Juniper JN0-533 Exam Questions & Answers
Exam Name: FWV, Specialist (JNCIS-FWV)
Date: 12/13/2013

Number: JN0-533
Passing Score: 800
Time Limit: 120 min
File Version: 45.6

http://www.gratisexam.com/

For Full Set of Questions please visit: http://www.realtests.com/exam/JN0-533.htm

Exam A


Exam B

QUESTION 1
Which ScreenOS security feature helps protect against port scans and denial of service attacks?

A. session-based stateful firewall
B. IPsec VPNs
C. security policies
D. Screen options

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 2
What is the initial default username and password for all ScreenOS devices?

A. administrator/password
B. root/password
C. netscreen/netscreen
D. admin/netscreen1

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 3
What is a virtual system?

A. a mechanism to logically partition a single ScreenOS device into multiple logical devices
B. a collection of subnets and interfaces sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 4
What is a zone?

A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of subnets and interfaces sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks


Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 5
What is the function of NAT?

A. It performs Layer 3 routing.
B. It evaluates and redirects matching traffic into secure tunnels.
C. It provides translation between IP addresses.
D. It performs Layer 2 switching.

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 6
On a ScreenOS device, which word appears at the beginning of configuration commands?

A. set
B. configure
C. enable
D. commit

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 7
Which action does a ScreenOS device perform first when processing a packet?

A. It checks for an existing session.
B. It checks for attacks in the payload.
C. It performs a route lookup.
D. It performs a policy lookup.

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 8
On a ScreenOS device, which three processes does the task CPU handle? (Choose three.)


A. policy evaluation
B. traffic logging
C. session table clean-up
D. management services
E. broadcast packet processing

Correct Answer: BCD
Section: (none)

Explanation/Reference:

QUESTION 9
A ScreenOS device evaluates five primary elements when performing a security policy check on a new session.
Which five elements are evaluated?

A. source IP address, destination IP address, source route, source port, and destination port
B. source IP address, destination IP address, source port, destination port, and protocol
C. source IP address, destination IP address, source port, destination port, and payload
D. destination IP address, source port, destination port, protocol, and payload

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 10
You want to enable IPv6 on your ScreenOS device.
Which command should you use to accomplish this goal?

A. set envar ipv6=enable
B. set ipv6 enable
C. set envar ipv6=yes
D. set ipv6 yes

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 11


Your ScreenOS device does not have a static IP address. You want to be able to access it using its FQDN.
How would you implement this task?

A. Configure a domain in DNS.
B. Configure syslog.
C. Configure SNMP.
D. Configure DDNS.

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 12
You have just installed a new ScreenOS device in your network and you want only a select range of IP addresses to have administrative access to the device.
Which choice will allow you to accomplish this?

A. Configure a manager IP.
B. Configure the management interface.
C. Configure a management IP on the trust interface.
D. Configure new system administrators.

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 13
You have two interfaces in ZoneA and traffic is passing without any policy configured. You want to control the traffic between the two interfaces.
Which two actions will allow this to happen? (Choose two.)

A. Configure interzone blocking on ZoneA and create a policy in that zone to control the traffic.
B. Configure intrazone blocking on ZoneA and create a policy in that zone to control the traffic.
C. Move one of the interfaces to a different zone and create an interzone policy to control the traffic.
D. Move one of the interfaces to a different zone and create an intrazone policy to control the traffic.

Correct Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 14
What is an aggregate interface?

A. An aggregate interface binds two physical interfaces together to create a redundant interface.
B. An aggregate interface binds two or more physical interfaces that share the traffic load.
C. An aggregate interface is the management interface.


D. An aggregate interface is used for VPN tunnels.

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 15
Which two statements are true about redundant interfaces? (Choose two.)

A. You can bind two physical interfaces together to create one redundant interface.
B. Redundant interfaces bind to a security zone; one physical interface acts as the primary interface, and the other physical interface acts as the secondary interface.
C. A redundant interface is the accumulation of two or more physical interfaces that share the same traffic load.
D. A redundant interface is the management interface for bridge mode.

Correct Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 16
Which two actions are performed by a read/write vsys administrator? (Choose two.)

A. View the security associations for all virtual systems.
B. Configure a vsys address book entry.
C. Modify the vsys administrator login name.
D. Modify the vsys read/write administrator password.

Correct Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 17
When you create a new virtual system, which zone is automatically created within the vsys-specific VR?

A. trust zone
B. untrust zone
C. shared zone
D. null zone

Correct Answer: A
Section: (none)

Explanation/Reference:


QUESTION 18
What is the purpose of a virtual system profile?

A. to limit virtual system access
B. to limit virtual system resources
C. to limit the number of virtual system interfaces
D. to limit the number of VPNs

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 19
What is required to route traffic from one virtual system to another virtual system?

A. Configure the same dynamic routing protocol in each virtual system.
B. Configure a virtual system profile with a shared forwarding table.
C. Configure a private virtual router in each virtual system.
D. Configure a shared root-level virtual router.

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 20
Policy-based routing (PBR) policies can be bound to which three ScreenOS objects? (Choose three.)

A. virtual routers
B. interfaces
C. zones
D. security policies
E. virtual system

Correct Answer: ABC
Section: (none)

Explanation/Reference:

QUESTION 21
Policy-based routing consists of which three ScreenOS objects? (Choose three.)

A. extended access lists
B. match groups
C. action groups
D. address books
E. security policy


Correct Answer: ABC
Section: (none)

Explanation/Reference:

QUESTION 22
What are two routing tables contained in a virtual router? (Choose two.)

A. destination-based
B. NHTB
C. source-based
D. zone-based

Correct Answer: AC
Section: (none)

Explanation/Reference:

QUESTION 23
Which dynamic routing protocol does IPv6 use?

A. RIP
B. RIPng
C. OSPFv2
D. NHRP

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 24
A routing table contains an IBGP route, a RIP route, an OSPF external Type 2 route, and an EBGP route for 192.168.0.0/16.
When the router receives traffic destined for, which route will the router use by default?

A. the EBGP route
B. the IBGP route
C. the OSPF route
D. the RIP route

Correct Answer: A
Section: (none)

Explanation/Reference:
A route preference is a weight added to the route that influences the "best path route" traffic takes to reach its destination. When importing or adding a route to the routing table, the Virtual Router uses the following default preference values (a lower value is preferred over a higher value):


Protocol                Default Preference
Connected               0
Static                  20
Auto-Exported           30
EBGP                    40
OSPF                    60
RIP                     100
Imported                140
OSPF External Type 2    200
IBGP                    250

QUESTION 25
A routing table contains an IBGP route for 192.168.0.0/24, a RIP route for 192.168.0.0/23, an OSPF route for 192.168.0.0/22, and a static route for 192.168.0.0/16.
When the router receives traffic destined for 192.168.0.1, which route will the router use?

A. the IBGP route
B. the OSPF route
C. the RIP route
D. the static route

Correct Answer: A
Section: (none)

Explanation/Reference:
The most specific route (the longest prefix match) is chosen.

QUESTION 26
You are troubleshooting telnet traffic destined to IP address 10.10.10.1. You decide to run debug and want to set the flow filter.
Which command will show only the telnet traffic going to the 10.10.10.1 address?

A. ssg5-serial-> set ffilter dst-ip 10.10.10.1
   ssg5-serial-> set ffilter dst-port 23
B. ssg5-serial-> set ffilter dst-ip 10.10.10.1 dst-port 23
C. ssg5-serial-> set ffilter dst-port 23
D. ssg5-serial-> set ffilter dst-ip 10.10.10.1

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 27
You have enabled BGP on your ScreenOS device and configured a single EBGP peer. The CLI shows that the BGP connection is transitioning between the CONNECT and ACTIVE states, but never reaching the ESTABLISHED state.
What are three reasons for this behavior? (Choose three.)

A. The peer is blocking traffic destined for TCP port 179.
B. The peer address is not configured correctly.
C. The enable statement has not been configured for the peer.


D. The peer AS number is not configured correctly.
E. BGP has not been enabled on the virtual router.

Correct Answer: ABD
Section: (none)

Explanation/Reference:

QUESTION 28
You want to set up a last resort route and prevent route lookups in either the source-based routing table or the destination-based routing table.
What should you do?

A. Disable SIBR and create a default route in the trust-vr table using the null interface as the outgoing interface with a higher metric than other routes.
B. Disable SIBR and create a default route in the trust-vr table using the null interface as the outgoing interface with a lower metric than other routes.
C. Enable SIBR and create a default route in the SIBR table using the null interface as the outgoing interface with a higher metric than other routes.
D. Enable SIBR and create a default route in the SIBR table using the null interface as the outgoing interface with a lower metric than other routes.

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 29
You have the following BGP configuration in place to establish a session with a remote peer over your ethernet4 interface.

set vrouter trust-vr protocol bgp 65000
set vrouter trust-vr protocol bgp enable
set vrouter trust-vr protocol bgp neighbor remote-as 65500
set vrouter trust-vr protocol bgp neighbor enable

Which additional statement is necessary to establish the session?

A. set interface protocol bgp enable
B. set interface ethernet4 bgp enable
C. set vrouter trust-vr protocol bgp interface ethernet4
D. set interface ethernet4 protocol bgp

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 30
What are two advantages for using the count parameter on a security policy? (Choose two.)


A. to see any NAT traffic drops for that policy
B. to see how many times users log in to the ScreenOS device
C. to count the total number of bytes of traffic for that policy
D. to see if the policy is temporarily not being used

Correct Answer: CD
Section: (none)

Explanation/Reference:

QUESTION 31
How is the maximum bandwidth pool allocated when all policies share the same priority?

A. first come first served
B. round robin
C. packet DSCP value
D. policy order number

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 32
An SSG5 has a default configuration loaded on it.
Which two statements are correct? (Choose two.)

A. Intrazone blocking is enabled for the trust zone.
B. Intrazone blocking is disabled for the trust zone.
C. Intrazone blocking is enabled for the untrust zone.
D. Intrazone blocking is disabled for the untrust zone.

Correct Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 33
What are three required policy elements? (Choose three.)

A. source address
B. protocol
C. service
D. log
E. destination address

Correct Answer: ACE
Section: (none)


Explanation/Reference:

QUESTION 34
What are three policy types? (Choose three.)

A. destination-based policy
B. intrazone policy
C. source-based policy
D. interzone policy
E. global zone policy

Correct Answer: BDE
Section: (none)

Explanation/Reference:

QUESTION 35
In a policy, which two statements are true about the no-hw-sess command? (Choose two.)

A. It increases the load on the CPU.
B. It is used for debugging.
C. It increases the load on the ASIC card.
D. It reduces the load on the CPU.

Correct Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 36
What is the default timeout for a fully established TCP session?

A. 10 minutes
B. 30 seconds
C. 30 minutes
D. 300 seconds

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 37
Traffic is not passing the ScreenOS device due to an incorrectly configured policy. You must determine exactly which security policy the traffic is using.
Which two CLI commands should be used? (Choose two.)


A. snoop
B. get session
C. debug flow basic
D. get counter stats

Correct Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 38
Given the following output, what do you know about this session?

id /s01,vsys 0,flag 18200450/4004/0083,policy 10,time 5, dip 0 module 0
 if 14(nspflag 0905):10.10.10.10/51112->8.8.8.8/443,6,000000000000,sess token 44,vlan 990,tun 0,vsd 0,route 315,wsf 0
 if 8(nspflag 0904):10.10.10.10/51112<-8.8.8.8/443,6,000000000000,sess token 36,vlan 991,tun 0,vsd 0,route 293,wsf 0

A. The session was denied by policy ID 10.
B. The session was permitted by policy ID 10.
C. The protocol used for this session is UDP protocol 6.
D. This session has already timed out and is pending cleanup out of the session table.

Correct Answer: B
Section: (none)

Explanation/Reference:
You can see "policy 10" in the first line and then traffic going both ways.

QUESTION 39
HostA is in the Trust zone and has an IP address of. ServerA is a Web server in the DMZ zone and has an IP address of.
Which three configuration statements are required to allow traffic from HostA to communicate with ServerA? (Choose three.)

A. ssg5-> set address Trust HostA /32
B. ssg5-> set policy from DMZ to Trust ANY ANY ANY permit
C. ssg5-> set address DMZ ServerA /32
D. ssg5-> set policy from Trust to DMZ HostA ServerA HTTP permit
E. ssg5-> set address Trust HostA /32

Correct Answer: CDE
Section: (none)

Explanation/Reference:

QUESTION 40
You are using debug to determine which policy is used for Web traffic from host 10.20.1.5 to server 10.240.1.100.
Which flow filter will only capture traffic related to this scenario?


A. id:0 src ip 10.20.1.5 dst ip 10.240.1.100
   id:1 src port 80
B. id:0 src ip 10.240.1.100 dst ip 10.20.1.5
   id:1 src port 80
C. id:0 src ip 10.240.1.100 dst ip 10.20.1.5 dst port 80
D. id:0 src ip 10.20.1.5 dst ip 10.240.1.100 dst port 80

Correct Answer: D
Section: (none)

Explanation/Reference:


QUESTION 41
You have only one public IP address available and you must allow external access to three servers on a DMZ network. Which two NAT types would allow you to accomplish your objective? (Choose two.)

A. MIP
B. VIP
C. NAT-dst
D. NAT-src

Correct Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 42
Your ScreenOS device is configured with multiple NAT types.
What is the order of precedence in this situation?

A. interface-based NAT -> VIP -> MIP -> policy-based NAT
B. VIP -> MIP -> policy-based NAT -> interface-based NAT
C. MIP -> VIP -> interface-based NAT -> policy-based NAT
D. MIP -> VIP -> policy-based NAT -> interface-based NAT

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 43
You must translate a range of public IP addresses to a range of internal IP addresses.


Which two mechanisms would you use to accomplish your objective? (Choose two.)

A. MIP using masks
B. VIP using masks
C. policy-based NAT-dst
D. policy-based NAT-src

Correct Answer: AC
Section: (none)

Explanation/Reference:

QUESTION 44
Your ScreenOS device is using NAT.
Which NAT function allows you to use a single IP address from an untrust zone to communicate to multiple IP addresses in a trust zone?

A. NAT-src with PAT enabled
B. NAT-dst with PAT enabled
C. NAT-src using a DIP pool with PAT enabled
D. NAT-dst using a DIP pool with PAT disabled

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 45
Which two statements are true about NAT? (Choose two.)

A. Managed IP is one-to-one address mapping for bidirectional access.
B. Mapped IP is one-to-one address mapping for bidirectional access.
C. Dynamic IP is the public address that can be used for external access to your Web server.
D. Dynamic IP is the public address that internal users can use to access the Internet.

Correct Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 46
Which NAT has bidirectional translation by default?

A. NAT-src
B. NAT-dst
C. VIP
D. MIP

Correct Answer: D


Section: (none)

Explanation/Reference:

QUESTION 47
You are using interface-based NAT for traffic passing from the trust zone to the untrust zone.
What will occur?

A. The source IP address is not translated.
B. The source IP address is translated to the trust interface IP address.
C. The network address and port translation (NAPT) is performed on the loopback interface.
D. The source IP address is translated to the untrust interface IP address.

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 48
You have configured a single-port VIP to forward HTTP traffic from the untrust interface on your ScreenOS device to an internal Web server. You have configured a policy to allow this traffic. Traffic from the untrust interface that matches this policy is unable to connect to the Web server.
What is a solution to this problem?

A. You must reboot the ScreenOS device for the VIP to become active.
B. You must ensure the ScreenOS device has a route to the Web server.
C. You must ensure the Web server is directly connected to the ScreenOS device.
D. You must save the ScreenOS device configuration for the VIP to become active.

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 49
You must verify on your ScreenOS device that you have configured the correct tunnel peer and determine which IKE proposals the remote device is sending and accepting.
Which command should you use?

A. get ike gateway
B. get ike peer
C. get sa active
D. get ike active

Correct Answer: A
Section: (none)

Explanation/Reference:


QUESTION 50
You are building an IPsec VPN and want to authenticate and encrypt the content.
Which two Phase 1/Phase 2 (P1/P2) proposals would achieve this goal? (Choose two.)

A. P1: pre-g5-3des-sha, P2: g5-esp-3des-sha
B. P1: pre-g2-aes128-sha, P2: g5-ah-aes128-sha
C. P1: pre-g5-des-md5, P2: g5-ah-des-md5
D. P1: pre-g2-esp128-sha, P2: g2-esp-aes128-sha

Correct Answer: AD
Section: (none)

Explanation/Reference:
The other choices only have Authentication Headers (AH), which does not encrypt the content.

QUESTION 51
You are configuring a VPN with IKE between headquarters and a branch office that uses a dynamic public IP address.
Which IKE mode should you use?

A. quick mode
B. main mode
C. aggressive mode
D. wizard mode

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 52
Which two statements are true about policy-based VPNs as compared to route-based IPsec VPNs when using ScreenOS devices? (Choose two.)

A. For policy-based IPsec VPNs, you can configure 0.0.0.0/0 as the proxy ID on both VPN gateways regardless of the security policy.
B. For route-based IPsec VPNs, you can configure 0.0.0.0/0 as the proxy ID on both VPN gateways regardless of the security policy.
C. For route-based IPsec VPNs, the proxy ID is derived from the policy.
D. For policy-based IPsec VPNs, the proxy ID is derived from the policy.

Correct Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 53
You want to ensure that the IKE Phase 2 key is totally independent of the IKE Phase 1 key.
Which IKE feature would you enable?


A. Perfect Forward Secrecy
B. Diffie-Hellman Group 5
C. Replay Protection
D. Rekey Protection

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 54
Which two Diffie-Hellman (DH) groups are supported by ScreenOS software? (Choose two.)

A. DH Group 1: 1024-bit
B. DH Group 2: 1024-bit
C. DH Group 5: 1536-bit
D. DH Group 15: 2048-bit

Correct Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 55
How is a route-based VPN different from a policy-based VPN?

A. A route-based VPN requires manual keys for encryption and authentication.
B. A route-based VPN requires static route entries for the remote peer.
C. A route-based VPN is bound to a tunnel interface.
D. A route-based VPN is bound to a loopback interface.

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 56
Which two statements are true about VPN Monitor on a ScreenOS device? (Choose two.)

A. With a route-based VPN failure, VPN Monitor marks the tunnel interface status as down.
B. With a policy-based VPN failure, VPN Monitor marks the tunnel interface status as down.
C. VPN Monitor uses UDP to detect a VPN connection failure.
D. VPN Monitor uses ICMP to detect a VPN connection failure.

Correct Answer: AD
Section: (none)

Explanation/Reference:


QUESTION 57
Which two authentication algorithms does AutoKey IKE use during Phase 1 negotiations? (Choose two.)

A. AES-256
B. SHA2-256
C. MD5
D. 3DES

Correct Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 58
You have created a site-to-site IPsec VPN between two devices. You want to keep the tunnel up at all times, even when no user traffic is using it.
Which two configuration additions will accomplish this goal? (Choose two.)

A. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip
B. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip rekey
C. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip keepalive
D. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip rekey optimized

Correct Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 59
When a new session is created on the primary ScreenOS device, what are two results that happen on the backup device? (Choose two.)

A. Session information is sent in real time from the master to the backup over the HA link.
B. Session update messages are bundled together and sent over every 10 seconds to the backup over the HA link.
C. A session is created on the backup device with a timeout value of 8 times the default.
D. A session is created on the backup device and is completely identical to that of the master's session.

Correct Answer: AC
Section: (none)

Explanation/Reference:

QUESTION 60
Which two statements are true about redundant interfaces on a ScreenOS device? (Choose two.)

A. With two interfaces in a redundant interface, only one link is primary at any given time.
B. On high-end models with multi-ASIC cards, redundant Ethernet ports must be in the same ASIC group.


C. With two interfaces in a redundant interface, both links pass traffic at the same time.
D. On high-end models with multi-ASIC cards, redundant Ethernet ports can be used on different ASIC groups.

Correct Answer: AB
Section: (none)

Explanation/Reference:

QUESTION 61
Which two protocols are used for NSRP IP tracking? (Choose two.)

A. ARP
B. TCP
C. UDP
D. ICMP

Correct Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 62
Which three types of status can a member of an NSRP cluster have? (Choose three.)

A. initial
B. inactive
C. down
D. inoperable
E. primary backup

Correct Answer: ADE
Section: (none)

Explanation/Reference:

QUESTION 63
Which two configuration elements are synchronized between the members of an NSRP cluster? (Choose two.)

A. interface IP addresses
B. hostname
C. track IP configuration
D. static routes

Correct Answer: AD
Section: (none)

Explanation/Reference:


QUESTION 64
The master device in an NSRP cluster experiences an interface failure on a monitored interface.
By default, what happens as a result of this failure?

A. The device enters the Inoperable state.
B. The device enters the IntFailure state.
C. The device's NSRP priority is reduced by 255.
D. The device's NSRP priority is reduced to 10 less than the primary backup.

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 65
What are three valid states for an NSRP member? (Choose three.)

A. backup
B. feasible successor
C. ineligible
D. master
E. standby

Correct Answer: ACD
Section: (none)

Explanation/Reference:

QUESTION 66
While troubleshooting performance issues on your NetScreen cluster, you decide to failover the master device to its redundant peer.
Which two methods will accomplish this task? (Choose two.)

A. Manually disable an NSRP-monitored interface using the set interface <interface> phy link-down command.
B. Manually disable an NSRP-monitored interface using the shutdown interface <interface> command.
C. Force an NSRP failover using the exec nsrp vsd-group <group ID number> mode backup command on the master device.
D. Force an NSRP failover using the exec nsrp vsd-group <group ID number> mode backup command on the backup device.

Correct Answer: AC
Section: (none)

Explanation/Reference:

QUESTION 67
You have been making changes on an NSRP cluster and find that the ScreenOS devices are out of sync. You want to synchronize the devices' configurations together.
Which command and process are needed to accomplish this task?


A. Run the command set nsrp sync global-config check-sum on the local device and then reset the peerdevice.

B. Run the command set nsrp sync global-config save on the backup device and then reset the backup device.C. Run the command exec nsrp sync config save on the peer device and then reset the peer device.D. Run the command exec nsrp sync global-config save on the backup device and then reset the backup

device.

Correct Answer: DSection: (none)Explanation

Explanation/Reference:

QUESTION 68
A monitored interface on a clustered pair of ScreenOS devices goes down and both devices become ineligible to be master of the cluster. As a result, neither device is passing traffic. Which step would have prevented this situation?

A. Configure the initial hold-down time to 10 seconds.
B. Configure the preempt parameter and a higher priority on one of the devices.
C. Configure the lost-heartbeat interval to 1 second.
D. Configure the master-always-exists parameter.

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 69
You are receiving 3000 SYN packets per second from multiple outside sources to the same destination IP address in your network. You want the SYN proxy Screen option to engage when SYN packets exceed 2000 per second, but the SYN proxy is not engaging. What is causing the problem?

A. The SYN packets are being sent to multiple destination ports.
B. The alarm threshold is too high.
C. The destination threshold is too high.
D. The option to only generate alarms without dropping packets is set to ON.

Correct Answer: A
Section: (none)

Explanation/Reference:
The SYN-flood attack threshold counts SYN segments per second to a single destination address and port. A flood spread across several ports can stay below the threshold on every port, so SYN proxying never starts.

QUESTION 70
You have configured deep packet inspection on a ScreenOS device. You have not modified the default threshold values. The device detects a single session that matches an attack. Which two actions can you configure the device to take? (Choose two.)

A. Close the connection and disallow further connections from the client to the server.
B. Close the connection and rate-limit further connections to the server.
C. Discard all additional packets related to the session.
D. Send a TCP RST message to both the client and server.

Correct Answer: CD
Section: (none)

Explanation/Reference:

QUESTION 71
A ScreenOS device detects a large number of sessions that match the same deep inspection attack object. What are two ways to configure the device? (Choose two.)

A. Activate dynamic firewall policies.
B. Close the connection and disallow further connections from the client.
C. Close the connection and rate-limit further connections to the server.
D. Log an alert.

Correct Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 72
The ScreenOS software performs virus scanning for which three protocols? (Choose three.)

A. FTP
B. HTTP
C. HTTPS
D. NetBIOS
E. SMTP

Correct Answer: ABE
Section: (none)

Explanation/Reference:

QUESTION 73
You have configured integrated Web filtering in the ScreenOS software. A URL appears in the blacklist, the whitelist, and a user-defined category. Additionally, the device can obtain categorization information from the SurfControl server. Which configuration will the device use to determine the action to take for Web requests for the URL?

A. the blacklist
B. the SurfControl categorization
C. the user-defined category
D. the whitelist

Correct Answer: A
Section: (none)

Explanation/Reference:
Integrated Web filtering checks the blacklist first, then the whitelist, then user-defined categories, and only then asks the SurfControl server for a category. The first list that contains the URL decides.

QUESTION 74
You have configured integrated Web filtering in the ScreenOS software. You find that users trying to access http://www.example.com are being blocked by your Web-filtering configuration. However, you want all users to be able to access this Web site. What are two methods to allow this traffic? (Choose two.)

A. Configure an SC-CPA exception for the URL.
B. Configure the URL as part of a custom category and allow requests in that category.
C. Configure the URL as part of the blacklist.
D. Configure the URL as part of the whitelist.

Correct Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 75
You want to enable the integrated Web-filtering feature on a ScreenOS device. Which Web-filtering technology would be used?

A. WebSense
B. McAfee
C. Symantec
D. SurfControl

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 76
Which two statements are correct about internal antivirus scanning? (Choose two.)

A. It includes a predefined file extension list for each protocol.
B. It allows you to load-balance ICAP scan servers.
C. It requires you to install a ScreenOS software license.
D. It provides inbound spyware and phishing protection.

Correct Answer: CD
Section: (none)

Explanation/Reference:

QUESTION 77
You want to copy an external configuration file to your ScreenOS device and have it become active only after the device reboots. How would you accomplish this goal?

A. From the device, copy the configuration from an external TFTP server to the device's flash memory.
B. From the device, copy the configuration from an external TFTP server to the device's RAM.
C. From the device, copy the configuration from an external TFTP server and merge it with the current configuration.
D. From the device, copy the configuration from the device's flash memory to an external TFTP server.

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 78
You want to ensure that the ScreenOS device sends alert data to notify the security operations center. Which three log destinations would you set to accomplish your objective? (Choose three.)

A. e-mail
B. SNMP
C. console
D. internal
E. syslog

Correct Answer: ABE
Section: (none)

Explanation/Reference:

QUESTION 79
You want to know the username and IP address of users who logged in to the WebUI. In which log would you find this information?

A. admin log
B. event log
C. traffic log
D. self log

Correct Answer: B
Section: (none)

Explanation/Reference:

QUESTION 80
You manage a ScreenOS device. A user complains that the FTP download speed is slow. You suspect a cable or an interface might be the problem. Which command provides interface error information?

A. show counter flow interface
B. get counter flow interface
C. show counter statistics interface
D. get counter statistics interface

Correct Answer: D
Section: (none)

Explanation/Reference:

QUESTION 81
You want to centralize the logging for all your ScreenOS devices and you must be able to synchronize the logs. Which two actions would you perform to accomplish this? (Choose two.)

A. Enable logging to the console.
B. Enable logging to syslog.
C. Enable NTP and set the time zone to UTC/GMT.
D. Enable logging to the USB.

Correct Answer: BC
Section: (none)

Explanation/Reference:

QUESTION 82
You have lost the admin user password for your NetScreen device. No other user accounts are configured on the device. How would you access the CLI?

A. Log in on the console using the secret name "recovery" and password "netscreen".
B. Send a break to the console during the boot process and modify the configuration registers.
C. Log in on the console using the serial number as the username and password.
D. Log in on the console using the secret name "recovery" and the serial number as the password.

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 83
-- Exhibit --

SSH V2 is active
ns5gt-> get int et1
Interface ethernet1:
  description ethernet1
  number 2, if_info 176, if_index 0, mode nat
  link up, phy-link up/full-duplex
  status change:1, last change:02/06/1997 18:02:32
  vsys Root, zone Trust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 192.168.1.1/24
  *manage ip 192.168.1.1,
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
SSH is enabled
SSH is ready for connections
Maximum sessions: 3
Active sessions: 3

-- Exhibit --

You are the administrator of a NetScreen 5GT. The system administrator cannot use SSH to log in to the NetScreen 5GT. Referring to the exhibit, what is the problem?

A. Interface eth1 does not permit logins using SSH.
B. SSH is not enabled on the NetScreen 5GT.
C. Interface eth1's link status is down.
D. The maximum number of SSH sessions has been used.

Correct Answer: D
Section: (none)

Explanation/Reference:
The last three lines of the exhibit show:
SSH is ready for connections
Maximum sessions: 3
Active sessions: 3

QUESTION 84
-- Exhibit --

set admin name "admin"
set admin password "nOsYMqrbAs/McFsJrs6HwcIt3AF6yn"
set admin user "User1" password "nLZwKErINPPCcphC6sFMXrJ" privilege "read-only"
set admin port 8080
set admin access attempts 5
set admin access lock-on-failure 5
set admin auth web timeout 10
set admin auth server "Local"

-- Exhibit --

User1 wants to create a policy on the ScreenOS device, but is not successful. Referring to the exhibit, what is the problem?

A. The User1 account has been suspended.
B. User1 does not have an account on this device.
C. User1 logged in to the device on the wrong port.
D. User1 does not have the proper permission to create a policy.

Correct Answer: D
Section: (none)

Explanation/Reference:
User1 is defined with privilege "read-only".

QUESTION 85
-- Exhibit --

ns5gt-> get int eth2
Interface ethernet2:
  description ethernet2
  number 8, if_info 704, if_index 0, mode route
  link up, phy-link up/full-duplex
  status change:7, last change:09/26/2012 23:08:22
  vsys Root, zone Untrust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 171.211.111.111/30 mac 0014.f693.edc8
  *manage ip 171.211.111.111, mac 0014.f693.edc8
  route-deny disable
  pmtu-v4 disabled
  ping disabled, telnet enabled, SSH disabled, SNMP disabled
  web enabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled
  PIM: not configured IGMP not configured
  MLD not configured
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled at interface level
  DHCP-server disabled

-- Exhibit --

You are the administrator of a NetScreen 5GT. For troubleshooting purposes, you must be able to ping untrusted interfaces.

Referring to the exhibit, how do you enable ping for interface eth2?

A. ns5gt-> unset int eth2 manage-ip ping
B. ns5gt-> set int eth2 manage ping
C. ns5gt-> enable int eth2 manage ping
D. ns5gt-> set int eth2 manage-ip ping

Correct Answer: B
Section: (none)

Explanation/Reference:
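The two `get int` exhibits above (questions 83 and 85) are the same report read for different fields: management-service flags on the interface and the SSH session counters. The following Python is an added example, not Juniper code and not part of the original page: it parses that report, explains why an SSH login would fail, and emits the `set interface <name> manage <service>` lines for services that are still off. The sample text is the page's own exhibit output, trimmed to the lines the parser reads; the function names are this example's own.

```python
import re

# Constructed sample: the page's `get int` transcripts from questions 83
# and 85, trimmed to the lines this parser reads.
EXHIBIT_Q83 = """\
ns5gt-> get int et1
Interface ethernet1:
  number 2, if_info 176, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  *ip 192.168.1.1/24
  *manage ip 192.168.1.1,
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
SSH is enabled
SSH is ready for connections
Maximum sessions: 3
Active sessions: 3
"""

EXHIBIT_Q85 = """\
ns5gt-> get int eth2
Interface ethernet2:
  number 8, if_info 704, if_index 0, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr
  *ip 171.211.111.111/30 mac 0014.f693.edc8
  *manage ip 171.211.111.111, mac 0014.f693.edc8
  ping disabled, telnet enabled, SSH disabled, SNMP disabled
  web enabled, ident-reset disabled, SSL disabled
"""

# "ping enabled, telnet enabled, SSH disabled, ..." style flags
SERVICE_RE = re.compile(r"\b(ping|telnet|SSH|SNMP|web|SSL) (enabled|disabled)\b")


def parse_get_int(text):
    """Pull the fields a management-access check needs out of `get int`."""
    info = {"name": None, "zone": None, "ip": None, "link_up": None,
            "manage": {}, "ssh_max": None, "ssh_active": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Interface (\S+):", line)
        if m:
            info["name"] = m.group(1)
        m = re.match(r"link (up|down), phy-link (up|down)", line)
        if m:
            info["link_up"] = m.group(1) == "up" and m.group(2) == "up"
        m = re.search(r"\bzone (\S+),", line)
        if m:
            info["zone"] = m.group(1)
        m = re.match(r"\*ip (\S+)", line)
        if m:
            info["ip"] = m.group(1)
        for svc, state in SERVICE_RE.findall(line):
            info["manage"][svc.lower()] = state == "enabled"
        m = re.match(r"(Maximum|Active) sessions: (\d+)", line)
        if m:
            key = "ssh_max" if m.group(1) == "Maximum" else "ssh_active"
            info[key] = int(m.group(2))
    return info


def diagnose_ssh_login(info):
    """Reasons an SSH login through this interface would fail (empty = none found)."""
    findings = []
    if info["link_up"] is False:
        findings.append("interface link is down")
    if not info["manage"].get("ssh", False):
        findings.append("SSH management is not enabled on the interface")
    if (info["ssh_max"] is not None and info["ssh_active"] is not None
            and info["ssh_active"] >= info["ssh_max"]):
        findings.append("all %d SSH sessions are in use" % info["ssh_max"])
    return findings


def manage_commands(info, wanted):
    """ScreenOS commands enabling each wanted management service that the
    parsed interface does not already have on."""
    return ["set interface %s manage %s" % (info["name"], svc)
            for svc in wanted if not info["manage"].get(svc, False)]
```

Run against the question 83 text the only finding is the exhausted session table, which is the page's answer; against the question 85 text `manage_commands(info, ["ping"])` returns the one `set interface ethernet2 manage ping` line.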

QUESTION 86
In the exhibit, eth3/1 is in the client-vr virtual router and eth3/2 is in the server-vr virtual router. Your policies permit all traffic between all zones. You want to ensure Client1 can contact Server1.

In this scenario, which two statements are true? (Choose two.)

A. By default, all interface routes are automatically imported into all virtual routers.
B. You can configure a static route for Server1 in the client-vr virtual router that points to eth3/2.
C. You can configure a static route for Server1 in the client-vr virtual router that points to the server-vr virtual router.
D. You can configure a route export policy to export the route for Server1 to the client-vr virtual router.

Correct Answer: CD
Section: (none)

Explanation/Reference:

QUESTION 87
Users on the 10.10.10.0/24 subnet are reporting connectivity problems. While troubleshooting, you see the output shown in the exhibit. What is the cause of the route flapping?

A. The autonomous system (AS) ID is incorrect.
B. The interface is in the incorrect OSPF area.
C. A duplicate router ID exists in the network.
D. The OSPF neighbors have different hold timer values.

Correct Answer: C
Section: (none)

Explanation/Reference:
Two neighbors in the exhibit advertise the same router ID, 1.1.1.11.

QUESTION 88
Which two statements are true regarding the route shown in the exhibit? (Choose two.)

A. 5.5.5.0/24 was configured as a source route with a next-hop IP address of 1.1.1.1 in the trust-vr.
B. 5.5.5.0/24 was configured as a destination route with a next-hop IP address of 1.1.1.1 in the trust-vr.
C. 5.5.5.0/24 was configured as a SIBR route with a next-hop IP address of 1.1.1.1 in the trust-vr.
D. 5.5.5.0/24 was configured as a permanent source route.

Correct Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 89
Which two statements are true about the default route configuration based on the output shown in the exhibit? (Choose two.)

A. A default route is configured in the trust-vr with a next-hop IP address of 1.1.1.1.
B. A default route is configured in the trust-vr with a next hop of ethernet3/1.
C. A default route is configured in the trust-vr with a next hop of the untrust-vr.
D. A default route is configured in the untrust-vr with a next-hop IP address of 1.1.1.1.

Correct Answer: CD
Section: (none)

Explanation/Reference:

QUESTION 90
You are setting up security policies to allow access to the servers on the 1.1.1.0/24 subnet.

Referring to the exhibit, which two host addresses will be able to access the Web servers using FTP? (Choose two.)

A. 10.1.3.5
B. 10.1.2.1
C. 10.1.2.13
D. 10.1.1.1

Correct Answer: AC
Section: (none)

Explanation/Reference:
10.1.2.1 cannot access the servers because the address object named 10.1.2.0/24 is actually configured with a /32 netmask, so the object covers only the single address 10.1.2.0.

QUESTION 91
Network traffic with a source IP of 192.168.100.60, a destination IP of 8.8.8.8, and a destination port of 80 is sent through the ScreenOS device. The inbound zone is Trust, the outbound zone is Untrust.

Based on the policy configuration shown in the exhibit, what happens to this traffic?

A. The traffic is denied by the default policy.
B. The traffic is denied by policy ID 3.
C. The traffic is permitted by the global policy.
D. The traffic is permitted by policy ID 2.

Correct Answer: C
Section: (none)

Explanation/Reference:
The traffic's source is 192.168.100.60, but policies 1 and 2 match source 192.168.100.50, so neither applies and the lookup falls through to the global policy.

QUESTION 92
Given the policy and address information for the three hosts shown in the exhibit, which two statements are correct? (Choose two.)

A. HTTP traffic from HostC to HostA will be silently discarded.
B. HTTP traffic from HostC to HostA will result in a RST sent to HostC.
C. HTTP traffic from HostA to HostB will be allowed.
D. HTTP traffic from HostA to HostB will be rejected.

Correct Answer: BC
Section: (none)

Explanation/Reference:
The global policy's action is an explicit Reject, not Deny. Reject sends a TCP RST back to the source; Deny drops the packet silently.

QUESTION 93
-- Exhibit --

ssg20-> set address "Trust" "192.168.1.0/32" 10.20.1.0 255.255.255.0
ssg20-> set address "Untrust" "10.204.1.0/24" 10.204.1.0 255.255.255.0
ssg20-> set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.255
ssg20-> get policy id 1
name:"none" (id 1), zone Trust -> Untrust,action Permit, status "enabled"
src "192.168.1.0/32", dst "192.168.1.0/24", serv "FTP"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00000000, session backup: on, idle reset: on
traffic shaping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set

-- Exhibit --

FTP connections from host 10.20.1.10 to server 192.168.1.100 are not working. You produce the output shown in the exhibit. What is causing the traffic problem?

A. The policy's source address is incorrect.
B. The policy's destination address is incorrect.
C. The policy's service is incorrect.
D. The policy does not have the FTP ALG enabled.

Correct Answer: B
Section: (none)

Explanation/Reference:
The destination object named "192.168.1.0/24" is defined with a 255.255.255.255 netmask, so it matches only 192.168.1.0 and not the server at 192.168.1.100. The source object (named "192.168.1.0/32" but defined as 10.20.1.0/24) does cover 10.20.1.10.
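Questions 90 and 93 turn on the same slip: an address object whose name says one prefix while its netmask says another. The following Python is an added example, not Juniper code and not part of the original page. It parses `set address` lines, reports every object whose name (when the name is written as address/prefix) disagrees with the configured network, and checks whether a given source and destination host would actually match a policy's address objects. The sample lines are the three `set address` lines from the question 93 exhibit; the policy dictionary and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the three `set address` lines from the question 93 exhibit.
EXHIBIT = """\
set address "Trust" "192.168.1.0/32" 10.20.1.0 255.255.255.0
set address "Untrust" "10.204.1.0/24" 10.204.1.0 255.255.255.0
set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.255
"""

ADDR_RE = re.compile(
    r'set address "(?P<zone>[^"]+)" "(?P<name>[^"]+)" (?P<ip>[\d.]+) (?P<mask>[\d.]+)')


def parse_addresses(text):
    """Map (zone, name) -> IPv4Network for every `set address` line."""
    objs = {}
    for line in text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            objs[(m["zone"], m["name"])] = ipaddress.IPv4Network(
                "%s/%s" % (m["ip"], m["mask"]), strict=False)
    return objs


def lint_addresses(objs):
    """Flag objects named like address/prefix whose configured network differs
    from the name. Each finding is (zone, name, prefix_in_name, configured_prefix)."""
    problems = []
    for (zone, name), net in objs.items():
        m = re.fullmatch(r"([\d.]+)/(\d+)", name)
        if not m:
            continue  # descriptive names make no claim to check
        named = ipaddress.IPv4Network("%s/%s" % (m.group(1), m.group(2)), strict=False)
        if named != net:
            problems.append((zone, name, named.prefixlen, net.prefixlen))
    return problems


def contains(objs, zone, name, host):
    """True if the host falls inside the named address object."""
    return ipaddress.IPv4Address(host) in objs[(zone, name)]


def policy_would_match(objs, policy, src_host, dst_host):
    """Apply a policy's source and destination objects to one flow.
    `policy` carries the zones and object names from `get policy id N`."""
    return (contains(objs, policy["from"], policy["src"], src_host)
            and contains(objs, policy["to"], policy["dst"], dst_host))


# The policy from the question 93 exhibit, as this example represents it.
POLICY_1 = {"from": "Trust", "to": "Untrust",
            "src": "192.168.1.0/32", "dst": "192.168.1.0/24", "service": "FTP"}
```

On the exhibit the lint reports both mis-named objects, and `policy_would_match` says the 10.20.1.10 to 192.168.1.100 FTP flow does not match policy 1 because only 192.168.1.0 itself falls inside the destination object. Running the same lint over a full `get config` dump before a policy review catches this class of error in bulk.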

QUESTION 94
In the exhibit, you have configured the MIP address 1.1.8.64 on a ScreenOS device.

Which statement is correct?

A. It performs one-to-one address translation and maps 1.1.8.64 to 10.1.10.64.
B. It performs one-to-many address translation and maps 1.1.8.64 to a range from 10.1.10.64 to 10.1.10.71.
C. It performs range address translation and maps 1.1.8.64 to 10.1.10.64, 1.1.8.65 to 10.1.10.65, and so on.
D. It performs address translation using a random IP address from the pool 10.1.10.64/29.

Correct Answer: C
Section: (none)

Explanation/Reference:
The MIP is configured with a /29 (255.255.255.248) netmask, so it maps a block of eight public addresses to eight private addresses, one to one.

QUESTION 95
In the network shown in the exhibit, you have been asked to enable users in the Untrust zone to contact Server1 on TCP port 80 using IP address 1.1.1.1. You also need to allow Server1 to make connections to hosts in the Untrust zone. When Server1 makes connections to the Untrust zone, the source address of its traffic should be translated to 1.1.1.1.

What would you use to configure this behavior?

A. MIP
B. VIP
C. DIP
D. SIBR

Correct Answer: A
Section: (none)

Explanation/Reference:
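Questions 94 and 95 together describe what a MIP is: a fixed, bidirectional one-to-one binding between a public address and a private one, extended to a whole block when a netmask shorter than /32 is given. The following Python is an added example, not Juniper code and not part of the original page: it models a MIP table, enumerates the pairs a /29 entry creates, and translates the destination of inbound packets and the source of outbound ones. The 1.1.8.64/29 to 10.1.10.64 block is from question 94; 1.1.1.1 is the public address from question 95, and 10.1.1.10 is a made-up private address for Server1, which the page does not give.

```python
import ipaddress


class Mip:
    """One MIP entry: a public address (or netmask-sized block) bound to a
    private address (or same-sized block). Inbound packets get their
    destination rewritten public -> private; outbound packets from the
    private side get their source rewritten private -> public."""

    def __init__(self, mip, host, netmask="255.255.255.255"):
        self.pub = ipaddress.IPv4Network("%s/%s" % (mip, netmask), strict=False)
        self.priv = ipaddress.IPv4Network("%s/%s" % (host, netmask), strict=False)
        if self.pub.prefixlen != self.priv.prefixlen:
            raise ValueError("public and private blocks must be the same size")

    def pairs(self):
        """All (public, private) address pairs this entry creates, in order."""
        return [(str(p), str(q)) for p, q in zip(self.pub, self.priv)]

    def inbound(self, dst):
        """New destination for an inbound packet, or None if the entry does not apply."""
        dst = ipaddress.IPv4Address(dst)
        if dst not in self.pub:
            return None
        return str(self.priv[int(dst) - int(self.pub.network_address)])

    def outbound(self, src):
        """New source for an outbound packet, or None if the entry does not apply."""
        src = ipaddress.IPv4Address(src)
        if src not in self.priv:
            return None
        return str(self.pub[int(src) - int(self.priv.network_address)])


def translate(mips, direction, addr):
    """Apply the first matching entry of a MIP table ("in" rewrites the
    destination, "out" rewrites the source); unchanged if none matches."""
    for m in mips:
        new = m.inbound(addr) if direction == "in" else m.outbound(addr)
        if new is not None:
            return new
    return addr


# Question 94: a /29 MIP block. Question 95: a single-address MIP for Server1
# (10.1.1.10 is a constructed private address; the page does not give one).
RANGE_MIP = Mip("1.1.8.64", "10.1.10.64", "255.255.255.248")
SERVER1_MIP = Mip("1.1.1.1", "10.1.1.10")
```

The model makes the difference between the answer choices concrete: `RANGE_MIP.pairs()` is eight fixed pairs, 1.1.8.64 to 10.1.10.64 through 1.1.8.71 to 10.1.10.71, not one-to-many and not a pool. A MIP alone does not admit traffic; the inbound TCP/80 access in question 95 still needs a policy from Untrust to the zone of the MIP.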

QUESTION 96
-- Exhibit --

ssg5(M)-> get conf | incl ethernet1/2
set interface "ethernet1/2" zone "Untrust"
set interface ethernet1/2 ip 10.0.0.1/24
set interface ethernet1/2 route
set interface "ethernet1/2" description "Internet Connection 1"
set interface ethernet1/2 ip manageable
set interface ethernet1/2 manage ping

-- Exhibit --

You need to add a DIP pool to the interface shown in the exhibit. The DIP pool has been assigned the IP addresses 20.20.20.1 through 20.20.20.10.

Which command would you use to accomplish this task?

A. set interface ethernet1/2 ext ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10
B. set interface ethernet1/2 ext ip 10.0.0.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10
C. set interface ethernet1/2 dip 1 20.20.20.1 20.20.20.10
D. set interface ethernet1/2 secondary ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

Correct Answer: A
Section: (none)

Explanation/Reference:

QUESTION 97
-- Exhibit --

ns5gt-> get int
Interfaces in vsys Root:
Name  IP Address       Zone     MAC             VLAN  State  VSD
eth1  192.168.1.1/24   Trust    0014.f693.edc2  -     U      -
eth2  2.2.2.2/30       Untrust  0014.f693.edc8  -     U      -
ns5gt-> get db stream
****** .0: <Trust/ethernet1> packet received [69]******
  ipid = 22281(5709), @059ff214
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet1:192.168.1.102/52380->4.2.2.2/53,17<Root>
  no session found
  flow_first_sanity_check: in <ethernet1>, out <N/A>
  chose interface ethernet1 as incoming nat if.
  flow_first_routing: in <ethernet1>, out <N/A>
  search route to (ethernet1, 192.168.1.102->4.2.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 4.2.2.2->2.2.2.1, to ethernet2
  routed (x_dst_ip 4.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet2
  Permitted by policy 1
  dip id = 2, 192.168.1.102/52380->2.2.2.2/2157
  choose interface ethernet2 as outgoing phy if
  no loop on ifp ethernet2.
  routed (x_dst_ip 4.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet2
  policy search from zone 2-> zone 1

-- Exhibit --

Referring to the debug output shown in the exhibit, which NAT configuration is being used?

A. MIP
B. destination-based NAT
C. source-based NAT
D. VIP

Correct Answer: C
Section: (none)

Explanation/Reference:
The line "dip id = 2, 192.168.1.102/52380->2.2.2.2/2157" shows DIP ID 2 translating the source from 192.168.1.102 to 2.2.2.2, the address of the egress interface ethernet2. The destination 4.2.2.2 is unchanged.
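Reading a `get db stream` flow trace by eye works for one packet; for a capture of many first-packet traces a small parser is faster. The following Python is an added example, not Juniper code and not part of the original page: it pulls the original 5-tuple, the ingress and egress interfaces, the matching policy and any DIP translation out of one trace and names the NAT kind. The sample text is the question 97 trace. The reading of `x_dst_ip` as the post-translation destination (so that a value different from the packet's original destination indicates a MIP or VIP) is this example's assumption; the question 97 trace itself only exercises the DIP path.

```python
import re

# Constructed sample: the `get db stream` trace from the question 97 exhibit.
TRACE = """\
****** .0: <Trust/ethernet1> packet received [69]******
  ipid = 22281(5709), @059ff214
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet1:192.168.1.102/52380->4.2.2.2/53,17<Root>
  no session found
  flow_first_sanity_check: in <ethernet1>, out <N/A>
  chose interface ethernet1 as incoming nat if.
  flow_first_routing: in <ethernet1>, out <N/A>
  search route to (ethernet1, 192.168.1.102->4.2.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 4.2.2.2->2.2.2.1, to ethernet2
  routed (x_dst_ip 4.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet2
  Permitted by policy 1
  dip id = 2, 192.168.1.102/52380->2.2.2.2/2157
  choose interface ethernet2 as outgoing phy if
  no loop on ifp ethernet2.
"""

TUPLE = r"(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+)"
FIRST_RE = re.compile(r"^(\S+?):" + TUPLE + r",(\d+)<")      # ifname:src/sport->dst/dport,proto<vsys>
DIP_RE = re.compile(r"^dip id = (\d+), " + TUPLE)            # orig-src/port->new-src/port
POLICY_RE = re.compile(r"^Permitted by policy (\d+)")
ROUTE_RE = re.compile(r"^routed \(x_dst_ip (\S+)\) from (\S+) .* to (\S+)$")


def nat_from_trace(text):
    """Summarise one first-packet trace: original 5-tuple, policy, egress
    interface, post-route destination and, if present, the DIP translation."""
    r = {"in_if": None, "orig": None, "policy": None, "out_if": None,
         "x_dst": None, "dip_id": None, "new_src": None, "kind": "no NAT seen"}
    for raw in text.splitlines():
        line = raw.strip()
        m = FIRST_RE.match(line)
        if m and r["orig"] is None:
            r["in_if"] = m.group(1)
            r["orig"] = (m.group(2), int(m.group(3)), m.group(4),
                         int(m.group(5)), int(m.group(6)))
        m = POLICY_RE.match(line)
        if m:
            r["policy"] = int(m.group(1))
        m = ROUTE_RE.match(line)
        if m:
            r["x_dst"], r["out_if"] = m.group(1), m.group(3)
        m = DIP_RE.match(line)
        if m:
            r["dip_id"] = int(m.group(1))
            r["new_src"] = (m.group(4), int(m.group(5)))
    if r["orig"]:
        # Assumption of this example: x_dst_ip is the destination after any
        # MIP/VIP rewrite, so a change there means destination NAT.
        if r["x_dst"] and r["x_dst"] != r["orig"][2]:
            r["kind"] = "destination NAT (MIP/VIP)"
        elif r["new_src"] and r["new_src"][0] != r["orig"][0]:
            r["kind"] = "source NAT (DIP %d)" % r["dip_id"]
    return r
```

For the exhibit the parser returns the original tuple 192.168.1.102:52380 to 4.2.2.2:53 over UDP (protocol 17), policy 1, egress ethernet2 and DIP 2 rewriting the source to 2.2.2.2:2157, which is the page's answer.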

QUESTION 98
You configure NAT on your ScreenOS device to route the services shown in the exhibit to the internal addresses. Which commands will you use to configure this scenario?

A. ssg5-> set interface ethernet3 vip 1.1.1.3 53 dns 10.1.1.3
   ssg5-> set interface ethernet3 vip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5983 ldap 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5631 pcanywhere 10.1.1.5
   ssg5-> set interface ethernet3 mip 1.1.1.3 53 dns 10.1.1.3

B. ssg5-> set interface ethernet3 mip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 mip 1.1.1.3 5631 pcanywhere 10.1.1.4
   ssg5-> set interface ethernet3 mip 1.1.1.3 5983 ldap 10.1.1.5
   ssg5-> set interface ethernet3 dip 1.1.1.3 53 dns 10.1.1.3

C. ssg5-> set interface ethernet3 dip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 dip 1.1.1.3 5631 pcanywhere 10.1.1.4
   ssg5-> set interface ethernet3 dip 1.1.1.3 5983 ldap 10.1.1.5
   ssg5-> set interface ethernet3 vip 1.1.1.3 53 dns 10.1.1.3

D. ssg5-> set interface ethernet3 vip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5631 pcanywhere 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5983 ldap 10.1.1.5

Correct Answer: D
Section: (none)

Explanation/Reference:
Forwarding several services on one public address to different internal hosts by destination port is what a VIP does. The other answers mix in MIP or DIP commands, which do not take a port and service.

QUESTION 99
Referring to the output shown in the exhibit, which NAT configuration is being used?

A. interface-based NAT
B. DIP
C. source-based NAT
D. VIP

Correct Answer: D
Section: (none)

Explanation/Reference:
The packet is originally addressed to 2.2.2.2 and its destination is then changed to 192.168.1.4, which is destination translation on the public interface address.

QUESTION 100
Referring to the exhibit, what does the log show?

A. The device is using VIP.
B. The device is using DIP ID 4.
C. The device is using source NAT.
D. The device is using destination NAT.

Correct Answer: C
Section: (none)

Explanation/Reference:
The source IP of the outgoing packets is not the same as the destination IP of the incoming responses.

QUESTION 101
Referring to the exhibit, what is the VPN monitor status?

A. The VPN is active and the peer is down.
B. The VPN is active and VPN Monitor is not configured for the peer.
C. The VPN is active and the peer is up.
D. The VPN is inactive and VPN Monitor is not configured for the peer.

Correct Answer: B
Section: (none)

Explanation/Reference:
"A/-" in the status column shows the SA is active, but the monitor state is unavailable, most likely because the other end is not a ScreenOS device.

QUESTION 102
What is shown in the exhibit?

A. a route-based VPN
B. a global policy
C. a policy-based VPN
D. a policy with counting enabled

Correct Answer: C
Section: (none)

Explanation/Reference:
The "Tunnel" action is specific to a policy-based VPN.

QUESTION 103
The exhibit displays output from the event log of a ScreenOS device.

Given the information shown in the exhibit, which two statements are correct? (Choose two.)

A. The VPN initiator is sending a proxy ID of local 10.20.1.0/24, remote 10.204.1.0/24, service ANY.
B. The VPN contains a proxy ID mismatch.
C. Phase 2 negotiations completed successfully.
D. Phase 1 negotiations completed successfully.

Correct Answer: BD
Section: (none)

Explanation/Reference:

QUESTION 104
Which two statements are true about the exhibit? (Choose two.)

A. It contains information regarding Phase 1 of IPsec.
B. It contains information regarding Phase 2 of IPsec.
C. The VPN is using certificates.
D. The VPN is using preshared keys.

Correct Answer: AD
Section: (none)

Explanation/Reference:

QUESTION 105
-- Exhibit --

NS5200(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, name: 5200
local unit id: 8000208
active units discovered:
index: 0, unit id: 8014208, ctrl mac: 0010db000085, data mac: 0010db000086
index: 1, unit id: 8337344, ctrl mac: 0010db0000c5, data mac: 0010db0000c6
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 200(ms)
master always exist: enabled
group  priority  preempt  holddown  inelig  master  PB      other members
0      50        yes      45        no      myself  8330044
total number of vsd groups: 1
Total iteration= ,time=878546093,max=4900,min=170,average=18
RTO mirror info:
run time object sync: enabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled
nsrp link info:
control channel: ha1 (ifnum: 5) mac: 0010db000085 state: up
data channel: ha2 (ifnum: 6) mac: 0010db000086 state: up
ha secondary path link not available
NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: ethernet2/1(weight 255, UP) ethernet2/3(weight 255, UP) ethernet2/4(weight 255, UP) ethernet2/5(weight 255, UP) ethernet2/2(weight 255, UP)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled
track ip: disabled

-- Exhibit --

Referring to the exhibit, which three statements are true? (Choose three.)

A. This cluster is configured as an active/active cluster.
B. RTO sync is enabled.
C. No secondary path is configured.
D. master-always-exists is enabled.
E. Only one interface is used for both the control and data links.

Correct Answer: BCD
Section: (none)

Explanation/Reference:

QUESTION 106
-- Exhibit --

NSPROD1(M)-> get nsrp ha-link
total_ha_port = 2
probe on ha-link is disabled
unused channel: ethernet8 (ifnum: 11) mac: 0010db1d1e8b state: down
unused channel: ethernet7 (ifnum: 10) mac: 0010db1d1e8a state: down
ha control link not available
ha data link not available
ha secondary path link not available

-- Exhibit --

Referring to the exhibit, both clustered devices are in a master state.

What is the cause of this situation?

A. The cluster is not configured for NSRP.
B. The cluster is in the process of failing over from the primary node to the secondary node.
C. Probes on the HA links have been disabled, causing the HA links to go down.
D. The control and the data link are down.

Correct Answer: D
Section: (none)

Explanation/Reference:
The exhibit shows "ha control link not available" and "ha data link not available". With no HA link, neither unit can hear the other's heartbeats, so each assumes its peer has failed and takes the master role.
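Questions 105 and 106 are both answered by scanning `get nsrp` and `get nsrp ha-link` for a handful of lines: the control and data channel states, whether a secondary path exists, and whether RTO sync and master-always-exist are on. The following Python is an added example, not Juniper code and not part of the original page: it extracts those facts and turns them into the findings an engineer would raise, including the split-brain case from question 106. The samples are the relevant lines of the two exhibits; the finding wording and the function names are this example's own.

```python
import re

# Constructed samples: the relevant lines of the `get nsrp` exhibit from
# question 105 and the `get nsrp ha-link` exhibit from question 106.
GET_NSRP_Q105 = """\
nsrp version: 2.0
cluster id: 1, name: 5200
total number of units: 2
master always exist: enabled
run time object sync: enabled
ping session sync: enabled
control channel: ha1 (ifnum: 5) mac: 0010db000085 state: up
data channel: ha2 (ifnum: 6) mac: 0010db000086 state: up
ha secondary path link not available
NSRP encryption: disabled
NSRP authentication: disabled
config sync: enabled
"""

HA_LINK_Q106 = """\
total_ha_port = 2
probe on ha-link is disabled
unused channel: ethernet8 (ifnum: 11) mac: 0010db1d1e8b state: down
unused channel: ethernet7 (ifnum: 10) mac: 0010db1d1e8a state: down
ha control link not available
ha data link not available
ha secondary path link not available
"""

CHANNEL_RE = re.compile(r"^(control|data) channel: (\S+) .*state: (\w+)$", re.M)


def _tri(text, pattern):
    """True for 'enabled', False for 'disabled', None if the line is absent."""
    m = re.search(pattern, text, re.M)
    return None if not m else m.group(1) == "enabled"


def nsrp_health(text):
    """The facts a failover troubleshooter checks first, from either command's output."""
    h = {"control": None, "data": None, "control_if": None, "data_if": None,
         "secondary_path": "ha secondary path link not available" not in text,
         "rto_sync": _tri(text, r"^run time object sync: (\w+)"),
         "master_always_exist": _tri(text, r"^master always exist: (\w+)"),
         "encryption": _tri(text, r"^NSRP encryption: (\w+)"),
         "authentication": _tri(text, r"^NSRP authentication: (\w+)")}
    for kind, ifname, state in CHANNEL_RE.findall(text):
        h[kind] = state
        h[kind + "_if"] = ifname
    return h


def nsrp_findings(h):
    """Ordered list of problems; link problems come first because they
    explain everything else (including two units both claiming master)."""
    out = []
    if h["control"] != "up" and h["data"] != "up":
        out.append("no HA link is up: each unit will assume its peer is gone and become master")
    elif h["control"] != "up":
        out.append("control link is down")
    elif h["data"] != "up":
        out.append("data link is down")
    elif h["control_if"] == h["data_if"]:
        out.append("control and data share one link: no redundancy for HA traffic")
    if not h["secondary_path"]:
        out.append("no secondary path configured")
    if h["rto_sync"] is False:
        out.append("RTO sync disabled: sessions will not survive a failover")
    if h["master_always_exist"] is False:
        out.append("master-always-exist disabled: a monitor failure on both units leaves no master")
    if h["encryption"] is False or h["authentication"] is False:
        out.append("HA link is not protected (encryption %s, authentication %s)" % (
            "on" if h["encryption"] else "off", "on" if h["authentication"] else "off"))
    return out
```

For the question 105 output the checks confirm answers B, C and D (RTO sync on, no secondary path, master-always-exist on) and rule out E (control on ha1, data on ha2); the one extra finding is that the HA link carries cluster state in the clear. For the question 106 output the first finding is the split-brain condition the question describes. Values that a given command does not print are left as None rather than reported as disabled.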

QUESTION 107
-- Exhibit --

ssg5-> get conf | include syn
set zone untrust screen syn-flood attack-threshold 625
set zone untrust screen syn-flood alarm-threshold 250
set zone untrust screen syn-flood timeout 20
set zone untrust screen syn-flood queue-size 1000
set zone untrust screen syn-flood
set flow syn-proxy syn-cookie

-- Exhibit --

A host in the untrust zone sends 1000 SYN packets in a single second to a host in your trust zone destined for port 80.

Referring to the exhibit, which statement describes the behavior of the ScreenOS device?

A. It will maintain this state for all 1000 connection attempts.
B. It will begin to drop the SYN packets.
C. It will block further connection attempts from this host for 20 seconds.
D. It will reply with SYN-ACK packets.

Correct Answer: D
Section: (none)

Explanation/Reference:
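Questions 69 and 107 are both about which counter each SYN-flood threshold drives: the attack threshold is counted per destination address and port and turns on SYN proxying, the optional source and destination thresholds are counted per source address and per destination address, and the alarm threshold counts proxied SYNs. The following Python is an added example, not Juniper code and not part of the original page: a per-second model of that behaviour as this example understands it (source and destination thresholds are modelled as dropping; with `set flow syn-proxy syn-cookie` the proxied SYN is answered with a SYN-ACK carrying a cookie and no half-open entry is kept). The threshold values come from the two questions; the traffic lists, the addresses (documentation ranges) and the function names are constructed for the example.

```python
from collections import Counter


class SynFloodScreen:
    """One-second model of the ScreenOS SYN-flood screen as this example
    understands it. None for source/destination means that threshold is not set."""

    def __init__(self, attack_threshold, alarm_threshold,
                 source_threshold=None, destination_threshold=None,
                 syn_cookie=False):
        self.attack = attack_threshold            # per (dst ip, dst port): start proxying
        self.alarm = alarm_threshold              # proxied SYNs per second: log an alarm
        self.source = source_threshold            # per src ip: drop beyond this
        self.destination = destination_threshold  # per dst ip, any port: drop beyond this
        self.syn_cookie = syn_cookie

    def process_second(self, syns):
        """syns: iterable of (src_ip, dst_ip, dst_port) seen within one second."""
        per_dst_port, per_dst, per_src = Counter(), Counter(), Counter()
        passed = proxied = dropped = 0
        for src, dst, dport in syns:
            per_src[src] += 1
            per_dst[dst] += 1
            per_dst_port[(dst, dport)] += 1
            if ((self.source is not None and per_src[src] > self.source) or
                    (self.destination is not None and per_dst[dst] > self.destination)):
                dropped += 1
            elif per_dst_port[(dst, dport)] > self.attack:
                proxied += 1   # the device answers this SYN itself
            else:
                passed += 1    # forwarded to the server untouched
        if proxied == 0:
            action = None
        elif self.syn_cookie:
            action = "reply SYN-ACK carrying a SYN cookie; no half-open state kept"
        else:
            action = "reply SYN-ACK and hold the half-open request in the proxy queue"
        return {"passed": passed, "proxied": proxied, "dropped": dropped,
                "proxy_action": action, "alarm": proxied > self.alarm}


# Question 69: 3000 SYN/s to one destination from 30 sources, spread over six
# ports (constructed traffic, documentation address ranges).
Q69_SCREEN = SynFloodScreen(attack_threshold=2000, alarm_threshold=1024)
Q69_SPREAD = [("203.0.113.%d" % (i % 30 + 1), "10.1.1.10", 8000 + i % 6)
              for i in range(3000)]
Q69_ONE_PORT = [(s, d, 80) for s, d, _ in Q69_SPREAD]

# Question 107: the exhibit's thresholds, syn-cookie mode, 1000 SYN/s from one
# host to one server on port 80 (constructed traffic).
Q107_SCREEN = SynFloodScreen(attack_threshold=625, alarm_threshold=250, syn_cookie=True)
Q107_BURST = [("198.51.100.7", "10.1.1.20", 80)] * 1000
```

With the question 69 traffic the per-port counters peak at 500, so nothing is proxied even though 3000 SYNs arrive for one address; put the same traffic on a single port and 1000 of them are proxied. A destination threshold, which counts per address regardless of port, would catch the spread flood, but as a drop rather than a proxy. With the question 107 settings the first 625 SYNs pass, the remaining 375 are answered with cookie-bearing SYN-ACKs, and 375 exceeds the alarm threshold of 250, so an alarm is logged as well.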

QUESTION 108
Given the output shown in the exhibit, which command would you use to view the number of attacks that have been blocked by the Screen options on the Untrust zone?

A. ssg5-> get counter screen interface ethernet2/1
B. ssg5-> get zone Untrust screen
C. ssg5-> get counter screen zone Untrust
D. ssg5-> get counter statistics interface ethernet2/1

Correct Answer: C
Section: (none)

Explanation/Reference:

QUESTION 109
-- Exhibit --

Date        Time      Module  Level  Type   Description
2012-11-30  12:49:41  system  warn   00528  SSH: Password authentication failed for admin user 'firewall-user' at host 10.210.62.67.
2012-11-30  12:49:41  system  warn   00518  ADM: Local admin authentication failed for login name firewall-user: invalid login name
2012-11-30  12:49:28  system  info   00536  IKE 66.129.232.26 Phase 1: Retransmission limit has been reached.
2012-11-30  12:42:23  system  notif  00531  The system clock was updated from primary NTP server type 209.244.0.5 with an adjustment of 234 ms. Authentication was None. Update mode was Automatic

-- Exhibit --

Based on the output shown in the exhibit, in which log were these events displayed?

A. event
B. self
C. login
D. traffic

Correct Answer: A
Section: (none)

Explanation/Reference:
Every entry comes from the system module (admin authentication, IKE, NTP), which is what the event log records; the traffic and self logs hold per-session records.

QUESTION 110
Referring to the exhibit, what does this output show?

A. the number of supported physical interfaces on the device
B. the number of supported route tables on the device
C. the number of supported VRs on the device
D. the amount of system memory on the device

Correct Answer: C
Section: (none)

Explanation/Reference:
