Q1. You are asked to implement a monitoring feature that periodically verifies that the data plane is working across your IPsec VPN. Which configuration will accomplish this task?
A. [edit security ike]
user@srx# show
policy policy-1 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
    ike-policy policy-1;
    address 10.10.10.2;
    dead-peer-detection;
    external-interface ge-0/0/1;
}
B. [edit security ipsec]
user@srx# show
policy policy-1 {
    proposal-set standard;
}
vpn my-vpn {
    bind-interface st0.0;
    dead-peer-detection;
    ike {
        gateway my-gateway;
        ipsec-policy policy-1;
    }
    establish-tunnels immediately;
}
C. [edit security ike]
user@srx# show
policy policy-1 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
    ike-policy policy-1;
    address 10.10.10.2;
    vpn-monitor;
    external-interface ge-0/0/1;
}
D. [edit security ipsec]
user@srx# show
policy policy-1 {
    proposal-set standard;
}
vpn my-vpn {
    bind-interface st0.0;
    vpn-monitor;
    ike {
        gateway my-gateway;
        ipsec-policy policy-1;
    }
    establish-tunnels immediately;
}
Answer: D
Explanation: Reference: https://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/monitoring-and-troubleshooting/index.html?topic-59092.html
Q2. You want requests from the same internal transport address to be mapped to the same external transport address. Only internal hosts can initialize the session.
Which Junos configuration setting supports the requirements?
A. any-remote-host
B. target-host
C. source-host
D. address-persistent
Answer: D
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html
Q3. You are troubleshooting an IPsec session and see the following IPsec security associations:
ID  Gateway        Port  Algorithm         SPI       Life:sec/kb  Mon  vsys
<   192.168.224.1  500   ESP:aes-256/sha1  d6393645  26/ unlim    -    0
>   192.168.224.1  500   ESP:aes-256/sha1  153ec235  26/ unlim    -    0
<   192.168.224.1  500   ESP:aes-256/sha1  f9a2db9a  3011/ unlim  -    0
>   192.168.224.1  500   ESP:aes-256/sha1  153ec236  3011/ unlim  -    0
What are two reasons for this behavior? (Choose two.)
A. Both peers are trying to establish IKE Phase 1 but are not successful.
B. Both peers have established SAs with one another, resulting in two IPsec tunnels.
C. The lifetime of the Phase 2 negotiation is close to expiration.
D. Both peers have establish-tunnels immediately configured.
Answer: C,D
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/show-security-ipsec-security-associations.html
Q4. You have been asked to configure traffic to flow between two virtual routers (VRs) residing on two unique logical systems (LSYSs) on the same SRX5800.
How would you accomplish this task?
A. Configure a security policy that contains the context from VR1 to VR2 to permit the relevant traffic.
B. Configure a security policy that contains the context from LSYS1 to LSYS2 and relevant match conditions in the rule set to allow traffic between the IP networks in VR1 and VR2.
C. Configure logical tunnel interfaces between VR1 and VR2 and security policies that allow relevant traffic between VR1 and VR2 over that link.
D. Configure an interconnect LSYS to facilitate a connection between LSYS1 and LSYS2 and relevant policies to allow the traffic.
Answer: C
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21260
Q5. Where does the AppSecure suite of functions occur in the security flow process on an SRX Series device?
A. services
B. security policy
C. NAT
D. session initiation
Answer: A
Q6. Click the Exhibit button.
[Exhibit]
You are asked to implement NAT to translate addresses between the IPv4 and IPv6 networks shown in the exhibit.
What are three configuration requirements? (Choose three.)
A. Disable SYN checking.
B. Enable IPv6 flow mode.
C. Configure proxy ARP.
D. Configure stateless filtering.
E. Configure proxy NDP.
Answer: B,C,E
Explanation: Reference: http://forums.juniper.net/jnet/attachments/jnet/srx/16228/1/NAT64-Overview.pdf
Q7. Which two statements are true about an interconnect logical system on an SRX Series device? (Choose two.)
A. VXLAN is used to switch inter-LSYS traffic.
B. The root and user LSYSs connect to the interconnect LSYS using vt interfaces.
C. VPLS is used to switch inter-LSYS traffic.
D. The root and user LSYSs connect to the interconnect LSYS using lt interfaces.
Answer: C,D
Q8. You are deploying a standalone SRX650 in transparent mode for evaluation purposes in a potential client's network. The client will need to access the device to modify security policies and perform other various configurations. Where would you configure a Layer 3 interface to meet this requirement?
A. fxp0.0
B. vlan.1
C. irb.1
D. ge-0/0/0.0
Answer: C
Reference: http://safetynet.trapezenetworks.com/techpubs/en_US/junos12.1/information-products/topic-collections/security/software-all/layer-2/index.html?topic-52755.html
Q9. Click the Exhibit button.
[Exhibit]
Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent issues with their connection.
Referring to the exhibit, what is the problem?
A. The tunnel is down due to a configuration change.
B. The do-not-fragment bit is copied to the tunnel header.
C. The MSS option on the SYN packet is set to 1300.
D. The TCP SYN check option is disabled for tunnel traffic.
Answer: B
Q10. A branch SRX Series device in flow mode is forwarding between two virtual routers using a paired set of logical tunnel interfaces. You have a server connected to one virtual router and the client is on the other virtual router.
How many security policies are needed to connect from the client to the server across the logical tunnel link?
A. 0
B. 2
C. 3
D. 1
Answer: D