Page 1: Juniper Networks JN0-632 Security, Professional (JNCIP-SEC)...want to configure the SRX Series device to minimize latency. You decide to configure inline tap mode. Which two statements

Juniper Networks JN0-632 Security, Professional (JNCIP-SEC)

Number: JN0-632
Passing Score: 800
Time Limit: 120 min
File Version: 6.1


Juniper JN0-632

Security Professional (JNCIP-SEC)

Version: 6.1


Exam A

QUESTION 1
You are concerned about the latency introduced in processing packets through the IPS signature database and want to configure the SRX Series device to minimize latency. You decide to configure inline tap mode.

Which two statements are true? (Choose two.)

A. When packets pass through for firewall inspection, they are not copied to the IPS module.
B. Packets passing through the firewall module are copied to the IPS module for processing as the packets continue through the forwarding process.
C. Traffic that exceeds the processing capacity of the IPS module will be dropped.
D. Traffic that exceeds the processing capacity of the IPS module will be forwarded without being inspected by the IPS module.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: Inline tap mode is supported in 10.2. It will have a positive impact on performance and will only be supported in dedicated mode. The processing will essentially be the same as it is in dedicated inline mode; however, instead of flowd simply placing the packet in the IDPD queue to be processed, it will make a copy of the packet, put that in the queue, and forward on the original packet without waiting for IDPD to perform the inspection. This means that the IDP will not be a bottleneck in performance. The one limitation of this feature is that some attacks, such as single-packet attacks, may be able to pass through the SRX without being blocked. However, even though single-packet attacks may not be blocked, most attacks will be blocked, and even in the case that an attack is let through, the SRX can still close down the session and even send TCP resets if it is a TCP protocol and the Close Connection option is set.

QUESTION 2
You create a custom attack signature with the following criteria:

-- HTTP Request:

-- Pattern: *\x<404040...40

-- Direction: Client to Server

Which client request would be identified as an attack?

A. FTP GET.,\x404040...40
B. HTTP GET *\404040..40
C. HTTP POST.*\x404040...40
D. HTTP GET *\x4040401.40

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Signature-based attack objects will be the most common form of attack object to configure. This is where you use regular expression matching to define what attack objects should be matched by the detector engine. The provided regular expression matches an HTTP GET request containing *\x4040401..40. Here \x denotes hex-based numbers, and . matches any symbol.

Reference: http://www.juniper.net/techpubs/en_US/idp5.1/topics/example/simple/intrusion-detection-prevention-custom-attack-object-compound-signature.html

QUESTION 3
Click the Exhibit button.

In the exhibit, what does the configured screen do?

A. It blocks TCP connections from a host when more than 1000 successive TCP connections are received.
B. It blocks TCP connections for a host when more than 1000 connections are received within 3600 seconds.
C. It blocks TCP connection attempts from a host when more than 10 connection attempts are made within 1000 microseconds.
D. It blocks TCP connections from the host for 1000 seconds when a host is identified as a TCP scan source.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The command prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the device flags this behavior as a port scan attack and rejects further packets from the remote source.

Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/port-scan.html

QUESTION 4
Click the Exhibit button.

In the exhibit, Customer A and Customer B connect to the same SRX Series device. ISP1 and ISP2 are also directly connected to the SRX device. Customer A's traffic must use ISP1, and Customer B's traffic must use ISP2.

Which configuration will create the required routing tables?

A. set routing-options rib-groups fbf import-rib [ custA.inet.0 custB.inet.0 ]
B. set routing-options rib-groups fbf export-rib [ custA.inet.0 custB.inet.0 ]
C. set routing-options rib-groups fbf import-rib [ custA.inet.0 custB.inet.0 inet.0 ]
D. set routing-options rib-groups fbf export-rib [ custA.inet.0 custB.inet.0 inet.0 ]

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 5
You must configure a site-to-site VPN connection between your company and a business partner. The security policy of your organization states that the source of incoming traffic must be authenticated by a neutral party to prevent spoofing of an unauthorized source gateway.

What accomplishes this goal?

A. Use a manual key exchange to encrypt/decrypt traffic.
B. Generate internal Diffie-Hellman public/private key pairs on each VPN device and exchange public keys with the business partner.
C. Use a third-party certificate authority and exchange public keys with the business partner.
D. Use a private X.509 PKI certificate and verify it against a third-party certificate revocation list (CRL).


Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 6
Company A and Company B are using the same IP address space. You are using static NAT to provide dual translation between the two networks.

Which two additional requirements are needed to fully allow end-to-end communication? (Choose two.)

A. route information for each remote device
B. persistent-nat
C. required security policies
D. no-nat-traversal

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.fr/techpubs/en_US/junos10.4/topics/example/nat-twice-configuring.html

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

QUESTION 7
Your company is deploying a new WAN that uses transport over a private network infrastructure to provide an any-to-any topology. Your manager is concerned about the confidentiality of data as it crosses the WAN. Scalability of the SRX Series device's ability to perform IKE key exchanges is a key consideration.

Which VPN design satisfies your manager's concerns?

A. a transparent IPSec VPN
B. a hub-and-spoke VPN
C. a point-to-multipoint VPN
D. a group VPN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: http://juniper.fr/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45780.html

QUESTION 8
Click the Exhibit button.

Senior management reports that your company's network is being attacked by hackers exploiting a recently announced vulnerability. The attack is not being detected by the IDP on your SRX Series device. You suspect that your attack database is out of date. You check the version of the attack database and discover it is several weeks old. You configured your device to download updates automatically as shown in the exhibit.

What must you do for the automatic update to function properly?

A. Change the interval to daily by adding set automatic interval 1 to the configuration and commit the change.
B. Enable the automatic updates by adding set automatic enable to the configuration and commit the change.
C. Set the time zone on your device.
D. Change the URL of the update site to use https:// instead of http://.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 9
You obtained a license file from Juniper Networks for the SRX Series Services Gateway IPS feature set. You want to install the license onto the SRX Series device.

Which statement is accurate?

A. The license file is automatically downloaded from the online license server; you need not do anything.
B. Transfer the file to the SRX Series device using FTP or SCP and install the license with the request system license add <filename> command.
C. The license file must be decrypted with the openssl utility before being installed on the SRX Series device.
D. Transfer the file to the SRX firewall using FTP or SCP and install the license with the request system license install-permanent command.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.1/topics/reference/command-summary/request-system-license-add.html

QUESTION 10
You have been asked to configure a signature to block an attack released by a security vulnerability reporting agency.

Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)

A. the source port of the attacker
B. a string or regular expression that occurs within the attack
C. the context where the attack pattern is found within the packet
D. the IPv4 routing header

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/nsm2011.1/topics/task/configuration/attack-signature-attack-object-creating-nsm.html

QUESTION 11
In a group VPN the members rekey with the server using the Unicast PUSH method.

This rekey mechanism is protected by which secure channel?

A. KEK
B. IPSec SA
C. TEK
D. IKE SA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: It is true that the Key Encryption Key (KEK) is used to encrypt rekey messages. But at the same time, GDOI exchanges in Phase 2 must be protected by ISAKMP Phase 1 SAs. The GDOI groupkey-push exchange is one of the two types of GDOI exchanges: groupkey-pull and groupkey-push.

QUESTION 12
Which two configuration tasks should you use to implement filter-based forwarding? (Choose two.)

A. Create a VRF routing instance.
B. Create a firewall filter with an action of virtual-channel.
C. Create routing options with rib-groups.
D. Create routing options with interface routes.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/routing-configuring-filter-based-forwarding.html

QUESTION 13
Your corporate network consists of a central office and four branch offices. You are responsible for coming up with an effective solution to provide secure connectivity between the sites.

Which solution meets the requirements?

A. Implement firewall filters on each device.
B. Implement an HTTPS-based mesh between all sites.
C. Implement secure routing policies.
D. Implement a hub-and-spoke VPN.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/vpn-hub-spoke-topologies-one-interface.html

QUESTION 14
Click the Exhibit button.

The client is downloading a file from the FTP server. The FTP control channel is established using a security policy named trust-to-untrust.

Which statement is correct about the output in the exhibit regarding the data channel?

A. Passive FTP is being used to establish the data channel.
B. The pinhole has been opened by the FTP ALG for return traffic.
C. The session requires a separate security policy for return traffic.
D. The session is using NAT to translate IP addresses.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:


QUESTION 15
You want to verify how many security policies will match FTP traffic from source address 1.1.1.1 port 55000 to destination address 2.2.2.2 port 21.

Which operational mode command should you use?

A. show security match-policy from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count

B. test security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count

C. show security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count

D. show security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol udp result-count

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/cli-reference/junos-security-cli-reference.pdf

QUESTION 16
Click the Exhibit button.

The exhibit shows an IPSec tunnel configuration. In an effort to increase the security of the tunnel, you must configure the tunnel to negotiate a new tunnel key during IKE phase 2.

How can the configuration be changed to accommodate this requirement?

A. A new tunnel key is negotiated by default during phase 2; no configuration change is necessary.
B. PFS must be added to the IKE policy pol-ike.
C. PFS must be added to the IPSec policy pol-IPSec.
D. A new tunnel key cannot be negotiated in IKE phase 2 with route-based IPSec VPNs; a policy-based IPSec VPN must be

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: PFS is a method for deriving Phase 2 keys independent from and unrelated to the preceding keys. Alternatively, the Phase 1 proposal creates the key (the SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party gains access to the SKEYID_d key, all your encryption keys are compromised. PFS addresses this security risk by forcing a new DH key exchange to occur for each Phase 2 tunnel. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html

QUESTION 17
You configured all the required parameters to allow IPv6 address book entries. You successfully committed the configuration. You noticed that IPv4 traffic is still working as expected, but IPv6 traffic is being dropped.

What is the solution to the problem? (Choose two.)

A. IPv4 and IPv6 address book entries will not work together.
B. IPv6 flow-based mode must be enabled.
C. The SRX device must be rebooted.
D. IPv6 policy-based mode must be enabled.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
[edit security forwarding-options]
diriger# set family inet6 mode flow-based
[edit security forwarding-options]
diriger# exit
[edit]
diriger# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
[edit]
Reference:

http://blog.kramse.org/blojsom/blog/default/IPv6/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding?smm=y

http://blog.kramse.org/blojsom/blog/default/IPv6/JUNOS-software-on-SRX-basic-IPv6-configuration?smm=y

QUESTION 18
Given the session shown below:

Which statement is true?

A. The session indicates that destination NAT with no port translation is taking place.
B. The session indicates that no NAT is taking place.
C. The session indicates that source NAT is taking place.
D. The session indicates that destination NAT with port translation is taking place.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The output of the command shows that the TCP packet with src ip 10.1.0.13, src tcp port 52939, dst ip 207.17.137.229 and dst port 80 is entering interface ge-0/0/5.0, and the reverse connection is created for the same session: src ip 172.19.101.42, src tcp port 2132, dst ip 207.17.137.229 and dst tcp port 80. So the source ip 10.1.0.13 is translated to 172.19.101.42.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/show-security-flow-session.html#jd0e143381

QUESTION 19
What are two implementations of NAT? (Choose two.)

A. source NAT
B. group NAT
C. filter-based NAT
D. destination NAT

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A - Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.
D - Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).
Reference:

http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/nat-security-source-and-destination-nat-translation-configuring.html

http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/network-address-translation-overview.html

QUESTION 20
You are notified that a particular application passing through an SRX3600 is not working properly. A request has been made to provide a packet capture of the application traffic as it egresses the SRX device.

What is required to capture the transit application traffic on the egress interface?

A. Create a firewall filter with the action packet-capture and apply the firewall filter to the egress interface.
B. Create a firewall filter with the action packet-mode and apply the firewall filter to the egress interface.
C. Execute the operational mode command monitor traffic interface and specify the egress interface.
D. Configure the data path-debug capture parameters and start the packet capture from operational mode.
E. Create a firewall filter with action sample and apply the firewall filter to the egress interface.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation: See reference for details.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

QUESTION 21
The SRX Series device is configured for source NAT. The source IP address will be translated to 1.1.1.1. A packet with a source address of 21.21.21.21 and destination address of 31.1.1.1 arrives at the SRX Series device.

Which security policy will this packet match?

A. a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of 31.1.1.1

B. a policy in which the match criteria has a source address of 1.1.1.1 and a destination address of 21.21.21.21

C. a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of 1.1.1.1

D. a policy in which the match criteria has a source address of 31.1.1.1 and a destination address of 1.1.1.1

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 22
You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through routing-instance Juniper2, without sharing all the routes between the two instances.

Which static route configuration will accomplish this?

A. set routing-instances Juniper1 routing-options static route 2.2.2.2 next-table Juniper2.inet.0
B. set routing-instances Juniper2 routing-options static route 2.2.2.2 next-table Juniper1.inet.0
C. set routing-options static route 2.2.2.2 next-table Juniper2.inet.0
D. set routing-options static route 2.2.2.2 next-table Juniper1.inet.0

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:


QUESTION 23
You want to implement a chassis cluster using SRX650s in your network. Your manager has informed you that the nodes participating in the chassis cluster will reside in remote locations.

Which two statements represent valid considerations for this deployment scenario? (Choose two.)

A. The latency between the participating nodes cannot exceed 300 ms.
B. The links supporting the control and fabric links should all be 1 Gbps or higher.
C. The same physical path supporting the control and fabric links should be used.
D. The paths supporting the control and fabric links should use segregated virtual paths.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: After configuring the SRX650 HA chassis cluster, ge-0/0/0 is reserved for fxp0 (out of band), ge-0/0/1 for the control link, and one more port (most commonly ge-0/0/2) for the fabric link. In most SRX Series devices in a chassis cluster, you can configure any pair of Gigabit Ethernet interfaces or any pair of 10-Gigabit interfaces to serve as the fabric between nodes. If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the corresponding switch ports. If both of the fabric links are connected through the same switch, the RTO-and-probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN. Here too, the jumbo frame feature must be enabled on the corresponding switch ports.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabric-configuring-cli.html

QUESTION 24
Access to a Web server is being severely interrupted after configuring SCREEN parameters. The intent of the IT group was to mitigate SYN flood attacks by dropping connections aggressively if the number of SYN packets to the server exceeded 1000 packets per second.

Which two SCREEN settings will resolve the issue? (Choose two.)

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-68220.html#id-68220

QUESTION 25
What are two valid chassis cluster implementations? (Choose two.)

A. active/active
B. online/offline
C. active/passive
D. passive/passive

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: There are only two options: active/active and active/passive. See reference.

Reference:

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/activeactive-full-mesh-chassis-cluster-scenario.html

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/activepassive-chassis-cluster-scenario.html

QUESTION 26
What describes the NULL scan and how would you effectively mitigate it?

A. A NULL scan attack consists of a series of packets that have source port 0 and various destination ports set. They can be minimized with SCREEN options, such as set security screen ids-option foo tcp-no-null and udp-no-null.

B. A NULL scan attack is an attack targeting port of the remote device's TCP/IP stack. set security idp sensor-configuration flow no-allow-tcp-without-flow.

C. A NULL scan attack uses packets with no flags set and you can minimize it with SCREEN options, set screen ids-option foo tcp tcp-no-flag.

D. A NULL attack is making use of UDP packets that just contain "0" characters in their payload; a stateless firewall filter can help to mitigate this attack.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A normal TCP segment header has at least one control flag set. A TCP segment with no control flags set is an anomalous event. Because different operating systems respond differently to such anomalies, the response (or lack of response) from the targeted device can provide a clue as to the type of OS it is running.

Reference:

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/id-91902.html#id-20336

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/jd0e96963.html

QUESTION 27
Click the Exhibit button.

In the process of securing your network from network reconnaissance, you notice that a large number of random packets are destined for unused segments on your network.

Referring to the exhibit, how should you secure the borders from these attacks while allowing legitimate traffic to pass through?

A. Configure SYN fragment protection to prevent these types of packets from entering the network.
B. Configure IP sweep protection to rate-limit the number of allowed packets.
C. Configure TCP sweep protection to rate-limit the number of allowed packets to enter.
D. Configure the teardrop screen to prevent these types of packets from entering your network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port on the device is open, which makes the port vulnerable to attack. The TCP Sweep SCREEN option restricts the session establishment between the source IP (the attacker) and the destination IP (the target device) based on the number of attempts made by the attacker within a particular timeframe. The default threshold is 50 packets per second. If the number of attempts exceeds 50, the security device does not establish the connection. You can set the threshold to a value between 1 and 5000 packets per second.
Reference: http://help.juniper.net/help/english/6.2.0/zone_ids_edit_cnt.htm

QUESTION 28
You have been asked to configure a signature to block an attack released by a security vulnerability reporting agency. Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)

A. the source IP address of the attacker
B. the protocol the attack is transported in
C. a string or regular expression that occurs within the attack
D. IPv4 routing header

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/idp5.1/topics/task/configuration/intrusion-detection-prevention-signature-attack-object-creating-nsm.html

QUESTION 29
In a group VPN topology, you have three members A, B, and C. You want A to communicate with B using a different encryption key from the one it uses to communicate with C.

How do you achieve this?

A. You put A, B, and C in three different groups.
B. You put A, B, and C in the same group, but you define a different match-policy for communication between A and B and for communication between A and C.
C. You define a different SA and a different match-policy for communication between A and B and for communication between A and C.
D. In a group VPN, all members of a group must use the same key to communicate with each other.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500202-en.pdf

QUESTION 30
What is the primary function of Junos Intrusion Prevention System (IPS)?

A. to protect against scans and attacks
B. to perform firewall filtering
C. to perform NAT translation
D. to provide IPSec tunneling

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The IPS feature list includes:
Stateful Signature Detection: Signatures are applied only to relevant portions of the network traffic determined by the appropriate protocol context, minimizing false positives.
Protocol Anomaly Detection: Protocol usage is verified against published RFCs to detect any violations or abuse, proactively protecting the network from intrusions and even undiscovered vulnerabilities.
Traffic Anomaly Detection: Heuristic rules provide detection of unexpected traffic patterns that may suggest reconnaissance or attacks. This intrusion prevention system proactively prevents reconnaissance activities and blocks distributed denial of service (DDoS) attacks.
Role-Based Administration: More than 100 different activities can be assigned as unique permissions for different administrators, streamlining business operations by logically separating and enforcing roles of various administrators.
Intrusion Prevention System functions conform to business operations: Enable logical separation of devices, policies, reports, and other management activities to group devices based on business practices.

Reference:

http://www.juniper.net/as/en/products-services/software/router-services/ips/

QUESTION 31
Click the Exhibit button.

A junior network administrator has configured an inbound destination NAT to an internal server, translating a public IP to an RFC1918 IP address on the internal network. After configuring NAT and the policy to permit this connectivity, the junior administrator is unable to get this to work. Traffic never gets to the internal server.

Based upon the configuration in the exhibit, what is needed to resolve the problem?

A. The NAT policy is configured incorrectly.
B. The security policies are out of order.
C. The security policies for the return traffic are written incorrectly.
D. The permit-web-dmz security policy is written incorrectly.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The destination-address in policy permit-web-dmz should be 10.1.1.11/32.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/nat-security-destination-address-port-translation-configuring.html

QUESTION 32
In a group VPN a group member can reach the key server 100.0.0.3 using the interface ge-0/0/5. It can reach all other group members using the interface ge-0/0/7. The IP address of ge-0/0/5 is 1.1.1.1 and the IP address of ge-0/0/7 is 2.2.2.1.

Which configuration is correct for this member?

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The correct answer should have:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45798.html

QUESTION 33
You are implementing a chassis cluster and adding the cluster to your multicast domain. Which two statements are valid considerations for this implementation scenario? (Choose two.)

A. Multicast sessions are only maintained on the primary node in the cluster and will not be maintained during a failover scenario.
B. Multicast sessions are synchronized on both nodes within the cluster and will be maintained during a failover scenario.
C. The ppe and ppd interfaces are used to enable a cluster to act as a rendezvous point (RP) or first hop router in the multicast domain.
D. The pe and pd interfaces are used to enable a cluster to act as a rendezvous point (RP) or first hop router in the multicast domain.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: Multicast protocols are supported in chassis clustering for all SRX Series and J Series devices. J Series devices support pd and pe interfaces and SRX Series devices support ppd and ppe interfaces. If PIM sparse mode is enabled on any router (potentially a PIM sparse-mode source DR) and a Tunnel Services PIC is present on the router, a PIM register encapsulation interface, or pe interface, is automatically created for each RP address that is used to encapsulate source data packets and send them to respective RP addresses on the PIM DR as well as the PIM RP. The pe interface receives PIM register messages and encapsulates them by means of the hardware.

Reference:

https://www.thenewnetworkishere.com/techpubs/en_US/junos10.3/information-products/topic-collections/release-notes/10.3/topic-47950.html

QUESTION 34
Click the Exhibit button

In the exhibit, a site-to-site IPSec tunnel between the chassis cluster and the remote SRX240 device will not establish. The chassis cluster and the remote SRX240 device are using their loopback interfaces for IPSec tunnel termination.

What is causing the problem?

A. Site-to-site IPSec VPNs are not supported on a chassis cluster; a GRE tunnel must be used instead.
B. Loopback interface IPSec tunnel termination is not supported on high-end SRX Series chassis clusters; use the reth0 interface instead.
C. Site-to-site IPSec VPNs between high-end SRX Series chassis clusters and branch SRX devices are not supported. The SRX240 device must be replaced with a high-end SRX device.
D. Loopback interface IPSec tunnel termination within a chassis cluster must have PFS enabled. Configure PFS on both ends of the IPSec tunnel.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-43738.html

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14371

QUESTION 35
In terms of application and protocol recognition, how does the IPS engine inspect the traffic?

A. unidirectional on the incoming interface
B. unidirectional on the outbound interface
C. only traffic from and to well-known ports
D. bidirectionally

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 36
Click the Exhibit button

In the exhibit, traffic from the client is routed to Server A by default. You have just implemented filter-based forwarding to redirect specific traffic from the client to Server B. Server B will then send that traffic to Server A. After finalizing this implementation, you notice reverse traffic from Server A back to the client is being dropped.

Which statement describes why the reverse traffic is being dropped?

A. The filter-based forwarding unidirectional-only option has been enabled.
B. The MAC caching configuration option has not been enabled.
C. The Junos OS performs a route lookup on the reverse traffic and drops the traffic due to a zone mismatch.
D. The Junos OS performs a security policy check in the fast path packet flow on traffic matched by a stateless filter.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: http://juniper.ilkom.unsri.ac.id/stepbystep/Junos%20Security.pdf

QUESTION 37
Your company has installed a new transparent proxy server that it wants all employee traffic to traverse before taking the default route to the Internet. The proxy server is within two DMZ zones from the SRX Series device, which means your SRX device must now have two default routes: one to the proxy DMZ and one to the Internet from the proxy DMZ.

What can you do to get the traffic to flow to the transparent proxy DMZ, and then from the proxy DMZ to the Internet, regardless of the destination or port?

A. Configure two static default floating routes: one from the employee zone to the ingress proxy DMZ and a second from the egress proxy DMZ to the Internet.
B. Configure two separate routing instances: one instance for the employee zone to the ingress proxy DMZ and the second for the egress proxy DMZ to the Internet.
C. Configure security policies that will route all traffic to the ingress proxy DMZ; then traffic will follow the default route to the Internet from the egress proxy DMZ.
D. Configure a rib-group to handle the two default routes between the ingress and egress zones of the new proxy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:

QUESTION 38
You are configuring a hub-and-spoke VPN topology between an SRX Series device deployed at the hub site and several non-Juniper devices at spoke sites. You have decided to use static routes on the hub device to make the spoke network reachable.

What else must you do to make the remote networks reachable?

A. Use the NHTB protocol to ensure that automatic tunnel bindings are created.
B. Add static next-hop tunnel bindings on the spoke devices for the hub networks.
C. Configure proxy IDs for the remote networks on the hub device.
D. Add static next-hop tunnel bindings on the hub device for the spoke networks.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Multipoint_VPN_with_NHTB_12.pdf

QUESTION 39
Click the Exhibit button

A user complains that they cannot reach a destination host using Telnet. The user expresses concern that the SRX Series device is blocking the connection attempt. You check the security policy log on the SRX device and see the entry shown in the exhibit.

Based on the security policy log entry, which three statements describe why the user is unable to use Telnet to reach the destination host? (Choose three.)

A. No security policy is configured on the SRX device to match the request.
B. The destination host does not have a valid route for the user's PC.
C. The destination host is not listening on the requested service.
D. Another device between the SRX device and destination host is blocking the request.
E. A trace options flag is set on the SRX device to drop the telnet traffic.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Explanation: Based on the security policy log entry we can confirm that the "allow-telnet" security policy is configured on the SRX device and that the SRX device does not receive any packets from the remote telnet server, as both server-packets and server-bytes are zero. So the possible options are B, C, D.

Reference: http://www.juniperforum.com/index.php?topic=10131.0

http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/junos-security-swconfig-security.pdf

QUESTION 40
You have a problem with an FTP session that will not establish through your SRX240 device. You confirmed that routing and security policies are correct. You want to capture packets to further troubleshoot the problem.

Which two actions are required to do this? (Choose two.)

A. Run the monitor traffic interface | save pcap command.
B. Turn on the packet-capture option in the forwarding-options section of the configuration.
C. Build a firewall filter with a sample action on the interface.
D. Enable traceoptions on the interface.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Reference:

http://forums.juniper.net/t5/SRX-Services-Gateway/packet-capture-on-Juniper-SRX210/td-p/102454

QUESTION 41
You have been asked to add a dynamic VPN to your SRX650. This dynamic VPN must be able to support five users at the same time.

What are two primary requirements? (Choose two.)

A. You must configure IKE to use main mode.
B. You must configure IKE to use certificates for authentication.
C. You must configure IKE to use aggressive mode.
D. You must configure IKE to use preshared keys for authentication.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation: When a dynamic VPN user negotiates an AutoKey IKE tunnel with a preshared key, aggressive mode must be used. Therefore, you must always use aggressive mode with the dynamic VPN feature.

Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/ipsec-vpn-overview.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/vpn-dynamic-config-overview.html

QUESTION 42
Click the Exhibit button

The exhibit shows a configuration for two IPSec tunnels. The tunnel ipsec-vpn-primary is being used as the primary tunnel, and the tunnel ipsec-vpn-backup is being used as the backup tunnel. The remote device is not a Juniper Networks device. When a link failure occurs in the path that supports the primary tunnel, traffic is black holed for many minutes before the backup tunnel is used.

What can you do to reduce the failover time?

A. Configure BFD over the IPSec tunnel.
B. Configure VPN monitoring on the primary tunnel.
C. Configure DPD on the primary tunnel.
D. Configure DPD on the backup tunnel.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/software/junos/junos94/swconfig-services/configuring-the-remote-address-and-backup-remote-address.html

QUESTION 43
Click the Exhibit button.

You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between SRX Series devices. You notice the error in the log shown in the exhibit.

What is a possible cause for this problem?

A. mismatched proxy IDs
B. mismatched peer IDs
C. mismatched Phase 2 proposals
D. mismatched preshared key

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Most likely the Phase 1 pre-shared keys do not match.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101

QUESTION 44
Click the Exhibit button

In the exhibit, two SRX240 devices form a chassis cluster. Node 0 is primary for RG 1, and interface monitoring is configured to fail primacy over to Node 1 in the event interface ge-5/0/3 goes down. However, when interface ge-5/0/3 goes down, Node 0 retains primacy for RG 1.

Which two statements describe why Node 0 retained primacy for RG 1? (Choose two)

A. The ge-5/0/3 interface belongs to Node 1, which is in a secondary state, so no failover is necessary.
B. Node 0 has a priority of 254, but it will not switch unless an additional interface goes down.
C. Node 1 has a priority of 0 and is not eligible to take primacy of RG 1.
D. The ge-5/0/3 interface belongs to Node 1 and the priority was subtracted from Node 1.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Reference: http://answers.oreilly.com/topic/2040-how-to-initially-troubleshoot-a-junos-chassis-cluster/

QUESTION 45
You want to implement an IPS rule base action in which matching traffic is dropped.

Which configuration parameter meets this requirement?

A. no-action
B. drop-packet
C. accept
D. notification

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Actions specify the actions you want IDP to take when the monitored traffic matches the attack objects specified in the rules. The following table shows the actions you can specify for IDP rules:

Reference:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/understand-rule-action-section.html#understand-rule-action-section

QUESTION 46
Which two protocols are supported by Application Layer Gateways (ALGs) on SRX Series devices? (Choose two.)

A. FTP
B. HTTP
C. SIP
D. SNMP

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A - FTP carries port numbers inside the TCP payload. This requires an ALG.
C - SIP carries contact information inside the UDP payload. This requires an ALG.

Reference:

http://www.juniper.net/techpubs/en_US/nsm2010.4/topics/reference/specifications/security-service-firewall-alg-protocol-enable-disable-overview.html

http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/feature-support-reference/junos-security-feature-support-guide.pdf

QUESTION 47
Click the Exhibit button

Your company uses a custom-built application that uses RSH. You have configured a new application definition to support it on your SRX Series device as shown in the exhibit, and you applied the application to the relevant security policy. After you commit the configuration, users report that they can no longer interact with remote devices.

What is causing the problem?

A. The source-port parameter is missing.
B. The inactivity timeout value is too low.
C. The application-protocol parameter is missing.
D. The protocol parameter is incorrect.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/services-configuring-application-protocol-properties.html?searchid=1320265916617

QUESTION 48
Which two protection mechanisms are supported on SRX Series Services Gateways? (Choose two)

A. flow overflow attack protection
B. back door protection
C. Layer 2 protection for ARP spoofing
D. back link protection

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The IDP system detects Layer 2 attacks by defining implied rules on the IDP Sensor. By default, the IDP has ARP spoof detection enabled. You can configure an interface to reject G-ARP requests and replies based on your security concerns. Accepting gratuitous ARP requests and replies might make the network vulnerable to ARP spoofing attacks.

The backdoor rulebase protects your network from mechanisms installed on a host computer that facilitate unauthorized access to the system. Attackers who have already compromised a system typically install backdoors (such as Trojans) to make future attacks easier. When attackers send and retrieve information to and from the backdoor program (as when typing commands), they generate interactive traffic that IDP can detect.

Reference:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB7443&actp=search&viewlocale=en_US&searchid=1248336689499#

http://www.juniper.net/techpubs/software/management/security-manager/nsm2008_2/nsm-intrusion-detection-prevention-device-guide.pdf

QUESTION 49
Your new employer has contacted you because the company's Web servers located in the DMZ (dmz zone) are not reachable from the Internet (untrust zone). After examining the configuration from the previous administrator, you determine that the problem must be with the NAT configuration. The servers have the internal IP addresses 172.14.14.9/24 and 172.14.14.10/24.

Which NAT configuration will correct the problem?

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/nat-security-destination-address-port-translation-configuring.html

QUESTION 50
You have a VoIP application that requires external sessions to be initiated into your environment. Your network only has a single public IP address configured on the egress interface.

Which two parameters must be configured for your application to work properly? (Choose two)

A. port-oversubscription off
B. persistent-nat
C. overflow-pool interface
D. port-overloading off

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/cli-reference/junos-security-cli-reference.pdf

QUESTION 51
You configure an SRX Series chassis cluster with graceful restart support for the configured routing protocols. When testing your cluster failover in a large, multivendor lab environment, you notice that most of the BGP and OSPF neighbors remain adjacent, whereas a few other neighbors drop the adjacency with your cluster during the cluster failover test. You notice that the OSPF and BGP neighbors that drop the adjacencies are always the same.

Why is this happening?

A. The OSPF/BGP neighbors in question have misconfigured hello/dead interval timers, which causes the connection to flap during the failover.
B. The OSPF/BGP neighbors in question are not running in GR helper mode, which causes the adjacencies to flap.
C. The local SRX cluster devices have misconfigured OSPF/BGP hello/dead interval timers, which cause the connections to flap during the failover.
D. The local SRX cluster devices are not running in GR helper mode, which causes the adjacencies to flap.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: When a router is running graceful restart and the router stops sending and replying to protocol liveness messages (hellos), the adjacencies assume a graceful restart and begin running a timer to monitor the restarting router. During this interval, helper routers do not process an adjacency change for the router that they assume is restarting, but continue active routing with the rest of the network. The helper routers assume that the router can continue stateful forwarding based on the last preserved routing state during the restart. If the router was actually restarting and is back up before the graceful timer period expires in all of the helper routers, the helper routers provide the router with the routing table, topology table, or label table (depending on the protocol), exit the graceful period, and return to normal network routing.

Reference: http://www.juniper.net/techpubs/en_US/junos10.2/topics/concept/high-availability-features-in-junos-introducing.html

QUESTION 52
Click the Exhibit button.

You are configuring a hub-and-spoke VPN in your company network. Connectivity between the branches and company headquarters is not working.

Referring to the configuration excerpt shown in the exhibit, which statement is correct?

A. The st0 interface has a wrong interface type.
B. Static routes are missing that point to the remote branch sites.
C. The preshared keys between the branch sites and the headquarters do not match.
D. This VPN type is not supported with policy-based IPSec VPNs.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Policy-based VPNs are primarily used for simple site-to-site VPNs and for remote access VPNs. For hub-and-spoke topologies, route-based VPNs should be used.

QUESTION 53
You want to limit attacks on TCP ports.

Which two scans should you be concerned about? (Choose two)

A. TCP/IP scan
B. SYN scan
C. SYN/SYN scan
D. FIN/ACK scan

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to a defined number of different ports at the same destination IP address within a defined interval (5000 microseconds is the default). The purpose of this attack is to scan the available services in the hope that at least one port will respond, thus identifying a service to target.
Normally, TCP segments with the FIN flag set also have the ACK flag set (to acknowledge the previous packet received). Because a TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, there is no uniform response to this. One OS might respond by sending a TCP segment with the RST flag set; another might completely ignore it. The victim's response can provide the attacker with a clue as to its OS. (Other purposes for sending a TCP segment with the FIN flag set are to evade detection while performing address and port scans and to evade defenses on guard for a SYN flood by performing a FIN flood instead.)

QUESTION 54
Click the Exhibit button.

You want to verify a security flow on your SRX Series device.

Which statement is true regarding the output shown in the exhibit?

A. This output indicates interface-based source NAT.
B. The policy nat-security-policy denies traffic from 10.1.0.13 to 207.17.137.229.
C. This output indicates source NAT without port translation.
D. The "out" direction shows traffic egressing out of the firewall towards 207.17.137.229.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The client connects to the Web server 207.17.137.229. The reverse flow shows that the destination IP is changed from 10.1.0.13 to 172.19.101.42. This indicates that source NAT is in place.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/show-security-flow-session.html

QUESTION 55
Two high-end SRX Series devices are configured in a chassis cluster, but interchassis communication is problematic and intermittent. Node 0 has SPCs located in slots 1, 2, 5, and 10 and has IOCs located in slots 3 and 4. Node 1 has SPCs located in slots 13, 14, 18, and 22 and has IOCs located in slots 15 and 16.

What is causing the interchassis communication issues?

A. The IOCs must be placed in the first two slots on each node.
B. The SPCs must all be placed in consecutive slots on each node.
C. The IOC slots being used do not align between nodes.
D. The SPC slots being used do not align between nodes.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Both SRX devices are required to have the same number and location of SPCs and Network Processing Cards (NPCs). This is required because the SPUs talk to their peer SPU in the same FPC and PIC location.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 543.

QUESTION 56
Click the Exhibit button.

Which two statements are true based on the configuration shown in the exhibit? (Choose two)

A. All ICMP traffic without the ACK bit set from the untrust zone will be dropped.
B. All ICMP traffic larger than 65 KB from the untrust zone will be dropped.
C. All fragmented IP packets belonging to the same original packet that have differing offset and size values will be dropped.
D. All fragmented IP packets belonging to the same original packet that have matching offset and size values will be dropped.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: A grossly oversized ICMP packet can trigger a range of adverse system reactions such as denial of service (DoS), crashing, freezing, and rebooting. The ping-death command is used to protect against a ping of death attack. Teardrop attacks exploit the reassembly of fragmented IP packets. The ip tear-drop command enables protection against a Teardrop attack.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/id-12795.html

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/id-58971.html

QUESTION 57
Click the Exhibit button

In the exhibit, a chassis cluster is deployed in active/active mode. The chassis cluster control and fabric links are connected through 100 Mbps WAN connections. During peak data usage times the chassis cluster becomes disabled even though the rate of new connections through the cluster is relatively low.

What is the problem?

A. Control and fabric link WAN connections are not supported through a non-Ethernet-based technology. VPLS must be used instead.
B. Control link heartbeats are being lost during peak data usage times. The WAN connection that supports the control link must be upgraded to support greater bandwidth.
C. Fabric link probes are being lost during peak data usage times. The WAN connection that supports the fabric link must be upgraded to support greater bandwidth.
D. Latency across a WAN connection will always exceed the recommended 100 ms limit. The chassis cluster will always enter the disabled state during peak data usage.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: If the control link fails, Junos OS disables the secondary node to prevent the possibility of each node becoming primary for all redundancy groups, including redundancy group 0. A control link failure is defined as not receiving heartbeats over the control link while heartbeats are still received over the fabric link.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/chassis-cluster-control-link-failure-recovery-understanding.html

QUESTION 58
You are working at a service provider that offers only residential access to DSL subscribers. Your company has decided to make customer traffic subject to further inspection.

When you install a new IPS machine in the network, where should you place it?

A. as close as possible to the server farm that runs the company's Web and DNS servers
B. between the dual-homed upstream routers and the firewalls
C. as close to the B-RAS devices as possible
D. in the middle of the network

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: B-RAS devices concentrate the traffic from remote DSL subscribers, so the IPS machine should be placed as close to the B-RAS as possible.

QUESTION 59
Click the Exhibit button.

In the exhibit, you are configuring a flow trace of all packets for a TCP session initiated by the client to the server. The server's IP address is translated using static NAT. You want to use flow trace packet filters to limit the traffic viewed in your trace.

Which configuration specifies the correct filters?

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The correct answer matches source IP 1.1.1.100 and destination IP 1.1.1.30 in request packets, and source IP 192.168.224.30 and destination IP 10.1.1.100 in replies from the server.

QUESTION 60
You have correctly implemented a SIP Application Layer Gateway (ALG) on your company's SRX Series device to support SIP traffic on the network. However, after committing the configuration, users report that they are having problems making calls. Other traffic is properly flowing through the device, and calls that do not pass through the SRX Series device have no issues.

Which action will help identify the problem?

A. Configure trace options for the SIP Application Layer Gateway (ALG).
B. Configure the security policy to log SIP traffic events.
C. Configure trace options for the security policy.
D. Monitor traffic for the ingress interface, checking for SIP packet corruption.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: Troubleshooting this issue may be done by enabling the following traceoptions:

set security traceoptions file <filename> (e.g. sip-trace-detail)
set security traceoptions flag all
set security alg sip traceoptions flag all extensive
set security flow traceoptions file <filename>
set security flow traceoptions flag all
set security flow traceoptions packet-filter 1 source-port 5060
set security flow traceoptions packet-filter 1 destination-port 5060

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/id-83758.html

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21406&actp=search&viewlocale=en_US&searchid=1320325662928#

QUESTION 61
You want to source NAT all traffic initiated from Host A behind an SRX Series device to Server B. The internal transport address must be mapped to the same external transport address. Also, the external Server B must not communicate with the internal Host A using the NAT IP address/port unless the internal Host A has already communicated with the external Server B.

How do you enforce this set of criteria on the SRX Series device?

A. Configure port randomization and pool overloading for source NAT.
B. Configure pool overloading and persistent NAT for source NAT.
C. Turn off port randomization and configure persistent NAT for source NAT.
D. Turn off pool overloading and configure persistent NAT for source NAT.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: To keep the same transport address, PAT should be disabled using the "port no-translation" command.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296

QUESTION 62
Your company plans to increase the security level for VPNs in its network by using certificates instead of preshared keys. The company wants to introduce its own centrally administered certificate authority from which all device certificates will be derived. You have been asked to automate certificate enrollment, re-enrollment, and revocation.

How can you implement this?

A. Use self-signed certificates on each device and have copies stored centrally.
B. Contract out this problem to VeriSign to deliver a solution.
C. Roll out a certificate automation system that is based on SCEP.
D. Buy certificates that do not need to be renewed from Entrust.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: With Simple Certificate Enrollment Protocol (SCEP), you can configure your Juniper Networks device to obtain a certificate authority (CA) certificate online and start the online enrollment for the specified certificate ID. The CA public key verifies certificates from remote peers.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/task/configuration/certificate-digital-online-configuration-enabling.html

QUESTION 63
Your company is bringing a remote office online and is using an IPSec VPN to establish secure communication between the offices. The remote SRX Series device is receiving its IP address dynamically from the service provider.

Which VPN technique can you use on your remote office SRX device?

A. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use main mode.
B. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use aggressive mode.
C. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use aggressive mode.
D. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use main mode.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: When using site-to-site VPNs, the most common type of IKE identity is the IP address, assuming that the host has a static IP address. If the host does not have a static IP address, a hostname can be used. Aggressive mode is an alternative to main mode IPsec negotiation, and it is most common when building VPNs from client workstations to VPN gateways, where the client's IP address is neither known in advance nor fixed.

QUESTION 64
Click the Exhibit button.

The output shown in the exhibit is from an SRX Series device that is the hub in a hub-and-spoke VPN.

Which two statements are true regarding this output? (Choose two.)

A. NAT traversal is being used.
B. VPN monitoring has been enabled.
C. VPN monitoring has not been enabled.
D. The IKE SA has been successfully established.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation: The command show security ipsec security-associations does not report anything about NAT. The value of the Mon parameter shows that VPN monitoring is disabled. Here are the possible values of the Mon field:

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10090

QUESTION 65
Click the Exhibit button.

Referring to the exhibit, an IPSec tunnel is established between SRXA and SRXB. A GRE tunnel is established between router A and router B. Users in LANA can ping users in LANB; however, large FTP transfers are failing.

What is causing the problem?

A. The anti-replay service window size needs to be increased to 64.
B. SRXB is running in transport mode.
C. Fragmentation is not allowed on the IPSec tunnel.
D. GRE over IPSec is not supported.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Fragmentation is not allowed on the IPSec tunnel because the don't fragment (DF) bit is set. So packets with a size equal to the standard Ethernet MTU (1500 bytes) are dropped.
Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configuration-statement/clear-dont-fragment-bit-edit-service-set.html

QUESTION 66
You are asked to set up a multi-tenant configuration on your SRX Series device. Several remote branch locations are connected to the device. You will connect each remote site to a separate logical interface. You want to implement segmentation between the branch locations using security zones and routing-instances.

Which two statements are true? (Choose two.)

A. Multiple branch locations can be assigned to the same zone but different routing-instances.
B. Multiple branch locations can be assigned to the same routing-instance but different zones.
C. If you use the interfaces all configuration option under a zone, different interfaces in the same zone can be assigned to multiple routing instances.
D. If you use the interfaces all configuration option under a zone, different interfaces must be assigned to the same routing instance.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: If you connect each remote site to a separate logical interface, then multiple branch locations can be assigned to different zones. The SRX is different from an ordinary Junos router. On the SRX, interfaces don't just live in routing instances; they also live in security zones. All interfaces configured within the same security zone must also be configured within the same routing instance (a security zone cannot span more than one routing instance).

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 691

QUESTION 67
Click the Exhibit button.

You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between SRX Series devices. You notice the error in the log shown in the exhibit.

What are two possible causes for this problem? (Choose two.)

A. no route to 2.2.2.2
B. mismatched peer ID type
C. incorrect peer address
D. missing Phase 1 policy

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The message "unable to find phase-1 policy as remote peer:2.2.2.2 is not recognized" means that the responder did not recognize the incoming request as originating from a valid gateway peer. You have to confirm that the following IKE gateway configuration settings on the responder are correct:
The static IP address specified for the remote gateway is correct.
The peer ID specified for the remote gateway is correct.
The outgoing interface is correct.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101

QUESTION 68
In planning for your core data center's SRX5800 cluster software upgrade, minimal downtime is requested by your management team.

With a goal to achieve maximum uptime, how should you upgrade the SRX cluster?

A. Preload the software onto the SRX devices and then issue the following command at the same time on both SRX devices: request system software add <package-name> reboot
B. Use in-service software upgrade using the following command: request system software in-service-upgrade <package-name> reboot.
C. Preload the software onto the SRX devices and then issue the following command at the same time on both SRX devices: request system software add no-validate <package-name> reboot.
D. Use an in-service software upgrade using the following command: request system software in-service upgrade <package-name> restart.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The in-service software upgrade (ISSU) feature allows a chassis cluster pair to be upgraded or downgraded from supported JUNOS versions with a traffic impact similar to that of redundancy group failovers. Before upgrading, you should perform failovers so that all redundancy groups are active on only one device. It is recommended that routing protocol graceful restart be enabled prior to initiating an ISSU.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/request-system-software-in-service-upgrade.html

QUESTION 69
A site-to-site VPN is configured between satellite offices and headquarters using a digital certificate from a neutral party. Once the VPN is up and stable, the certificate issued by the neutral party is revoked. The next-update time is not contained in the CRL.

Which two actions should you take to ensure that the SRX Series device renegotiates the VPN faster? (Choose two.)

A. Configure the SRX Series device with refresh-interval.
B. Wait for the default timer to expire; the device will then renegotiate the VPN tunnel.
C. Specify a URL to retrieve the CRL using HTTP or LDAP.
D. Configure the next-update time in the CRL.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The refresh interval specifies the frequency (in hours) at which to update the CRL. The default value is the next-update time in the CRL, or 1 week if no next-update time is specified. By default, the location (URL) from which to retrieve the CRL (HTTP or LDAP) is empty, and the CDP information embedded in the CA certificate is used. To set the URL, the following command may be used (example):

set security pki ca-profile ms-ca revocation-check crl url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl

Reference: http://www.juniper.net/techpubs/en_US/junos11.3/topics/example/pki-example-pki-in-junos-configuring.html

QUESTION 70
Click the Exhibit button.

You configured a security policy with an address book entry using a DNS name. Traffic matching the security policy for the DNS name is being dropped.

Referring to the exhibit, what is the cause?

A. The domain name must be configured as www.juniper.net.
B. The security policy is missing the junos-dns application.
C. The destination address configuration must also include an IP address.
D. The domain name has not been resolved by DNS.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: One of the requirements for configuring an address book with dns-name entries is "Configure Domain Name System (DNS) services", without which the domain name cannot be resolved.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/zone-address-book-configuring-cli.html

Exam B

QUESTION 1
An attacker from IP address 1.1.1.2 is filling your SRX Series device's session table with TCP sessions that have all completed a legitimate three-way handshake.

What will help throttle the attack?

A. syn-flood destination-threshold
B. syn-ack-ack-proxy
C. limit-session destination-ip-based
D. limit-session source-ip-based

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The limit-session source-ip-based command is used to limit the number of concurrent sessions the device can initiate from a single source IP address.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security94/junos-security-cli-reference/limit-session.html

QUESTION 2
You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through routing-instance Juniper2, without sharing all the routes between the two instances. You have configured policy-statement move_routes with a route-filter to accept the 2.2.2.2 route. You have created rib-group Group1 and applied it under routing-instance Juniper2.

Which rib-group configuration will accomplish this?

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: We have to import only one route from Juniper2.inet.0 to Juniper1.inet.0, so we have to use import-policy move_routes to filter out the other routes during the import. We also have to import into the Juniper1.inet.0 table, so we have to select the option with "import Juniper1.inet.0".

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-cli-reference/jd0e34855.html

QUESTION 3
A SYN packet traverses an SRX Series device and a session is created. When the return SYN-ACK packet arrives at the SRX, the original interface on which the SYN packet arrived is down. However, an alternate route exists through another interface in a different zone. no-syn-check is not configured on the device.

What will happen to the return packet?

A. The packet will be dropped.
B. The packet will be dropped with an ICMP message being sent back to the originating device.
C. The packet will match the existing session and will be forwarded to the destination device.
D. A new session will be created and the packet will be forwarded to the destination device.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: As the alternate route exists through an interface in a different zone, the SYN-ACK packet will be dropped.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=search&viewlocale=en_US&searchid=1320415514489#

QUESTION 4
A security analyst at your company wants to make sure packets coming from the Internet accessing your public Web servers are protected from HTTP packets that do not meet standards.

Which attack object will protect your infrastructure from nonstandard packets?

A. signature attack objects
B. compound protocol attack objects
C. protocol anomaly attack objects
D. the HTTP anomaly screen

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Protocol anomaly attack objects are predefined objects developed by the Juniper Security Team to detect activity that is outside the bounds of a protocol. Typically, the enforcement for what is considered acceptable behavior for a protocol is based on an RFC specification, or on a manufacturer specification if there is no RFC.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 404

QUESTION 5
You want to deploy an SRX Series cluster for a distributed data center between two remote locations. The carrier will provide you with dark fiber capable of the following: a 100 km reach, 125 ms propagation delay, and a packet loss of 1 out of 10,000,000 packets. You plan to connect the fiber directly to the SRX Series devices without any switches in between, and you plan to configure the SRX Series devices with a straightforward cluster configuration. One of the NOC engineers expresses doubts that this design will work.

How do you respond?

A. You explain that everything will work as expected.
B. You agree to install switches in between the SRX Series clusters in both sites for increased availability of the network.
C. You agree with the argument that dark fiber is not the best choice and choose a managed SDH/SONET solution, running Ethernet over SDH/SONET.
D. You agree with the NOC engineer that the heartbeat interval timers for the cluster must be adjusted to accommodate the 125 ms delay.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: JUNOS Software transmits heartbeat signals over the control link at a configured interval. The system uses heartbeat transmissions to determine the "health" of the control link. If the number of missed heartbeats has reached the configured threshold, the system assesses whether a failure condition exists. You specify the heartbeat threshold and heartbeat interval when you configure the chassis cluster. In a chassis cluster configuration on an SRX100, SRX210, SRX240, or SRX650 device, the default values of the heartbeat-threshold and heartbeat-interval options in the [edit chassis cluster] hierarchy are 8 beats and 2000 ms respectively. These values cannot be changed on these devices.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-43696.html?searchid=1320415514489

http://www.juniper.net/techpubs/en_US/junos10.2/information-products/topic-collections/release-notes/10.2/topic-45729.html?searchid=1320415514489

QUESTION 6
A site-to-site VPN is configured between the main office and a remote office. An administrator wants to keep track of the VPN tunnel.

Which feature is used to verify that the VPN tunnel is up even if user traffic is not passing through it?

A. Dead peer detection sending ICMP packets
B. VPN monitoring sending ICMP packets
C. VPN monitoring sending UDP packets
D. Dead peer detection sending UDP packets

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The command set security ipsec vpn-monitor-options interval 15 threshold 15 is used to monitor the VPN by sending Internet Control Message Protocol (ICMP) requests to the peer every 15 seconds, and to declare the peer unreachable after 15 unsuccessful pings.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/id-84923.html?searchid=1320423410978

http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-40793.html?searchid=1320423410978

QUESTION 7
You want to add a dynamic VPN to your SRX650. This dynamic VPN must be able to support five users at the same time.

What are two primary requirements? (Choose two.)

