Q1.
-- Exhibit --
[edit]
user@srx# run show route

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:09:08
                    > to 172.18.1.1 via ge-0/0/3.0
10.210.14.128/27   *[Direct/0] 8w6d 15:43:09
                    > via ge-0/0/0.0
10.210.14.135/32   *[Local/0] 11w0d 06:43:04
                      Local via ge-0/0/0.0
172.18.1.0/30      *[Direct/0] 8w6d 15:43:01
                    > via ge-0/0/3.0
172.18.1.2/32      *[Local/0] 11w0d 06:43:03
                      Local via ge-0/0/3.0
172.19.1.0/24      *[Direct/0] 03:46:56
                    > via ge-0/0/1.0
172.19.1.1/32      *[Local/0] 03:46:56
                      Local via ge-0/0/1.0
172.20.105.0/24    *[Direct/0] 03:46:56
                    > via ge-0/0/4.105
172.20.105.1/32    *[Local/0] 03:46:56
                      Local via ge-0/0/4.105
192.168.30.1/32    *[Direct/0] 4d 03:44:41
                    > via lo0.0

fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:11
                    > to 172.19.1.2 via ge-0/0/1.0
172.19.1.0/24      *[Direct/0] 00:00:11
                    > via ge-0/0/1.0

[edit]
user@srx# show routing-instances
fbf {
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.19.1.2;
        }
    }
}

[edit]
user@srx# show routing-options
interface-routes {
    rib-group inet fbf-int;
}
static {
    route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
    fbf-int {
        import-rib [ inet.0 fbf.inet.0 ];
        import-policy fbf-pol;
    }
}

[edit]
user@srx# show policy-options policy-statement fbf-pol
term 1 {
    from interface ge-0/0/1.0;
    to rib fbf.inet.0;
    then accept;
}
term 2 {
    then reject;
}
-- Exhibit --
Referring to the exhibit, you notice that filter-based forwarding is not working. What is the reason for this behavior?
A. The RIB group is configured incorrectly.
B. The routing policy is configured incorrectly.
C. The routing instance is configured incorrectly.
D. The default static routes are configured incorrectly.
Answer: C
Explanation:
By default, we have a static route in a routing instance sending the default route to 172.19.1.2. We want to hijack traffic matching a particular filter and send the traffic to a different next-hop, 172.18.1.1. We should create your RIB group by importing FIRST the table belonging to your virtual router and SECOND the table for the forwarding instance that has the next-hop specified.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
Q2. You want to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, without the internal resource having previously sent packets to the external hosts. Which configuration setting will accomplish this goal?
A. persistent-nat permit target-host
B. persistent-nat permit any-remote-host
C. persistent-nat permit target-host-port
D. address-persistent
Answer: B
Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html
Q3. You are performing AppSecure traffic processing to enforce AppFW.
What happens when traffic matching an established security session is newly detected as a different application?
A. The security processing facility of the data plane re-examines the whitelist or blacklist referenced in the security policy to see if the new application is permitted.
B. The newly detected application will not be permitted and session will be torn down unless a specific match exists against the exempt rulebase.
C. Zone-based firewall rules will be re-parsed to determine if a rule exists that permits the newly detected application.
D. The application will not be permitted if doing so would violate the session limit in the screen properties applied to that zone.
Answer: B
Q4. Your manager asks you to show which attacks have been detected on your SRX Series device using the IPS feature.
Which command would you use to accomplish this task?
A. show security idp attack detail
B. show security idp attack table
C. show security idp memory
D. show security idp counters
Answer: B
Q5. Which problem is introduced by setting the terminal parameter on an IPS rule?
A. The SRX device will stop IDP processing for future sessions.
B. The SRX device might detect more false positives.
C. The SRX device will terminate the session in which the terminal rule detected the attack.
D. The SRX device might miss attacks.
Answer: D
Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42464.html
Q6. You are asked to ensure traffic from your executive staff does not use the same ISP connection as your other traffic.
Which three actions are required to accomplish this task? (Choose three.)
A. Create a firewall filter to match this traffic and send this traffic to the routing instance.
B. Create a routing instance and define the type as no-forwarding.
C. Assign the outgoing interface to the no-forwarding instance.
D. Create a routing instance and define the type as forwarding.
E. Create a RIB group to share routes between the main instance and the routing instance.
Answer: A,D,E
Q7. You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be working properly.
What are two reasons for the problem? (Choose two.)
A. You have configured a remote address value of 0.0.0.0/0.
B. You are trying to use traffic selectors with policy-based VPNs.
C. You have configured 15 traffic selectors on each SRX Series device.
D. You are trying to use traffic selectors with route-based VPNs.
Answer: A,B
Q8. Click the Exhibit button.
IPv6 to IPv4 addresses are not being translated as shown in the exhibit. Which two configurations would resolve the problem? (Choose two.)
A. set security nat natv6v4 no-6-frag-header
B. set security nat proxy-arp interface ge-0/0/0.0
C. set security nat source port-randomization disable
D. set security nat proxy-ndp interface ge-0/0/1.0
Answer: D
Q9. In the IPS packet processing flow on an SRX Series device, when does application identification occur?
A. before fragmentation processing
B. after protocol decoding
C. before SSL decryption
D. after attack signature matching
Answer: A
Q10. You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together. What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.
Answer: A,D
Explanation:
AppTrack is used for visibility into application usage and bandwidth.
Reference: http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf