JN0-633 Premium Bundle

Security, Professional (JNCIP-SEC) Certification Exam

Last update: November 23, 2024

Juniper JN0-633 Free Practice Questions

Q1. Click the Exhibit button.

[edit]
user@host# run show log debug
Feb 3 22:04:32 22:04:31.983991:CID-0:RT:ge-0/0/1.0:5.0.0.25/59028->25.0.0.25/23, tcp, flag 18
Feb 3 22:04:32 22:04:31.983997:CID-0:RT: find flow: table 0x582738c0, hash 53561(0xffff), sa 5.0.0.25, da 5.0.0.25, sp 59028, dp 23, proto 6, tok 20489
Feb 3 22:04:32 22:04:31.984004:CID-0:RT:Found: session id 0x14f98. sess tok 20489
Feb 3 22:04:32 22:04:31.984005:CID-0:RT: flow got session.
Feb 3 22:04:32 22:04:31.984006:CID-0:RT: flow session id 85912
Feb 3 22:04:32 22:04:31.984009:CID-0:RT: vector bits 0x2 vector 0x53a949e8
Feb 3 22:04:32 22:04:31.984012:CID-0:RT: tcp sec check.
Feb 3 22:04:32 22:04:31.984015:CID-0:RT:mbuf 0x4a82cd80, exit nh 0xa0010

Which two statements are true regarding the output shown in the exhibit? (Choose two.)

A. The outgoing interface is ge-0/0/1.0.

B. The packet is subject to fast-path packet processing.

C. The packet is part of the first-packet path processing.

D. TCP sequence checking is enabled.

Answer: C,D

Q2. What is the default action for an SRX device in transparent mode to determine the outgoing interface for an unknown destination MAC address?

A. Perform packet flooding.

B. Send an ARP query.

C. Send an ICMP packet with a TTL of 1.

D. Perform a traceroute request.

Answer: A

Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/understand-l2-forwarding-tables-section.html

Q3. Click the Exhibit button.

-- Exhibit -- (exhibit image not included on this page)

Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?

A. all traffic including non-IP traffic

B. any IP traffic

C. only TCP and UDP traffic

D. only BPDU traffic

Answer: D

Q4. Click the Exhibit button.

user@host> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
3271043 UP     7f42284089404673  95fd8408940438d8  Main  172.31.50.2

user@host> show security ipsec security-associations
Total active tunnels: 0

user@host> show log phase2
Feb 2 14:21:18 host kmd[1088]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
Feb 2 14:21:18 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)
Feb 2 14:21:54 host kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
Feb 2 14:22:19 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)

You have recently configured an IPsec VPN between an SRX Series device and another non-Junos security device. The phase one tunnel is up but the phase two tunnel is not present.

Referring to the exhibit, what is the cause of this problem?

A. preshared key mismatch

B. mode mismatch

C. proposal mismatch

D. proxy-ID mismatch

Answer: D

Q5. Click the Exhibit button.

-- Exhibit -- (exhibit image not included on this page)

Referring to the exhibit, AppTrack is only logging the session closure messages for sessions that last 1 to 3 minutes.

What is causing this behavior?

A. AppTrack is not properly configured under the [edit security application-tracking] hierarchy.

B. AppTrack only generates session update messages.

C. AppTrack only generates session closure messages.

D. AppTrack generates other messages only when the update interval is surpassed.

Answer: D

Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45952.html

Q6. You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office is a chassis cluster formed from two SRX240s. Which two statements about this deployment are true? (Choose two.)

A. You must remove the SRX240s from the chassis cluster before enabling the dynamic VPNs.

B. The remote clients can run Windows XP, Windows Vista, Windows 7, or OS X operating systems.

C. If more than two dynamic VPN tunnels are required, you must purchase and install a new license.

D. The remote users can be authenticated by the SRX240s or a configured RADIUS server.

Answer: C,D

Explanation: Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf

Q7. Click the Exhibit button.

user@host> show bgp summary logical-system LSYS1
Groups: 11 Peers: 10 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0               141        129          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.64.12         65008      11153      11459       0      26 3d 3:10:43 9/10/10/0 0/0/0/0
192.168.72.12         65009      11171      11457       0      26 3d 3:10:39 11/12/12/0 0/0/0/0
192.168.80.12         65010       9480       9729       0      27 3d 3:10:42 11/12/12/0 0/0/0/0
192.168.88.12         65011      11171      11457       0      25 3d 3:10:31 12/13/13/0 0/0/0/0
192.168.96.12         65012       9479       9729       0      26 3d 3:10:34 12/13/13/0 0/0/0/0
192.168.10.12         65013     111689      11460       0      27 3d 3:10:46 9/10/10/0 0/0/0/0
192.168.11.12         65014     111688      11458       0      25 3d 3:10:42 9/10/10/0 0/0/0/0
192.168.12.12         65015     111687      11457       0      25 3d 3:10:38 9/10/10/0 0/0/0/0
192.68.11.12         650168       9478       9729       0      25 3d 3:10:42 9/10/10/0 0/0/0/0
192.168.13.12         65017     111687      11457       0      27 3d 3:10:30 9/10/10/0 0/0/0/0
192.168.16.12         65017     111687      11457       0      27 1w3d2h    Connect

user@host> show interfaces ge-0/0/7.0 extensive
  Logical interface ge-0/0/7.0 (Index 76) (SNMP ifIndex 548) (Generation 141)
  ...
    Security: Zone: log
    Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  589723
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding:      0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1500, Generation: 1685, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.5.123/24, Local: 10.5.123.3, Broadcast: 10.5.123.255, Generation: 156
    Protocol multiservice, MTU: Unlimited, Generation: 1686, Route table: 0
      Policer: Input: default_arp_policer
  ...

