JN0-332 (2)

DESCRIPTION

Exam dump for JUNOS-SEC exam

Text of JN0-332 (2)

  • Juniper JN0-332

    JN0-332 Juniper Networks Certified Internet Specialist, SEC (JNCIS-SEC)

    Practice Test
    Version 4.0

  • ActualTests.com

    QUESTION NO: 1

    To verify that traffic is being processed by the correct security policy, which CLI command displays the policy name and the specific traffic processed by the policy?

    A. show security flow session
    B. show security utm content-filtering statistics
    C. show security policies
    D. show security status

    Answer: A

    QUESTION NO: 2

    Which command produces the output shown in the exhibit?

    A. show security sessions
    B. show security flow
    C. show security flow session
    D. show security session log

    Answer: C

    QUESTION NO: 3

    What does a zone contain?

    A. routers
    B. interfaces
    C. routing tables
    D. NAT addresses

    Answer: B

    QUESTION NO: 4

    Which two steps are performed when configuring a zone? (Choose two.)

    A. Define a policy for the zone.
    B. Assign logical interfaces to the zone.
    C. Assign physical interfaces to the zone.
    D. Define the zone as a security or functional zone.

    Answer: B,D

    Juniper JN0-332: Practice Exam

    "Pass Any Exam. Any Time." - www.actualtests.com 2

    QUESTION NO: 5

    What are the two types of zones you can configure? (Choose two.)

    A. system
    B. trusted
    C. functional
    D. security

    Answer: C,D

    QUESTION NO: 6

    What is the purpose of configuring the host-inbound-traffic command on a zone?

    A. to allow inbound Web authentication
    B. to allow all outbound traffic on the untrust zone
    C. to allow all inbound traffic on the untrust zone
    D. to allow specified traffic that terminates on the device

    Answer: D

    QUESTION NO: 7

    To which two zones can you add interfaces? (Choose two.)

    A. system
    B. security
    C. functional
    D. user

    Answer: B,C

    QUESTION NO: 8

    Which statement is true about a logical interface?

    A. A logical interface can belong to multiple zones.
    B. A logical interface can belong to multiple routing instances.
    C. A logical interface can belong to only one routing instance.
    D. All logical interfaces in a routing instance must belong to a single zone.

    Answer: C

    QUESTION NO: 9

    What is the purpose of a zone in the Junos OS?

    A. A zone defines a group of security devices with a common management.
    B. A zone defines the geographic region in which the security device is deployed.
    C. A zone defines a group of network segments with similar security requirements.
    D. A zone defines a group of network segments with similar class-of-service requirements.

    Answer: C

    QUESTION NO: 10

    Which statement is correct for applying the SCREEN named protect to the Public zone?

    A. Option 1
    B. Option 2
    C. Option 3
    D. Option 4

    Answer: C

    QUESTION NO: 11

    Where do you configure SCREEN options?

    A. zones on which an attack might arrive
    B. zones you want to protect from attack
    C. interfaces on which an attack might arrive
    D. interfaces you want to protect from attack

    Answer: A

    QUESTION NO: 12

    What are two types of network reconnaissance attacks? (Choose two.)

    A. IP address sweep
    B. SYN flood
    C. port scanning
    D. SNMP polling request

    Answer: A,C

    QUESTION NO: 13

    Which three IP option fields can an attacker exploit to cause problems in a network? (Choose three.)

    A. loose source routing
    B. timestamp
    C. time-to-live
    D. record route
    E. DSCP

    Answer: A,B,E

    QUESTION NO: 14

    You want to configure a security policy that allows traffic to a particular host. Which step must you perform before committing a configuration with the policy?

    A. Define a static route to the host.
    B. Ensure that the router can ping the host.
    C. Define an address book entry for the host.
    D. Ensure that the router has an ARP entry for the host.

    Answer: C

    QUESTION NO: 15

    After a security policy is applied, which CLI command output will display the policy index number?

    A. show security policy-id
    B. show security flow session summary
    C. show security monitoring
    D. show security policies

    Answer: D

    QUESTION NO: 16

    Which two statements are true for an address book entry? (Choose two.)

