Q1. You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s.
Regarding this scenario, which two statements are true? (Choose two.)
A. You must enable data plane logging on the SRX240 devices to generate security policy logs.
B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.
C. IKE logs are written to the kmd log file by default.
D. IPsec logs are written to the kmd log file by default.
Answer: B,D
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506
http://www.google.co.in/url?sa=t&rct=j&q=IKE%20logs%20are%20written%20to%20the%20kmd%20log%20file%20by%20default&source=web&cd=2&ved=0CC8QFjAB&url=http%3A%2F%2Fwww.juniper.net%2Fus%2Fen%2Flocal%2Fpdf%2Fapp-notes%2F3500175-en.pdf&ei=SNHzUZntEcaPrQfnpICYDQ&usg=AFQjCNGb-rMrVcm6cqqBLWDif54CaCTrrw
Q2. You are asked to establish a hub-and-spoke IPsec VPN using your SRX Series device as the hub. All of your spoke devices are third-party devices.
Which statement is correct?
A. You must create a policy-based VPN on the hub device when peering with third-party devices.
B. You must always peer using loopback addresses when using non-Junos devices as your spokes.
C. You must statically configure the next-hop tunnel binding table entries for each of the third-party spoke devices.
D. You must ensure that you are using aggressive mode when incorporating third-party devices as your spokes.
Answer: C
Q3. Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3289542 UP 48d928408940de28 e418fc7702fe483b Main 172.31.50.1
3289543 UP eb45940484082b14 428086b100427326 Main 10.10.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:des/sha1 6d40899b 1360/ unlim - root 500 10.10.50.1
>131073 ESP:des/sha1 5a89400e 1360/ unlim - root 500 10.10.50.1
<131074 ESP:des/sha1 c04046f 1359/ unlim - root 500 172.31.50.1
>131074 ESP:des/sha1 5508946c 1359/ unlim - root 500 172.31.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address Interface State ID Pri Dead
10.40.60.1 st0.0 Init 10.30.50.1 128 35
10.40.60.2 st0.0 Full 10.30.50.1 128 31
[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.
What would you do to resolve this problem?
A. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.
B. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.
C. Configure the st0.0 interface under OSPF as a point-to-point interface.
D. Configure the st0.0 interface under OSPF as an unnumbered interface.
Answer: B
Q4. Click the Exhibit button.
Traffic is being sent from Host-1 to Host-2 through an IPsec VPN. In this process, SRX-2 is using NAT to change the destination address of Host-2 from 192.168.1.1 to 10.60.60.1. SRX-1 uses the 172.31.50.1 address for its tunnel endpoint and SRX-2 uses the 10.10.50.1 address for its tunnel endpoint.
Referring to the exhibit, which statement is true?
A. The security policy on SRX-2 must permit traffic from the 172.31.50.1 destination address.
B. The security policy on SRX-2 must permit traffic from the 10.10.50.1 destination address.
C. The security policy on SRX-2 must permit traffic from the 10.60.60.1 destination address.
D. The security policy on SRX-2 must permit traffic from the 192.168.1.1 destination address.
Answer: C
Q5. Click the Exhibit button.
IPv6 to IPv4 addresses are not being translated as shown in the exhibit. Which two configurations would resolve the problem? (Choose two.)
A. set security nat natv6v4 no-6-frag-header
B. set security nat proxy-arp interface ge-0/0/0.0
C. set security nat source port-randomization disable
D. set security nat proxy-ndp interface ge-0/0/1.0
Answer: D
Q6. What are two network scanning methods? (Choose two.)
A. SYN flood
B. ping of death
C. ping sweep
D. UDP scan
Answer: C,D
Explanation:
The question asks about network scanning, so the correct answers are ping sweep and UDP scan, as both are port scanning types.
Reference: http://althing.cs.dartmouth.edu/local/Network_Scanning_Techniques.pdf
Q7. Which problem is introduced by setting the terminal parameter on an IPS rule?
A. The SRX device will stop IDP processing for future sessions.
B. The SRX device might detect more false positives.
C. The SRX device will terminate the session in which the terminal rule detected the attack.
D. The SRX device might miss attacks.
Answer: D
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42464.html
Q8. Click the Exhibit button.
-- Exhibit --
user@srx240> show route summary
Router ID:
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
Static: 1 routes, 1 active
customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
Static: 1 routes, 1 active
customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
OSPF: 1 routes, 1 active
Static: 1 routes, 1 active
customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
Direct: 2 routes, 2 active
Local: 2 routes, 2 active
Static: 1 routes, 1 active
-- Exhibit --
In the output, how many user-configured routing instances have active routes?
A. 1
B. 2
C. 3
D. 4
Answer: B
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/command-summary/show-route-summary.html#jd0e185
Q9. You have implemented a tunnel in your network using DS-Lite. The tunnel is formed between one of the SRX devices in your network and a DS-Lite-compatible CPE device in your customer's network. Which two statements are true about this scenario? (Choose two.)