A. You must use a policy-based VPN.
B. You must use a route-based VPN.
C. You must install the proper licenses.
D. You must configure local client authentication.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The SRX only supports Dynamic VPN, which has an embedded client. For that it must be policy-based, because for a client-based VPN the SRX will be specifically looking for this tunnel policy. So this cannot work as a route-based VPN. Dynamic VPN is a licensed feature. By default, a two-user evaluation license is provided free of cost on the SRX devices, and it does not expire. In cases where more than two users need to connect concurrently, a license is required. These are available as 5, 10, 25, and 50 user licenses.

Reference:

http://forums.juniper.net/t5/SRX-Services-Gateway/dialup-vpn-over-route-based-vpn/m-p/90610

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436&actp=search&viewlocale=en_US&searchid=1320423410978#

QUESTION 8
What can cause a node in an SRX Series chassis cluster to be in the disabled state?

A. The primary node loses all power.
B. Both the control and fabric links between the two nodes go down at the same time.
C. The number of missed heartbeats reaches the configured threshold.
D. The backup node is configured to go into a disabled state until the active node has a failure.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: JUNOS Software transmits heartbeat signals over the control link at a configured interval. The system uses heartbeat transmissions to determine the "health" of the control link. If the number of missed heartbeats has reached the configured threshold, the system assesses whether a failure condition exists. For a chassis cluster with one control link, if the control link goes down, all redundancy groups on the secondary node go to the ineligible state and eventually to the disabled state.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15421&actp=search&viewlocale=en_US&searchid=1320424816614#

http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-43696.html

QUESTION 9
Click the Exhibit button.

Referring to the exhibit, what happens when the source pool is exhausted?

A. Traffic is forwarded with the translated source as the egress interface.
B. Traffic is dropped.
C. Traffic is forwarded without port translation.
D. Traffic is forwarded without translation.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: When a given pool is exhausted, it may then reference a completely different overflow-pool for additional translations. If the interface keyword is used with overflow-pool, then the egress interface's IP address is used for NAT and PAT.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e81039.html?searchid=1320424816614

QUESTION 10
Click the Exhibit button.

A junior member of the network team has set up a new VPN tunnel using a PKI certificate and is unable to establish the tunnel. After troubleshooting the problem and confirming that the proposals and encryption algorithms match on both sides, they ask you for help.

Referring to the exhibit, what is the cause of this problem?

A. The authentication method must be changed to pre-shared-keys to make use of the PKI certificate.
B. The proposal set is missing, which will cause the VPN tunnel to not establish.
C. PKI-based VPN tunnels cannot use main mode; aggressive mode must be used.
D. There is no trusted CA configured, which is required for PKI-based tunnels.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Trusted-ca specifies the preferred certificate authority (CA) to use when requesting a certificate from the peer. If no value is specified, then no certificate request is sent.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e104424.html?searchid=1320424816614

QUESTION 11
You initiated the download of the attack database. The system indicates that it will run asynchronously and returns you to a command prompt in the CLI. You want to know if the download has completed.

Which command do you run to confirm this?

A. request security idp security-package install status
B. request system software idp security-package download status
C. request security idp security-package download status
D. request security idp security-package install

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The "request security idp security-package download status" command is used to verify the download status.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 434

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15806&actp=search&viewlocale=en_US&searchid=1320424816614#

QUESTION 12
Click the Exhibit button.

In the exhibit, Node 0 had primacy of RG 1 until interface ge-0/0/1 failed. Upon restoration of interface ge-0/0/1, Node 1 retained primacy for RG 1.

What will allow Node 0 to regain primacy of RG 1?

A. Add the preempt parameter.
B. Add the acquire parameter.
C. Increase the gratuitous ARP threshold.
D. Decrease the hold-down interval.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The preempt command enables chassis cluster node preemption within a redundancy group. If preempt is added to a redundancy group configuration, the device with the higher priority in the group can initiate a failover to become master. By default, preemption is disabled.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e11037.html?searchid=1320424816614

QUESTION 13
You have been asked to implement a hub-and-spoke IPSec VPN in a multi-vendor environment where the spoke devices are not always Junos devices.

Which statement is correct?

A. The next-hop tunnel bindings are not needed for a non-Junos spoke device.
B. The next-hop tunnel bindings are created automatically for all spoke devices.
C. You must manually configure the next-hop tunnel bindings for all non-Junos spoke devices.
D. You must manually configure the next-hop tunnel bindings for all spoke devices.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The hub device uses the IP address of the remote peer's st0 interface as the next-hop. You can enter the static route manually, or you can allow a dynamic routing protocol such as OSPF to automatically enter the route referencing the peer's st0 interface IP address as the next-hop in the route table. The same IP address must also be entered as the next hop, along with the appropriate IPSec VPN name, in the NHTB table. In this way the route and NHTB tables are linked. Regarding the NHTB table, there are two options: you can either enter the next hop manually, or you can allow the J Series or SRX Series device to obtain it automatically from the remote peer during Phase 2 negotiations using the NOTIFY_NS_NHTB_INFORM message. Note that this functionality currently only applies if both peers are J Series or SRX Series devices running JUNOS.

Reference: http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Multipoint_VPN_with_NHTB_12.pdf

QUESTION 14
You have a VoIP application that requires external sessions to be initiated into your environment. The internal host has previously sent a packet to the external VoIP application's reflexive transport address.

Which parameter would be enabled for this solution?

A. persistent-nat all-remote-host
B. persistent-nat target-host-port
C. persistent-nat target-host
D. persistent-nat any-remote-host

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: You can configure three persistent NAT types on the SRX device. With all three types, all requests from a specific internal IP address and port are mapped to the same external address. Differences exist between the three types.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST

QUESTION 15
An IPSec tunnel has just gone down in your network and you have been asked to troubleshoot and resolve the issue.

Which three reasons might be the cause of this issue? (Choose three.)

A. network connectivity issues


B. encapsulation mismatches
C. identical preshared keys
D. MTU mismatch on tunnel endpoints
E. authentication mismatches

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21899&actp=search&viewlocale=en_US&searchid=1320424816614#

QUESTION 16
Bandwidth utilization has significantly increased recently on the SRX3600 connecting your company to the Internet. You have decided to enable the Application Tracking feature on the device to provide visibility into the volume of the different applications passing through.

Where in the configuration is Application Tracking applied?

A. interfaces
B. zone
C. routing instances
D. globally

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Application tracking is configured per zone, in the security-zone section under security zones.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45953.html?searchid=1320424816614

QUESTION 17
You have been asked to troubleshoot a VoIP connectivity problem that occurs every time the IPsec VPN tunnel drops. The SRX Series device has a default route to the Internet and receives a more specific route for the VoIP server over the IPsec tunnel using OSPF. Every time the tunnel drops, when the tunnel re-establishes, the NOC must manually clear the sessions on the SRX device for these VoIP sessions to work again.

What can you do to resolve this problem?

A. Configure the route change timeout value under the flow options.
B. Configure OSPF to advertise the default route to the SRX device.
C. Write security policies bidirectionally so either side can initiate traffic.
D. Configure the IPsec tunnels to establish tunnels immediately.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: The session with incorrect route information needs to be deleted in a timely fashion. To do this there is a flow command in the firewall:

set flow route-change-timeout <seconds>

This is the command to time out the sessions which are affected by a route change. The sessions can time out with this setting instead of waiting for the session's own timeout. Because this value is shorter than the original timeout, it clears the session before the actual timeout.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB13637&actp=search&viewlocale=en_US&searchid=1320424816614#

QUESTION 18
You need to establish a new point-to-point IPsec VPN to a recently acquired remote site. The remote site is currently using the same network space with many overlapping IP addresses. You have been asked to implement an interim solution until there is time to migrate the remote site to a different network space.

Which solution accomplishes this task?

A. Implement source NAT on the remote gateway device.
B. Implement destination NAT on the local gateway device.
C. Implement static NAT on the local gateway device.
D. Implement static NAT on both gateway devices.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Because both networks use the same internal IP addressing, it is not possible to simply build a tunnel between the two sites. However, if the tunnel endpoints on both sides are Juniper services routers, it is possible to configure a tunnel between these sites with an advanced configuration using NAT. It is important to understand this basic routing dilemma. If a host is attached to a network, say 10.0.0.0/24, and the other device on the remote end is attached to a network using the same IP address subnet, it is not possible to build a tunnel and route the traffic to the other device without some sort of address translation. This is because all packets are routed based on the destination IP address. Before routing occurs, a determination must be made as to whether the destination IP is on the same (local) network or not. If the destination IP is on the same network, say 10.0.0.10, the destination device is found using Address Resolution Protocol (ARP). However, if the destination IP resides on a different network, the packet is sent to the next-hop router based on the device's routing table. Because both the local and remote networks share the same IP addressing scheme, the packets will be handled locally and never route to the VPN tunnel. To work around this, we can perform static NAT on the source IP and destination IP of all traffic destined for the remote network at the other end of the tunnel. For this reason, a route-based approach to IPsec VPNs makes sense, because the creation of a "virtual" network interface on each services router by way of a "secure tunnel" or "st0" interface is required. It is important to note that in this case both source and destination addresses are translated as the packet traverses the VPN tunnel to the end host. Thus the services routers at each end of the tunnel must contact each other using a newly created IP network.

Reference: http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/JSRX_VPN_with_Overlapping_Subnetsv2_0.pdf

QUESTION 19
Click the Exhibit button.

Host A and Server B must each be able to initiate traffic to each other. Server B does not have a route to the 1.1.1.0/24 network; it can send traffic only to IP addresses in the 2.1.1.0/24 network.

Which NAT type will you configure to achieve this communication using the SRX Series device?

A. Configure a source NAT that maps 1.1.1.1 to 2.1.1.100.
B. Configure a destination NAT that maps 2.1.1.100 to 1.1.1.1.
C. Configure a static NAT that maps 1.1.1.1 to 2.1.1.100.
D. Configure a static NAT that maps 1.1.1.1 to 2.1.1.200.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction (2.1.1.100 to 1.1.1.1 for IP packets going from Server B to Host A) and source IP address translation in the reverse direction (1.1.1.1 to 2.1.1.100 for packets going from Host A to Server B). From the NAT device, the original destination address is the virtual host IP address while the mapped-to address is the real host IP address. Static NAT allows connections to be originated from either side of the network, but translation is limited to one-to-one or between blocks of addresses of the same size. For each private address, a public address must be allocated. No address pools are necessary.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-42805.html

QUESTION 20
You notice an unusual increase in activity in your network. You investigate by reviewing logs and analyzing traffic flows. In your analysis, you identify a remote host that is sending traffic to your network with random TCP flags set, including URG, PSH, ACK, and FIN.

What is the attacker doing with these packets?

A. The attacker is attempting a TCP random flag attack.
B. The attacker is attempting a TCP overflow attack.
C. The attacker is running an XMAS tree scan.
D. The attacker is running an idle scan.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

Reference: http://en.wikipedia.org/wiki/Christmas_tree_packet

QUESTION 21
Your company is bringing a remote office online and will use VPN connectivity for access to resources between offices. The remote SRX Series device has an IP address, which it obtained dynamically from a service provider.

Which VPN technique can be used on your remote office SRX Series device?

A. Configure the head office to allow promiscuous VPN connections and disable the use of IKE peer identities.
B. Use the main-mode IKE exchange method in combination with a transport-mode tunnel.
C. Use a certificate authority for IKE Phase 2 authentication.
D. Use a fully qualified domain name (FQDN) as the IKE identity and configure IKE to use aggressive mode.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: When using site-to-site VPNs, the most common type of IKE identity is the IP address, assuming that the host has a static IP address. If the host does not have a static IP address, a hostname or FQDN can be used. Also, a dynamic IP address requires the use of aggressive mode (unprotected IKE identities).

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 261.

QUESTION 22
You have a branch location connected to a virtual-router type of routing-instance. To provide Internet access, one requirement is to provide connectivity to an interface and its direct route, which belongs to the default inet.0 routing-instance.

Which statement is true?

A. The scenario is not possible; the interfaces must both be in the same routing-instance.
B. You must configure a non-forwarding routing-instance.
C. You must configure interface-routes with a share rib-group.
D. You must configure a policy in the forwarding-options configuration hierarchy.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: You have to import the interface routes from the inet.0 table into the routing-instance. This is done by configuring the routing-options interface-routes rib-group command.

Reference: http://www.juniper.net/techpubs/en_US/junos10.3/topics/reference/configuration-statement/rib-group-edit-routing-options.html?searchid=1320424816614

QUESTION 23
Click the Exhibit button.

The client is downloading a file from the FTP server. The FTP control channel is established using a security policy named trust-to-untrust.

Referring to the exhibit, which two statements are correct from the output showing the data channel? (Choose two.)

A. Active FTP is being used to establish the data channel.
B. The client is using passive FTP to establish the data channel.
C. The FTP ALG has opened a pinhole for the return traffic.
D. The FTP ALG is not being used in the security policy.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: The client is using passive FTP to establish the data channel (active FTP uses port 20 and the reverse direction). There is no need to open a pinhole for return traffic, as both sessions are initiated by the client.

Reference: http://slacksite.com/other/ftp.html

QUESTION 24
You have configured your SRX Series device with two route-based VPNs for the same destination network. Remote SRX Series device A's route has a preference of 5 and remote SRX Series device B has a preference of 10. Users complain they cannot reach the networks through the VPN tunnel. You verify the VPN's status and discover that the IKE Phase 1 and Phase 2 security associations are active, but the remote networks are not reachable.

Which SRX VPN feature would you use to cause the route-based VPN with preference 10 to be used?


A. Configure the dead peer detection feature.
B. Configure the vpn-monitor feature.
C. Configure the establish-tunnels-immediately option.
D. Configure the IPsec security association lifetime to a lower value.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: One issue with DPD is that it doesn't necessarily mean the underlying VPN is up and running, just that the peer is up and responding. VPN monitoring is not an IPsec standard feature, but it utilizes Internet Control Message Protocol (ICMP) to determine if the VPN is up. VPN monitoring allows the SRX to send ICMP traffic either to the peer gateway or to another destination on the other end of the tunnel (such as a server), along with specifying the source IP address of the ICMP traffic. If the ICMP traffic fails, the VPN is considered down.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 269.

QUESTION 25
Click the Exhibit button.

You created the IPS policy displayed in the exhibit and find that the policy is not being used to inspect traffic.

What must you do to activate the policy?

A. You must import and activate the IPS signature database to the SRX Series device.
B. You must run the set security idp active-policy base-policy command and commit the configuration.
C. You must run the set security idp activate base-policy command and commit the configuration.
D. You must use the commit activate-ips command to recompile the IPS rule base.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: A new policy must be activated with the set security idp active-policy base-policy command, followed by a commit.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42460.html?searchid=1320438879836

QUESTION 26
In the sequence of IPS inspection steps, protocol anomaly detection is performed after which step?

A. after fragments are reassembled
B. after packets in sessions are tracked
C. after applications and decode protocols are identified
D. after packet signatures are checked

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Anomaly detection can be performed only after the application and protocol have been identified.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42473.html

http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42478.html?searchid=1320438879836

QUESTION 27
You have configured persistent NAT in your NAT rule base. You create a security policy in the direction of external to internal.

Which persistent NAT parameter should you configure?

A. all-remote-host
B. target-host
C. any-remote-host
D. target-host-port

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The following types of persistent NAT can be configured on the Juniper Networks device:

* Any remote host--All requests from a specific internal IP address and port are mapped to the same reflexive transport address. Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

* Target host--All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host's IP address.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/security/junos-security-swconfig-security.pdf

QUESTION 28
You have implemented a chassis cluster that spans a Layer 2 network between two office campuses. You are using dual fabric links. Some of the RTOs are getting lost.

What are two reasons why this happens? (Choose two.)

A. The switches interconnecting the fabric links do not support jumbo frames.
B. The switches are not configured with the proper VLAN tags used by RTO traffic.
C. The Layer 2 network contains 10 Gigabit links.
D. There is a 500 millisecond latency between the SRX Series devices.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation: If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the corresponding switch ports. If both of the fabric links are connected through the same switch, the RTO-and-probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN. Here too, the jumbo frame feature must be enabled on the corresponding switch ports.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabric-configuring-cli.html

QUESTION 29
Your company recently acquired another company. During a site visit and network audit, you recognize that the acquired company's private network address space overlaps with yours. You will eventually merge the networks, but for the moment, you must make communication between the networks work over the Internet as a first step toward the migration.

What should you do to meet the requirements?

A. Use source NAT to deliver the necessary translations between private and public networks.
B. Implement a static NAT at one site.
C. Implement double NAT on both sites' public network-facing routers.
D. Migrate to multicast.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Double NAT occurs when both the source IP address and destination IP address leave the translating system changed. Double NAT is commonly used for merging two networks with overlapping address space. This has become an increasingly common scenario as more organizations have moved to using RFC 1918 private address space for their internal addressing in an effort to overcome public IPv4 address exhaustion. When these organizations merge, they are left with overlapping RFC 1918 addressing. In these cases, double NAT must be leveraged until systems can be readdressed.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 243.

QUESTION 30
What is a NULL scan attack and how can you minimize its effects?

A. A NULL scan attack consists of a series of packets that have source port 0 and various destination ports set. This attack can be minimized using set security screen ids-option my-screen tcp-no-null and udp-no-null.

B. A NULL scan attack is an attack targeting port 0 of the remote device's TCP/IP stack. This attack can be minimized using set security idp sensor-configuration flow no-allow-tcp without-flow.

C. A NULL scan attack uses TCP packets with no flags set. This attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.

D. A NULL attack makes use of UDP packets that contain only null characters in their payload. This attack can be minimized using a stateless firewall filter.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. In a production environment, there will never be a TCP packet that doesn't contain a flag. Because the Null Scan does not contain any set flags, it can sometimes penetrate firewalls and edge routers that filter incoming packets with particular flags. A Null scan attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-cli-reference/jd0e98530.html?searchid=1320438879836

QUESTION 31
Click the Exhibit button.

You have been asked to configure a virtual-router routing-instance for a group of internal users. To grant the internal users Internet access, you create a static route for all unknown traffic to be routed to the main instance inet.0 table, as shown in the exhibit.


What is required for the return traffic from the Internet to be allowed back through the SRX?

A. You must configure a rib-group to move routes from the Juniper routing-instance route table into the inet.0 table for the return traffic to be routed back through.
B. The return traffic uses fast path processing to bypass routing in the inet.0 routing table.
C. You must configure a group to move routes from the inet.0 table into the Juniper routing-instance route table for the return traffic to be routed back through.
D. The return traffic uses first packet processing to bypass routing in the inet.0 routing table.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation: Without exporting routes from the routing-instance Juniper to inet.0, traffic from the Internet to the networks in routing-instance Juniper is dropped. When a packet enters the SRX, the flow daemon (flowd) performs a session lookup. It does this to see whether the packet is already part of an existing session. If the packet is part of an existing session, it takes what is referred to as the fast path. If it is not found to be part of an existing session, it goes down the slow path.

The fast path has fewer steps involved in checking the packet, and as a result, it is much faster at processing the packet.

Reference: http://www.juniper.net/techpubs/en_US/junos11.3/topics/reference/configuration-statement/rib-groups-edit-routing-options.html

QUESTION 32
Your company provides a managed network service for its customers. Two of your customers have merged and want to have the same configurations and firewalls. However, they must use their legacy Internet connections. As a result, you need 172.27.0.0/24 to go to ISP A and 172.25.0.0/24 to go to ISP B.

Which filter-based forwarding configuration will work for these two customers?


A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Option D is selected because it forwards traffic sourced from 172.27.0.0/24 to routing-instance ISP-A and traffic sourced from 172.25.0.0/24 to routing-instance ISP-B.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=search&viewlocale=en_US&searchid=1320488885905#

QUESTION 33
Which two make up the context of an IPS attack signature? (Choose two.)

A. service binding
B. application
C. scope
D. application subset

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: To aid in the accuracy and performance of IPS inspection, the SRX uses a concept called contexts to match an attack in the specific place where it occurs in the application protocol. This helps to ensure that performance is optimized by not searching for attacks where they would not occur, and it limits false positives.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 405.

QUESTION 34
Which component can you use to find an attack for traffic that uses a nonstandard service?

A. last packet
B. ToS markings
C. first packet
D. last data packet

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Juniper Networks provides predefined application signatures that detect Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications running on nonstandard ports. Identifying these applications allows Intrusion Detection and Prevention (IDP) to apply appropriate attack objects to applications running on nonstandard ports. The application signatures identify an application by matching patterns in the first packet of a session.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42381.html?searchid=1320488885905

QUESTION 35
Click the Exhibit button.

You are asked to help troubleshoot new connectivity to a server on your network. The system administrator is receiving user requests and confirms that the responses are being sent out. However, the user never sees the response packet and suspects the firewall is dropping them. You configure a basic data path trace option and confirm you see the return data but it is being dropped.

Referring to the exhibit, why is the traffic being dropped?

A. The server is changing the ports, causing the session to be treated as a new session, and it is being dropped.
B. The sessions are stale and must be cleared manually.
C. The traffic is failing a route lookup.
D. The traffic is routing asymmetrically.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: Asymmetric return traffic can pass a zone-based firewall only if the outgoing interface is in the same zone.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=search&viewlocale=en_US&searchid=1320415514489#

QUESTION 36
You loaded the attack database on your SRX device, but it must be installed.

Which command statement installs the attack database?

A. request system security-package add /var/tmp/idp.tar.tgz
B. request security idp security-package install
C. request security idp security-package install package
D. request security idp security-package install database

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The command request security idp security-package install is used to install the signature database onto the control plane and data plane.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15806&actp=search&viewlocale=en_US&searchid=1320424816614

QUESTION 37
A user residing in the trust zone of the SRX Series device cannot access a Web page hosted on a server in the DMZ zone. You verify that an active security policy exists on the SRX device that allows the user's PC to access the Web server with the application HTTP. However, you do not see the security policy access counter increment, nor do you see any information in the log file associated with the security policy.

What is causing the problem?

A. A security policy exists further down the list that is denying the user access to Web server traffic.
B. No route exists on the SRX device to the destination server.
C. A firewall filter is applied to the egress interface.
D. The policy rematch option is disabled for the session configuration.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Without a correct route to the Web server in the DMZ zone, the packet is dropped at the route lookup, before any security policy is evaluated, so the policy counter and log are never touched.

QUESTION 38
You have configured persistent NAT with the default inactivity timeout. All of the sessions of a persistent NAT binding have expired.

How long will the binding remain in the SRX Series device's memory?

A. 30 seconds
B. 120 seconds
C. 300 seconds
D. 360 seconds

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: The inactivity-timeout option defines how long a persistent NAT mapping will remain in the persistent NAT table. The value is defined in increments of seconds from a minimum of one minute to a maximum of two hours. The default is five minutes.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 224.

QUESTION 39
Click the Exhibit button.

Referring to the exhibit, which type of NAT is implemented?

A. persistent NAT
B. double NAT
C. destination NAT
D. source NAT

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: Double NAT occurs when both the source IP address and destination IP address leave the translating system changed. Double NAT is commonly used for merging two networks with overlapping address space.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 243.

QUESTION 40
You are configuring a hub-and-spoke VPN topology between an SRX Series device deployed at the hub site and several devices at spoke sites. You have configured all the settings to establish the tunnel, but the IPsec SA has not yet been established; all configured proposals and policies match on both sides.

Which three actions can you perform to establish the IPsec SA between the hub and spoke sites? (Choose three.)

A. Enable VPN monitoring
B. Initiate traffic from the spoke site to the hub site
C. Configure the tunnel to establish immediately
D. Configure dead peer detection
E. Initiate traffic from the hub site to the spoke site

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation: The VPN can be established immediately when the configuration is applied (and subsequently whenever the VPN expires), or it can be established on-traffic when there is user data traffic. By default, VPNs are established on-traffic.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 296.

QUESTION 41
Your company has decided to enable IPv6 in its corporate network. All core network elements are already enabled. You have completed the configuration of the SRX Series cluster. All tests are running well and no issues have been found. The IT department decides to increase the MTU on the access switches and the workstations to 9000; everything else will continue using the standard settings.

Which statement is correct about how the SRX chassis cluster will handle all these packets?

A. It drops all IPv4 and IPv6 packets.
B. It fragments all IPv4 packets as well as the IPv6 packets; no issues are expected.
C. It fragments all IPv4 packets without the DF bit set and drops all IPv6 packets, sending an ICMP message back to the sender.
D. This configuration will not work unless you run the SRX Series device in Layer 2 mode only.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: For IPv4 Internet Control Message Protocol (IPv4 ICMP), if a node within the path between a source node and a destination node receives a packet that is larger than its MTU size, it can fragment the packet and transmit the resulting smaller packets. For IPv6, only a source node (the node that sent the packet) can fragment a packet, and this is done to accommodate a path MTU size-adjustment requirement. Nodes along the path of a packet cannot fragment the packet to transmit it.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45354.html?searchid=1320499651998

QUESTION 42
You have set up a chassis cluster in an active-active state. While monitoring the fabric link during a failover scenario, you noticed the utilization is higher than expected.

What are two possible causes of the higher utilization? (Choose two)

A. An upstream link failure has resulted in Internet-bound traffic ingressing the primary node and egressing the secondary node.
B. The failover from the primary node to the secondary node has resulted in increased heartbeat and RTO traffic.
C. A LAN interface failure has resulted in Internet-bound traffic ingressing the secondary node and egressing the primary node.
D. The failover from the primary node to the secondary node has resulted in a graceful restart scenario in which all traffic must use the fabric link.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The control plane software operates in active/backup mode. When configured as a chassis cluster, the two nodes back up each other, with one node acting as the primary device and the other as the secondary device, ensuring stateful failover of processes and services in the event of system or hardware failure. If the primary device fails, the secondary device takes over processing of traffic.

The data plane software operates in active/active mode. In a chassis cluster, session information is updated as traffic traverses either device and this information is transmitted between the nodes over the fabric link to guarantee that established sessions are not dropped when a failover occurs. In active/active mode, it is possible for traffic to ingress the cluster on one node and egress from the other node.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/junos-security-swconfig-security.pdf, p. 779

QUESTION 43
Your network engineering department has decided another SRX cluster is needed for additional capacity and DMZ segments. After installing the new cluster on the same VLANs, network segment customers are reporting intermittent loss of service. Upon investigating the problem, you have confirmed that there are no IP address conflicts.

What is causing the problem?

A. The two SRX clusters are competing for primary RE1 status and the traffic keeps failing over between the two clusters.
B. The two SRX clusters have been configured with matching cluster IDs and as a result have conflicting MAC addresses.
C. The two SRX clusters are flooding the network with gratuitous ARPs and overloading the directly connected switches.
D. The two SRX clusters are competing for primary RE0 status and traffic keeps failing over between the two clusters.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: The cluster ID is used when determining Media Access Control (MAC) addresses for the redundant Ethernet interfaces.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 545.

QUESTION 44
When fragmented traffic is processed by the IPS engine, two steps are performed. First, the IPS engine identifies IP fragments.

What is the second step?

A. detecting fragment chains
B. checking fragments for overlaps, duplicates, or fragmented packets of the wrong length
C. reassembling packets and serializing them in the correct order for further inspection
D. checking a TCP packet's length and TTL

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: For further processing, the fragments of an IP packet must be reassembled and serialized.

QUESTION 45
Click the Exhibit button.

Referring to the exhibit, Company A and Company B are using the same IP address space.

Which NAT configuration allows device A and device B to communicate?


A. Option A
B. Option B
C. Option C
D. Option D


Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation: To handle this situation, double NAT is required. First you create two one-to-one mappings for translation of destination IPs:

10.1.1.0/24 to 172.31.1.0/24 for packets that go from Company B to Company A, and 10.1.1.0/24 to 172.31.2.0/24 for packets that go from Company A to Company B.

Then on each router you create destination address translation for packets coming from the untrusted zone.

QUESTION 46
You administer an SRX5600 to which several customer networks are attached. Each customer network terminates in a virtual routing-instance. You have been asked to direct traffic sourced from a specific prefix in one routing-instance to another routing-instance. The affected traffic enters the SRX5600 on one physical interface.

Which method can accomplish this objective?

A. Use a stateless firewall on the interface to forward traffic to the other routing-instance.
B. Use a routing policy on the interface to forward traffic to the other routing-instance.
C. Use a security policy on the zone to forward traffic to the other routing-instance.
D. Use a forwarding rule on the interface to forward traffic to the other routing-instance.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: You configure a firewall filter that matches the source address and then forwards the matched traffic to the required routing-instance.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 694.

QUESTION 47
You have many security policies configured using the predefined junos-ftp application. You create a new application named my-ftp for FTP traffic, but you do not want the FTP ALG to be used.

Which command should you use to disable the FTP ALG only for the application my-ftp?

A. set applications my-ftp application-protocol ftp ignore
B. set applications application my-ftp application-protocol ignore
C. set security alg ftp disable
D. set applications application my-ftp application-protocol ftp ignore

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:


QUESTION 48
You are troubleshooting a problem with a chassis cluster, and you issue the show log jsrpd command.

What information would be helpful in the generated output? (Choose two)

A. The output displays fabric link status information, including details such as jitter and when a link goes up and down.
B. The output displays node-to-node tunneling status information, including details such as tunnel negotiations and endpoint discovery information.
C. The output displays authentication error conditions for reth interfaces, including details used for link aggregation negotiations and member interface status.
D. The output displays redundancy group status information, including details such as node primacy or redundancy group failover reasons.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation: The data link uses jsrpd heartbeat messages to validate that the path is up and is actively working. The jsrpd process detects a change in chassis cluster redundancy mode.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/syslog-messages/syslog-messages.pdf

QUESTION 49
You are having problems with SYN flood attacks against your network. You administered the TCP syn-flood options on your SRX device to block these attacks, but internal hosts are still seeing floods that fall just under the threshold you have set for blocking SYN floods. You cannot set the threshold any lower without impacting legitimate traffic.

What are two SYN flood protection commands that you can use to resolve the problem? (Choose two.)

A. set security flow syn-flood-protection-mode syn-proxy
B. disable security flow syn-flood-protection-mode syn-flood
C. set security flow syn-flood-protection-mode [syn-proxy syn-cookie]
D. set security flow syn-flood-protection-mode syn-cookie

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation: When syn-proxy is configured the first SYN packets are allowed through. Once the attack threshold is met, the SRX proxies the connection, sending a SYN/ACK back to the source. This is used to determine if it is a legitimate request or just a drone flooding SYN requests. In the source- and destination-based SYN flooding protections, the SYN packets are not proxied but dropped to the floor. Anything above that configured threshold is dropped. This is a dangerous setting, and you must be cautious when designing these thresholds. SYN cookie protection is a stateless SYN proxy that you can use to defend against SYN floods from spoofed source IP addresses. A SYN cookie doesn't add much value if the source IP addresses are legitimate and reply to the SYN/ACK packet.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB3268

QUESTION 50
You have been asked to secure your network from as many network reconnaissance activities as possible.


Which three screens would be helpful in blocking these types of activities? (Choose three.)

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Explanation: Packets with the source-route option create load on the CPU and may create a security risk. A TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, causing various responses from the recipient, depending on the OS. Blocking packets with the FIN flag and without the ACK flag helps prevent OS probes. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/statement-hierarchy/security-screen.html

QUESTION 51
Your company is in the process of deploying a VPN network to connect its sites. Traffic will predominantly access resources at the central site. However, on occasion, traffic must be transported from one spoke site to another.

Which two methods will provide the desired connectivity? (Choose two.)

A. a hub-and-spoke IPSec VPN using a multipoint secure tunnel interface on the hub device
B. a hub-and-spoke IPSec VPN using a multipoint secure tunnel interface on all devices
C. a hub-and-spoke IPSec VPN using a separate secure tunnel unit for each spoke device
D. a hub-and-spoke IPSec VPN using a separate multipoint secure tunnel on each spoke device

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: Route-based VPNs offer two different types of architectures: point-to-point and point-to-multipoint. Point-to-point VPNs map a single VPN to a single logical interface unit, so the SRX connects directly to a single peer VPN gateway on the interface. Point-to-multipoint VPNs allow the device to connect to multiple peer gateways on a single logical interface.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 266.

QUESTION 52
You recently added NAT in your environment and now users are complaining about not being able to access the Internet.

Which two parameters would you configure to verify that NAT is working correctly? (Choose two.)

A. security trace-options flag flow basic
B. security flow trace-options flag packet-drops
C. security nat trace-options flag all
D. security nat source/destination trace-options flag all

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: The NAT trace options hierarchy configures the trace file and flags for verification purposes. J Series and SRX Series devices have two main components: the Routing Engine (RE) and the Packet Forwarding Engine (PFE). The PFE is divided into the ukernel portion and the real-time portion. For verification, you can turn on flags individually to debug NAT functionality on the RE, ukernel PFE, or real-time PFE. The trace data is written to /var/log/security-trace by default. Example:

set security nat traceoptions flag all
set security nat traceoptions flag source-nat-pfe
set security nat traceoptions flag source-nat-re
set security nat traceoptions flag source-nat-rt

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-42831.html?searchid=1320517464784

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15758&actp=search&viewlocale=en_US&searchid=1320517464784#Verification

QUESTION 53
Click the Exhibit button.


Compare the two outputs shown in the exhibit.

Which two statements are correct about VPN monitoring? (Choose two.)

A. In the output, "DOWN" means that VPN monitoring is disabled
B. In the output, "DOWN" means that the VPN monitoring feature has detected a failure
C. In the output, "-" means that the VPN monitoring feature is not enabled
D. In the output, "-" means that the VPN monitoring feature has detected a failure

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation: If VPN monitoring is enabled, then this will show Up or Down. A hyphen (-) means VPN monitoring is not enabled for this SA.


Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/show-security-ipsec-security-associations.html

QUESTION 54
Click the Exhibit button.

Referring to the exhibit, which parameter can be applied under the destination-address hierarchy?

A. utm-policy
B. idp-filter
C. drop-translated
D. uac-policy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: With a uac-policy enabled, Junos security policies enforce rules for transit traffic, defining what traffic can pass through the Juniper Networks device. The policies control traffic that enters from one zone (from-zone) and exits another (to-zone).

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17476&cat=SRX_SERIES&actp=LIST

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/uac-config-enabling-uac.html

QUESTION 55
Which statement accurately describes an idle scan?

A. A scanning method where "stealth" packets (packets without any flags set) are sent from an attacker to a remote target host through IDS systems.
B. A scanning method that scans all idle TCP connections on a remote target host to hijack them, so that you can take advantage of an authenticated data connection.
C. A scanning method where long idle periods exist between the scanning packets sent so IDS systems do not sense the scan attack.
D. A scanning method where a "zombie" host is used by an attacker to exploit a predictable IP fragmentation ID sequence and to discover open ports on the target host.


Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer called a "zombie" (that is not transmitting or receiving information) and observing the behavior of the zombie system.

Reference: http://nmap.org/book/idlescan.html

http://en.wikipedia.org/wiki/Idle_scan

QUESTION 56
You must protect your network against Layer 4 scans.

Which two actions help you achieve this objective? (Choose two)

A. Configure an IPS rule to use the predefined attack group SCAN.
B. Configure screens capable of blocking port scans.
C. Configure an IPS rule to use the predefined attack group SCAN and enable the DP option in a security policy
D. Enable TCP/UDP monitoring to discover scan sources and block them.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
B. Example: set security screen ids-option untrusted-internet tcp port-scan threshold 1000000
C. Juniper provides predefined attack objects (both protocol anomaly and signatures) individually and in predefined groups to customers who have active licenses. The predefined attack objects cannot be edited for the most part; however, you can use these as a basis for creating custom attack objects.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 405.

QUESTION 57
You have been asked to design and deploy a VPN-based backup network for your enterprise. Your network is currently configured across a single OSPF Area 0. All the VPN termination points in your network will be Juniper Networks SRX Series devices.

How must you configure your devices so that static routing can be avoided?

A. OSPF will not provide the needed functionality. The group VPN feature is required to create the next-hop tunnel binding and arrange key management across routing domains.
B. Configure VPN tunnels between the SRX Series devices and enable OSPF Area 0 on the st.0 interfaces. You can use the next-hop tunnel binding (NHTB) protocol for next hops to the tunnels.
C. Configure VPN tunnels between the SRX Series devices and enable OSPF Area 0 on the st.0 interfaces. You must configure next-hop tunnel binding for the remote peers mapping next hops to VPN names.
D. Because OSPF will not provide the required next-hop VPN binding alone, dynamic VPN must be used to discover the next-hop tunnel binding automatically.

Correct Answer: B
Section: (none)
Explanation


Explanation/Reference:
Explanation: Point-to-multipoint VPNs allow you to bind multiple VPNs to a single interface on the hub. For this to work properly, the SRX must know not only which VPN to send the traffic into on the st0 interface to which it is bound, but also which next-hop will be used for routing that traffic on the interface. To accomplish this, the SRX uses a mechanism called a Next-Hop Tunnel Binding (NHTB) table on the interface to map all of this information. On the SRX, if you are going to another SRX or ScreenOS device and you are using static routing, the SRX can automatically exchange the next-hop tunnel information with the peer as part of the optional vendor attribute exchanges in Phase 2 (also known as auto NHTB). If you are using a dynamic routing protocol (such as RIP, OSPF, or BGP), you will not need to make a manual mapping entry because the SRX can build the table automatically from the routing updates, matching the next-hop to the tunnel it came out of.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 268.

QUESTION 58
Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two)

A. The VPN is set up using a preshared key.
B. The VPN is set up using certificates.
C. The VPN is set with NAT traversal.
D. The VPN is set without NAT traversal.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation: Authentication-method: Pre-shared-keys indicates that a pre-shared key is used for authentication. Certificates and preshared keys are mutually exclusive options.


The VPN is set with NAT traversal, as NAT-T uses UDP port 4500 (by default) rather than the standard UDP port 500.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 270.

QUESTION 59
For RG 1, Node 0 has priority 200; Node 1 has priority 100. Preempt has been configured. Node 0 has been rebooted; therefore, Node 1 is primary for RG 1.

What happens when Node 0 comes back up?

A. Node 0 is still secondary for RG 1 because preempt is configured
B. All redundancy groups failover to Node 0.
C. Node 0 becomes primary for RG 1.
D. Node 0 will preempt Node 1 from becoming primary for RG 1.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: Each node is given a priority within a redundancy group. The higher-priority device is given mastership over the redundancy group. This depends on a few options, and one of them, by default, is that a node with a higher priority will not preempt the device with the lower priority. The result is that if a lower-priority node were to have ownership of a redundancy group and then a node with the higher priority were to come online, it would not give ownership to the higher-priority device. To enable this, the preempt option would need to be enabled, and the device with the higher priority would take ownership of the redundancy group when it was healthy to do so.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 572.