    A. An address book entry is defined within a security policy.
    B. An address book entry is defined within a zone.
    C. An address book entry is applied within a security policy.
    D. An address book entry is applied within a zone.

    Answer: B,C

    QUESTION NO: 17

    In the Junos OS, which command do you use to reorder security policies?

    A. replace
    B. rename
    C. insert
    D. before

    Answer: C

    QUESTION NO: 18

    Which two statements describe the purpose of a security policy? (Choose two.)

    A. It enables traffic counting and logging.
    B. It enforces a set of rules for transit traffic.
    C. It controls host inbound services on a zone.
    D. It controls administrator rights to access the device.

    Answer: A,B

    QUESTION NO: 19

    Which two security policy actions are valid? (Choose two.)

    A. deny
    B. discard
    C. reject
    D. close

    Answer: A,C

    QUESTION NO: 20

    Which three match criteria must each security policy include? (Choose three.)

    A. source address
    B. source port
    C. destination address
    D. destination port
    E. application

    Answer: A,C,E

    QUESTION NO: 21

    You are creating a destination NAT rule-set. Which two are valid for use with the from clause? (Choose two.)

    A. security policy
    B. interface
    C. routing-instance
    D. IP address

    Answer: B,C

    QUESTION NO: 22

    Which statement is true regarding proxy ARP?

    A. Proxy ARP is enabled by default on standalone Junos security devices.
    B. Proxy ARP is enabled by default on high-available chassis clusters.
    C. Junos security devices can forward ARP requests to a remote device when proxy ARP is enabled.
    D. Junos security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.

    Answer: D

    QUESTION NO: 23

    Which statement is true about interface-based source NAT?

    A. PAT is a requirement.
    B. It requires you to configure address entries in the junos-nat zone.
    C. It requires you to configure address entries in the junos-global zone.
    D. IP addresses being translated must be in the same subnet as the egress interface.

    Answer: A

    QUESTION NO: 24

    Which two statements are true about pool-based destination NAT? (Choose two.)

    A. It also supports PAT.
    B. PAT is not supported.
    C. It allows the use of an address pool.
    D. It requires you to configure an address in the junos-global zone.

    Answer: A,C

    QUESTION NO: 25

    Which operational command produces the output shown in the exhibit?

    A. show security nat source rule
    B. show route forwarding-table
    C. show security nat source pool all
    D. show security nat source summary

    Answer: D

    QUESTION NO: 26

    For a route-based VPN, which statement is true?

    A. host-inbound-traffic system services ike must be enabled on the st0.x interface.
    B. host-inbound-traffic system services ike must be enabled on both the st0.x interface and the logical interface on which ike terminates.
    C. host-inbound-traffic system services ike must be enabled on the logical interface on which ike terminates.
    D. host-inbound-traffic system services ike is not mandatory for route based VPNs.

    Answer: C

    QUESTION NO: 27

    Which statement is true about the relationship between IKE and IPsec SAs?

    A. Two IPsec SAs can map to a single IKE SA.
    B. Two IKE SAs can map to a single IPsec SA.
    C. When an IKE SA times out, it also tears down the IPsec SA.
    D. When an IPsec SA times out, it also tears down the IKE SA.

    Answer: A

    QUESTION NO: 28

    Regarding secure tunnel (st) interfaces, which statement is true?

    A. You cannot assign st interfaces to a security zone.
    B. You cannot apply static NAT on an st interface logical unit.
    C. st interfaces are optional when configuring a route-based VPN.
    D. A static route can reference the st interface logical unit as the next-hop.

    Answer: D

    QUESTION NO: 29

    You want each IPsec SA to be negotiated over a unique set of Diffie-Hellman exchanges so that even if the IKE key is compromised, subsequent IPsec SAs cannot be compromised. Which IPsec feature would you activate?

    A. main mode IKE exchange
    B. aggressive mode IKE exchange
    C. perfect forward secrecy
    D. VPN monitor

    Answer: C

    QUESTION NO: 30

    For IKE phase 1 negotiations, when is aggressive mode typically used?

    A. when one of the tunnel peers has a