Security, Professional (JNCIP-SEC) Version: 8.0 [ Total Questions: 175 ] Juniper JN0-633 : Practice Test Question No : 1 Click the Exhibit button. -- Exhibit [sampleXML/Juniper-JN0-633-2_2.png] -- v1, VPN: to-spoke-2 Gateway: spoke-2, Local:
Question 1
What is a benefit of using a group VPN?
- A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.
- B. It eliminates the need for point-to-point VPN tunnels.
- C. It provides a way to grant VPN access on a per-user-group basis.
- D. It simplifies IPsec access for remote clients.
Answer : B
Explanation:
Reference : Page 4 -
http://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CC kQFjAA&url=http%3A%2F%2Fwww.thomas- krenn.com%2Fredx%2Ftools%2Fmb_download.php%2Fmid.x6d7672335147784949386f3 d%2FManual_Configuring_Group_VPN_Juniper_SRX.pdf%3Futm_source%3Dthomas- krenn.com%26utm_medium%3DRSS-
Feed%26utm_content%3DConfiguring%2520Group%2520VPN%26utm_campaign%3DDo wnloads&ei=C2HrUaSWD8WJrQfXxYGYBA&usg=AFQjCNFgKnv9ZLwqZMmbzAfvGDPvo
Mz7dw&bvm=bv.49478099,d.bmk -
Question 2
For an SRX chassis cluster in transparent mode, which action occurs to signal a high availability failover to neighboring switches?
- A. the SRX chassis cluster generates Spanning Tree messages
- B. the SRX chassis cluster generates gratuitous ARPs
- C. the SRX chassis cluster flaps the former active interfaces
- D. the SRX chassis cluster uses IP address monitoring
Answer : C
Reference:
http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA246&lpg=PA246&dq=the+SRX
+chassis+cluster+flaps+the+former+active+interfaces&source=bl&ots=_eDe_vRMyw&sig= x-
Px98kZEi4hZvGflcoybABdMRQ&hl=en&sa=X&ei=iMLzUcDSLcfRrQeQw4CYCA&ved=0CE
AQ6AEwBA#v=onepage&q=flap&f=false
Question 3
You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote user. Regarding this scenario, which three statements are correct? (Choose three.)
- A. You must use preshared keys.
- B. IKE aggressive mode must be used.
- C. Only predefined proposal sets can be used.
- D. Only policy-based VPNs are supported.
- E. You can use all methods of encryption.
Answer : ABD
Explanation:
Reference :
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn- appnote-v12.pdf
Question 4
Click the Exhibit button.
-- Exhibit
-- Exhibit --
You receive complaints from users that their Web browsing sessions keep dropping prematurely. Upon investigation, you find that the IDP policy shown in the exhibit is detecting the users' sessions as HTTP:WIN-CMD:WIN-CMD-EXE attacks, even though their sessions are not actual attacks. You must allow these sessions but still inspect for all other relevant attacks.
How would you configure your SRX device to meet this goal?
- A. Create a new security policy that allows HTTP for all users and does not apply IDP.
- B. Modify the security policy to add an application exception.
- C. Modify the IDP policy to delete this particular attack from the IDP rulebase.
- D. Modify the IDP policy to add an exempt rulebase rule to not inspect for this attack.
Answer : D
Question 5
You are asked to ensure that your IPS engine blocks attacks. You must ensure that your system continues to drop additional malicious traffic without additional IPS processing for up to 30 minutes. You must ensure that the SRX Series device does send a notification packet when the traffic is dropped.
Which statement is correct?
- A. Use the IP-Block action.
- B. Use the Drop Packet action.
- C. Use the Drop Connection action.
- D. Use the IP-Close action.
Answer : D
Question 6
You are troubleshooting an IPsec session and see the following IPsec security associations:
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
< 192.168.224.1 500 ESP:aes-256/sha1 d6393645 26/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec235 26/ unlim - 0
< 192.168.224.1 500 ESP:aes-256/sha1 f9a2db9a 3011/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec236 3011/ unlim - 0
What are two reasons for this behavior? (Choose two.)
- A. Both peers are trying to establish IKE Phase 1 but are not successful.
- B. Both peers have established SAs with one another, resulting in two IPsec tunnels.
- C. The lifetime of the Phase 2 negotiation is close to expiration.
- D. Both peers have establish-tunnels immediately configured.
Answer : CD
Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es- swcmdref/show-security-ipsec-security-associations.html
Question 7
Click the Exhibit button.
-- Exhibit
-- Exhibit --
Referring to the exhibit, which two statements are true? (Choose two.)
- A. Packets may get fragmented.
- B. The tunnel automatically fragments packets based on MTU discovery.
- C. The Phase 2 association will never expire.
- D. The Phase 2 association will expire without traffic.
Answer : A,D
Question 8
Which feature is used for layer 2 bridging on an SRX Series device?
- A. route mode
- B. packet mode
- C. transparent mode
- D. MPLS mode
Answer : C
Question 9
Click the Exhibit button.
-- Exhibit
-- Exhibit --
An attacker is using a nonstandard port for HTTP for reconnaissance into your network.
Referring to the exhibit, which two statements are true? (Choose two.)
- A. The IPS engine will not detect the application due to the nonstandard port.
- B. The IPS engine will detect the application regardless of the nonstandard port.
- C. The IPS engine will perform application identification until the session is established.
- D. The IPS engine will perform application identification until it processes the first 256 bytes of the packet.
Answer : BD
Reference: https://www.juniper.net/techpubs/en_US/idp/topics/example/simple/intrusion- detection-prevention-idp-rulebase-default-service-usage.html
Question 10
Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show
security-package {
url https://services.netscreen.com/cgi-bin/index.cgi;
automatic {
start-time "2012-12-11.01:00:00 +0000";
interval 120;
enable;
-- Exhibit --
You have configured your SRX device to download and install attack signature updates as shown in the exhibit. You discover that updates are not being downloaded.
What are two reasons for this behavior? (Choose two.)
- A. No security policy is configured to allow the SRX device to contact the update server.
- B. The SRX device does not have a DNS server configured.
- C. The management zone interface does not have an IP address configured.
- D. The SRX device has no Internet connectivity.
Answer : BD
Explanation:
Configuration is correct. Only reason is that SRZ device is not able to connect to definition server.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16491
Question 11
You are using destination NAT to translate the address of your HTTPS server to a private address on your SRX Series device. You have decided to implement IDP SSL decryption.
Upon enabling the decryption, you notice sessions are not decrypted.
Which action resolves the problem?
- A. Replace the server SSL certificate to use the public address.
- B. Reboot the SRX Series device.
- C. Increase the SSL session-id-cache-timeout value to any value greater than 5000 seconds.
- D. Enable the IDP sensor-configuration detector to detect address translation.
Answer : D
Question 12
You are asked to secure your companys Web presence. This includes using an SRX
Series device to inspect SSL traffic going to the Web servers in your DMZ.
Which two actions are required to accomplish this task? (Choose two.)
- A. Load your Web server’s private key in the IDP configuration.
- B. Load your Web server’s public key in the IDP configuration.
- C. Generate a root certificate on the SRX Series device for your Web servers.
- D. Specify the number of sessions in the SSL sensor configuration.
Answer : A,D
Question 13
You have recently deployed a dynamic VPN. The remote users are complaining that communications with devices on the same subnet as the SRX device are intermittent and often fail. The tunnel is stable and up, and communications with remote devices on different subnets work without any issues. Which configuration setting would resolve this issue?
- A. adding local-redirect at the [edit security nat] hierarchy
- B. adding local-redirect at the [edit interfaces <interface-name>] hierarchy
- C. adding proxy-arp at the [edit security nat] hierarchy
- D. adding proxy-arp at the [edit interfaces <interface-name>] hierarchy
Answer : C
Explanation:
Reference : http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf
Question 14
Click the Exhibit button.
-- Exhibit --
[edit security]
user@srx# show idp
application-ddos Webserver {
service http;
connection-rate-threshold 1000;
context http-get-url {
hit-rate-threshold 60000;
value-hit-rate-threshold 30000;
time-binding-count 10;
time-binding-period 25;
-- Exhibit --
You are using AppDoS to protect your network against a bot attack, but noticed an approved application has falsely triggered the configured IDP action of drop. You adjusted your AppDoS configuration as shown in the exhibit. However, the approved traffic is still dropped.
What are two reasons for this behavior? (Choose two.)
- A. The approved traffic results in 50,000 HTTP GET requests per minute.
- B. The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.
- C. The active IDP policy has not been defined in the security configuration.
- D. The IDP action is still in effect due to the timeout configuration.
Answer : A,D
Reference: http://www.juniper.net/techpubs/software/junos-security/junos- security10.0/junos-security-swconfig-security/appddos-protection-overview.html http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security- swconfig-security/appddos-proctecting-against.html#appddos-proctecting-against
Question 15
You must ensure that your Layer 2 traffic is secured on your SRX Series device in transparent mode.
What must be considered when accomplishing this task?
- A. Layer 2 interfaces must use the ethernet-switching protocol family.
- B. Security policies are not supported when operating in transparent mode.
- C. Screens are not supported in your security zones with transparent mode.
- D. You must reboot your device after configuring transparent mode.
Answer : D