A. The SRX device will serve as the softwire initiator and the customer CPE device will serve as the softwire concentrator.
B. The SRX device will serve as the softwire concentrator and the customer CPE device will serve as the softwire initiator.
C. The infrastructure network supporting the tunnel will be based on IPv4.
D. The infrastructure network supporting the tunnel will be based on IPv6.
Answer: B,D
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ipv6-ds-lite-overview.html
Q10. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Host A cannot resolve the www.target.host.com Web page when using its configured DNS server. As shown in the exhibit, Host A's configured DNS server and the Web server hosting the www.target.host.com Web page are in the same subnet. You have verified bidirectional reachability between Host A and the Web server hosting the Web page.
What would cause this behavior on the SRX device in Company B's network?
A. DNS replication is enabled.
B. DNS doctoring is enabled.
C. DNS replication is disabled.
D. DNS doctoring is disabled.
Answer: D
Explanation: Reference: http://www.trapezenetworks.com/techpubs/en_US/junos12.2/topics/concept/dns-alg-nat-doctoring-overview.html
Q11. What are two intrusion protection mechanisms available on SRX Series Services Gateways? (Choose two.)
A. routing update detection
B. traffic anomaly detection
C. NAT anomaly protection
D. DoS protection
Answer: B,D
Explanation:
The Juniper IPS system provides traffic anomaly detection and protection against DoS/DDoS attacks. Reference: http://www.juniper.net/in/en/products-services/software/router-services/ips/
Q12. You are asked to implement the AppFW feature on an SRX Series device. Which three tasks must be performed to make the feature work? (Choose three.)
A. Configure a firewall filter that includes the application-firewall policy.
B. Install an IPS license.
C. Install an AppSecure license.
D. Configure a security policy that includes the application-firewall policy.
E. Configure an application-firewall policy.
Answer: C,D,E
Q13. Which statement is true regarding destination NAT?
A. Destination NAT changes the content of the source IP address field.
B. Destination NAT changes the content of the destination IP address field.
C. Destination NAT matches on the destination IP address and changes the source IP address.
D. Destination NAT matches on the destination IP address and changes the source port.
Answer: B
Q14. You have recently deployed a dynamic VPN. Some remote users are complaining that they cannot authenticate through the SRX device at the corporate network. The SRX device serves as the tunnel endpoint for the dynamic VPN. What are two reasons for this problem? (Choose two.)
A. The supported number of users has been exceeded for the applied license.
B. The users are connecting to the portal using Windows Vista.
C. The SRX device does not have the required user account definitions.
D. The SRX device does not have the required access profile definitions.
Answer: A,D
Explanation:
Reference: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/syslog-messages/index.html?jd0e28566.html http://kb.juniper.net/InfoCenter/index?page=content&id=KB16477
Q15. Click the Exhibit button.
user@host> show interfaces routing-instance all ge* terse
Interface Admin Link Proto Local Instance
ge-0/0/0.0 up up inet 172.16.12.205/24 default
ge-0/0/1.0 up up inet 5.0.0.5/24
iso A
ge-0/0/2.0 up up inet 25.0.0.5/24
iso B
user@host> show security flow session
Session ID: 82274, Policy name: default-policy-00/2, Timeout: 1770, Valid
In: 5.0.0.25/61935 --> 25.0.0.25/23;tcp, If: ge-0/0/1.0, Pkts: 31, Bytes: 1781
Out: 25.0.0.25/23 --> 5.0.0.25/61935;tcp, If: ge-0/0/2.0, Pkts: 23, Bytes: 1452
Total sessions: 3
user@host> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 04:08:52
> to 172.16.12.1 via ge-0/0/0.0
172.16.12.0/24 *[Direct/0] 04:08:52
> via ge-0/0/0.0
172.16.12.205/32 *[Local/0] 4w4d 23:04:29
Local via ge-0/0/0.0
224.0.0.5/32 *[OSPF/10] 14:37:35, metric 1
MultiRecv
A.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.0.0.0/24 *[Direct/0] 00:05:04
> via ge-0/0/1.0
5.0.0.5/32 *[Local/0] 00:05:04
Local via ge-0/0/1.0
25.0.0.0/24 *[Direct/0] 00:02:37
> via ge-0/0/2.0
B.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.0.0.25/32 *[Static/5] 00:02:38
to table A.inet.0
25.0.0.0/24 *[Direct/0] 00:02:37
> via ge-0/0/2.0
25.0.0.5/32 *[Local/0] 00:02:37
Local via ge-0/0/2.0
Which statement is true about the outputs shown in the exhibit?
C. The routing instances A and B are connected using an lt interface.
D. Routing instance A’s routes are shared with routing instance B.
E. Routing instance B’s routes are shared with routing instance A.
F. The routing instances A and B are connected using a vt interface.
Answer: C