Q1. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not producing the expected results. Part of the configuration is shown in the exhibit. When you run the show route table isp1 command, you do not see the default route listed.
What is causing this behavior?
A. The autonomous system number is incorrect, which is preventing the device from receiving a default route from ISP1.
B. The device is not able to resolve the next-hop.
C. The isp1 routing instance is configured with an incorrect instance-type.
D. The show route table isp1 command does not display the default route unless you add the exact 0.0.0.0/0 option.
Answer: B
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
Q2. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
An attacker is using a nonstandard port for HTTP for reconnaissance into your network. Referring to the exhibit, which two statements are true? (Choose two.)
A. The IPS engine will not detect the application due to the nonstandard port.
B. The IPS engine will detect the application regardless of the nonstandard port.
C. The IPS engine will perform application identification until the session is established.
D. The IPS engine will perform application identification until it processes the first 256 bytes of the packet.
Answer: B,D
Explanation: Reference: https://www.juniper.net/techpubs/en_US/idp/topics/example/simple/intrusion-detection-prevention-idp-rulebase-default-service-usage.html
Q3. For an SRX chassis cluster in transparent mode, which action occurs to signal a high availability failover to neighboring switches?
A. the SRX chassis cluster generates Spanning Tree messages
B. the SRX chassis cluster generates gratuitous ARPs
C. the SRX chassis cluster flaps the former active interfaces
D. the SRX chassis cluster uses IP address monitoring
Answer: C
Reference: http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA246&lpg=PA246&dq=the+SRX+chassis+cluster+flaps+the+former+active+interfaces&source=bl&ots=_eDe_vRMyw&sig=x-Px98kZEi4hZvGflcoybABdMRQ&hl=en&sa=X&ei=iMLzUcDSLcfRrQeQw4CYCA&ved=0CEAQ6AEwBA#v=onepage&q=flap&f=false
Q4. What are two AppSecure modules? (Choose two.)
A. AppDoS
B. AppFlow
C. AppTrack
D. AppNAT
Answer: A,C
Explanation: Reference: Page No 2, Figure 1, http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf
Q5. HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?
A. [edit security flow]
user@srx# show
traceoptions {
    file dump;
    flag basic-datapath;
}
B. [edit security]
user@srx# show
application-tracking {
    enable;
}
flow {
    traceoptions {
        file dump;
        flag basic-datapath;
    }
}
C. [edit firewall filter capture term one]
user@srx# show
from {
    source-address {
        1.1.1.1;
    }
    destination-address {
        2.2.2.2;
    }
    protocol tcp;
}
then {
    port-mirror;
    accept;
}
D. [edit firewall filter capture term one]
user@srx# show
from {
    source-address {
        1.1.1.1;
    }
    destination-address {
        2.2.2.2;
    }
    protocol tcp;
}
then {
    sample;
    accept;
}
Answer: D
Explanation: Reference: http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/
Q6. You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster. Which two statements about the deployment are true? (Choose two.)
A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.
B. The remote clients must install client software to establish a tunnel with the corporate network.
C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.
D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.
Answer: B,D
Explanation: Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf
Q7. Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show
security-package {
    url https://services.netscreen.com/cgi-bin/index.cgi;
    automatic {
        start-time "2012-12-11.01:00:00 +0000";
        interval 120;
        enable;
    }
}
-- Exhibit --
You have configured your SRX device to download and install attack signature updates as shown in the exhibit. You discover that updates are not being downloaded.
What are two reasons for this behavior? (Choose two.)
A. No security policy is configured to allow the SRX device to contact the update server.
B. The SRX device does not have a DNS server configured.
C. The management zone interface does not have an IP address configured.
D. The SRX device has no Internet connectivity.
Answer: B,D
Explanation: The configuration is correct. The only reason is that the SRX device is not able to connect to the definition server.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16491
Q8. You are troubleshooting an SRX240 acting as a NAT translator for transit traffic. Traffic is dropping at the SRX240 in your network. Which three tools would you use to troubleshoot the issue? (Choose three.)
A. security flow traceoptions
B. monitor interface traffic
C. show security flow session
D. monitor traffic interface
E. debug flow basic
Answer: A,B,C
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110
Q9. You are performing AppSecure traffic processing to enforce AppFW.
What happens when traffic matching an established security session is newly detected as a different application?
A. The security processing facility of the data plane re-examines the whitelist or blacklist referenced in the security policy to see if the new application is permitted.
B. The newly detected application will not be permitted and session will be torn down unless a specific match exists against the exempt rulebase.
C. Zone-based firewall rules will be re-parsed to determine if a rule exists that permits the newly detected application.
D. The application will not be permitted if doing so would violate the session limit in the screen properties applied to that zone.
Answer: B
Q10. Your company provides managed services for two customers. Each customer has been segregated within its own routing instance on your SRX device. Customer A and customer B inform you that they need to be able to reach certain hosts on each other's network.
Which two configuration settings would be used to share routes between these routing instances? (Choose two.)
A. routing-group
B. instance-import
C. import-rib
D. next-table
Answer: B,D
Explanation: Reference: http://aconaway.com/2013/03/02/junos-logical-tunnel-interfaces-with-virtual-routers/
Q11. You are asked to allow access to an external application for an internal host subject to address translation. The application requires multiple sessions initiated from the internal host and expects all the sessions to originate from the same source IP address.
Which Junos feature meets this objective?
A. destination NAT with address persistence
B. source NAT with address persistence
C. static NAT with port translation
D. interface-based persistent NAT
Answer: B
Q12. You are using the AppDoS feature to control against malicious bot client attacks. The bot clients are using file downloads to attack your server farm. You have configured a context value rate of 10,000 hits in 60 seconds. At which threshold will the bot clients no longer be classified as malicious?
A. 5000 hits in 60 seconds
B. 8000 hits in 60 seconds
C. 7500 hits in 60 seconds
D. 9999 hits in 60 seconds
Answer: B
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-protection-overview.html
Q13. Your manager asks you to show which attacks have been detected on your SRX Series device using the IPS feature.
Which command would you use to accomplish this task?
A. show security idp attack detail
B. show security idp attack table
C. show security idp memory
D. show security idp counters
Answer: B
Q14. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, the application firewall configuration fails to commit. What must you do to allow the configuration to commit?
A. Each firewall rule set must only have one rule.
B. A firewall rule set cannot mix dynamic applications and dynamic application groups.
C. The action in the rules must be different than the action in the default rule.
D. The action in the default rule must be set to deny.
Answer: C
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/application-firewall-overview.html
Q15. You are asked to apply individual upload and download bandwidth limits to YouTube traffic. Where in the configuration would you create the necessary bandwidth limits?
A. under the [edit security application-firewall] hierarchy
B. under the [edit security policies] hierarchy
C. under the [edit class-of-service] hierarchy
D. under the [edit firewall policer <policer-name>] hierarchy
Answer: D
Explanation: Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/Need-help-with-bandwidth-uploading-downloading-polcier/td-p/146666