Q1. Click the Exhibit button.
root@host# show system login
user user {
    uid 2000;
    class operator;
    authentication {
        encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA
    }
}
An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down. The administrator is a contractor and has the permissions on the SRX Series device as shown in the exhibit.
Which command set would allow the administrator to troubleshoot the cause for the VPN being down?
A. set security ipsec traceoptions file ipsec
set security ipsec traceoptions flag security-associations
B. set security ike traceoptions file ike
set security ike traceoptions flag ike
C. request security pki verify-integrity-status
D. request security ike debug-enable local <ip of the local gateway> remote <ip of the remote gateway>
Answer: C
Q2. Click the Exhibit button.
[edit security idp-policy test]
user@host# show
rulebase-ips {
    rule R3 {
        match {
            source-address any;
            destination-address any;
            attacks {
                predefined-attacks FTP:USER:ROOT;
            }
        }
        then {
            action {
                recommended;
            }
        }
        terminal;
    }
    rule R4 {
        match {
            source-address any;
            destination-address any;
            attacks {
                predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
            }
        }
        then {
            action {
                recommended;
            }
        }
    }
}
You have just committed the new IDP policy shown in the exhibit. However, you notice no action is taken on traffic matching the R4 IDP rule.
Which two actions will resolve the problem? (Choose two.)
A. Change the R4 rule to match on a predefined attack group.
B. Insert the R4 rule above the R3 rule.
C. Delete the terminal statement from the R3 rule.
D. Change the IPS rulebase to an exempt rulebase.
Answer: C
Q3. Your company provides managed services for two customers. Each customer has been segregated within its own routing instance on your SRX device. Customer A and customer B inform you that they need to be able to reach certain hosts on each other's network.
Which two configuration settings would be used to share routes between these routing instances? (Choose two.)
A. routing-group
B. instance-import
C. import-rib
D. next-table
Answer: B,D
Explanation: Reference: http://aconaway.com/2013/03/02/junos-logical-tunnel-interfaces-with-virtual-routers/
Q4. You are asked to implement a Dynamic IPsec VPN on your new SRX240. You are required to facilitate up to 5 simultaneous users.
Which two statements must be considered when accomplishing the task?
A. You must acquire at least three additional licenses.
B. Your devices must be in a chassis cluster.
C. You must use a policy-based VPN.
D. You must use main mode for your IKE phase 1 policy.
Answer: A,C
Q5. Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3289542  UP     48d928408940de28  e418fc7702fe483b  Main  172.31.50.1
3289543  UP     eb45940484082b14  428086b100427326  Main  10.10.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec security-associations
Total active tunnels: 2
ID       Algorithm     SPI       Life:sec/kb  Mon  lsys  Port  Gateway
<131073  ESP:des/sha1  6d40899b  1360/ unlim  -    root  500   10.10.50.1
>131073  ESP:des/sha1  5a89400e  1360/ unlim  -    root  500   10.10.50.1
<131074  ESP:des/sha1  c04046f   1359/ unlim  -    root  500   172.31.50.1
>131074  ESP:des/sha1  5508946c  1359/ unlim  -    root  500   172.31.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address     Interface  State  ID          Pri  Dead
10.40.60.1  st0.0      Init   10.30.50.1  128  35
10.40.60.2  st0.0      Full   10.30.50.1  128  31
[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.
What would you do to resolve this problem?
A. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.
B. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.
C. Configure the st0.0 interface under OSPF as a point-to-point interface.
D. Configure the st0.0 interface under OSPF as an unnumbered interface.
Answer: B
Q6. Which configurable SRX Series device feature allows you to capture transit traffic?
A. syslog
B. traceoptions
C. packet-capture
D. archival
Answer: B
Q7. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
In the exhibit, the SRX device has hosts connected to interface ge-0/0/1 and ge-0/0/6. The devices are not able to ping each other. What is causing this behavior?
A. The interfaces must be in trunk mode.
B. The interfaces need to be configured for Ethernet switching.
C. The default security policy does not apply to transparent mode.
D. A bridge domain has not been defined.
Answer: D
Q8. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, which two statements are true? (Choose two.)
A. Packets may get fragmented.
B. The tunnel automatically fragments packets based on MTU discovery.
C. The Phase 2 association will never expire.
D. The Phase 2 association will expire without traffic.
Answer: A,D
Q9. Which two configuration components are required for enabling transparent mode on an SRX device? (Choose two.)
A. IRB
B. bridge domain
C. interface family bridge
D. interface family ethernet-switching
Answer: B,C
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421
Q10. You are asked to implement IPsec tunnels between your SRX devices located at various locations. You will use the public key infrastructure (PKI) to verify the identification of the endpoints. What are two certificate enrollment options available for this deployment? (Choose two.)
A. Manually generating a PKCS10 request and submitting it to an authorized CA.
B. Dynamically generating and sending a certificate request to an authorized CA using OCSP.
C. Manually generating a CRL request and submitting that request to an authorized CA.
D. Dynamically generating and sending a certificate request to an authorized CA using SCEP.
Answer: A,D
Explanation: Reference: Page 9, http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf