Juniper JN0-332
JN0-332 Juniper Networks Certified Internet
Specialist, SEC (JNCIS-SEC)
Practice Test, Version 4.0
ActualTests.com
QUESTION NO: 1
To verify that traffic is being processed by the correct security policy, which CLI command displays
the policy name and the specific traffic processed by the policy?
A. show security flow session
B. show security utm content-filtering statistics
C. show security policies
D. show security status
Answer: A
QUESTION NO: 2
Which command produces the output shown in the exhibit?
A. show security sessions
B. show security flow
C. show security flow session
D. show security session log
Answer: C
QUESTION NO: 3
What does a zone contain?
A. routers
B. interfaces
C. routing tables
D. NAT addresses
Answer: B
QUESTION NO: 4
Which two steps are performed when configuring a zone? (Choose two.)
A. Define a policy for the zone.
Juniper JN0-332: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 2
B. Assign logical interfaces to the zone.
C. Assign physical interfaces to the zone.
D. Define the zone as a security or functional zone.
Answer: B,D
QUESTION NO: 5
What are the two types of zones you can configure? (Choose two.)
A. system
B. trusted
C. functional
D. security
Answer: C,D
QUESTION NO: 6
What is the purpose of configuring the host-inbound-traffic command on a zone?
A. to allow inbound Web authentication
B. to allow all outbound traffic on the untrust zone
C. to allow all inbound traffic on the untrust zone
D. to allow specified traffic that terminates on the device
Answer: D
QUESTION NO: 7
To which two zones can you add interfaces? (Choose two.)
A. system
B. security
C. functional
D. user
Answer: B,C
QUESTION NO: 8
Which statement is true about a logical interface?
A. A logical interface can belong to multiple zones.
B. A logical interface can belong to multiple routing instances.
C. A logical interface can belong to only one routing instance.
D. All logical interfaces in a routing instance must belong to a single zone.
Answer: C
QUESTION NO: 9
What is the purpose of a zone in the Junos OS?
A. A zone defines a group of security devices with a common management.
B. A zone defines the geographic region in which the security device is deployed.
C. A zone defines a group of network segments with similar security requirements.
D. A zone defines a group of network segments with similar class-of-service requirements.
Answer: C
QUESTION NO: 10
Which statement is correct for applying the SCREEN named protect to the Public zone?
A. Option 1
B. Option 2
C. Option 3
D. Option 4
Answer: C
QUESTION NO: 11
Where do you configure SCREEN options?
A. zones on which an attack might arrive
B. zones you want to protect from attack
C. interfaces on which an attack might arrive
D. interfaces you want to protect from attack
Answer: A
QUESTION NO: 12
What are two types of network reconnaissance attacks? (Choose two.)
A. IP address sweep
B. SYN flood
C. port scanning
D. SNMP polling request
Answer: A,C
QUESTION NO: 13
Which three IP option fields can an attacker exploit to cause problems in a network? (Choose three.)
A. loose source routing
B. timestamp
C. time-to-live
D. record route
E. DSCP
Answer: A,B,E
QUESTION NO: 14
You want to configure a security policy that allows traffic to a particular host. Which step must you perform before committing a configuration with the policy?
A. Define a static route to the host.
B. Ensure that the router can ping the host.
C. Define an address book entry for the host.
D. Ensure that the router has an ARP entry for the host.
Answer: C
QUESTION NO: 15
After a security policy is applied, which CLI command output will display the policy index number?
A. show security policy-id
B. show security flow session summary
C. show security monitoring
D. show security policies
Answer: D
QUESTION NO: 16
Which two statements are true for an address book entry? (Choose two.)
A. An address book entry is defined within a security policy.
B. An address book entry is defined within a zone.
C. An address book entry is applied within a security policy.
D. An address book entry is applied within a zone.
Answer: B,C
QUESTION NO: 17
In the Junos OS, which command do you use to reorder security policies?
A. replace
B. rename
C. insert
D. before
Answer: C
QUESTION NO: 18
Which two statements describe the purpose of a security policy? (Choose two.)
A. It enables traffic counting and logging.
B. It enforces a set of rules for transit traffic.
C. It controls host inbound services on a zone.
D. It controls administrator rights to access the device.
Answer: A,B
QUESTION NO: 19
Which two security policy actions are valid? (Choose two.)
A. deny
B. discard
C. reject
D. close
Answer: A,C
QUESTION NO: 20
Which three match criteria must each security policy include? (Choose three.)
A. source address
B. source port
C. destination address
D. destination port
E. application
Answer: A,C,E
QUESTION NO: 21
You are creating a destination NAT rule-set. Which two are valid for use with the from clause? (Choose two.)
A. security policy
B. interface
C. routing-instance
D. IP address
Answer: B,C
QUESTION NO: 22
Which statement is true regarding proxy ARP?
A. Proxy ARP is enabled by default on standalone Junos security devices.
B. Proxy ARP is enabled by default on high-available chassis clusters.
C. Junos security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. Junos security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.
Answer: D
QUESTION NO: 23
Which statement is true about interface-based source NAT?
A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. IP addresses being translated must be in the same subnet as the egress interface.
Answer: A
QUESTION NO: 24
Which two statements are true about pool-based destination NAT? (Choose two.)
A. It also supports PAT.
B. PAT is not supported.
C. It allows the use of an address pool.
D. It requires you to configure an address in the junos-global zone.
Answer: A,C
QUESTION NO: 25
Which operational command produces the output shown in the exhibit?
A. show security nat source rule
B. show route forwarding-table
C. show security nat source pool all
D. show security nat source summary
Answer: D
QUESTION NO: 26
For a route-based VPN, which statement is true?
A. host-inbound-traffic system services ike must be enabled on the st0.x interface.
B. host-inbound-traffic system services ike must be enabled on both the st0.x interface and the logical interface on which ike terminates.
C. host-inbound-traffic system services ike must be enabled on the logical interface on which ike terminates.
D. host-inbound-traffic system services ike is not mandatory for route based VPNs.
Answer: C
QUESTION NO: 27
Which statement is true about the relationship between IKE and IPsec SAs?
A. Two IPsec SAs can map to a single IKE SA.
B. Two IKE SAs can map to a single IPsec SA.
C. When an IKE SA times out, it also tears down the IPsec SA.
D. When an IPsec SA times out, it also tears down the IKE SA.
Answer: A
QUESTION NO: 28
Regarding secure tunnel (st) interfaces, which statement is true?
A. You cannot assign st interfaces to a security zone.
B. You cannot apply static NAT on an st interface logical unit.
C. st interfaces are optional when configuring a route-based VPN.
D. A static route can reference the st interface logical unit as the next-hop.
Answer: D
QUESTION NO: 29
You want each IPsec SA to be negotiated over a unique set of Diffie-Hellman exchanges so that even if the IKE key is compromised, subsequent IPsec SAs cannot be compromised.
Which IPsec feature would you activate?
A. main mode IKE exchange
B. aggressive mode IKE exchange
C. perfect forward secrecy
D. VPN monitor
Answer: C
QUESTION NO: 30
For IKE phase 1 negotiations, when is aggressive mode typically used?
A. when one of the tunnel peers has a dynamic IP address
B. when one of the tunnel peers wants to force main mode to be used
C. when fragmentation of the IKE packet is required between the two peers
D. when one of the tunnel peers wants to specify a different phase 1 proposal
Answer: A
QUESTION NO: 31
You have been tasked with installing two SRX5600 platforms in a high-availability cluster. Which requirement must be met for a successful installation?
A. You must enable SPC detect within the configuration.
B. You must enable active-active failover for redundancy.
C. You must ensure all SPCs use the same slot placement.
D. You must configure auto-negotiation on the control ports of both devices.
Answer: C
QUESTION NO: 32
When applying the configuration in the exhibit and initializing a chassis cluster, which statement is correct?
A. Three physical interfaces are redundant.
B. You must define an additional redundancy group.
C. node 0 will immediately become primary for redundancy group 1.
D. You must issue an operational command and reboot the system for the above configuration to take effect.
Answer: D
QUESTION NO: 33
What are three benefits of using chassis clustering? (Choose three.)
A. Provides stateful session failover for sessions.
B. Increases security capabilities for IPsec sessions.
C. Provides active-passive control and data plane redundancy.
D. Enables automated fast-reroute capabilities.
E. Synchronizes configuration files and session state.
Answer: A,C,E
QUESTION NO: 34
What are two interfaces created when enabling a chassis cluster? (Choose two.)
A. st0
B. fxp1
C. fab0
D. reth0
Answer: C,D
QUESTION NO: 35
Which three components can be downloaded and installed directly from the Juniper Networks update server to an SRX Series device? (Choose three.)
A. signature package
B. PCRE package
C. detector engine
D. policy templates
E. dynamic attack detection package
Answer: A,C,D
QUESTION NO: 36
Which two statements are true regarding IDP? (Choose two.)
A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
Answer: A,D
QUESTION NO: 37
Which two statements are true regarding firewall user authentication? (Choose two.)
A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the Junos security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote networks.
Answer: A,D
QUESTION NO: 38
Which two external authentication server types are supported by the Junos OS for firewall user authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Answer: A,C
QUESTION NO: 39
Which type of logging is supported for UTM logging to an external syslog server on branch SRX Series devices?
A. binary syslog
B. CHARGEN
C. WELF (structured) syslog
D. standard (unstructured) syslog
Answer: C
QUESTION NO: 40
Which two statements describe full file-based antivirus protection? (Choose two.)
A. By default, the signature database is updated every 60 minutes.
B. By default, the signature database is updated once daily.
C. The signature database targets only critical viruses and malware.
D. The signature database can detect polymorphic virus types.
Answer: A,D
QUESTION NO: 41
What would the configuration shown in the exhibit enforce?
A. All traffic of MIME type video will be scanned.
B. All traffic of MIME type video will not be scanned.
C. All traffic of MIME type video/mpeg will be scanned.
D. All traffic of MIME type video/mpeg will not be scanned.
Answer: C
QUESTION NO: 42
If the policy server becomes unreachable, which two actions are available for connections that should be inspected by Web filtering when using integrated or redirect Web filtering? (Choose two.)
A. Permit connections with logging.
B. Drop connections.
C. Redirect connections to a different policy server.
D. Use the existing Web cache.
Answer: A,B
QUESTION NO: 43
Which statement is true about blacklists?
A. Blacklists can be created by creating a url-pattern and then associating the url-pattern with a url-blacklist.
B. Blacklists can be created by creating a url-pattern, associating the url-pattern with a custom-url-category, and then associating the custom-url-category with a url-blacklist.
C. Blacklists are defined as a separate list and need not be associated with a URL category.
D. Blacklists can be associated with either a custom-url-category or a url-pattern.
Answer: C
QUESTION NO: 44
Regarding zone types, which statement is true?
A. You cannot assign an interface to a functional zone.
B. You can specify a functional zone in a security policy.
C. Security zones must have a scheduler applied.
D. You can use a security zone for traffic destined for the device itself.
Answer: D
QUESTION NO: 45
Regarding attacks, which statement is correct?
A. Both DoS and propagation attacks exploit and take control of all unprotected network devices.
B. Propagation attacks focus on suspicious packet formation using the DoS SYN-ACK-ACK proxy flood.
C. DoS attacks are directed at the network protection devices, while propagation attacks are directed at the servers.
D. DoS attacks are exploits in nature, while propagation attacks use trust relationships to take control of the devices.
Answer: D
QUESTION NO: 46
Click the Exhibit button.
[edit schedulers]
user@host# show
scheduler now {
    monday all-day;
    tuesday exclude;
    wednesday {
        start-time 07:00:00 stop-time 18:00:00;
    }
    thursday {
        start-time 07:00:00 stop-time 18:00:00;
    }
}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
    match {
        source-address PrivateHosts;
        destination-address ExtServers;
        application ExtApps;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn myTunnel;
            }
        }
    }
    scheduler-name now;
}
Based on the configuration shown in the exhibit, what are the actions of the security policy?
A. The policy will always permit transit packets and use the IPsec VPN myTunnel.
B. The policy will permit transit packets only on Monday, and use the IPsec VPN Mytunnel.
C. The policy will permit transit packets and use the IPsec VPN myTunnel all day Monday, Wednesday 7am to 6pm, and Thursday 7am to 6pm.
D. The policy will always permit transit packets, but will only use the IPsec VPN myTunnel all day Monday, Wednesday 7am to 6pm, and Thursday 7am to 6pm.
Answer: C
QUESTION NO: 47
Which two statements are true regarding proxy ARP? (Choose two.)
A. Proxy ARP is enabled by default.
B. Proxy ARP is not enabled by default.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.
Answer: B,D
QUESTION NO: 48
Which statement regarding the implementation of an IDP policy template is true?
A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.
Answer: B
QUESTION NO: 49
Click the Exhibit button.
[edit groups]
user@host# show
node0 {
    system {
        host-name NODE0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 1.1.1.1/24;
                }
            }
        }
    }
}
node1 {
    system {
        host-name NODE1;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 1.1.1.2/24;
                }
            }
        }
    }
}
In the exhibit, what is the function of the configuration statements?
A. This section is where you define all chassis clustering configuration.
B. This configuration is required for members of a chassis cluster to talk to each other.
C. You can apply this configuration in the chassis cluster to make configuration easier.
D. This section is where unique node configuration is applied.
Answer: D
QUESTION NO: 50
Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)
A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. JUNOS Software for security platforms does not forward traffic by default; a traditional router forwards traffic by default.
C. JUNOS Software for security platforms uses session-based forwarding; a traditional router uses packet-based forwarding.
D. JUNOS Software for security platforms performs route lookup for every packet; a traditional router performs route lookup only for the first packet.
Answer: B,C
QUESTION NO: 51
Which two statements describe the difference between JUNOS Software for security platforms and a traditional router? (Choose two.)
A. JUNOS Software for security platforms supports NAT and PAT; a traditional router does not support NAT or PAT.
B. JUNOS Software for security platforms secures traffic by default; a traditional router does not secure traffic by default.
C. JUNOS Software for security platforms allows for session-based forwarding; a traditional router uses packet-based forwarding.
D. JUNOS Software for security platforms separates broadcast domains; a traditional router does not separate broadcast domains.
Answer: B,C
QUESTION NO: 52
A traditional router is better suited than a firewall device for which function?
A. VPN establishment
B. packet-based forwarding
C. stateful packet processing
D. Network Address Translation
Answer: B
QUESTION NO: 53
Which three functions are provided by JUNOS Software for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Answer: A,D,E
QUESTION NO: 54
What are two components of the JUNOS Software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes
Answer: B,C
QUESTION NO: 55
Which two functions of JUNOS Software are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Answer: A,D
QUESTION NO: 56
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host
B. These connections are the only communication between Host A and Host B. The security policy
configuration permits both connections.
How many flows exist between Host A and Host B?
A. 1
B. 2
C. 3
D. 4
Answer: D
QUESTION NO: 57
Which two statements about JUNOS Software packet handling are correct? (Choose two.)
A. JUNOS Software applies service ALGs only for the first packet of a flow.
B. JUNOS Software uses fast-path processing only for the first packet of a flow.
C. JUNOS Software performs route and policy lookup only for the first packet of a flow.
D. JUNOS Software applies SCREEN options for both first and consecutive packets of a flow.
Answer: C,D
QUESTION NO: 58
In JUNOS Software, which three packet elements can be inspected to determine if a session
already exists? (Choose three.)
A. IP protocol
B. IP time-to-live
C. source and destination IP address
D. source and destination MAC address
E. source and destination TCP/UDP port
Answer: A,C,E
QUESTION NO: 59
By default, which condition would cause a session to be removed from the session table?
A. Route entry for the session changed.
B. Security policy for the session changed.
C. The ARP table entry for the source IP address timed out.
D. No traffic matched the session during the timeout period.
Answer: D
QUESTION NO: 60
What is the default session timeout for UDP sessions?
A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes
Answer: B
QUESTION NO: 61
What is the purpose of a zone in JUNOS Software?
A. A zone defines a group of security devices with a common management.
B. A zone defines the geographic region in which the security device is deployed.
C. A zone defines a group of network segments with similar security requirements.
D. A zone defines a group of network segments with similar class-of-service requirements.
Answer: C
QUESTION NO: 62
Users can define policy to control traffic flow between which two components? (Choose two.)
A. from a zone to the device itself
B. from a zone to the same zone
C. from a zone to a different zone
D. from one interface to another interface
Answer: B,C
QUESTION NO: 63
Which two configurations are valid? (Choose two.)
A. [edit security zones]
user@host# show
security-zone red {
    interfaces {
        ge-0/0/1.0;
        ge-0/0/3.0;
    }
}
security-zone blue {
    interfaces {
        ge-0/0/2.0;
        ge-0/0/3.102;
    }
}
B. [edit security zones]
user@host# show
security-zone red {
    interfaces {
        ge-0/0/1.0;
        ge-0/0/2.0;
    }
}
security-zone blue {
    interfaces {
        ge-0/0/1.0;
        ge-0/0/3.0;
    }
}
C. [edit routing-instances]
user@host# show
red {
    interface ge-0/0/3.0;
    interface ge-0/0/2.102;
}
blue {
    interface ge-0/0/0.0;
    interface ge-0/0/3.0;
}
D. [edit routing-instances]
user@host# show
red {
    interface ge-0/0/3.0;
    interface ge-0/0/3.102;
}
blue {
    interface ge-0/0/0.0;
    interface ge-0/0/2.0;
}
Answer: A,D
QUESTION NO: 64
Which two configuration options must be present for IPv4 transit traffic to pass between the ge-0/0/0.0 and ge-0/0/2.0 interfaces? (Choose two.)
A. family inet
B. a security zone
C. a routing instance
D. host-inbound-traffic
Answer: A,B
QUESTION NO: 65
Which zone is a system-defined zone?
A. null zone
B. trust zone
C. untrust zone
D. management zone
Answer: A
QUESTION NO: 66
Which type of zone is used by traffic transiting the device?
A. transit zone
B. default zone
C. security zone
D. functional zone
Answer: C
QUESTION NO: 67
You want to allow your device to establish OSPF adjacencies with a neighboring device
connected to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone.
Under which configuration hierarchy must you permit OSPF traffic?
A. [edit security policies from-zone HR to-zone HR]
B. [edit security zones functional-zone management protocols]
C. [edit security zones protocol-zone HR host-inbound-traffic]
D. [edit security zones security-zone HR host-inbound-traffic protocols]
Answer: D
QUESTION NO: 68
Which two statements regarding firewall user authentication client groups are true? (Choose two.)
A. Individual clients are configured under client groups in the configuration hierarchy.
B. Client groups are configured under individual clients in the configuration hierarchy.
C. Client groups are referenced in security policy in the same manner in which individual clients are referenced.
D. Client groups are used to simplify configuration by enabling firewall user authentication without security policy.
Answer: B,C
QUESTION NO: 69
You want to allow all hosts on interface ge-0/0/0.0 to be able to ping the device's ge-0/0/0.0 IP address.
Where do you configure this functionality?
A. [edit interfaces]
B. [edit security zones]
C. [edit system services]
D. [edit security interfaces]
Answer: B
QUESTION NO: 70
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface
to that zone.
From the [edit] hierarchy, which command do you use to configure this assignment?
A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0
Answer: C
QUESTION NO: 71
You are not able to telnet to the interface IP address of your device from a PC on the same subnet.
What is causing the problem?
A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.
Answer: D
QUESTION NO: 72
Click the Exhibit button.
Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.
What is causing the problem?
A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.
Answer: D
QUESTION NO: 73
Click the Exhibit button.
Based on the exhibit, client PC 192.168.10.10 cannot ping 1.1.1.2.
Which is a potential cause for this problem?
A. The untrust zone does not have a management policy configured.
B. The trust zone does not have ping enabled as a host-inbound-traffic service.
C. The security policy from the trust zone to the untrust zone does not permit ping.
D. No security policy exists for the ICMP reply packet from the untrust zone to the trust zone.
Answer: C
QUESTION NO: 74
Click the Exhibit button.
[edit security zones security-zone HR]
user@host# show
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        https;
    }
}
interfaces {
    ge-0/0/0.0;
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-0/0/2.0 {
        host-inbound-traffic {
            system-services {
                ping;
                ftp;
            }
        }
    }
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                all;
                ssh {
                    except;
                }
            }
        }
    }
}
All system services have been enabled.
Given the configuration shown in the exhibit, which interface allows both ping and SSH traffic?
A. ge-0/0/0.0
B. ge-0/0/1.0
C. ge-0/0/2.0
D. ge-0/0/3.0
Answer: A
QUESTION NO: 75
Click the Exhibit button.
user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : bgp ospf
Which configuration would result in the output shown in the exhibit?
A. [edit security zones functional-zone management]
user@host# show
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            protocols {
                bgp;
                ospf;
                vrrp;
            }
        }
    }
}
host-inbound-traffic {
    protocols {
        all;
        vrrp {
            except;
        }
    }
}
B. [edit security zones functional-zone management]
user@host# show
host-inbound-traffic {
    protocols {
        bgp;
        ospf;
    }
}
C. [edit security zones security-zone trust]
user@host# show
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            protocols {
                ospf;
                bgp;
            }
        }
    }
}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    protocols {
        bgp;
    }
}
interfaces {
    all {
        host-inbound-traffic {
            protocols {
                ospf;
            }
        }
    }
}
Answer: C
QUESTION NO: 76
Click the Exhibit button.
user@host> show interfaces ge-0/0/0.0 | match host-inbound
Allowed host-inbound traffic : ping ssh telnet
Which configuration would result in the output shown in the exhibit?
A. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    system-services {
        ping;
        telnet;
    }
}
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                ssh;
                telnet;
            }
        }
    }
}
B. [edit security zones functional-zone management]
user@host# show
interfaces {
    all;
}
host-inbound-traffic {
    system-services {
        all;
        ftp {
            except;
        }
    }
}
C. [edit security zones functional-zone management]
user@host# show
interfaces {
    all {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
}
host-inbound-traffic {
    system-services {
        telnet;
        ssh;
    }
}
D. [edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
    system-services {
        ssh;
        ping;
        telnet;
    }
}
interfaces {
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-0/0/0.0;
}
Answer: D
QUESTION NO: 77
Click the Exhibit button.
[edit security]
user@host# show
zones {
    security-zone ZoneA {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
    }
    security-zone ZoneB {
        interfaces {
            ge-0/0/3.0;
        }
    }
}
policies {
    from-zone ZoneA to-zone ZoneB {
        policy A-to-B {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet
connection to the device's ge-0/0/1.0 IP address.
What does the device do?
A. The device sends back a TCP reset packet.
B. The device silently discards the packet.
C. The device forwards the packet out the ge-0/0/1.0 interface.
D. The device responds with a TCP SYN/ACK packet and opens the connection.
Answer: B
QUESTION NO: 78
Which two commands can be used to monitor firewall user authentication? (Choose two.)
A. show access firewall-authentication
B. show security firewall-authentication users
C. show security audit log
D. show security firewall-authentication history
Answer: B,D
QUESTION NO: 79
Which two statements regarding external authentication servers for firewall user authentication are true? (Choose two.)
A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured authentication server is unreachable, authentication is not performed.
D. If the local password database is not configured in the authentication order, and the configured authentication server rejects the authentication request, authentication is not performed.
Answer: B,D
QUESTION NO: 80
Which two external authentication server types are supported by JUNOS Software for
firewall user authentication? (Choose two.)
A. RADIUS
B. TACACS+
C. LDAP
D. IIS
Answer: A,C
QUESTION NO: 81
Click the Exhibit button.
[edit security zones security-zone trust]
user@host# show
host-inbound-traffic {
system-services {
all;
}}
interfaces {
ge-0/0/0.0;
}
Referring to the exhibit, which two traffic types are permitted when the destination is the ge-0/0/0.0 IP address? (Choose two.)
A. Telnet
B. OSPF
C. ICMP
D. RIP
Answer: A,C
QUESTION NO: 82
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet
flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer
resources used for malicious packet processing.
Answer: C,D
QUESTION NO: 83
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options offer protection against various attacks.
B. SCREEN options are deployed prior to route and policy processing in first path packet
processing.
C. SCREEN options are deployed at the ingress and egress sides of a packet flow.
D. When you deploy SCREEN options, you must take special care to protect OSPF.
Answer: A,B
QUESTION NO: 84
What are three main phases of an attack? (Choose three.)
A. DoS
B. exploit
C. propagation
D. port scanning
E. reconnaissance
Answer: B,C,E
QUESTION NO: 85
An attacker sends a low rate of TCP SYN segments to hosts, hoping that at least one port replies.
Which type of an attack does this scenario describe?
A. DoS
B. SYN flood
C. port scanning
D. IP address sweep
Answer: C
QUESTION NO: 86
Click the Exhibit button.
profile ftp-users {
client nancy {
firewall-user {
password "$9$lJ8vLNdVYZUHKMi.PfzFcyrvX7"; ## SECRET-DATA
}}
client walter {
firewall-user {
password "$9$a1UqfTQnApB36pBREKv4aJUk.5QF"; ## SECRET-DATA
}}
session-options {
client-group ftp-group;
}}
firewall-authentication {
pass-through {
default-profile ftp-users;
ftp {
banner {
login "JUNOS Rocks!";
}}}}
Given the configuration shown in the exhibit, which configuration object would be used to
associate both Nancy and Walter with firewall user authentication within a security policy?
A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter
Answer: A
QUESTION NO: 87
Prior to applying SCREEN options to drop traffic, you want to determine how your configuration
will affect traffic.
Which mechanism would you configure to achieve this objective?
A. the log option for the particular SCREEN option
B. the permit option for the particular SCREEN option
C. the SCREEN option, because it does not drop traffic by default
D. the alarm-without-drop option for the particular SCREEN option
Answer: D
QUESTION NO: 88
You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
icmp {
ip-sweep threshold 5000;
flood threshold 2000;
}}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
tcp {
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}}}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
udp {
flood threshold 5000;
}}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
limit-session {
source-ip-based 1200;
destination-ip-based 1200;
}}
Answer: D
QUESTION NO: 89
You are required to configure a SCREEN option that enables IP source route option
detection.
Which two configurations meet this requirement? (Choose two.)
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}}
Answer: A,B
QUESTION NO: 90
Which parameters are valid SCREEN options for combating operating system probes?
A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag
Answer: C
QUESTION NO: 91
Which two firewall user authentication objects can be referenced in a security policy?
(Choose two.)
A. access profile
B. client group
C. client
D. default profile
Answer: B,C
QUESTION NO: 92
Which statement describes the behavior of a security policy?
A. The implicit default security policy permits all traffic.
B. Traffic destined to the device itself always requires a security policy.
C. Traffic destined to the device's incoming interface does not require a security policy.
D. The factory-default configuration permits all traffic from all interfaces.
Answer: C
QUESTION NO: 93
A network administrator wants to permit Telnet traffic initiated from the address book entry
the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
However, the administrator does not want the server to be able to initiate any type of traffic
from the TRUST zone to the UNTRUST zone.
Which configuration would correctly accomplish this task?
A. from-zone UNTRUST to-zone TRUST {
policy DenyServer {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}}}
from-zone TRUST to-zone UNTRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}}}
B. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
deny;
}
}}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}}}
C. from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-ftp;
}
then {
permit;
}}}
D. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
permit;
}}}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}}}
Answer: B
QUESTION NO: 94
Click the Exhibit button.
[edit security policies]
user@host# show
from-zone trust to-zone untrust {
policy AllowHTTP {
match {
source-address HOSTA;
destination-address any;
application junos-ftp;
}
then {
permit;
}}
policy AllowHTTP2 {
match {
source-address any;
destination-address HOSTA;
application junos-http;
}
then {
permit;
}}
policy AllowHTTP3 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}}}
A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from
HOSTA and that HOSTA is in zone trust and HOSTB is in zone untrust.
What will happen to the traffic given the configuration in the exhibit?
A. The traffic will be permitted by policy AllowHTTP.
B. The traffic will be permitted by policy AllowHTTP3.
C. The traffic will be permitted by policy AllowHTTP2.
D. The traffic will be dropped as no policy match will be found.
Answer: B
QUESTION NO: 95
Which three advanced permit actions within security policies are valid? (Choose three.)
A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.
Answer: A,C,E
QUESTION NO: 96
Under which configuration hierarchy is an access profile configured for firewall user
authentication?
A. [edit access]
B. [edit security access]
C. [edit firewall access]
D. [edit firewall-authentication]
Answer: A
QUESTION NO: 97
Your task is to provision the JUNOS security platform to permit transit packets from the
Private zone to the External zone by using an IPsec VPN and log information at the time of
session close.
Which configuration meets this requirement?
A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-init;
}}}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}}
count {
session-close;
}}}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}}
log {
session-close;
}}}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
log;
count session-close;
}}}}
Answer: C
QUESTION NO: 98
You want to create a security policy allowing traffic from any host in the Trust zone to
hostb.example.com (172.19.1.1) in the Untrust zone.
How do you create this policy?
A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com.) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference
this entry in the policy.
D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference
this entry in the policy.
Answer: D
QUESTION NO: 99
What is the purpose of an address book?
A. It holds security policies for particular hosts.
B. It holds statistics about traffic to and from particular hosts.
C. It defines hosts in a zone so they can be referenced by policies.
D. It maps hostnames to IP addresses to serve as a backup to DNS resolution.
Answer: C
QUESTION NO: 100
Click the Exhibit button.
[edit schedulers]
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
start-time 07:00:00 stop-time 18:00:00;
}
thursday {
start-time 07:00:00 stop-time 18:00:00;
}}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}}}
scheduler-name now;
}
Based on the configuration shown in the exhibit, what will happen to the traffic matching the
security policy?
A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.
B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.
C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 7:00 am and 6:00 pm, and Thursdays between 7:00 am and 6:00 pm.
D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and
Wednesdays between 6:01 pm and 6:59 am, and Thursdays between 6:01 pm and 6:59 am.
Answer: C
QUESTION NO: 101
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon
committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Answer: A
QUESTION NO: 102
Click the Exhibit button.
[edit security policies]
user@host# show
from-zone Private to-zone External {
policy MyTraffic {
match {
source-address myHosts;
destination-address ExtServers;
application [ junos-ftp junos-bgp ];
}
then {
permit {
tunnel {
ipsec-vpn vpnTunnel;
}}}}}
policy-rematch;
In the exhibit, you decided to change myHosts addresses.
What will happen to the new sessions matching the policy and in-progress sessions that had
already matched the policy?
A. New sessions will be evaluated. In-progress sessions will be re-evaluated.
B. New sessions will be evaluated. All in-progress sessions will continue.
C. New sessions will be evaluated. All in-progress sessions will be dropped.
D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will
be re-evaluated and possibly dropped.
Answer: A
QUESTION NO: 103
Using a policy with the policy-rematch flag enabled, what happens to the existing and new
sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to
carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another
policy. The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they
are completed or their timeout is reached.
Answer: A
QUESTION NO: 104
Click the Exhibit button.
[edit security policies]
user@host# show
from-zone Private to-zone External {
policy MyTraffic {
match {
source-address myHosts;
destination-address ExtServers;
application [ junos-ftp junos-bgp ];
}
then {
permit {
tunnel {
ipsec-vpn vpnTunnel;
}}}}}
policy-rematch;
In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application
from the match condition of the policy MyTraffic.
What will happen to the existing FTP and BGP sessions?
A. The existing FTP and BGP sessions will continue.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be
dropped.
C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.
D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.
Answer: B
QUESTION NO: 105
Click the Exhibit button.
[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
match {
source-address subnet_a;
destination-address host_b;
application [ junos-telnet junos-ping ];
}
then {
reject;
}}
policy one {
match {
source-address host_a;
destination-address subnet_b;
application any;
}
then {
permit;
}}
host_a is in subnet_a and host_b is in subnet_b.
Given the configuration shown in the exhibit, which statement is true about traffic from host_a
to host_b?
A. DNS traffic is denied.
B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is permitted.
Answer: B
QUESTION NO: 106
Click the Exhibit button.
[edit security policies from-zone HR to-zone trust]
user@host# show
policy one {
match {
source-address any;
destination-address any;
application [ junos-http junos-ftp ];
}
then {
permit;
}}
policy two {
match {
source-address host_a;
destination-address host_b;
application [ junos-http junos-smtp ];
}
then {
deny;
}}
Assume the default-policy has not been configured.
Given the configuration shown in the exhibit, which two statements about traffic from host_a in the
HR zone to host_b in the trust zone are true? (Choose two.)
A. DNS traffic is denied.
B. HTTP traffic is denied.
C. FTP traffic is permitted.
D. SMTP traffic is permitted.
Answer: A,C
QUESTION NO: 107
What are two uses of NAT? (Choose two.)
A. conserving public IP addresses
B. allowing stateful packet inspection
C. preventing unauthorized connections from outside the network
D. allowing networks with overlapping private address space to communicate
Answer: A,D
QUESTION NO: 108
Which two are uses of NAT? (Choose two.)
A. enabling network migrations
B. conserving public IP addresses
C. allowing stateful packet inspection
D. preventing unauthorized connections from outside the network
Answer: A,B
QUESTION NO: 109
Which three methods of source NAT does JUNOS Software support? (Choose three.)
A. interface-based source NAT
B. source NAT with address shifting
C. source NAT using static source pool
D. interface-based source NAT without PAT
E. source NAT with address shifting and PAT
Answer: A,B,C
QUESTION NO: 110
Which statement describes the behavior of source NAT with address shifting?
A. Source NAT with address shifting translates both the source IP address and the source port of
a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP
address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same
translated IP address.
D. Source NAT with address shifting allows inbound connections to be initiated to the static source
pool IP addresses.
Answer: B
QUESTION NO: 111
What are three configuration objects used to build JUNOS IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. detect objects
E. application objects
Answer: A,C,E
QUESTION NO: 112
Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user authentication, the user must first open a
connection to the JUNOS security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a
connection to the JUNOS security platform before connecting to a remote network resource.
C. If a JUNOS security device is configured for pass-through firewall user authentication, new
sessions are automatically intercepted to perform authentication.
D. If a JUNOS security device is configured for Web firewall user authentication, new sessions are
automatically intercepted to perform authentication.
Answer: B,C
QUESTION NO: 113
Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address
and network mask of 71.33.252.17/24. A webserver with IP address 10.20.20.1 is running an
HTTP service on TCP port 8080. The webserver is attached to the ge-0/0/0.0 interface of your
device. You must use NAT to make the webserver reachable from the Internet using port
translation.
Which type of NAT must you configure?
A. source NAT with address shifting
B. pool-based source NAT
C. static destination NAT
D. pool-based destination NAT
Answer: D
QUESTION NO: 114
Which two statements about static NAT are true? (Choose two.)
A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. Dynamic NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.
