set to the host with the IP address of 65.197.244.218.

Answer:

Explanation: Reference: http://netscreen.com/techpubs/software/junos/junos92/syslog-messages/download/rt.pdf


Q95. What are three techniques to mark DSCP values on an SRX Series device? (Choose three.)

A. IDP attack action-based DSCP rewriters

B. 802.1Q

C. VLAN rewrite

D. ALG-based DSCP rewriters

E. Layer 7 application-based DSCP rewriters

Answer: A,D,E


Q96. Click the Exhibit button.

-- Exhibit (not reproduced) --

TCP traffic sourced from Host A destined for Host B is being redirected using filter-based forwarding to use the Red network. However, return traffic from Host B destined for Host A is using the Blue network and getting dropped by the SRX device.

Which action will resolve the issue?

A. Enable asynchronous-routing under the Blue zone.

B. Configure ge-0/0/1 to belong to the Red zone.

C. Disable RPF checking.

D. Disable TCP sequence checking.

Answer: B

Explanation: Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21046


Q97. Click the Exhibit button.

-- Exhibit (not reproduced) --

Referring to the exhibit, AppTrack is only logging the session closure messages for sessions that last 1 to 3 minutes.

What is causing this behavior?

A. AppTrack is not properly configured under the [edit security application-tracking] hierarchy.

B. AppTrack only generates session update messages.

C. AppTrack only generates session closure messages.

D. AppTrack generates other messages only when the update interval is surpassed.

Answer: D

Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45952.html


Q98. You are responding to a proposal request from an enterprise with multiple branch offices. All branch offices connect to a single SRX device at a centralized location. The request requires each office to be segregated on the central SRX device with separate IP networks and security considerations. No single office should be able to starve the CPU from other branch offices on the central SRX device due to the number of flow sessions. However, connectivity between offices must be maintained. Which three features are required to accomplish this goal? (Choose three.)

A. Logical Systems

B. Interconnect Logical System

C. Virtual Tunnel Interface

D. Logical Tunnel Interface

E. Virtual Routing Instance

Answer: A,B,D

Explanation: References:

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/logical-systems-interfaces.html

http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/logical-systems-config/index.html?topic-57390.html


Q99. Click the Exhibit button.

[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3289542  UP     48d928408940de28  e418fc7702fe483b  Main  172.31.50.1
3289543  UP     eb45940484082b14  428086b100427326  Main  10.10.50.1

[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec security-associations
Total active tunnels: 2
ID       Algorithm     SPI       Life:sec/kb  Mon  lsys  Port  Gateway
<131073  ESP:des/sha1  6d40899b  1360/ unlim  -    root  500   10.10.50.1
>131073  ESP:des/sha1  5a89400e  1360/ unlim  -    root  500   10.10.50.1
<131074  ESP:des/sha1  c04046f   1359/ unlim  -    root  500   172.31.50.1
>131074  ESP:des/sha1  5508946c  1359/ unlim  -    root  500   172.31.50.1

[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address     Interface  State  ID          Pri  Dead
10.40.60.1  st0.0      Init   10.30.50.1  128  35
10.40.60.2  st0.0      Full   10.30.50.1  128  31

[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;

You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.

What would you do to resolve this problem?

A. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.

B. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.

C. Configure the st0.0 interface under OSPF as a point-to-point interface.

D. Configure the st0.0 interface under OSPF as an unnumbered interface.

Answer: B


Q100. Click the Exhibit button.

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:<1.1.1.100/51303->1.1.1.30/3389;6> matched filter MatchTraffic:
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:packet [48] ipid = 5015, @423d7e9e
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x423d7d00
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow process pak fast ifl 72 in_ifp fe-0/0/7.0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: fe-0/0/7.0:1.1.1.100/51303->1.1.1.30/3389, tcp, flag 2 syn
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: find flow: table 0x5258d7b0, hash 17008(0xffff), sa 1.1.1.100, da 1.1.1.30, sp 51303, dp 3389, proto 6, tok 448
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_create_session
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr 1.1.1.30, sp 51303, dp 3389
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_rule_dst_xlate: packet 1.1.1.100->1.1.1.30 nsp2 0.0.0.0->192.168.224.30.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_routing: call flow_route_lookup() src_ip 1.1.1.100, x_dst_ip 192.168.224.30, in ifp fe-0/0/7.0, out ifp N/A sp 51303, dp 3389, ip_proto 6, tos 0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: routed (x_dst_ip 192.168.224.30) from untrust (fe-0/0/7.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.224.30
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy search from zone untrust-> zone trust
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy has timeout 900
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: app 0, timeout 1800s, curr ageout 20s
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(51303) to 192.168.224.30(3389) returns status 1, rule/pool id 1/2.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: dip id = 2/0, 1.1.1.100/51303->192.168.224.3/48810
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 192.168.224.30, rtt_idx:0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 0, policy 9, app_svc_en 0, flags 0x2. not interested
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 1, policy 9, app_svc_en 0, flags 0x2. not interested
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_service_lookup(): natp(0x51ee4680): app_id, 0(0).
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: service lookup identified service 0.

Referring to the exhibit, which two statements are correct? (Choose two.)

A. The packet being inspected is a UDP packet.

B. The incoming interface is fe-0/0/7.

C. This traffic matches an existing flow.

D. Source NAT is being used.

Answer: B,C