Page 1: JUNIPER JN0-533 EXAM QUESTIONS & ANSWERS · 2014. 6. 4. · Juniper JN0-533 Exam A. MIP B. VIP C. NAT-dst D. NAT-src Correct Answer: BC Section: (none) Explanation QUESTION 8 Your

JUNIPER JN0-533 EXAM QUESTIONS & ANSWERS

Number: JN0-533
Passing Score: 800
Time Limit: 120 min
File Version: 39.8

http://www.gratisexam.com/


Exam Name: FWV, Specialist (JNCIS-FWV)


Test-Papers

QUESTION 1
Your ScreenOS device does not have a static IP address. You want to be able to access it using its FQDN. How would you implement this task?

A. Configure a domain in DNS.
B. Configure syslog.
C. Configure SNMP.
D. Configure DDNS.

Correct Answer: D
Section: (none)
Explanation

QUESTION 2
You have just installed a new ScreenOS device in your network and you want only a select range of IP addresses to have administrative access to the device. Which choice will allow you to accomplish this?

A. Configure a manager IP.
B. Configure the management interface.
C. Configure a management IP on the trust interface.
D. Configure new system administrators.

Correct Answer: A
Section: (none)
Explanation

QUESTION 3
A routing table contains an IBGP route for 192.168.0.0/24, a RIP route for 192.168.0.0/23, an OSPF route for 192.168.0.0/22, and a static route for 192.168.0.0/16. When the router receives traffic destined for 192.168.0.1, which route will the router use?

A. the IBGP route
B. the OSPF route
C. the RIP route
D. the static route

Correct Answer: A
Section: (none)
Explanation

QUESTION 4
You are troubleshooting telnet traffic destined to IP address 10.10.10.1. You decide to run debug and want to set the flow filter. Which command will show only the telnet traffic going to the 10.10.10.1 address?

A. ssg5-serial-> set ffilter dst-ip 10.10.10.1
   ssg5-serial-> set ffilter dst-port 23
B. ssg5-serial-> set ffilter dst-ip 10.10.10.1 dst-port 23
C. ssg5-serial-> set ffilter dst-port 23
D. ssg5-serial-> set ffilter dst-ip 10.10.10.1

Correct Answer: B
Section: (none)
Explanation

"First Test, First Pass" - www.lead2pass.com
Juniper JN0-533 Exam

QUESTION 5
You have enabled BGP on your ScreenOS device and configured a single EBGP peer. The CLI shows that the BGP connection is transitioning between the CONNECT and ACTIVE states, but never reaching the ESTABLISHED state. What are three reasons for this behavior? (Choose three.)

A. The peer is blocking traffic destined for TCP port 179.
B. The peer address is not configured correctly.
C. The enable statement has not been configured for the peer.
D. The peer AS number is not configured correctly.
E. BGP has not been enabled on the virtual router.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
You want to set up a last resort route and prevent route lookups in either the source-based routing table or the destination-based routing table. What should you do?

A. Disable SIBR and create a default route in the trust-vr table using the null interface as the outgoing interface with a higher metric than other routes.
B. Disable SIBR and create a default route in the trust-vr table using the null interface as the outgoing interface with a lower metric than other routes.
C. Enable SIBR and create a default route in the SIBR table using the null interface as the outgoing interface with a higher metric than other routes.
D. Enable SIBR and create a default route in the SIBR table using the null interface as the outgoing interface with a lower metric than other routes.

Correct Answer: C
Section: (none)
Explanation

QUESTION 7
You have only one public IP address available and you must allow external access to three servers on a DMZ network. Which two NAT types would allow you to accomplish your objective? (Choose two.)

A. MIP
B. VIP
C. NAT-dst
D. NAT-src

Correct Answer: BC
Section: (none)
Explanation

QUESTION 8
Your ScreenOS device is configured with multiple NAT types. What is the order of precedence in this situation?

A. interface-based NAT -> VIP -> MIP -> policy-based NAT
B. VIP -> MIP -> policy-based NAT -> interface-based NAT
C. MIP -> VIP -> interface-based NAT -> policy-based NAT
D. MIP -> VIP -> policy-based NAT -> interface-based NAT

Correct Answer: D
Section: (none)
Explanation

QUESTION 9
Your ScreenOS device is using NAT. Which NAT function allows you to use a single IP address from an untrust zone to communicate to multiple IP addresses in a trust zone?

A. NAT-src with PAT enabled
B. NAT-dst with PAT enabled
C. NAT-src using a DIP pool with PAT enabled
D. NAT-dst using a DIP pool with PAT disabled

Correct Answer: B
Section: (none)
Explanation

QUESTION 10
Which NAT has bidirectional translation by default?

A. NAT-src
B. NAT-dst
C. VIP
D. MIP

Correct Answer: D
Section: (none)
Explanation

QUESTION 11
You have configured a single-port VIP to forward HTTP traffic from the untrust interface on your ScreenOS device to an internal Web server. You have configured a policy to allow this traffic. Traffic from the untrust interface that matches this policy is unable to connect to the Web server. What is a solution to this problem?

A. You must reboot the ScreenOS device for the VIP to become active.
B. You must ensure the ScreenOS device has a route to the Web server.
C. You must ensure the Web server is directly connected to the ScreenOS device.
D. You must save the ScreenOS device configuration for the VIP to become active.

Correct Answer: B
Section: (none)
Explanation

QUESTION 12
You are building an IPsec VPN and want to authenticate and encrypt the content. Which two Phase 1/Phase 2 (P1/P2) proposals would achieve this goal? (Choose two.)

A. P1: pre-g5-3des-sha, P2: g5-esp-3des-sha
B. P1: pre-g2-aes128-sha, P2: g5-ah-aes128-sha
C. P1: pre-g5-des-md5, P2: g5-ah-des-md5
D. P1: pre-g2-esp128-sha, P2: g2-esp-aes128-sha

Correct Answer: AD
Section: (none)
Explanation

QUESTION 13
You are configuring a VPN with IKE between headquarters and a branch office that uses a dynamic public IP address. Which IKE mode should you use?

A. quick mode
B. main mode
C. aggressive mode
D. wizard mode

Correct Answer: C
Section: (none)
Explanation

QUESTION 14
You want to ensure that the IKE Phase 2 key is totally independent of the IKE Phase 1 key. Which IKE feature would you enable?

A. Perfect Forward Secrecy
B. Diffie-Hellman Group 5
C. Replay Protection
D. Rekey Protection

Correct Answer: A
Section: (none)
Explanation

QUESTION 15
Which two Diffie-Hellman (DH) groups are supported by ScreenOS software? (Choose two.)

A. DH Group 1: 1024-bit
B. DH Group 2: 1024-bit
C. DH Group 5: 1536-bit
D. DH Group 15: 2048-bit

Correct Answer: BC
Section: (none)
Explanation

QUESTION 16
How is a route-based VPN different from a policy-based VPN?

A. A route-based VPN requires manual keys for encryption and authentication.
B. A route-based VPN requires static route entries for the remote peer.
C. A route-based VPN is bound to a tunnel interface.
D. A route-based VPN is bound to a loopback interface.

Correct Answer: C
Section: (none)
Explanation

QUESTION 17
Which two statements are true about VPN Monitor on a ScreenOS device? (Choose two.)

A. With a route-based VPN failure, VPN Monitor marks the tunnel interface status as down.
B. With a policy-based VPN failure, VPN Monitor marks the tunnel interface status as down.
C. VPN Monitor uses UDP to detect a VPN connection failure.
D. VPN Monitor uses ICMP to detect a VPN connection failure.

Correct Answer: AD
Section: (none)
Explanation

QUESTION 18
Which two authentication algorithms does AutoKey IKE use during Phase 1 negotiations? (Choose two.)

A. AES-256
B. SHA2-256
C. MD5
D. 3DES

Correct Answer: BC
Section: (none)
Explanation

QUESTION 19
You have configured deep-packet inspection on a ScreenOS device. You have not modified the default threshold values. The device detects a single session that matches an attack. Which two actions can you configure the device to take? (Choose two.)

A. Close the connection and disallow further connections from the client to the server.
B. Close the connection and rate-limit further connections to the server.
C. Discard all additional packets related to the session.
D. Send a TCP RST message to both the client and server.

Correct Answer: CD
Section: (none)
Explanation

QUESTION 20
A ScreenOS device detects a large number of sessions that match the same deep inspection attack object. What are two ways to configure the device? (Choose two.)

A. Activate dynamic firewall policies.
B. Close the connection and disallow further connections from the client.
C. Close the connection and rate-limit further connections to the server.
D. Log an alert.

Correct Answer: BD
Section: (none)
Explanation

QUESTION 21
The ScreenOS software performs virus scanning for which three protocols? (Choose three.)

A. FTP
B. HTTP
C. HTTPS
D. NetBIOS
E. SMTP

Correct Answer: ABE
Section: (none)
Explanation

QUESTION 22
You have configured integrated Web filtering in the ScreenOS software. You find that users trying to access http://www.example.com are being blocked by your Web-filtering configuration. However, you want all users to be able to access this Web site. What are two methods to allow this traffic? (Choose two.)

A. Configure an SC-CPA exception for the URL.
B. Configure the URL as part of a custom category and allow requests in that category.
C. Configure the URL as part of the blacklist.
D. Configure the URL as part of the whitelist.

Correct Answer: BD
Section: (none)
Explanation

QUESTION 23
You want to enable the integrated Web-filtering feature on a ScreenOS device. Which Web-filtering technology would be used?

A. WebSense
B. McAfee
C. Symantec
D. SurfControl

Correct Answer: D
Section: (none)
Explanation

QUESTION 24
Which two statements are correct about internal antivirus scanning? (Choose two.)

A. It includes a predefined file extension list for each protocol.
B. It allows you to load-balance ICAP scan servers.
C. It requires you to install a ScreenOS software license.
D. It provides inbound spyware and phishing protection.

Correct Answer: CD
Section: (none)
Explanation

QUESTION 25
You want to copy an external configuration file to your ScreenOS device and have it become active only after the device reboots. How would you accomplish this goal?

A. From the device, copy the configuration from an external TFTP server to the device's flash memory.
B. From the device, copy the configuration from an external TFTP server to the device's RAM.
C. From the device, copy the configuration from an external TFTP server and merge it with the current configuration.
D. From the device, copy the configuration from the device's flash memory to an external TFTP server.

Correct Answer: A
Section: (none)
Explanation

QUESTION 26
You want to ensure that the ScreenOS device sends alert data to notify the security operation center. Which three log destinations would you set to accomplish your objective? (Choose three.)

A. e-mail
B. SNMP
C. console
D. internal
E. syslog

Correct Answer: ABE
Section: (none)
Explanation

QUESTION 27
You want to know the username and IP address of users who logged in to the WebUI. In which log would you find this information?

A. admin log
B. event log
C. traffic log
D. self log

Correct Answer: B
Section: (none)
Explanation

QUESTION 28
You manage a ScreenOS device. A user complains that the FTP download speed is slow. You suspect a cable or an interface might be the problem. Which command provides interface error information?

A. show counter flow interface
B. get counter flow interface
C. show counter statistics interface
D. get counter statistics interface

Correct Answer: D
Section: (none)
Explanation

QUESTION 29
You want to centralize the logging for all your ScreenOS devices and you must be able to synchronize the log. Which two actions would you perform to accomplish this? (Choose two.)

A. Enable logging to the console.
B. Enable logging to syslog.
C. Enable NTP and set to UTC/GMT time.
D. Enable logging to the USB.

Correct Answer: BC
Section: (none)
Explanation

QUESTION 30
You have lost the admin user password for your NetScreen device. No other user accounts are configured on the device. How would you access the CLI?

A. Log in on the console using the secret name "recovery" and password "netscreen".
B. Send a break to the console during the boot process and modify the configuration registers.
C. Log in on the console using the serial number as the username and password.
D. Log in on the console using the secret name "recovery" and the serial number as the password.

Correct Answer: C
Section: (none)
Explanation

QUESTION 31
You are the administrator of a NetScreen 5GT. The system administrator cannot use SSH to log in to the NetScreen 5GT. Referring to the exhibit, what is the problem?

SSH V2 is active
ns5gt-> get int et1
Interface ethernet1:
description ethernet1
number 2, if_info 176, if_index 0, mode nat
link up, phy-link up/full-duplex
status change:1, last change:02/06/1997 18:02:32
vsys Root, zone Trust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.1.1/24
*manage ip 192.168.1.1,
route-deny disable
pmtu-v4 disabled
ping enabled, telnet enabled, SSH enabled, SNMP enabled
web enabled, ident-reset disabled, SSL enabled
SSH is enabled
SSH is ready for connections
Maximum sessions: 3
Active sessions: 3

A. Interface eth1 does not permit logins using SSH.
B. SSH is not enabled on the NetScreen 5GT.
C. Interface eth1's link status is down.
D. The maximum SSH session has been used.

Correct Answer: D
Section: (none)
Explanation

QUESTION 32
User1 wants to create the policy in the ScreenOS device, but is not successful. Referring to the exhibit, what is the problem?

set admin name "admin"
set admin password "nOsYMqrbAs/McFsJrs6HwcIt3AF6yn"
set admin user "User1" password "nLZwKErINPPCcphC6sFMXrJ" privilege "read-only"
set admin port 8080
set admin access attempts 5
set admin access lock-on-failure 5
set admin auth web timeout 10
set admin auth server "Local"

A. The User1 account has been suspended.
B. User1 does not have any account in this device.
C. User1 logged in to the device with wrong port.
D. User1 does not have the proper permission to create a policy.

Correct Answer: D
Section: (none)
Explanation

QUESTION 33
You are the administrator of a NetScreen 5GT. For troubleshooting purposes, you must be able to ping untrusted interfaces. Referring to the exhibit, how do you enable ping for interface eth2?

ns5gt-> get int eth2
Interface ethernet2:
description ethernet2
number 8, if_info 704, if_index 0, mode route
link up, phy-link up/full-duplex
status change:7, last change:09/26/2012 23:08:22
vsys Root, zone Untrust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 171.211.111.111/30 mac 0014.f693.edc8
*manage ip 171.211.111.111, mac 0014.f693.edc8
route-deny disable
pmtu-v4 disabled
ping disabled, telnet enabled, SSH disabled, SNMP disabled
web enabled, ident-reset disabled, SSL disabled
DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
MLD not configured
NHRP disabled
bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
DHCP-Relay disabled at interface level
DHCP-server disabled

A. ns5gt-> unset int eth2 manage-ip ping
B. ns5gt-> set int eth2 manage ping
C. ns5gt-> enable int eth2 manage ping
D. ns5gt-> set int eth2 manage-ip ping

Correct Answer: B
Section: (none)
Explanation

QUESTION 34
In the exhibit, eth3/1 is in the client-vr virtual router and eth3/2 is in the server-vr virtual router. Your policies permit all traffic between all zones. You want to ensure Client1 can contact Server1. In this scenario, which two statements are true? (Choose two.)

A. By default, all interface routes are automatically imported into all virtual routers.
B. You can configure a static route for Server1 in the client-vr virtual router that points to eth3/2.
C. You can configure a static route for Server1 in the client-vr virtual router that points to the server-vr virtual router.
D. You can configure a route export policy to export the route for Server1 to the client-vr virtual router.

Correct Answer: CD
Section: (none)
Explanation

QUESTION 35
Referring to the output shown in the exhibit, which NAT configuration is being used?

A. interface-based NAT
B. DIP
C. source-based NAT
D. VIP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can see packet originally aimed at 2.2.2.2 and then the destination changes to 192.168.1.4.

QUESTION 36
Referring to the exhibit, what does the log show?

A. The device is using VIP.
B. The device is using DIP ID 4.
C. The device is using source NAT.
D. The device is using destination NAT.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The source IP of the outgoing packets is not the same as the destination IP of the incoming responses.

QUESTION 37
Referring to the exhibit, what is the appropriate VPN monitor status?

A. The VPN is active and the peer is down.
B. The VPN is active and VPN Monitor is not configured for the peer.
C. The VPN is active and the peer is up.
D. The VPN is inactive and VPN Monitor is not configured for the peer.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
"A/-" shows the VPN active, but monitor is unavailable (likely because the other end is not a ScreenOS device).

QUESTION 38
What is shown in the exhibit?

A. a route-based VPN
B. a global policy
C. a policy-based VPN
D. a policy with counting enabled

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The "Tunnel" action is specific to policy-based VPN.

QUESTION 39
The exhibit displays output from the event log of a ScreenOS device. Given the information shown in the exhibit, which two statements are correct? (Choose two.)

A. The VPN initiator is sending a proxy ID of: local: 10.20.1.0/24 remote: 10.204.1.0/24 service: ANY
B. The VPN contains a proxy ID mismatch.
C. Phase 2 negotiations completed successfully.
D. Phase 1 negotiations completed successfully.

Correct Answer: BD
Section: (none)
Explanation

QUESTION 40
Which two statements are true about the exhibit? (Choose two.)

A. It contains information regarding Phase 1 of IPsec.
B. It contains information regarding Phase 2 of IPsec.
C. The VPN is using certificates.
D. The VPN is using preshared keys.

Correct Answer: AD
Section: (none)
Explanation

QUESTION 41
Referring to the exhibit, which three statements are true? (Choose three.)

NS5200(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, name: 5200
local unit id: 8000208
active units discovered:
index: 0, unit id: 8014208, ctrl mac: 0010db000085, data mac: 0010db000086
index: 1, unit id: 8337344, ctrl mac: 0010db0000c5, data mac: 0010db0000c6
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 200(ms)
master always exist: enabled
group priority preempt holddown inelig master PB other members
    0       50     yes       45     no myself 8330044
total number of vsd groups: 1
Total iteration= ,time=878546093,max=4900,min=170,average=18
RTO mirror info:
run time object sync: enabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled
nsrp link info:
control channel: ha1 (ifnum: 5) mac: 0010db000085 state: up
data channel: ha2 (ifnum: 6) mac: 0010db000086 state: up
ha secondary path link not available
NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: ethernet2/1(weight 255, UP) ethernet2/3(weight 255, UP) ethernet2/4(weight 255, UP) ethernet2/5(weight 255, UP) ethernet2/2(weight 255, UP)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled
track ip: disabled

A. This cluster is configured as an active/active cluster.
B. RTO sync is enabled.
C. No secondary path is configured.
D. master-always-exists is enabled.
E. Only one interface is used for both the control and data links.

Correct Answer: BCD
Section: (none)
Explanation

QUESTION 42
Referring to the exhibit, both clustered devices are in a master state. What is the cause of this situation?

NSPROD1(M)-> get nsrp ha-link
total_ha_port = 2
probe on ha-link is disabled
unused channel: ethernet8 (ifnum: 11) mac: 0010db1d1e8b state: down
unused channel: ethernet7 (ifnum: 10) mac: 0010db1d1e8a state: down
ha control link not available
ha data link not available
ha secondary path link not available

A. The cluster is not configured for NSRP.
B. The cluster is in the process of failing over from the primary node to the secondary node.
C. Probes on the HA links have been disabled, causing the HA links to go down.
D. The control and the data link is down.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
A host in the untrust zone sends 1000 SYN packets in a single second to a host in your trust zone destined for port 80. Referring to the exhibit, which statement describes the behavior of the ScreenOS device?

ssg5-> get conf | include syn
set zone untrust screen syn-flood attack-threshold 625
set zone untrust screen syn-flood alarm-threshold 250
set zone untrust screen syn-flood timeout 20
set zone untrust screen syn-flood queue-size 1000
set zone untrust screen syn-flood
set flow syn-proxy syn-cookie

A. It will maintain this state for all 1000 connection attempts.
B. It will begin to drop the SYN packets.
C. It will block further connection attempts from this host for 20 seconds.
D. It will reply with SYN-ACK packets.

Correct Answer: D
Section: (none)
Explanation

QUESTION 44
Given the output shown in the exhibit, which command would you use to view the number of attacks that have been blocked by the Screen options on the Untrust zone?

A. ssg5-> get counter screen interface ethernet2/1
B. ssg5-> get zone Untrust screen
C. ssg5-> get counter screen zone Untrust
D. ssg5-> get counter statistics interface ethernet2/1

Correct Answer: C
Section: (none)
Explanation

QUESTION 45
Based on the output shown in the exhibit, in which log were these events displayed?

Date       Time     Module Level Type  Description
2012-11-30 12:49:41 system warn  00528 SSH: Password authentication failed for admin user 'firewall-user' at host 10.210.62.67.
2012-11-30 12:49:41 system warn  00518 ADM: Local admin authentication failed for login name firewall-user: invalid login name
2012-11-30 12:49:28 system info  00536 IKE 66.129.232.26 Phase 1: Retransmission limit has been reached.
2012-11-30 12:42:23 system notif 00531 The system clock was updated from primary NTP server type 209.244.0.5 with an adjustment of 234 ms. Authentication was None. Update mode was Automatic

A. event
B. self
C. login
D. traffic

Correct Answer: A
Section: (none)
Explanation

QUESTION 46
Referring to the exhibit, what does this output show?

A. the number of supported physical interfaces on the device
B. the number of supported route tables on the device
C. the number of supported VRs on the device
D. the amount of system memory on the device

Correct Answer: C
Section: (none)
Explanation

QUESTION 47
Which ScreenOS security feature helps protect against port scans and denial of service attacks?

A. session-based stateful firewall
B. IPsec VPNs
C. security policies
D. Screen options

Correct Answer: D
Section: (none)
Explanation

QUESTION 48
What is the initial default username and password for all ScreenOS devices?

A. administrator/password
B. root/password
C. netscreen/netscreen
D. admin/netscreen1

Correct Answer: C
Section: (none)
Explanation

QUESTION 49
What is a virtual system?

A. a mechanism to logically partition a single ScreenOS device into multiple logical devices
B. a collection of subnets and interfaces sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Correct Answer: A
Section: (none)
Explanation

QUESTION 50
What is a zone?

A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of subnets and interfaces sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks

Correct Answer: B
Section: (none)
Explanation

QUESTION 51
What is the function of NAT?

A. It performs Layer 3 routing.
B. It evaluates and redirects matching traffic into secure tunnels.
C. It provides translation between IP addresses.
D. It performs Layer 2 switching.

Correct Answer: C
Section: (none)
Explanation

QUESTION 52
On a ScreenOS device, which word appears at the beginning of configuration commands?

A. set
B. configure
C. enable
D. commit

Correct Answer: A
Section: (none)
Explanation

QUESTION 53
Which action does a ScreenOS device perform first when processing a packet?

A. It checks for an existing session.
B. It checks for attacks in the payload.
C. It performs a route lookup.
D. It performs a policy lookup.

Correct Answer: A
Section: (none)
Explanation

QUESTION 54
On a ScreenOS device, which three processes does the task CPU handle? (Choose three.)

A. policy evaluation
B. traffic logging
C. session table clean-up
D. management services
E. broadcast packet processing

Correct Answer: BCD
Section: (none)
Explanation

QUESTION 55
A ScreenOS device evaluates five primary elements when performing a security policy check on a new session. Which five elements are evaluated?

A. source IP address, destination IP address, source route, source port, and destination port
B. source IP address, destination IP address, source port, destination port, and protocol
C. source IP address, destination IP address, source port, destination port, and payload
D. destination IP address, source port, destination port, protocol, and payload

Correct Answer: B
Section: (none)
Explanation

QUESTION 56
You want to enable IPv6 on your ScreenOS device. Which command should you use to accomplish this goal?

A. set envar ipv6=enable
B. set ipv6 enable
C. set envar ipv6=yes
D. set ipv6 yes

Correct Answer: C
Section: (none)
Explanation

QUESTION 57
You have two interfaces in ZoneA and traffic is passing without any policy configured. You want to control the traffic between the two interfaces. Which two actions will allow this to happen? (Choose two.)

A. Configure interzone blocking on ZoneA and create a policy in that zone to control the traffic.
B. Configure intrazone blocking on ZoneA and create a policy in that zone to control the traffic.
C. Move one of the interfaces to a different zone and create an interzone policy to control the traffic.
D. Move one of the interfaces to a different zone and create an intrazone policy to control the traffic.

Correct Answer: BC
Section: (none)
Explanation

QUESTION 58
What is an aggregate interface?

A. An aggregate interface binds two physical interfaces together to create a redundant interface.
B. An aggregate interface binds two or more physical interfaces that share the traffic load.
C. An aggregate interface is the management interface.
D. An aggregate interface is used for VPN tunnels.

Correct Answer: B
Section: (none)
Explanation

QUESTION 59
Which two statements are true about redundant interfaces? (Choose two.)

A. You can bind two physical interfaces together to create one redundant interface.
B. Redundant interfaces bind to a security zone; one physical interface acts as the primary interface, and the other physical interface acts as the secondary interface.
C. A redundant interface is the accumulation of two or more physical interfaces that share the same traffic load.
D. A redundant interface is the management interface for bridge mode.

Correct Answer: AB
Section: (none)
Explanation

QUESTION 60
Which two actions are performed by a read/write vsys administrator? (Choose two.)

A. View the security associations for all virtual systems.
B. Configure a vsys address book entry.
C. Modify the vsys administrator login name.
D. Modify the vsys read/write administrator password.

Correct Answer: BD
Section: (none)
Explanation

QUESTION 61
When you create a new virtual system, which zone is automatically created within the vsys-specific VR?

A. trust zone
B. untrust zone
C. shared zone
D. null zone

Correct Answer: A
Section: (none)
Explanation

QUESTION 62
What is the purpose of a virtual system profile?

A. to limit virtual system access
B. to limit virtual system resources
C. to limit the number of virtual system interfaces
D. to limit the number of VPNs

Correct Answer: B
Section: (none)
Explanation

QUESTION 63
What is required to route traffic from one virtual system to another virtual system?

A. Configure the same dynamic routing protocol in each virtual system.
B. Configure a virtual system profile with a shared forwarding table.
C. Configure a private virtual router in each virtual system.
D. Configure a shared root-level virtual router.

Correct Answer: D
Section: (none)
Explanation

QUESTION 64
Policy-based routing (PBR) policies can be bound to which three ScreenOS objects? (Choose three.)

A. virtual routers
B. interfaces
C. zones
D. security policies
E. virtual system

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
Policy-based routing consists of which three ScreenOS objects? (Choose three.)

A. extended access lists
B. match groups
C. action groups
D. address books
E. security policy

Correct Answer: ABC
Section: (none)
Explanation

QUESTION 66
What are two routing tables contained in a virtual router? (Choose two.)

A. destination-based
B. NHTB
C. source-based
D. zone-based

Correct Answer: AC
Section: (none)
Explanation

QUESTION 67
Which dynamic routing protocol does IPv6 use?

A. RIP
B. RIPng
C. OSPFv2
D. NHRP

Correct Answer: B
Section: (none)
Explanation

QUESTION 68
A routing table contains an IBGP route, a RIP route, an OSPF external Type 2 route, and an EBGP route for 192.168.0.0/16. When the router receives traffic destined for, which route will the router use by default?

A. the EBGP route
B. the IBGP route
C. the OSPF route
D. the RIP route

Correct Answer: A
Section: (none)
Explanation

QUESTION 69
Users on the 10.10.10.0/24 subnet are reporting connectivity problems. While troubleshooting, you see the output shown in the exhibit. What is the cause of the route flapping?

A. The autonomous system (AS) ID is incorrect.
B. The interface is in the incorrect OSPF area.
C. A duplicate router ID exists in the network.
D. The OSPF neighbors have different hold timer values.

Correct Answer: C
Section: (none)
Explanation

QUESTION 70
Which two statements are true regarding the route shown in the exhibit? (Choose two.)

A. 5.5.5.0/24 was configured as a source route with a next-hop IP address of 1.1.1.1 in the trust-vr.
B. 5.5.5.0/24 was configured as a destination route with a next-hop IP address of 1.1.1.1 in the trust-vr.
C. 5.5.5.0/24 was configured as a SIBR route with a next-hop IP address of 1.1.1.1 in the trust-vr.
D. 5.5.5.0/24 was configured as a permanent source route.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
Which two statements are true about the default route configuration based on the output shown in the exhibit? (Choose two.)

A. A default route is configured in the trust-vr with a next-hop IP address of 1.1.1.1.
B. A default route is configured in the trust-vr with a next hop of ethernet3/1.
C. A default route is configured in the trust-vr with a next hop of the untrust-vr.
D. A default route is configured in the untrust-vr with a next-hop IP address of 1.1.1.1.

Correct Answer: CD
Section: (none)
Explanation

QUESTION 72
Network traffic with a source IP of 192.168.100.60, destination IP of 8.8.8.8, and a destination port of 80 is sent through the ScreenOS device. The inbound zone is Trust, the outbound zone is Untrust.
Based on the policy configuration shown in the exhibit, what happens to this traffic?

A. The traffic is denied by default policy.
B. Traffic is denied by policy ID 3.
C. Traffic is permitted by the global policy.
D. Traffic is permitted by policy ID 2.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Question asks for source 192.168.100.60 and policies 1 and 2 use 192.168.100.50

QUESTION 73
You are setting up security policies to allow access to the servers on the 1.1.1.0/24 subnet. Referring to the exhibit, which two host addresses will be able to access the Web servers using FTP? (Choose two.)

A. 10.1.3.5
B. 10.1.2.1
C. 10.1.2.13
D. 10.1.1.1

Correct Answer: AC
Section: (none)
Explanation

QUESTION 74
Given the policy and address information for the three hosts shown in the exhibit, which two statements are correct? (Choose two.)

A. HTTP traffic from HostC to HostA will be silently discarded.
B. HTTP traffic from HostC to HostA will result in a RST sent to HostC.
C. HTTP traffic from HostA to HostB will be allowed.
D. HTTP traffic from HostA to HostB will be rejected.

Correct Answer: BC
Section: (none)
Explanation

QUESTION 75
FTP connections from host 10.20.1.10 to server 192.168.1.100 are not working. You produce the output shown in the exhibit. What is causing the traffic problem?

ssg20-> set address "Trust" "192.168.1.0/32" 10.20.1.0 255.255.255.0
ssg20-> set address "Untrust" "10.204.1.0/24" 10.204.1.0 255.255.255.0
ssg20-> set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.255
ssg20-> get policy id 1
name:"none" (id 1), zone Trust -> Untrust,action Permit, status "enabled"
src "192.168.1.0/32", dst "192.168.1.0/24", serv "FTP"
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00000000, session backup: on, idle reset:on
traffic shaping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet)0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/0 policing (no)
No Authentication
No User, User Group or Group expression set

A. The policy's source address is incorrect.
B. The policy's destination address is incorrect.
C. The policy's service is incorrect.
D. The policy does not have the FTP ALG enabled.

Correct Answer: B
Section: (none)
Explanation

QUESTION 76
In the exhibit, you have configured the MIP address 1.1.8.64 on a ScreenOS device.
Which statement is correct?

A. It performs one-to-one address translation and maps 1.1.8.64 to 10.1.10.64.
B. It performs one-to-many address translation and maps 1.1.8.64 to a range from 10.1.10.64 to 10.1.10.71.
C. It performs range address translation and maps 1.1.8.64 to 10.1.10.64, 1.1.8.65 to 10.1.10.65, etc.
D. It performs address translation using a random IP address from the pool for 10.1.10.64/29.

Correct Answer: C
Section: (none)
Explanation

QUESTION 77
In the network shown in the exhibit, you have been asked to enable users in the Untrust zone to contact Server1 on TCP port 80 using IP address 1.1.1.1. You also need to allow Server1 to make connections to hosts in the Untrust zone. When Server1 makes connections to the Untrust zone, the source address of its traffic should be translated to 1.1.1.1.
What would you use to configure this behavior?

A. MIP
B. VIP
C. DIP
D. SIBR

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
You need to add a DIP pool to the interface shown in the exhibit. The DIP pool has been assigned the IP addresses 20.20.20.1 through 20.20.20.10.
Which command would you use to accomplish this task?

ssg5(M)-> get conf | incl ethernet1/2
set interface "ethernet1/2" zone "Untrust"
set interface ethernet1/2 ip 10.0.0.1/24
set interface ethernet1/2 route
set interface "ethernet1/2" description "Internet Connection 1"
set interface ethernet1/2 ip manageable
set interface ethernet1/2 manage ping

A. set interface ethernet1/2 ext ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10
B. set interface ethernet1/2 ext ip 10.0.0.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10
C. set interface ethernet1/2 dip 1 20.20.20.1 20.20.20.10
D. set interface ethernet1/2 secondary ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

