Q1. Click the Exhibit button.
-- Exhibit --
user@srx> show security flow session
Session ID: 7724, Policy name: default-permit/4, Timeout: 2
In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3
Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2
Session ID: 18408, Policy name: default-permit/4, Timeout: 2
In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10
-- Exhibit --
A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and a host with the 1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue on the SRX240 using the output shown in the exhibit.
Regarding this scenario, which two statements are true? (Choose two.)
A. The sessions shown indicate interface-based NAT processing.
B. The sessions shown indicate static NAT processing.
C. ICMP traffic is passing in both directions.
D. ICMP traffic is passing in one direction.
Answer: B,C
Q2. Click the Exhibit button.
[edit security]
user@host# show policies
global {
    policy new-policy {
        match {
            source-address any;
            destination-address any;
            application junos-https;
        }
        then {
            permit {
                application-services {
                    application-firewall {
                        rule-set appfw;
                    }
                }
            }
        }
    }
}
[edit security]
user@host# show application-firewall
rule-sets appfw {
    rule 1 {
        match {
            dynamic-application junos:SSL;
        }
        then {
            permit;
        }
    }
    rule 2 {
        match {
            dynamic-application junos:HTTP;
        }
        then {
            reject;
        }
    }
    default-rule {
        permit;
    }
}
Referring to the exhibit, which two statements are correct? (Choose two.)
A. HTTP traffic is permitted.
B. HTTP traffic is dropped.
C. HTTPS traffic is permitted.
D. HTTPS traffic is dropped.
Answer: B,C
Q3. Which statement is true regarding dual-stack lite?
A. The softwire is an IPv4 tunnel over an IPv6 network.
B. The softwire initiator (SI) encapsulates IPv6 packets in IPv4.
C. The softwire concentrator (SC) decapsulates softwire packets.
D. SRX devices support the softwire concentrator and softwire initiator functionality.
Answer: C
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos/topics/concept/ipv6-ds-lite-overview.html
Q4. Referring to the following output, which command would you enter in the CLI to produce this result?
Pic2/1
Ruleset       Application  Client-to-server  Rate(bps)  Server-to-client  Rate(bps)
http-App-QoS  HTTP         ftp-C2S           200        ftp-C2S           200
http-App-QoS  HTTP         ftp-C2S           200        ftp-C2S           200
ftp-App-QoS   FTP          ftp-C2S           100        ftp-C2S           100
A. show class-of-service interface ge-2/1/0
B. show interface flow-statistics ge-2/1/0
C. show security flow statistics
D. show class-of-service applications-traffic-control statistics rate-limiter
Answer: D
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/reference/command-summary/show-class-of-service-application-traffic-control-statistics-rate-limiter.html
Q5. You have configured static NAT for a Web server in your DMZ. Both internal and external users can reach the Web server using its IP address. However, only internal users are able to reach the Web server using its DNS name. External users receive an error message from their browser.
Which action would solve this problem?
A. Modify the security policy.
B. Disable Web filtering.
C. Use destination NAT instead of static NAT.
D. Use DNS doctoring.
Answer: D
Explanation: Reference: http://www.networker.co.in/2013/03/dns-doctoring.html
Q6. Click the Exhibit button.
user@host# run show security flow session
Session ID: 28, Policy name: allow/5, Timeout: 2, Valid
In: 172.168.1.2/24800 --> 66.168.100.100/8001; tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 64
Out: 10.168.100.1/8001 --> 172.168.1.2/24800; tcp, If: ge-0/0/6.0, Pkts: 1, Bytes: 40
Your customer is unable to reach your HTTP server that is connected to the ge-0/0/6 interface. The HTTP server has an address of 10.168.100.1 on port 80 internally, but is accessed publicly using interface ge-0/0/3 with the address 66.168.100.100 on port 8001.
Referring to the exhibit, what is causing this problem?
A. The traffic is originated with the incorrect IP address from the customer.
B. The traffic is translated with the incorrect IP address for the HTTP server.
C. The traffic is translated with the incorrect port number for the HTTP server.
D. The traffic is originated with the incorrect port number from the customer.
Answer: C
Q7. Your company has added a connection to a new ISP and you have been asked to send specific traffic to the new ISP. You have decided to implement filter-based forwarding. You have configured new routing instances with type forwarding. You must direct traffic into each instance. Which step would accomplish this goal?
A. Add a firewall filter to the ingress interface that specifies the intended routing instance as the action.
B. Create a routing policy to direct the traffic to the required forwarding instances.
C. Configure the ingress and egress interfaces in each forwarding instance.
D. Create a static default route for each ISP in inet.0, each pointing to a different forwarding instance.
Answer: A
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
Q8. Which statement is true regarding the dynamic VPN feature for Junos devices?
A. Only route-based VPNs are supported.
B. Aggressive mode is not supported.
C. Preshared keys for Phase 1 must be used.
D. It is supported on all SRX devices.
Answer: C
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1x45/information-products/pathway-pages/security/security-vpn-dynamic.pdf
Q9. You want to create a custom IDP signature for a new HTTP attack on your SRX device. You have the exact string that identifies the attack. Which two additional elements do you need to define your custom signature? (Choose two.)
A. service context
B. protocol number
C. direction
D. source IP address of the attacker
Answer: A,C
Explanation: Reference: http://rtoodtoo.net/2011/09/22/how-to-write-srx-idp-custom-attacksignature/
Q10. Which statement is true about NAT?
A. When you implement destination NAT, the router does not apply ALG services.
B. When you implement destination NAT, the router skips source NAT rules for the initiating traffic flow.
C. When you implement static NAT, each packet must go through a route lookup.
D. When you implement static NAT, the router skips destination NAT rules for the initiating traffic flow.
Answer: D
Explanation: The NAT type determines the order in which NAT rules are processed. During the first packet processing for a flow, NAT rules are applied in the following order:
1. Static NAT rules
2. Destination NAT rules
3. Route lookup
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42804.html