Q1. Click the Exhibit button.
-- Exhibit --
[edit forwarding-options]
user@srx240# show
packet-capture {
    file filename my-packet-capture;
    maximum-capture-size 1500;
}
-- Exhibit --
Referring to the exhibit, you are attempting to perform a packet capture on an SRX240 to troubleshoot an SSH issue in your network. However, no information appears in the packet capture file.
Which firewall filter must you apply to the necessary interface to collect data for the packet capture?
A. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then packet-mode;
    }
    term allow-all {
        then accept;
    }
}
B. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            count packet-capture;
        }
    }
    term allow-all {
        then accept;
    }
}
C. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            routing-instance packet-capture;
        }
    }
    term allow-all {
        then accept;
    }
}
D. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            sample;
            accept;
        }
    }
    term allow-all {
        then accept;
    }
}
Answer: D
Q2. You are asked to deploy a group VPN between various sites associated with your company. The gateway devices at the remote locations are SRX240 devices.
Which two statements about the new deployment are true? (Choose two.)
A. The networks at the various sites must use NAT.
B. The participating endpoints in the group VPN can belong to a chassis cluster.
C. The networks at the various sites cannot use NAT.
D. The participating endpoints in the group VPN cannot be part of a chassis cluster.
Answer: C,D
Explanation: Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide_v1.2.pdf
Q3. What is a secure key management protocol used by IPsec?
A. AH
B. ESP
C. TCP
D. IKE
Answer: D
Q4. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. While troubleshooting, you change your filter to forward all traffic to ISP1. However, no traffic is sent to ISP1.
What is causing this behavior?
A. The filter is applied to the wrong interface.
B. The filter should use the next-hop action instead of the routing-instance action.
C. The filter term does not have a required from statement.
D. The filter term does not have the accept statement.
Answer: A
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB24821
Q5. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
TCP traffic sourced from Host A destined for Host B is being redirected using filter-based forwarding to use the Red network. However, return traffic from Host B destined for Host A is using the Blue network and getting dropped by the SRX device.
Which action will resolve the issue?
A. Enable asyncronous-routing under the Blue zone.
B. Configure ge-0/0/1 to belong to the Red zone.
C. Disable RPF checking.
D. Disable TCP sequence checking.
Answer: B
Explanation: Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21046
Q6. Click the Exhibit button.
-- Exhibit --
user@srx# show security datapath-debug
capture-file pkt-cap-file format pcap size 5m;
action-profile {
    pkt-cap-profile {
        event np-ingress {
            packet-dump;
        }
    }
}
packet-filter pkt-filter {
    action-profile pkt-capture;
    source-prefix 1.2.3.4/32;
}
-- Exhibit --
You want to capture transit traffic passing through your SRX3600. You add the configuration shown in the exhibit but do not see entries added to the capture file.
What is causing the problem?
A. You are missing the configuration set security datapath-debug maximum-capture-size 1500.
B. You are missing the configuration set security datapath-debug packet-filter pkt-filter destination-prefix 5.6.7.8/32.
C. You must start the capture from operational mode with the command request security datapath-debug capture start.
D. You must start the capture from operational mode with the command monitor start capture.
Answer: C
Q7. Which two configuration components are required for enabling transparent mode on an SRX device? (Choose two.)
A. IRB
B. bridge domain
C. interface family bridge
D. interface family ethernet-switching
Answer: B,C
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421
Q8. You configured a custom signature attack object to match specific components of an
attack:
HTTP-request
Pattern .*\x90 90 90 … 90 Direction: client-to-server
Which client traffic would be identified as an attack?
A. HTTP GET .*\x90 90 90 … 90
B. HTTP POST .*\x90 90 90 … 90
C. HTTP GET .*x909090 … 90
D. HTTP POST .*x909090 … 90
Answer: A
Explanation: Reference: http://www.juniper.net/techpubs/en_US//idp/topics/task/configuration/intrusion-detection-prevention-signature-attack-object-creating-nsm.html
Q9. Which statement is true regarding the dynamic VPN feature for Junos devices?
A. Only route-based VPNs are supported.
B. Aggressive mode is not supported.
C. Preshared keys for Phase 1 must be used.
D. It is supported on all SRX devices.
Answer: C
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1x45/information-products/pathway-pages/security/security-vpn-dynamic.pdf
Q10. Click the Exhibit button.
user@host> show security flow session extensive
Session ID: 1173, Status: Normal
Flag: 0x0
Policy name: two/6
Source NAT pool: interface, Application: junos-ftp/1
Dynamic application: junos:UNKNOWN,
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 1756
Session State: Valid
Start time: 4859, Duration: 99
   In: 172.20.103.10/56457 --> 10.210.14.130/21;tcp,
    Interface: vlan.103,
    Session token: 0x8, Flag: 0x21
    Route: 0x100010, Gateway: 172.20.103.10, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 12, Bytes: 549
   Out: 10.210.14.130/21 --> 10.210.14.133/18698;tcp,
    Interface: ge-0/0/0.0,
    Session token: 0x7, Flag: 0x20
    Route: 0xf0010, Gateway: 10.210.14.130, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 8, Bytes: 514
Total sessions: 1
A user complains that they are unable to download files using FTP. They are able to connect to the remote site, but cannot download any files. You investigate and execute the show security flow session extensive command to receive the result shown in the exhibit.
What is the cause of the problem?
A. The NAT translation is incorrect.
B. The FTP ALG has been disabled.
C. Passive mode FTP is not enabled.
D. The FTP session is using the wrong port number.
Answer: B
Q11. Which two statements are true regarding DNS doctoring? (Choose two.)
A. DNS doctoring translates the DNS CNAME payload.
B. DNS doctoring for IPv4 is supported on SRX devices.
C. DNS doctoring for IPv4 and IPv6 is supported on SRX devices.
D. DNS doctoring translates the DNS A-record.
Answer: B,D
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-61847.html
Q12. As an SRX administrator, you must find all encrypted sessions on an SRX Series device. Which command would you use to accomplish this task?
A. show security flow session tunnel
B. show security ike tunnel-map
C. show security ike security-associations
D. show security flow session encrypted
Answer: D
Q13. You have an existing group VPN established in your internal network using the group-id 1. You have been asked to configure a second group using the group-id 2. You must ensure that the key server for group 1 participates in group 2 but is not the key server for that group.
Which statement is correct regarding the group configuration on the current key server for group 1?
A. You must configure both groups at the [edit security ipsec vpn] hierarchy.
B. You must configure both groups at the [edit security group-vpn member] hierarchy.
C. You must configure both groups at the [edit security ike] hierarchy.
D. You must configure both groups at the [edit security group-vpn] hierarchy.
Answer: D
Explanation: Reference: http://www.jnpr.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-45791.html
Q14. Which configuration statement would allow the SRX Series device to match a signature only on the first match, and not subsequent signature matches in a connection?
A. user@host# set security idp idp-policy test rulebase-ips rule 1 then action recommended
B. user@host# set security idp idp-policy test rulebase-ips rule 1 then action ignore-connection
C. user@host# set security idp idp-policy test rulebase-ips rule 1 then action no-action
D. user@host# set security idp idp-policy test rulebase-ips rule 1 then action drop-connection
Answer: B
Q15. Which QoS function is supported in transparent mode?
A. 802.1p
B. DSCP
C. IP precedence
D. MPLS EXP
Answer: A
Explanation: Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch06.html