Q1. You want to route traffic between two newly created virtual routers without the use of logical systems using the configuration options on the SRX5800.

Which two methods of forwarding, between virtual routers, would you recommend? (Choose two.)

A. Use a static route to forward traffic across virtual routers using the next-table option. Enable the return route by using a RIB group.

B. Create static routes in each virtual router using thenext-tablecommand.

C. Use a RIB group to share the internal routing protocol routes from the master routing instance. 

D. Connect a direct cable between boo physical interfaces, one in each virtual router and use static routes with thenext-hopcommand.

View Answer

Q2. Click the Exhibit button.

-- Exhibit -- [edit security]

user@srx# show idp {

idp-policy NewPolicy { rulebase-exempt { rule 1 {

description AllowExternalRule; match {

source-address any; destination-address

}

}

}

}

}

-- Exhibit --

You are performing the initial IDP installation on your new SRX device. You have configured the IDP exempt rulebase as shown in the exhibit, but the commit is not successful.

Referring to the exhibit, what solves the issue?

A. You must configure the destination zone match.

B. You must configure the IPS exempt accept action.

C. You must configure the IPS rulebase.

D. You must configure the IPS engine flow action to ignore.

View Answer

Q3. Click the Exhibit button.

user@key-server> show security group-vpn server ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address

97 UP bb224408940cc5d 435b9404284083c2 Main 192.168.11.1

98 UP 242c840089404d15 ab19284089408ba8 Main 192.168.11.2

user@key-server> show security group-vpn server ipsec security-associations Group: group-1, Group Id: 1

Total IPsec SAs: 1

IPsec SA Algorithm SPI Lifetime

group-l-sa ESP:3des/shal 1343991c 2736 Group: group-2, Group id: 2

Total IPsec SAs: 1

IPsec SA Algorithm SPI Lifetime

group-2-sa ESP:3des/shal 13be9e9 2741 Group: group-3, Group Id: 3

Total IPsec SAs: 1

IPsec SA Algorithm SPI Lifetime

group-3-sa ESP:3des/shal 20709057 2741 Group: group-4, Group Id: 4

Total IPsec SAs: 1

IPsec SA Algorithm SPI Lifetime

group-4-sa ESP:3des/shal 5111c2e1 2741

Which statement is correct regarding the outputs shown in the exhibit?

A. Two established peers are in the group VPNs.

B. One established peer is in the group VPNs.

C. No established peer is in the group VPNs.

D. Four established peers are in the group VPNs.

View Answer

Q4. What is a secure key management protocol used by IPsec?

A. AH

B. ESP

C. TCP

D. IKE

View Answer

Q5. Click the Exhibit button.

-- Exhibit–

-- Exhibit --

Host A cannot resolve the www.target.host.com Web page when using its configured DNS server. As shown in the exhibit, Host A's configured DNS server and the Web server hosting the www.target.host.com Web page are in the same subnet. You have verified bidirectional reachability between Host A and the Web server hosting the Web page.

What would cause this behavior on the SRX device in Company B's network?

A. DNS replication is enabled.

B. DNS doctoring is enabled.

C. DNS replication is disabled.

D. DNS doctoring is disabled.

View Answer

Q6. Click the Exhibit button.

-- Exhibit --

[edit security idp] user@srx# show | no-more idp-policy basic {

rulebase-ips { rule 1 { match {

from-zone untrust; source-address any; to-zone trust;

destination-address any; application default; attacks {

custom-attacks data-inject;

}

}

then { action {

recommended;

}

notification { log-attacks;

}

}

}

}

}

active-policy basic; custom-attack data-inject {

recommended-action close; severity critical;

attack-type { signature {

context mssql-query;

pattern "SELECT * FROM accounts"; direction client-to-server;

}

}

}

-- Exhibit --

You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP.

Which two commands should you use? (Choose two.)

A. set custom attack data-inject recommended-action drop

B. set custom-attack data-inject attack-type signature protocol-binding tcp

C. set idp-policy basic rulebase-ips rule 1 match destination-address webserver

D. set idp-policy basic rulebase-ips rule 1 match application any

View Answer

Q7. You have installed a new IPS license on your SRX device and successfully downloaded the attack signature database. However, when you run the command to install the database, the database fails to install.What are two reasons for the failure? (Choose two.)

A. The file system on the SRX device has insufficient free space to install the database.

B. The downloaded signature database is corrupt.

C. The previous version of the database must be uninstalled first.

D. The SRX device does not have the high memory option installed.

View Answer

Q8. As an SRX administrator, you must find all encrypted sessions on an SRX Series device. Which command would you use to accomplish this task?

A. show security flow session tunnel

B. show security ike tunnel-map

C. show security ike security-associations

D. show security flow session encrypted

View Answer

Q9. An external host is attacking your network. The host sends an HTTP request to a Web server, but does not include the version of HTTP in the request.

Which type of attack is being performed?

A. signature-based attack

B. application identification

C. anomaly

D. fingerprinting

View Answer

Q10. Which two statements are true regarding DNS doctoring? (Choose two.)

A. DNS doctoring translates the DNS CNAME payload.

B. DNS doctoring for IPv4 is supported on SRX devices.

C. DNS doctoring for IPv4 and IPv6 is supported on SRX devices.

D. DNS doctoring translates the DNS A-record.

View Answer