Answer: B,D
QUESTION NO: 115
Which statement is true about source NAT?
A. Source NAT works only with source pools.
B. Destination NAT is required to translate the reply traffic.
C. Source NAT does not require a security policy to function.
D. The egress interface IP address can be used for source NAT.
Answer: D
QUESTION NO: 116
Which two statements are true about overflow pools? (Choose two.)
A. Overflow pools do not support PAT.
B. Overflow pools can not use the egress interface IP address for NAT.
C. Overflow pools must use PAT.
D. Overflow pools can contain the egress interface IP address or separate IP addresses.
Answer: C,D
QUESTION NO: 117
Which statement is true regarding proxy ARP?
A. Proxy ARP is enabled by default on stand-alone JUNOS security devices.
B. Proxy ARP is enabled by default on chassis clusters.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is
enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy
ARP is enabled.
Answer: D
QUESTION NO: 118
Which configuration shows a pool-based source NAT without PAT?
A. [edit security nat source]
user@host# show
pool A {
address { 207.17.137.1/32 to 207.17.137.254/32;
}}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}}
}
B. [edit security nat source]
user@host# show
pool A {
address { 207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}}}
C. [edit security nat source]
user@host# show
pool A {
address {207.17.137.1/32 to 207.17.137.254/32;
}
port no-translation;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}}}
D. [edit security nat source]
user@host# show
pool A {
address {207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}}}
Answer: C
QUESTION NO: 119
Click the Exhibit button.
[edit security nat source]
user@host# show
rule-set 1 {
from interface ge-0/0/2.0;
to zone untrust;
rule 1A {
match {
destination-address 1.1.70.0/24;
}
then {
source-nat interface;
}}}
Which type of source NAT is configured in the exhibit?
A. interface-based source NAT
B. static source NAT
C. pool-based source NAT with PAT
D. pool-based source NAT without PAT
Answer: A
QUESTION NO: 120
Click the Exhibit button.
[edit security nat destination]
user@host# show
pool A {
address 10.1.10.5/32;
}
rule-set 1 {
from zone untrust;
rule 1A {
match {
destination-address 100.0.0.1/32;
}
then {
destination-nat pool A;
}}}
Which type of NAT is configured in the exhibit?
A. static destination NAT
B. static source NAT
C. pool-based destination NAT without PAT
D. pool-based destination NAT with PAT
Answer: C
QUESTION NO: 121
Which statement is true about a NAT rule action of off?
A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.
Answer: C
QUESTION NO: 122
Which statement accurately describes firewall user authentication?
A. Firewall user authentication provides another layer of security in a network.
B. Firewall user authentication provides a means for accessing a JUNOS Software-based security
device.
C. Firewall user authentication enables session-based forwarding.
D. Firewall user authentication is used as a last resort security method in a network.
Answer: A
QUESTION NO: 123
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP?
(Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,B,C
QUESTION NO: 124
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by
AH? (Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,C,E
QUESTION NO: 125
Which two statements regarding asymmetric key encryption are true? (Choose two.)
A. The same key is used for encryption and decryption.
B. It is commonly used to create digital certificate signatures.
C. It uses two keys: one for encryption and a different key for decryption.
D. An attacker can decrypt data if the attacker captures the key used for encryption.
Answer: B,C
QUESTION NO: 126
Which two statements about the Diffie-Hellman (DH) key exchange process are correct?
(Choose two.)
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using
the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for
confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related,
ensuring higher security.
Answer: A,B
QUESTION NO: 127
Which two statements about the Diffie-Hellman (DH) key exchange process are correct?
(Choose two.)
A. In the DH key exchange process, the public key values are exchanged across the network.
B. In the DH key exchange process, the private key values are exchanged across the network.
C. In the DH key exchange process, each device creates unique public and private keys that
are mathematically related by the DH algorithm.
D. In the DH key exchange process, each device creates a common public and a unique
private key that are mathematically related by the DH algorithm.
Answer: A,B
QUESTION NO: 128
Which three parameters are configured in the IKE policy? (Choose three.)
A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings
Answer: A,B,D
QUESTION NO: 129
Which two parameters are configured in IPsec policy? (Choose two.)
A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy
Answer: C,D
QUESTION NO: 130
Regarding an IPsec security association (SA), which two statements are true? (Choose
two.)
A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.
Answer: A,C
QUESTION NO: 131
Which operational mode command displays all active IPsec phase 2 security associations?
A. show ike security-associations
B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations
Answer: D
QUESTION NO: 132
Two VPN peers are negotiating IKE phase 1 using main mode.
Which message pair in the negotiation contains the phase 1 proposal for the peers?
A. message 1 and 2
B. message 3 and 4
C. message 5 and 6
D. message 7 and 8
Answer: A
QUESTION NO: 133
Which attribute is required for all IKE phase 2 negotiations?
A. proxy-ID
B. preshared key
C. Diffie-Hellman group key
D. main or aggressive mode
Answer: A
QUESTION NO: 134
Which attribute is optional for IKE phase 2 negotiations?
A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)
Answer: C
QUESTION NO: 135
A route-based VPN is required for which scenario?
A. when the remote VPN peer is behind a NAT device
B. when multiple networks need to be reached across the tunnel and GRE cannot be used
C. when the remote VPN peer is a dialup or remote access client
D. when a dynamic routing protocol is required across the VPN and GRE cannot be used
Answer: D
QUESTION NO: 136
A policy-based IPsec VPN is ideal for which scenario?
A. when you want to conserve tunnel resources
B. when the remote peer is a dialup or remote access client
C. when you want to configure a tunnel policy with an action of deny
D. when a dynamic routing protocol such as OSPF must be sent across the VPN
Answer: B
QUESTION NO: 137
Regarding a route-based versus policy-based IPsec VPN, which statement is true?
A. A route-based VPN generally uses less resources than a policy-based VPN.
B. A route-based VPN cannot have a deny action in a policy; a policy-based VPN can have a deny
action.
