jn0-333 Premium Bundle


Security, Specialist (JNCIS-SEC) Certification Exam

Last update: November 23, 2024

Juniper jn0-333 Free Practice Questions


NEW QUESTION 1
You want to ensure that any certificates used in your IPsec implementation do not expire while in use by your SRX Series devices.
In this scenario, what must be enabled on your devices?

  • A. RSA
  • B. TLS
  • C. SCEP
  • D. CRL

Answer: C

NEW QUESTION 2
A link from the branch SRX Series device chassis cluster to the Internet requires more bandwidth. In this scenario, which command would you issue to begin provisioning a second link?

  • A. set chassis cluster reth-count 2
  • B. set interfaces fab0 fabric-options member-interfaces ge-0/0/1
  • C. set interfaces ge-0/0/1 gigether-options redundant-parent reth1
  • D. set chassis cluster redundancy-group 1 node 1 priority 1

Answer: B

NEW QUESTION 3
In a chassis cluster, which two characteristics are true regarding reth interfaces? (Choose two.)

  • A. A reth interface inherits its failover properties from a redundancy group.
  • B. Reth interfaces must be the same type of interface.
  • C. Reth interfaces must be in the same slots on each node.
  • D. A reth interface goes down if one of its child interfaces becomes unavailable.

Answer: AB

NEW QUESTION 4
Click the Exhibit button.
[Exhibit]
Referring to the exhibit, which statement is true?

  • A. Packets entering the interface are being dropped because of a stateless filter.
  • B. Packets entering the interface matching an ALG are getting dropped.
  • C. TCP packets entering the interface are failing the TCP sequence check.
  • D. Packets entering the interface are getting dropped because the interface is not bound to a zone.

Answer: D

NEW QUESTION 5
Click the Exhibit button.
[Exhibit]
Which feature is enabled with destination NAT as shown in the exhibit?

  • A. NAT overload
  • B. block allocation
  • C. port translation
  • D. NAT hairpinning

Answer: D

NEW QUESTION 6
Your internal webserver uses port 8088 for inbound connections. You want to allow external HTTP traffic to connect to the webserver.
Which two actions would accomplish this task? (Choose two.)

  • A. Create a custom application for port 8088 and create a security policy that permits the custom-http application.
  • B. Remap port 80 to port 8088 in the junos-http application and create a security policy that permits the junos-http application.
  • C. Use destination NAT to remap incoming traffic from port 80 to port 8088.
  • D. Create an Application Layer Gateway to permit HTTP traffic on port 8088.

Answer: AC

NEW QUESTION 7
Which two statements are true about global security policies? (Choose two.)

  • A. Global security policies are evaluated before regular security policies.
  • B. Global security policies can be configured to match addresses across multiple zones.
  • C. Global security policies can match traffic regardless of security zones.
  • D. Global security policies do not support IPv6 traffic.

Answer: BC

NEW QUESTION 8
You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)

  • A. Verify that the IKE gateway proposals on the initiator and responder are the same.
  • B. Verify that the VPN tunnel configuration references the correct IKE gateway.
  • C. Verify that the IKE initiator is configured for main mode.
  • D. Verify that the IPsec policy references the correct IKE proposals.

Answer: AB

NEW QUESTION 9
Click the Exhibit button.
You are trying to create a security policy on your SRX Series device that permits HTTP traffic from your private 172.25.11.0/24 subnet to the Internet. You create a policy named permit-http between the trust and untrust zones that permits HTTP traffic.
When you issue a commit command to apply the configuration changes, the commit fails with the error shown in the exhibit.
Which two actions would correct the error? (Choose two.)
[Exhibit]

  • A. Create a custom application named http at the [edit applications] hierarchy.
  • B. Execute the Junos commit full command to override the error and apply the configuration.
  • C. Modify the security policy to use the built-in junos-http application.
  • D. Issue the rollback 1 command from the top of the configuration hierarchy and attempt the commit again.

Answer: BC

NEW QUESTION 10
Click the Exhibit button.
[Exhibit]
Referring to the exhibit, which statement is true?

  • A. TCP packets entering the interface are failing the TCP sequence check.
  • B. Packets entering the interface are being dropped due to a stateless filter.
  • C. Packets entering the interface are getting dropped because there is no route to the destination.
  • D. Packets entering the interface matching an ALG are getting dropped.

Answer: C

NEW QUESTION 11
Clients at a remote office are accessing a website that is against your company Internet policy. You change the action of the security policy that controls HTTP access from permit to deny on the remote office SRX Series device. After committing the policy change, you notice that new users cannot access the website but users that have existing sessions on the device still have access. You want to block all user sessions immediately.
Which change would you make on the SRX Series device to accomplish this task?

  • A. Add the set security flow tcp-session rst-invalidate-session option to the configuration and commit the change.
  • B. Add the set security policies policy-rematch parameter to the configuration and commit the change.
  • C. Add the security flow tcp-session strict-syn-check option to the configuration and commit the change.
  • D. Issue the commit full command from the top of the configuration hierarchy.

Answer: B

NEW QUESTION 12
What are three valid virtual interface types for a vSRX? (Choose three.)

  • A. SR-IOV
  • B. fxp0
  • C. eth0
  • D. VMXNET 3
  • E. virtio

Answer: ABD

NEW QUESTION 13
You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)

  • A. Verify that the IKE gateway proposals on the initiator and responder are the same.
  • B. Verify that the VPN tunnel configuration references the correct IKE gateway.
  • C. Verify that the IPsec policy references the correct IKE proposals.
  • D. Verify that the IKE initiator is configured for main mode.

Answer: AC

NEW QUESTION 14
Which two statements about security policy actions are true? (Choose two.)

  • A. The log action implies an accept action.
  • B. The log action requires an additional terminating action.
  • C. The count action implies an accept action.
  • D. The count action requires an additional terminating action.

Answer: BD

NEW QUESTION 15
Click the Exhibit button.
You are configuring an OSPF session between two SRX Series devices. The session will not come up. Referring to the exhibit, which configuration change will solve this problem?
[Exhibit]

  • A. Configure a loopback interface and add it to the trust zone.
  • B. Configure the host-inbound-traffic protocols ospf parameter in the trust security zone.
  • C. Configure the application junos-ospf parameter in the allow-trusted-traffic security policy.
  • D. Configure the host-inbound-traffic system-services any-service parameter in the trust security zone.

Answer: A

NEW QUESTION 16
Click the Exhibit button.
[Exhibit]
You are configuring security policies with Junos Space Security Director. Referring to the exhibit, which two statements are true? (Choose two.)

  • A. The host device has three rules assigned to it.
  • B. The policy assigned to the host device is published.
  • C. The policy assigned to the host device requires publishing.
  • D. The host device has two rules assigned to it.

Answer: BD

NEW QUESTION 17
What are two valid zones available on an SRX Series device? (Choose two.)

  • A. security zones
  • B. policy zones
  • C. transit zones
  • D. functional zones

Answer: AD

NEW QUESTION 18
You have configured source NAT with port address translation. You also need to guarantee that the same IP address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.
Which NAT parameter would meet this requirement?

  • A. port block-allocation
  • B. port range twin-port
  • C. address-persistent
  • D. address-pooling paired

Answer: D

NEW QUESTION 19
Click the Exhibit button.
[Exhibit]
Host A is attempting to connect to Host B using the domain name, which is tied to a public IP address. All attempts to connect to Host B have failed. You have examined the configuration on your SRX340 and determined that a NAT policy is required.
Referring to the exhibit, which two NAT types will allow Host A to connect to Host B? (Choose two.)

  • A. source NAT
  • B. NAT-T
  • C. destination NAT
  • D. static NAT

Answer: CD

NEW QUESTION 20
What is the correct ordering of Junos policy evaluation from first to last?

  • A. global policy > zone-based policy > default policy
  • B. default policy > zone-based policy > global policy
  • C. global policy > default policy > zone-based policy
  • D. zone-based policy > global policy > default policy

Answer: D

NEW QUESTION 21
Your network includes IPsec tunnels. One IPsec tunnel transits an SRX Series device with NAT configured. You must ensure that the IPsec tunnels function properly.
Which statement is correct in this scenario?

  • A. Persistent NAT should be enabled.
  • B. NAT-T should be enabled.
  • C. Destination NAT should be configured.
  • D. A source address pool should be configured.

Answer: B

NEW QUESTION 22
Which two modes are supported during the Phase 1 IKE negotiations used to establish an IPsec tunnel? (Choose two.)

  • A. transport mode
  • B. aggressive mode
  • C. main mode
  • D. tunnel mode

Answer: BC

NEW QUESTION 23
You are asked to change when your SRX high availability failover occurs. One network interface is considered more important than others in the high availability configuration. You want to prioritize failover based on the state of that interface.
Which configuration would accomplish this task?

  • A. Create a VRRP group configuration that lists the reth’s IP address as the VIP while using each physical interface that makes up the reth definition of each SRX HA pair.
  • B. Configure IP monitoring of the important interface’s IP address and adjust the heartbeat interval and heartbeat threshold to the shortest settings.
  • C. Create a separate redundancy group to isolate the important interface; set the priority of the new redundancy group to 255.
  • D. Configure interface monitor inside the redundancy group that contains the important physical interface; adjust the weight associated with the monitored interface to 255.

Answer: D

NEW QUESTION 24
......