An SRX Series device has been configured with a logical system LSYS1. One of the BGP peers is down.

Referring to the exhibit, which statement explains this problem?

A. The LSYS license only allows up to ten BGP peerings.

B. The maximum number of allowed flows is set too low.

C. The allocated memory is not sufficient for this LSYS.

D. The minimum number of flows is set too high.

Answer: B

Q8. Click the Exhibit button.

Referring to the exhibit, you must send traffic from Host-1 to Host-2. These two hosts can only communicate with IPv4.

Which feature would you use to permit communication between Host-1 and Host-2?

A. 6rd

B. DS-Lite

C. NAT46

D. NAT444

Answer: B

Q9. Microsoft has altered the way their Web-based Hotmail application works. You want to update your application firewall policy to correctly identify the altered Hotmail application.

Which two steps must you take to modify the application? (Choose two.)

A. user@srx> request services application-identification application copy junos:HOTMAIL

B. user@srx> request services application-identification application enable junos:HOTMAIL

C. user@srx# edit services custom application-identification my:HOTMAIL

D. user@srx# edit services application-identification my:HOTMAIL

Answer: A,D 

Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-summary/request-services-application-identification-application.html

Q10. You must configure a central SRX device connected to two branch offices with overlapping IP address space. The branch office connections to the central SRX device must reside in separate routing instances. Which two components are required? (Choose two.)

A. virtual routing instance

B. forwarding instance

C. static NAT

D. persistent NAT

Answer: A,C

Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21286

Q11. Where does the AppSecure suite of functions occur in the security flow process on an SRX Series device?

A. services

B. security policy

C. NAT

D. session initiation

Answer: A

Q12. -- Exhibit --

[edit]
user@srx# run show route

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:09:08
                    > to 172.18.1.1 via ge-0/0/3.0
10.210.14.128/27   *[Direct/0] 8w6d 15:43:09
                    > via ge-0/0/0.0
10.210.14.135/32   *[Local/0] 11w0d 06:43:04
                      Local via ge-0/0/0.0
172.18.1.0/30      *[Direct/0] 8w6d 15:43:01
                    > via ge-0/0/3.0
172.18.1.2/32      *[Local/0] 11w0d 06:43:03
                      Local via ge-0/0/3.0
172.19.1.0/24      *[Direct/0] 03:46:56
                    > via ge-0/0/1.0
172.19.1.1/32      *[Local/0] 03:46:56
                      Local via ge-0/0/1.0
172.20.105.0/24    *[Direct/0] 03:46:56
                    > via ge-0/0/4.105
172.20.105.1/32    *[Local/0] 03:46:56
                      Local via ge-0/0/4.105
192.168.30.1/32    *[Direct/0] 4d 03:44:41
                    > via lo0.0

fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:11
                    > to 172.19.1.2 via ge-0/0/1.0
172.19.1.0/24      *[Direct/0] 00:00:11
                    > via ge-0/0/1.0

[edit]
user@srx# show routing-instances
fbf {
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.19.1.2;
        }
    }
}

[edit]
user@srx# show routing-options
interface-routes {
    rib-group inet fbf-int;
}
static {
    route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
    fbf-int {
        import-rib [ inet.0 fbf.inet.0 ];
        import-policy fbf-pol;
    }
}

[edit]
user@srx# show policy-options policy-statement fbf-pol
term 1 {
    from interface ge-0/0/1.0;
    to rib fbf.inet.0;
    then accept;
}
term 2 {
    then reject;
}

-- Exhibit --

Referring to the exhibit, you notice that filter-based forwarding is not working. What is the reason for this behavior?

A. The RIB group is configured incorrectly.

B. The routing policy is configured incorrectly.

C. The routing instance is configured incorrectly.

D. The default static routes are configured incorrectly.

Answer: C

Explanation:

By default, we have a static route in the routing instance sending the default route to 172.19.1.2. We want to hijack traffic matching a particular filter and send it to a different next hop, 172.18.1.1. You should create your rib group by importing FIRST the table belonging to your virtual router and SECOND the table for the forwarding instance that has the next hop specified.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

Q13. Click the Exhibit button.

root@host# show system login
user user {
    uid 2000;
    class operator;
    authentication {
        encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA
    }
}

An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down. The administrator is a contractor and has the permissions on the SRX Series device as shown in the exhibit.

Which command set would allow the administrator to troubleshoot the cause for the VPN being down?

A. set security ipsec traceoptions file ipsec
   set security ipsec traceoptions flag security-associations

B. set security ike traceoptions file ike
   set security ike traceoptions flag ike

C. request security pki verify-integrity-status

D. request security ike debug-enable local <ip of the local gateway> remote <ip of the remote gateway>

Answer: C

Q14. You want to create a custom IDP signature for a new HTTP attack on your SRX device. You have the exact string that identifies the attack. Which two additional elements do you need to define your custom signature? (Choose two.)

A. service context

B. protocol number

C. direction

D. source IP address of the attacker

Answer: A,C

Explanation: Reference: http://rtoodtoo.net/2011/09/22/how-to-write-srx-idp-custom-attacksignature/

Q15. Given the following session output:

Session ID: [not shown], Policy name: default-policy-00/2, State: Active, Timeout: 1794, Valid
  In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, If: reth0.0, Pkts: 4, Bytes: 574
  Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0, Pkts: 3, Bytes:

Which statement is correct about the security flow session output?

A. This session is about to expire.

B. NAT64 is used.

C. Proxy NDP is used for this session.

D. The IPv4 Web server runs services on TCP port 24770.

Answer: B

Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22391
