Q1. In the IPS packet processing flow on an SRX Series device, when does application identification occur?
A. before fragmentation processing
B. after protocol decoding
C. before SSL decryption
D. after attack signature matching
Answer: A
Q2. Your company's network has seen an increase in Facebook-related traffic. You have been asked to restrict the amount of Facebook-related traffic to less than 100 Mbps regardless of congestion.
What are three components used to accomplish this task? (Choose three.)
A. IDP policy
B. application traffic control
C. application firewall
D. security policy
E. application signature
Answer: B,D,E
Explanation:
An IDP policy defines how your device handles the network traffic. It will not limit the rate. Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/idp-policy-overview-section.html
Application Firewall enforces protocol and policy control at Layer 7. It inspects the actual content of the payload and ensures that it conforms to the policy, rather than limiting the rate.
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/application-firewall-overview.html
Q3. A security administrator has configured an IPsec tunnel between two SRX devices. The devices are configured with OSPF on the st0 interface and an external interface destined to the IPsec endpoint. The administrator notes that the IPsec tunnel and OSPF adjacency keep going up and down. Which action would resolve this issue?
A. Create a firewall filter on the st0 interface to permit IP protocol 89.
B. Configure the IPsec tunnel to accept multicast traffic.
C. Create a /32 static route to the IPsec endpoint through the external interface.
D. Increase the OSPF metric of the external interface.
Answer: C
Explanation: Reference: http://packetsneverlie.blogspot.in/2013/03/route-based-ipsec-vpn-with-ospf.html
Q4. What are the three types of attack objects used in an IPS engine? (Choose three.)
A. signature
B. chargen
C. compound
D. component
E. anomaly
Answer: A,C,E
Explanation: Reference: http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-idp-rulebase-attack-object-using.html
Q5. You are using destination NAT to translate the address of your HTTPS server to a private address on your SRX Series device. You have decided to implement IDP SSL decryption. Upon enabling the decryption, you notice sessions are not decrypted.
Which action resolves the problem?
A. Replace the server SSL certificate to use the public address.
B. Reboot the SRX Series device.
C. Increase the SSL session-id-cache-timeout value to any value greater than 5000 seconds.
D. Enable the IDP sensor-configuration detector to detect address translation.
Answer: D
Q6. Which AppSecure module provides Quality of Service?
A. AppTrack
B. AppFW
C. AppID
D. AppQoS
Answer: D
Q7. Click the Exhibit button.
-- Exhibit --
security {
    nat {
        destination {
            pool Web-Server {
                address 10.0.1.5/32;
            }
            rule-set From-Internet {
                from zone Untrust;
                rule To-Web-Server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 172.16.1.7/32;
                    }
                    then {
                        destination-nat pool Web-Server;
                    }
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
-- Exhibit --
You are migrating from one external address block to a different external address block. You want to enable a smooth transition to the new address block. You temporarily want to allow external users to contact the Web server using both the existing external address as well as the new external address 192.168.1.1.
How do you accomplish this goal?
A. Add address 192.168.1.1/32 under [edit security nat destination pool Web-Server].
B. Change the address Web-Server-Ext objects to be address-set objects that include both addresses.
C. Change the destination address under [edit security nat destination rule-set From-Internet rule To-Web-Server match] to include both 172.16.1.7/32 and 192.168.1.2/32.
D. Create a new rule for the new address in the [edit security nat destination rule-set From-Internet] hierarchy.
Answer: D
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-source-and-destination-nat-translation-configuring.html
Q8. How does the SRX5800, in transparent mode, signal failover to the connected switches?
A. It initiates spanning-tree BPDUs.
B. It sends out gratuitous ARPs.
C. It flaps the impaired interfaces.
D. It uses an IP address monitoring configuration.
Answer: B
Q9. You want to configure in-band management of an SRX device in transparent mode. Which command is required to enable this functionality?
A. set interfaces irb unit 1 family inet address
B. set interfaces vlan unit 1 family inet address
C. set interfaces ge-0/0/0 unit 0 family inet address
D. set interfaces ge-0/0/0 unit 0 family bridge address
Answer: A
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23823
Q10. You are asked to merge the corporate network with the network from a recently acquired company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX device serves as the gateway for each network. Which solution allows you to merge the two networks without adjusting the current address assignments?
A. source NAT
B. persistent NAT
C. double NAT
D. NAT444
Answer: C
Explanation:
Reference: http://class10e.com/juniper/what-should-you-do-to-meet-the-requirements/
Q11. Click the Exhibit button.
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
Application-cache: off
nested-application-cache: on
cache-unknown-result: on
cache-entry-timeout: 3600 seconds
You are using the application identification feature on your SRX Series device. The help desk reports that users are complaining about slow Internet connectivity. You issue the command shown in the exhibit.
What must you do to correct the problem?
A. Modify the configuration with the delete services application-identification no-application-system-cache command and commit the change.
B. Modify the configuration with the delete services application-identification no-clear-application-system-cache command and commit the change.
C. Reboot the SRX Series device.
D. Modify the configuration with the delete services application-identification no-application-identification command and commit the change.
Answer: B
Q12. An SRX Series device is configured for inline tap mode. What will occur if Drop Packet is selected?
A. The SRX Series device drops a matching packet before it can reach its destination but does not close the connection.
B. The SRX Series device will ignore the action Drop Packet.
C. The SRX Series device closes the connection and sends an RST packet to both the client and the server.
D. The SRX Series device drops a matching packet associated with the connection, preventing traffic for the connection from reaching its destination.
Answer: D
Q13. You are asked to configure class of service (CoS) on an SRX device running in transparent mode. Which command would you use?
A. set interfaces ge-0/0/0 unit 0 classifiers dscp priority-app
B. set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp priority-app
C. set class-of-service interfaces ge-0/0/0 unit 0 classifiers ieee-802.1 priority-app
D. set interfaces ge-0/0/0 unit 0 classifiers inet-precedence priority-app
Answer: C
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23234
Q14. You are responding to a proposal request from an enterprise with multiple branch offices. All branch offices connect to a single SRX device at a centralized location. The request requires each office to be segregated on the central SRX device with separate IP networks and security considerations. No single office should be able to starve the CPU from other branch offices on the central SRX device due to the number of flow sessions. However, connectivity between offices must be maintained. Which three features are required to accomplish this goal? (Choose three.)
A. Logical Systems
B. Interconnect Logical System
C. Virtual Tunnel Interface
D. Logical Tunnel Interface
E. Virtual Routing Instance
Answer: A,B,D
Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/logical-systems-interfaces.html
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/logical-systems-config/index.html?topic-57390.html
Q15. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
You have been asked to block YouTube video streaming for internal users. You have implemented the configuration shown in the exhibit; however, users are still able to stream videos.
What must be modified to correct the problem?
A. The application firewall rule needs to be applied to an IDP policy.
B. You must create a custom application to block YouTube streaming.
C. The application firewall rule needs to be applied to the security policy.
D. You must apply the dynamic application to the security policy.
Answer: C
Explanation: Reference: http://www.redelijkheid.com/blog/2013/5/10/configure-application-firewalling-on