Q1. You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?
A. You can use SCEP to accomplish this behavior.
B. You can use OCSP to accomplish this behavior.
C. You can use CRL to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.
Answer: A
Explanation: Reference: Page 9
http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf
Q2. Click the Exhibit button.
user@key-server> show security group-vpn server ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
97      UP     bb224408940cc5d   435b9404284083c2  Main  192.168.11.1
98      UP     242c840089404d15  ab19284089408ba8  Main  192.168.11.2

user@key-server> show security group-vpn server ipsec security-associations
Group: group-1, Group Id: 1
Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-1-sa   ESP:3des/sha1  1343991c  2736
Group: group-2, Group Id: 2
Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-2-sa   ESP:3des/sha1  13be9e9   2741
Group: group-3, Group Id: 3
Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-3-sa   ESP:3des/sha1  20709057  2741
Group: group-4, Group Id: 4
Total IPsec SAs: 1
  IPsec SA     Algorithm      SPI       Lifetime
  group-4-sa   ESP:3des/sha1  5111c2e1  2741
Which statement is correct regarding the outputs shown in the exhibit?
A. Two established peers are in the group VPNs.
B. One established peer is in the group VPNs.
C. No established peer is in the group VPNs.
D. Four established peers are in the group VPNs.
Answer: A
Q3. A local user complains that they cannot connect to an FTP server on the DMZ network. You investigate and confirm that the security policy allows FTP traffic from the trust zone to the DMZ zone.
What are two reasons for this problem? (Choose two.)
A. The FTP server has no route back to the local network.
B. No route is configured to the DMZ network.
C. No security policy exists for traffic from the DMZ zone to the trust zone.
D. The FTP ALG is disabled.
Answer: A,D
Q4. You are asked to implement a point-to-multipoint hub-and-spoke topology in a mixed vendor environment. The hub device is running the Junos OS and the spoke devices are different vendor devices. Regarding this scenario, which statement is correct?
A. The NHTB table must be statically defined.
B. The NHTB table is automatically created during Phase 2.
C. The NHTB table is automatically created during Phase 1.
D. The NHTB table must be imported from each spoke.
Answer: A
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos/topics/example/vpn-hub-spoke-nhtb-example-configuring.html
Q5. You are attempting to establish an IPsec VPN between two SRX devices. However, there is another device between the SRX devices that does not pass traffic that is using UDP port 4500.
How would you resolve this problem?
A. Enable NAT-T.
B. Disable NAT-T.
C. Disable PAT.
D. Enable PAT.
Answer: B
Explanation:
NAT-T encapsulates both IKE and ESP in UDP on port 4500 (by default) instead of the standard IKE on UDP port 500 and ESP as IP protocol 50. If the intermediate device blocks UDP 4500, disabling NAT-T makes the two SRX peers negotiate on UDP 500 and carry ESP natively, which that device does pass. Disabling NAT-T is only viable when there is no NAT device between the peers; a NAT device in the path would need NAT-T, because ESP carries no port numbers for it to translate.
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch10.html
Q6. You have recently deployed a dynamic VPN. The remote users are complaining that communications with devices on the same subnet as the SRX device are intermittent and often fail. The tunnel is stable and up, and communications with remote devices on different subnets work without any issues. Which configuration setting would resolve this issue?
A. adding local-redirect at the [edit security nat] hierarchy
B. adding local-redirect at the [edit interfaces <interface-name>] hierarchy
C. adding proxy-arp at the [edit security nat] hierarchy
D. adding proxy-arp at the [edit interfaces <interface-name>] hierarchy
Answer: C
Explanation:
Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf
Q7. Click the Exhibit button.
user@host> show log messages
Feb 4 00:04:17 host rpd[4516]: EVENT <UpDown> st0.0 index 76 <Up Broadcast Multicast>
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x8d5816fd, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host rpd[4516]: EVENT UpDown st0.0 index 76 10.10.10.1/24 -> (null) <Up Broadcast Multicast>
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x77f07d5c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-1 from 192.168.10.3 is up. Local-ip: 192.168.10.1, gateway name: spoke-1, vpn name: to-spoke-1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.10.10.3, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.3, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:11,[0..7]=0.0.0.0/0)
Feb 4 00:04:17 host mib2d[1385]: SNMP_TRAP_LINK_UP: ifIndex 539, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x2790a42c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x2df17ea8, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-3 from 192.168.10.5 is up. Local-ip: 192.168.10.1, gateway name: spoke-3, vpn name: to-spoke-3, tunnel-id: 131076, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.5, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Feb 4 00:04:17 host kmd[1391]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: to-spoke-2 Gateway: spoke-2, Local: 192.168.10.1/500, Remote: 192.168.10.4/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Referring to the exhibit, which statement is correct?
A. The phase 1 security association for theto-spoke-3VPN is failing.
B. The phase 2 security association for theto-spoke-1VPN is failing.
C. The phase 2 security association for theto-spoke-3VPN is failing.
D. The phase 1 security association for theto-spoke-2VPN is failing.
Answer: D
Explanation: The to-spoke-1 and to-spoke-3 VPNs each log an inbound and an outbound KMD_PM_SA_ESTABLISHED message followed by KMD_VPN_UP_ALARM_USER, so both their Phase 1 and Phase 2 negotiations completed (to-spoke-3 merely has no remote tunnel IP yet). The only failure in the exhibit is for to-spoke-2: "IKE negotiation failed with error: No proposal chosen" on UDP port 500 with both the local and remote IKE-ID still Not-Available. The peers never agreed on an IKE (Phase 1) proposal, so no Phase 2 negotiation was ever reached for that VPN.
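As an added example, not taken from the exam material or from Juniper documentation, the following Python script parses kmd log lines like those in the exhibit and reports, per VPN, whether Phase 2 SAs were installed in both directions and whether a failure was logged before or after the peers' IKE identities were established. The classification rule is an assumption and is stated in the code: a failure logged while both IKE-IDs are still Not-Available has not completed Phase 1. SAMPLE_LOG is a constructed copy of the exhibit's kmd lines, each re-joined onto one line as syslog writes them.

```python
import re
from collections import defaultdict

# Constructed sample: the kmd lines from the exhibit, one message per line.
SAMPLE_LOG = """\
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x8d5816fd, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x77f07d5c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-1 from 192.168.10.3 is up. Local-ip: 192.168.10.1, gateway name: spoke-1, vpn name: to-spoke-1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.10.10.3, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.3, XAUTH username: Not-Applicable, VR id: 0
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x2790a42c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x2df17ea8, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-3 from 192.168.10.5 is up. Local-ip: 192.168.10.1, gateway name: spoke-3, vpn name: to-spoke-3, tunnel-id: 131076, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.5, XAUTH username: Not-Applicable, VR id: 0
Feb 4 00:04:17 host kmd[1391]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: to-spoke-2 Gateway: spoke-2, Local: 192.168.10.1/500, Remote: 192.168.10.4/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
"""

# A Phase 2 (IPsec) SA was installed for one direction towards a remote gateway.
SA_RE = re.compile(r"KMD_PM_SA_ESTABLISHED: .*?Remote gateway: (?P<gw>[\d.]+), "
                   r".*?Direction: (?P<dir>inbound|outbound), SPI: (?P<spi>0x[0-9a-f]+)")
# The VPN reached the up state; the remote tunnel IP may still be Not-Available.
UP_RE = re.compile(r"KMD_VPN_UP_ALARM_USER: VPN (?P<vpn>\S+) from (?P<gw>[\d.]+) is up\."
                   r".*?remote tunnel-ip: (?P<tip>[^,]+),")
# A negotiation failure with the fields kmd prints for it.
FAIL_RE = re.compile(r"IKE negotiation failed with error: (?P<err>[^.]+)\. IKE Version: (?P<ver>\d), "
                     r"VPN: (?P<vpn>\S+) Gateway: (?P<gwname>[^,]+), Local: (?P<local>[\d.]+)/(?P<lport>\d+), "
                     r"Remote: (?P<remote>[\d.]+)/(?P<rport>\d+), Local IKE-ID: (?P<lid>[^,]+), "
                     r"Remote IKE-ID: (?P<rid>[^,]+)")


def summarize_vpn_log(text):
    """Map each VPN name to its negotiation outcome as recorded in the kmd log."""
    sas = defaultdict(set)   # remote gateway -> directions with an installed Phase 2 SA
    report = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            sas[m["gw"]].add(m["dir"])
            continue
        m = UP_RE.search(line)
        if m:
            tip = m["tip"].strip()
            report[m["vpn"]] = {"gateway": m["gw"], "state": "up",
                                "remote_tunnel_ip": None if tip == "Not-Available" else tip}
            continue
        m = FAIL_RE.search(line)
        if m:
            # Assumption used for classification: a failure logged before either IKE-ID is
            # known means the peers never completed Phase 1 (the IKE SA); once IKE-IDs are
            # present, a failure belongs to Phase 2 (IPsec SA) negotiation.
            phase = "phase1" if m["lid"] == "Not-Available" else "phase2"
            report[m["vpn"]] = {"gateway": m["remote"], "state": f"{phase}-failed",
                                "error": m["err"], "ike_version": int(m["ver"]),
                                "remote_tunnel_ip": None}
    for entry in report.values():
        entry["phase2_directions"] = sorted(sas.get(entry["gateway"], ()))
    return report


def failing_vpns(report):
    """Names of VPNs that did not reach the up state, in a stable order."""
    return sorted(name for name, e in report.items() if e["state"] != "up")


if __name__ == "__main__":
    for name, e in summarize_vpn_log(SAMPLE_LOG).items():
        print(name, e["state"], e["phase2_directions"], e.get("error", ""))
```

Run against the exhibit's lines, the script shows to-spoke-1 and to-spoke-3 up with inbound and outbound SAs, and to-spoke-2 as the only failing VPN, classified as a Phase 1 failure because the "No proposal chosen" message was logged with both IKE-IDs still Not-Available.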
Q8. You have been asked to configure traffic to flow between two virtual routers (VRs) residing on two unique logical systems (LSYSs) on the same SRX5800.
How would you accomplish this task?
A. Configure a security policy that contains the context from VR1 to VR2 to permit the relevant traffic.
B. Configure a security policy that contains the context from LSYS1 to LSYS2 and relevant match conditions in the rule set to allow traffic between the IP networks in VR1 and VR2.
C. Configure logical tunnel interfaces between VR1 and VR2 and security policies that allow relevant traffic between VR1 and VR2 over that link.
D. Configure an interconnect LSYS to facilitate a connection between LSYS1 and LSYS2 and relevant policies to allow the traffic.
Answer: C
Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21260
Q9. You are asked to secure your company’s Web presence. This includes using an SRX Series device to inspect SSL traffic going to the Web servers in your DMZ.
Which two actions are required to accomplish this task? (Choose two.)
A. Load your Web server’s private key in the IDP configuration.
B. Load your Web server’s public key in the IDP configuration.
C. Generate a root certificate on the SRX Series device for your Web servers.
D. Specify the number of sessions in the SSL sensor configuration.
Answer: A,D
Q10. Click the Exhibit button.
-- Exhibit (topology diagram not included) --
Referring to the topology shown in the exhibit, which two configuration tasks will allow Host A to telnet to the public IP address associated with Server B? (Choose two.)
A. Configure transparent mode to bypass the NAT processing of Server B's public IP address.
B. Configure a stateless filter redirecting local traffic destined to Server B's public IP address.
C. Configure a destination NAT rule that matches local traffic destined to Server B's public IP address.
D. Configure a source NAT rule that matches local traffic destined to Server B's public IP address.
Answer: C,D
Explanation:
In this scenario Host A, on the local network, must reach Server B using Server B's public address, so the SRX has to perform both translations on that flow. The destination NAT rule maps Server B's public address to its private address for traffic arriving from the local network. The source NAT rule rewrites Host A's address so that Server B's replies are routed back through the SRX (a hairpin, or NAT loopback, flow); if Server B could instead reply to Host A directly, the replies would bypass the SRX session and the connection would fail. Both rules are therefore required.
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#destination_nat
Q11. Which statement is true about NAT?
A. When you implement destination NAT, the router does not apply ALG services.
B. When you implement destination NAT, the router skips source NAT rules for the initiating traffic flow.
C. When you implement static NAT, each packet must go through a route lookup.
D. When you implement static NAT, the router skips destination NAT rules for the initiating traffic flow.
Answer: D
Explanation: The NAT type determines the order in which NAT rules are processed. During first-packet processing for a flow, the SRX applies NAT in the following order:
- Static NAT rules
- Destination NAT rules
- Route lookup
- Security policy lookup, then reverse static NAT and source NAT rules
Because static NAT is evaluated first and is bidirectional, a matching static NAT rule takes precedence and the destination NAT rules are not evaluated for that flow.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42804.html
Q12. You are asked to implement IPsec tunnels between your SRX devices located at various locations. You will use the public key infrastructure (PKI) to verify the identification of the endpoints. What are two certificate enrollment options available for this deployment? (Choose two.)
A. Manually generating a PKCS10 request and submitting it to an authorized CA.
B. Dynamically generating and sending a certificate request to an authorized CA using OCSP.
C. Manually generating a CRL request and submitting that request to an authorized CA.
D. Dynamically generating and sending a certificate request to an authorized CA using SCEP.
Answer: A,D
Explanation: Reference:Page 9
http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf
Q13. You recently implemented application firewall rules on an SRX device to act upon encrypted traffic. However, the encrypted traffic is not being correctly identified.
Which two actions will help the SRX device correctly identify the encrypted traffic? (Choose two.)
A. Enable heuristics to detect the encrypted traffic.
B. Disable the application system cache.
C. Use the junos:UNSPECIFIED-ENCRYPTED application signature.
D. Use the junos:SPECIFIED-ENCRYPTED application signature.
Answer: A,C
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/encrypted-p2p-heuristics-detection.html
Q14. Click the Exhibit button.
-- Exhibit --
user@srx> show security flow session
Session ID: 7724, Policy name: default-permit/4, Timeout: 2
  In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3
  Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2
Session ID: 18408, Policy name: default-permit/4, Timeout: 2
  In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
  Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10
-- Exhibit --
A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and a host with the 1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue on the SRX240 using the output shown in the exhibit.
Regarding this scenario, which two statements are true? (Choose two.)
A. The sessions shown indicate interface-based NAT processing.
B. The sessions shown indicate static NAT processing.
C. ICMP traffic is passing in both directions.
D. ICMP traffic is passing in one direction.
Answer: B,C
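The reasoning behind this answer can be automated. As an added example that is not part of the exam material or of any Juniper tool, the Python below parses show security flow session output, compares each session's forward (In) wing with its reverse (Out) wing to see which address was rewritten, and applies a stated heuristic: a single one-to-one address pair seen as a destination rewrite on inbound-initiated sessions and as a source rewrite on outbound-initiated sessions, with no port rewriting, indicates static NAT, whereas interface or pool based source NAT shows up as source rewrites with changed ports. SAMPLE_SESSIONS is a constructed copy of the exhibit with its garbled field labels restored.

```python
import re

# Constructed sample: the two sessions from the exhibit, field labels normalised.
SAMPLE_SESSIONS = """\
Session ID: 7724, Policy name: default-permit/4, Timeout: 2
  In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3
  Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2
Session ID: 18408, Policy name: default-permit/4, Timeout: 2
  In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
  Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10
"""

SESSION_RE = re.compile(r"Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(r"(?P<wing>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
                     r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifl>\S+)")


def parse_sessions(text):
    """Return one dict per session holding its 'in' (forward) and 'out' (reverse) wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"id": int(m["id"]), "policy": m["policy"], "proto": None}
            sessions.append(cur)
        if cur is None:
            continue
        for w in WING_RE.finditer(line):          # both wings may share one line
            cur[w["wing"].lower()] = (w["src"], int(w["sport"]), w["dst"], int(w["dport"]))
            cur["proto"] = w["proto"]
    return sessions


def describe_translation(s):
    """Work out which address the SRX rewrote for one session.
    In: a/pa -> b/pb is the initiator's packet as it entered; Out: c/pc -> d/pd is the
    reply as it will enter. Without NAT, c == b and d == a."""
    a, pa, b, pb = s["in"]
    c, pc, d, pd = s["out"]
    return {
        "id": s["id"],
        "initiator": a,
        "src_nat": (a, d) if d != a else None,   # initiator address rewritten a -> d
        "dst_nat": (b, c) if c != b else None,   # responder address rewritten b -> c
        "port_changed": pa != pd or pb != pc,    # any port rewriting means PAT
    }


def infer_nat_type(descs):
    """Heuristic classification of the NAT behaviour visible across the sessions.
    Interface-based source NAT always translates ports to the egress address, so it
    cannot produce port-preserving, bidirectional one-to-one mappings."""
    pairs = set()                                 # normalised to (private, public)
    for d in descs:
        if d["src_nat"]:
            pairs.add((d["src_nat"][0], d["src_nat"][1]))
        if d["dst_nat"]:
            pairs.add((d["dst_nat"][1], d["dst_nat"][0]))
    inbound = any(d["dst_nat"] for d in descs)
    outbound = any(d["src_nat"] for d in descs)
    any_port = any(d["port_changed"] for d in descs)
    if inbound and outbound and len(pairs) == 1 and not any_port:
        return "static"
    if outbound and any_port:
        return "source-pat"                       # interface or pool based source NAT
    if inbound:
        return "destination"
    return "none"


def initiators(descs):
    """Distinct addresses that opened sessions; two entries means traffic flows both ways."""
    return sorted({d["initiator"] for d in descs})


if __name__ == "__main__":
    descs = [describe_translation(s) for s in parse_sessions(SAMPLE_SESSIONS)]
    print(infer_nat_type(descs), initiators(descs))
```

On the exhibit this yields a single pair 10.1.10.5 <-> 100.0.0.1 rewritten in both directions with unchanged ports, so the NAT type is reported as static, and sessions were initiated both by 1.1.70.6 and by 10.1.10.5, so ICMP is passing in both directions.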
Q15. Click the Exhibit button.
{primary:node0}[edit security idp idp-policy test-ips-policy]
user@host# show
rulebase-ips {
    rule r1 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
        terminal;
    }
    rule r2 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r3 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "TELNET - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r4 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
    }
}
A user with IP address 172.30.1.100 initiates an FTP session to a host with IP address 10.100.1.50 through an SRX Series device and is subject to the IPS policy shown in the exhibit.
If the user tries to execute the cd ~root command, which statement is correct?
A. The FTP command will be denied with the offending packet dropped and the session will be closed by the SRX device.
B. The FTP command will be denied with the offending packet dropped and the rest of the FTP session will be inspected by the IPS policy.
C. The FTP command will be allowed to execute and the rest of the FTP session will be ignored by the IPS policy.
D. The FTP command will be allowed to execute but any other attacks executed during the session will be inspected.
Answer: D