Correct Answer: A
Section: (none)
Explanation

QUESTION 79
Referring to the debug output shown in the exhibit, which NAT configuration is being used?

ns5gt-> get int
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth1 192.168.1.1/24 Trust 0014.f693.edc2 - U -
eth2 2.2.2.2/30 Untrust 0014.f693.edc8 - U -
ns5gt-> get db stream
****** .0: <Trust/ethernet1> packet received [69]******
ipid = 22281(5709), @059ff214
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1:192.168.1.102/52380->4.2.2.2/53,17<Root>
no session found
flow_first_sanity_check: in <ethernet1>, out <N/A>
chose interface ethernet1 as incoming nat if.
flow_first_routing: in <ethernet1>, out <N/A>
search route to (ethernet1, 192.168.1.102->4.2.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 7.route 4.2.2.2->2.2.2.1, to ethernet2
routed (x_dst_ip 4.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet2
Permitted by policy 1
dip id = 2, 192.168.1.102/52380->2.2.2.2/2157
choose interface ethernet2 as outgoing phy if
no loop on ifp ethernet2.
routed (x_dst_ip 4.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet2
policy search from zone 2-> zone 1

A. MIP
B. destination-based NAT
C. source-based NAT
D. VIP

Correct Answer: C
Section: (none)
Explanation

QUESTION 80
You configure NAT on your ScreenOS device to route the services shown in the exhibit to the internal addresses. Which commands will you use to configure this scenario?

A. ssg5-> set interface ethernet3 vip 1.1.1.3 53 dns 10.1.1.3
   ssg5-> set interface ethernet3 vip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5983 ldap 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5631 pcanywhere 10.1.1.5
   ssg5-> set interface ethernet3 mip 1.1.1.3 53 dns 10.1.1.3

B. ssg5-> set interface ethernet3 mip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 mip 1.1.1.3 5631 pcanywhere 10.1.1.4
   ssg5-> set interface ethernet3 mip 1.1.1.3 5983 ldap 10.1.1.5
   ssg5-> set interface ethernet3 dip 1.1.1.3 53 dns 10.1.1.3

C. ssg5-> set interface ethernet3 dip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 dip 1.1.1.3 5631 pcanywhere 10.1.1.4
   ssg5-> set interface ethernet3 dip 1.1.1.3 5983 ldap 10.1.1.5
   ssg5-> set interface ethernet3 vip 1.1.1.3 53 dns 10.1.1.3

D. ssg5-> set interface ethernet3 vip 1.1.1.3 80 http 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5631 pcanywhere 10.1.1.4
   ssg5-> set interface ethernet3 vip 1.1.1.3 5983 ldap 10.1.1.5

Correct Answer: D
Section: (none)
Explanation

QUESTION 81
What are two advantages for using the count parameter on a security policy? (Choose two.)

A. to see any NAT traffic drops for that policy
B. to see how many times users log in to the ScreenOS device
C. to count the total number of bytes of traffic for that policy
D. to see if the policy is temporarily not being used

Correct Answer: CD
Section: (none)
Explanation

QUESTION 82
How is the maximum bandwidth pool allocated when all policies share the same priority?

A. first come first served
B. round robin
C. packet DSCP value
D. policy order number

Correct Answer: B
Section: (none)
Explanation

QUESTION 83
An SSG5 has a default configuration loaded on it. Which two statements are correct? (Choose two.)

A. Intrazone blocking is enabled for the trust zone.
B. Intrazone blocking is disabled for the trust zone.
C. Intrazone blocking is enabled for the untrust zone.
D. Intrazone blocking is disabled for the untrust zone.

Correct Answer: BC
Section: (none)
Explanation

QUESTION 84
What are three required policy elements? (Choose three.)

A. source address
B. protocol
C. service
D. log
E. destination address

Correct Answer: ACE
Section: (none)
Explanation

QUESTION 85
What are three policy types? (Choose three.)

A. destination-based policy
B. intrazone policy
C. source-based policy
D. interzone policy
E. global zone policy

Correct Answer: BDE
Section: (none)
Explanation

QUESTION 86
In a policy, which two statements are true about the no-hw-sess command? (Choose two.)

A. It increases the load on the CPU.
B. It is used for debugging.
C. It increases the load on the ASIC card.
D. It reduces the load on the CPU.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
Given the following output, what do you know about this session?

id /s01,vsys 0,flag 18200450/4004/0083,policy 10,time 5, dip 0 module 0
 if 14(nspflag 0905):10.10.10.10/51112->8.8.8.8/443,6,000000000000,sess token 44,vlan 990,tun0,vsd 0,route 315,wsf 0
 if 8(nspflag 0904):10.10.10.10/51112<-8.8.8.8/443,6,000000000000,sess token 36,vlan 991,tun0,vsd 0,route 293,wsf 0

A. The session was denied by policy ID 10.
B. The session was permitted by policy ID 10.
C. The protocol used for this session is UDP protocol 6.
D. This session has already timed out and is pending cleanup out of the session table.

Correct Answer: B
Section: (none)
Explanation

QUESTION 88
HostA is in the Trust zone and has an IP address of. ServerA is a Web server in the DMZ zone and has an IP address of. Which three configuration statements are required to allow traffic from HostA to communicate with ServerA? (Choose three.)

A. ssg5-> set address Trust HostA /32
B. ssg5-> set policy from DMZ to Trust ANY ANY ANY permit
C. ssg5-> set address DMZ ServerA /32
D. ssg5-> set policy from Trust to DMZ HostA ServerA HTTP permit
E. ssg5-> set address Trust HostA /32

Correct Answer: CDE
Section: (none)
Explanation

QUESTION 89
You are using debug to determine which policy is used for Web traffic from host 10.20.1.5 to server 10.240.1.100. Which flow filter will only capture traffic related to this scenario?

A. id:0 src ip 10.20.1.5 dst ip 10.240.1.100
   id:1 src port 80

B. id:0 src ip 10.240.1.100 dst ip 10.20.1.5
   id:1 src port 80

C. id:0 src ip 10.240.1.100 dst ip 10.20.1.5 dst port 80

D. id:0 src ip 10.20.1.5 dst ip 10.240.1.100 dst port 80

Correct Answer: D
Section: (none)
Explanation

QUESTION 90
You have created a site-to-site IPsec VPN between two devices. You want to keep the tunnel up at all times, even when no user traffic is using it. Which two configuration additions will accomplish this goal? (Choose two.)

A. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip
B. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip rekey
C. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip keepalive
D. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip rekey optimized

Correct Answer: BD
Section: (none)
Explanation

QUESTION 91
When a new session is created on the primary ScreenOS device, what are two results that happen on the backup device? (Choose two.)

A. Session information is sent in real time from the master to the backup over the HA link.
B. Session update messages are bundled together and sent over every 10 seconds to the backup over the HA link.
C. A session is created on the backup device with a timeout value of 8 times the default.
D. A session is created on the backup device and is completely identical to that of the master's session.

Correct Answer: AC
Section: (none)
Explanation

QUESTION 92
What are three valid states for an NSRP member? (Choose three.)

A. backup
B. feasible successor
C. ineligible
D. master
E. standby

Correct Answer: ACD
Section: (none)
Explanation

QUESTION 93
While troubleshooting performance issues on your NetScreen cluster, you decide to failover the master device to its redundant peer. Which two methods will accomplish this task? (Choose two.)

A. Manually disable an NSRP-monitored interface using the set interface <interface> phy link-down command.
B. Manually disable an NSRP-monitored interface using the shutdown interface <interface> command.
C. Force an NSRP failover using the exec nsrp vsd-group <group ID number> mode backup command on the master device.
D. Force an NSRP failover using the exec nsrp vsd-group <group ID number> mode backup command on the backup device.

Correct Answer: AC
Section: (none)
Explanation

QUESTION 94
You have been making changes on an NSRP cluster and find that the ScreenOS devices are out of sync. You want to synchronize the devices' configurations together. Which command and process are needed to accomplish this task?

A. Run the command set nsrp sync global-config check-sum on the local device and then reset the peer device.
B. Run the command set nsrp sync global-config save on the backup device and then reset the backup device.
C. Run the command exec nsrp sync config save on the peer device and then reset the peer device.
D. Run the command exec nsrp sync global-config save on the backup device and then reset the backup device.

Correct Answer: D
Section: (none)
Explanation

QUESTION 95
A monitored interface on a clustered pair of ScreenOS devices goes down and both devices become ineligible to be master of the cluster. As a result, neither device is passing traffic. Which step would have prevented this situation?

A. Configure initial hold-down time to 10 seconds.
B. Configure the preempt parameter and a higher priority on one of the devices.
C. Configure the lost heartbeat interval to 1 second.
D. Configure the master-always-exists parameter.

Correct Answer: D
Section: (none)
Explanation

QUESTION 96
You have entered the command

set ffilter src-ip 1.1.7.250 dst-ip 10.1.10.5 ip-prot 6

What will be the resulting output in the debug for which this was created?

A. If the packet has a src-ip of 1.1.7.250 or a dst-ip of 10.1.10.5 or has TCP as its protocol then it will be captured
B. If the packet has a src-ip of 1.1.7.250 or a dst-ip of 10.1.10.5 or has UDP as its protocol then it will be captured
C. If the packet has a src-ip of 1.1.7.250 and a dst-ip of 10.1.10.5 and has TCP as its protocol then it will be captured
D. If the packet has a src-ip of 1.1.7.250 and a dst-ip of 10.1.10.5 and has UDP as its protocol then it will be captured

Correct Answer: C
Section: (none)
Explanation

QUESTION 97
You are creating a DIP pool of 30 addresses. You would like to see how addresses are being allocated to different traffic streams. Which command will you use to view this information?

A. snoop
B. get dip all
C. get session
D. get address xlate

Correct Answer: C
Section: (none)
Explanation

QUESTION 98
You are using NSRP and enable preempt on a device with a priority of 120. The other device has the default priority set. What will be the result of this action?

A. The device will become master immediately.
B. The device will only become master if the device with default priority fails.
C. The device will wait the defined holdtime period and then take over as master.
D. The device will enter a pending state until the next maintenance window and then assume the master role.

Correct Answer: B
Section: (none)
Explanation

QUESTION 99
During main mode negotiations a failure has occurred while using IKE certificates. Which message pair would you review to troubleshoot this failure?

A. messages 1 - 2
B. messages 2 - 3
C. messages 3 - 4
D. messages 5 - 6

Correct Answer: D
Section: (none)
Explanation

QUESTION 100
You have entered the following BGP configuration:

set vrouter trust-vr bgp 65530
set vrouter trust-vr bgp enable
set vrouter trust-vr protocol bgp neighbor 1.1.1.250 remote-as 65500
set vrouter trust-vr protocol bgp neighbor 1.2.3.250 remote-as 65280

BGP is not working.
What two elements are missing from your configuration? (Choose two.)

A. You have not enabled the BGP peers.
B. You have not enabled EBGP multihop.
C. You have not placed the peers in a BGP peer group.
D. You have not enabled BGP on the interfaces connecting to the peers.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