C. A route-based VPN is better suited for dialup or remote access compared to a policy-based
VPN.
D. A route-based VPN uses a policy referencing the IPsec VPN; a policy-based VPN policy does
not use a policy referencing the IPsec VPN.
Answer: A
QUESTION NO: 138
Which two configuration elements are required for a route-based VPN? (Choose two.)
A. secure tunnel interface
B. security policy to permit the IKE traffic
C. a route for the tunneled transit traffic
D. tunnel policy for transit traffic referencing the IPsec VPN
Answer: A,C
QUESTION NO: 139
Which two configuration elements are required for a policy-based VPN? (Choose two.)
A. IKE gateway
B. secure tunnel interface
C. security policy to permit the IKE traffic
D. security policy referencing the IPsec VPN tunnel
Answer: A,D
QUESTION NO: 140
Click the Exhibit button.
[edit security policies from-zone trust to-zone untrust]
user@host# show
policy tunnel-traffic {
match {
source-address local-net;
destination-address remote-net;
application any;
}
then {
permit;
}}
You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec
VPN tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?
A. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel remote-vpn
B. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn
C. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn
D. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D
QUESTION NO: 141
Click the Exhibit button.
[edit security policies from-zone trust to-zone untrust]
user@host# show
policy tunnel-traffic {
    match {
        source-address local-net;
        destination-address remote-net;
        application any;
    }
    then {
        permit;
    }
}
Which command is needed to change this policy to a tunnel policy for a policy-based VPN?
A. set policy tunnel-traffic then tunnel remote-vpn
B. set policy tunnel-traffic then permit tunnel remote-vpn
C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit
D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D
QUESTION NO: 142
Click the Exhibit button.
[edit security]
user@host# show
ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
    }
    gateway remote-ike {
        ike-policy ike-policy1;
        address 172.19.51.170;
        external-interface ge-0/0/3.0;
    }
}
ipsec {
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn remote-vpn {
        ike {
            gateway remote-ike;
            ipsec-policy vpn-policy1;
        }
    }
}
Assuming you want to configure a route-based VPN, which command is required to bind the VPN to secure tunnel interface st0.0?
A. set ipsec vpn remote-vpn bind-interface st0.0
B. set ike gateway remote-ike bind-interface st0.0
C. set ike policy ike-policy1 bind-interface st0.0
D. set ipsec policy vpn-policy1 bind-interface st0.0
Answer: A
QUESTION NO: 143
Which two traffic types trigger pass-through firewall user authentication? (Choose two.)
A. SSH
B. Telnet
C. ICMP
D. OSPF
E. HTTP
Answer: B,E
QUESTION NO: 144
Which IDP policy action drops a packet before it can reach its destination, but does not close the connection?
A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet
Answer: D
QUESTION NO: 145
Which two statements are true regarding high-availability chassis clustering? (Choose two.)
A. A chassis cluster consists of two devices.
B. A chassis cluster consists of two or more devices.
C. Devices participating in a chassis cluster can be different models.
D. Devices participating in a chassis cluster must be the same models.
Answer: A,D
QUESTION NO: 146
You are implementing an IDP policy template from Juniper Networks.
Which three steps are included in this process? (Choose three.)
A. activating a JUNOS Software commit script
B. configuring an IDP groups statement
C. setting up a chassis cluster
D. downloading the IDP policy templates
E. installing the policy templates
Answer: A,D,E
QUESTION NO: 147
Which three statements are true when working with high-availability clusters? (Choose three.)
A. The valid cluster-id range is between 0 and 255.
B. JUNOS security devices can belong to more than one cluster if cluster virtualization is enabled.
C. If the cluster-id value is set to 0 on a JUNOS security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. JUNOS security devices can belong to one cluster only.
Answer: C,D,E
QUESTION NO: 148
You have been tasked with performing an update to the IDP attack database.
Which three requirements are included as part of this task? (Choose three.)
A. The IDP security package must be installed after it is downloaded.
B. The device must be rebooted to complete the update.
C. The device must be connected to a network.
D. An IDP license must be installed on your device.
E. You must be logged in as the root user.
Answer: A,C,D
QUESTION NO: 149
What is a redundancy group in JUNOS Software?
A. a set of chassis clusters that fail over as a group
B. a set of devices that participate in a chassis cluster
C. a set of VRRP neighbors that fail over as a group
D. a set of chassis cluster objects that fail over as a group
Answer: D
QUESTION NO: 150
What is the functionality of redundant interfaces (reth) in a chassis cluster?
A. reth interfaces are used only for VRRP.
B. reth interfaces are the same as physical interfaces.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.
D. Each cluster member has a reth interface that can be used to share session state information with the other cluster members.
Answer: C
QUESTION NO: 151
When devices are in cluster mode, which new interfaces are created?
A. No new interface is created.
B. Only the st interface is created.
C. fxp1, fab0, and fab1 are created.
D. st, fxp1, reth, fab0, and fab1 are created.
Answer: C
QUESTION NO: 152
In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?
A. This interface is a system-created interface.
B. This interface belongs to node 0 of the cluster.
C. This interface belongs to node 1 of the cluster.
D. This interface will not exist because SRX 5800 devices have only 12 slots.
Answer: C
QUESTION NO: 153
Which IDP policy action closes the connection and sends an RST packet to both the client and the server?
A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session
Answer: C
QUESTION NO: 154
Which statement is true regarding redundancy groups?
A. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
Answer: D
QUESTION NO: 155
Which two statements are true regarding redundancy groups? (Choose two.)
A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
Answer: A,C
QUESTION NO: 156
Which three options represent IDP policy match conditions? (Choose three.)
A. service
B. to-zone
C. attacks
D. port
E. destination-address
Answer: B,C,E
QUESTION NO: 157
Which three options represent IDP policy match conditions? (Choose three.)
A. protocol
B. source-address
C. port
D. application
E. attacks
Answer: B,D,E
QUESTION NO: 158
What are three configuration objects used to build JUNOS IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects
Answer: A,C,E