QUESTION 60
Click the Exhibit button.


Which statement is true regarding the session displayed in the exhibit?

A. The session must be a transit session.
B. The session must be a local session.
C. The session traverses more than one routing-instance.
D. The session traverses only one routing-instance.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: The session tokens match (0x20a) for the In and Out parts. This indicates that the session traverses only one routing-instance.

QUESTION 61
Click the Exhibit button.


The NHTB configuration excerpt shown in the exhibit is applied on an SRX Series device that is a hub in a hub-and-spoke VPN.

Which statement is true about this configuration?

A. The spoke devices can be any IPSec VPN gateway
B. The spoke devices must be SRX Series devices
C. The spoke devices must support NHTB protocol.
D. The spoke devices require multipoint configured on the st0 interface.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation: Because NHTB is configured on the hub, the remote spoke device is not required to be a Juniper device. The NHTB protocol must be supported only by the hub, and only the hub's st0 interface is configured as multipoint.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 267.

QUESTION 62
Click the Exhibit button.


In the exhibit, which two commands should you use to ping 10.1.1.100 from the SRX Series device's command line? (Choose two)

A. ping 10.1.1.100
B. ping source 10.1.1.1 10.1.1.100
C. ping routing-instance vr1 10.1.1.100
D. ping interface ge-0/0/1.0 10.1.1.100

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation: Because 10.1.1.100 belongs to routing-instance vr1, there are two ways to ping this host (answers C and D):

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/task/operational/security-ping-command-using.html

QUESTION 63
Your company has VPNs that connect to other companies. The company wants to use certificates with a recognized third-party certificate authority.

Which two steps are required to use certificates with a certificate authority? (Choose two)

A. Configure a CRL
B. Configure RSA signatures for the IKE authentication method
C. Configure DSA signatures for the IKE authentication method
D. Generate a certificate request for the SRX device

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation: To use certificates with a certificate authority, you have to set the IKE authentication method in the phase 1 proposal by setting the "rsa-signatures" attribute. The rsa-signatures attribute signifies certificates using RSA key generation. Before you can use certificate-based authentication, you have to generate a certificate request for each participating SRX device. You can do it by issuing the command:

request security pki generate-certificate-request

Reference: http://jsrx.juniperwiki.com/index.php?title=JNCIE-SEC#Certificates

QUESTION 64
Your company wants to deploy IPv6. The deployment on core routers has been completed. You now must enable your firewalls with the new protocol, but you must configure the SRX Series device so that it does not yet examine IPv6 packets.

How do you accomplish this?

A. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, enhance the security policies so that IPv6 packets are ignored; enhance the used routing protocols with IPv6 capabilities.
B. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, and enhance the used routing protocols with IPv6 capabilities.
C. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, enhance the used routing protocols with IPv6 capabilities; configure the security forwarding options so that IPv6 traffic is not transported in the stateful forwarding mode.


D. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, and enhance the security protocols with IPv6 capabilities as well as to switch on "Inet6 routing" in the configuration's routing-options stanza.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation: By default, SRX runs with flow-based forwarding, which drops IPv6 packets. To allow IPv6 packets to be forwarded by the SRX, a forwarding-options command must be configured. The following forwarding-options command is required:

set security forwarding-options family inet6 mode packet-based

Reference:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16040&actp=search&viewlocale=en_US&searchid=1320572266620#

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-interfaces-and-routing/logical-properties-section.html#ipv6-enable-section

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-admin-guide/config-selective-stateless-chap.html#config-selective-stateless-chap

QUESTION 65
You have a VoIP application that requires external sessions to be initiated into your environment. The internal host has not sent an initial packet to the external host's reflexive transport address.

Which NAT parameter will accomplish this task?

A. target-host
B. address-persistent
C. target-host-port
D. any-remote-host

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation: When persistent NAT is used with the any-remote-host option, all requests from a specific internal IP address and port are mapped to the same reflexive transport address, and any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

Reference: http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/index.html?topic-42825.html#jd0e125921

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST

http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/security/software-all/security/index.html?topic-42826.html

QUESTION 66
You want to implement a VPN on your SRX device that will use certificates to authenticate with the peer gateway. You plan to allow certificates from any certificate authority.

Which two configuration commands are required? (Choose two.)


A. Set security ipsec proposal rsa-prop1 authentication-method rsa-signatures.
B. Set security ike policy ike-poll certificate local-certificate my-cert.
C. Set security ike proposal rsa-prop1 authentication-method rsa-signatures.
D. Set security ike policy ike-poll certificate trusted-ca use-all.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation: "set security ike proposal rsa-prop1 authentication-method rsa-signatures" enables certificate-based authentication in IKE phase 1.

"set security ike policy ike-poll certificate trusted-ca use-all" enables the use of all configured certificate authorities.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/cli-reference/junos-security-cli-reference.pdf

QUESTION 67
A security alert has been issued for an application running on your network that exploits a buffer overflow to compromise the application. The security alert specifies that client-to-server communication will contain the string "*~\hack-man?\" or the string "\back\*?/hat".

Which type of IPS custom signature is required to block the traffic?

A. A signature attack object for each of the specified strings
B. A compound attack object
C. A protocol anomaly attack object
D. A regular expression matching the identified strings

Correct Answer: A
Section: (none)

Explanation/Reference:
Explanation: Signature-based attack objects will be the most common form of attack object to configure. This is where you use regular expression matching to define what attack objects should be matched by the detector engine.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 430.

QUESTION 68
Click the Exhibit button.


Given the exhibit, which type of NAT is implemented?

A. one-to-many with port translation
B. many-to-many with port translation
C. many-to-many without port translation
D. many-to-one with port translation

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation: Many-to-many NAT with port translation is implemented in the exhibit. It translates the source IP for up to 255 hosts matching the 10.1.1.0/24 network to a pool of 11 IPs from 200.0.0.30 to 200.0.0.40. Because the first number (255) is greater than the second (11), PAT may be needed for the translation.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 209.

QUESTION 69
After implementing a chassis cluster for active/active clustering, you have identified a congestion issue with traffic traversing the data link between the two nodes.

Which solution should you implement?

A. Increase the throughput ratio for the active/active clustering configuration.
B. Use a link with a higher bandwidth capacity for the data link.
C. Offload the excess traffic to a dedicated reth group.
D. Implement dual data links to load balance data traffic.

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation: You have to upgrade the fabric link to one that supports higher bandwidth. Connecting two fabric links between the nodes provides redundancy: having two fabric links helps avoid a possible single point of failure, but it does not provide load balancing of data traffic.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/chassis-cluster-dual-fabric-links-understanding.html

QUESTION 70
In which order are the stages of an attack?

A. reconnaissance, host probes, evasion, host access
B. host probes, host access, evasion, reconnaissance
C. evasion, reconnaissance, host probes, host access
D. reconnaissance, host access, evasion, host probes

Correct Answer: A
Section: (none)

Explanation/Reference:
Explanation: An attacker usually precedes an attack by performing reconnaissance on the target. Before launching an exploit, attackers might try to probe the targeted host to learn its operating system (OS). Whether gathering information or launching an attack, it is generally expected that the attacker avoids detection. Although some IP address and port scans are blatant and easily detectable, more wily attackers use a variety of means to conceal their activity. Techniques such as using FIN scans instead of SYN scans--which attackers know most firewalls and intrusion detection programs detect--indicate an evolution of reconnaissance and exploit techniques for evading detection and successfully accomplishing their tasks.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-93100.html

http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/attack-detection-prevention-overview.html

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/understanding-operating-system-probes.html

QUESTION 71
Which three scans can an attacker use to probe your network for open TCP ports? (Choose three.)

A. Xmas tree scan
B. SYN scan
C. SYN flood
D. FIN/ACK scan
E. IP protocol scan

Correct Answer: ABD
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 72
The finance department has implemented a new network application that transits multiple network devices, including an SRX5600. Application servers in different locations are unable to communicate. You have narrowed down the issue to the SRX5600, and have determined that the application can initiate a flow, but return traffic is dropped by the SRX5600.

What will help you troubleshoot this issue?

A. The default messages log
B. SNMP traps
C. Transparent mode
D. Flow trace options

Correct Answer: D
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 73
Which feature would you use to bypass the flow-based forwarding capability of an SRX Series branch device for a specific application?

A. security policy
B. policer
C. firewall filter
D. routing policy

Correct Answer: C
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 74
Click the Exhibit button.

Your company has begun implementing a hub-and-spoke VPN to connect employees safely to the corporate network. You are asked to work on a troubleshooting ticket in which employees complain that their VPN connection is not working. The exhibit shows the VPN configuration for the hub device.


What must you change to make the setup work?

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 75
While configuring your SRX device, you notice problems with the configuration. You suspect that someone made an undocumented change to your device. You want to determine who made the change and when it was made. All administrators have unique logins.

Which two commands do you use to troubleshoot this problem? (Choose two.)

A. user@srx# rollback ?
B. user@srx# show | compare rollback 2
C. user@srx> show rollback 2
D. user@srx> show system commit

Correct Answer: AD
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 76
Your SRX Series device must have the IPS signature database installed for use in IPS policy development.

How do you install the IPS signature database onto the SRX Series device?

A. Run the request security idp security-package idp install command; the signature database will be downloaded from Juniper Networks and installed.

B. Run the request security idp security-package download command followed by the request security idp security-package install command.

C. Run the request security idp security-package download command after the signature database has been manually downloaded from Juniper Networks.

D. Download the signature database from Juniper Networks and run the request security idp security-package download <ip-address> command to use TFTP to transfer the file from your laptop and install it on the SRX Series device.

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 77
You have an SRX650 that supports many customers who are each assigned to their own virtual router and do not normally communicate with each other. However, a request has been made to allow Customers A and B to communicate directly with Customer C.

Which two methods would enable the requested communication? (Choose two.)

A. Create a static route from routing instances A and B with a qualified-next-hop of C's interface and a route distinguisher ID of value "C".

B. Create a logical tunnel interface for each of Customer A, B, and C's routing instances. Configure a static route from A and B pointing to C's single logical tunnel interface IP address.

C. On the SRX device, physically connect cables from interfaces in Customer A and B's routing instances to Customer C's routing instance, and assign the same IP address space.

D. Create individual static routes and logical tunnel interfaces between routing instances A and C as well as between routing instances B and C.

Correct Answer: CD
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 78
Click the Exhibit button.

You are troubleshooting a new IPsec VPN tunnel that is failing to establish an IKE security association between SRX Series devices.

What is a possible cause for this problem?

A. Mismatched Phase 1 proposals
B. Missing Phase 1 proposal on the responder
C. Mismatched Phase 2 proposals
D. Missing Phase 2 proposal on the responder

Correct Answer: A
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 79
While performing routine monitoring of your network, you notice an unusual increase in activity. You check the logs and notice a specific set of flows from a single source IP address. In analyzing these flows you determine that a remote host has sent several packets to your server with no TCP flags set.

Which scan is being used?

A. The attacker is using an XMAS tree scan.
B. The attacker is using a SYN scan.
C. The attacker is using a NULL scan.
D. The attacker is using a FIN scan.

Correct Answer: C
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 80
In a group VPN, the members rekey with the server using the Unicast Pull method.

This rekey mechanism is protected by which secure channel?

A. KEK
B. IPsec SA
C. TEK
D. IKE SA

Correct Answer: D
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 81
Click the Exhibit button.

Which two commands are required to generate the results shown in the exhibit? (Choose two.)

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: BC
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 82
Which IPS inspection step is completed last?

A. reassembly of packet fragments
B. identification of attack signatures
C. location of protocol anomalies
D. tracking of packets in sessions and flows

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 83
Click the Exhibit button.

You have configured an SRX Series device to act as the hub in a hub-and-spoke environment. After configuring two of your spoke sites, you notice that only one of your VPNs is established.

Referring to the exhibit, what must be added to the hub's st0 interface to resolve the problem?

A. Multipoint
B. Point-to-multipoint
C. Multi-tunnel
D. Multi-path

Correct Answer: A
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 84
Click the Exhibit button.

Your company uses a custom-built FTP application. You have configured an application definition to support it on your SRX Series device as shown in the exhibit, and applied the application to the relevant security policy.

Which statement is true about the application definition?

A. The source-port parameter must be specified.
B. The inactivity timeout value is too low.
C. The application-protocol parameter must be specified.
D. The application definition is configured correctly.

Correct Answer: D
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 85
Two High End SRX Series devices are configured in a chassis cluster, but interchassis communication is problematic and intermittent. Node 0 has SPCs located in slots 1, 2, 5, and 10 and has IOCs located in slots 3 and 4. Node 1 has SPCs located in slots 13, 14, and 18 and has IOCs located in slots 15 and 16.

What is causing the interchassis communication issues?

A. There must be a SPC installed in the first slot on each node.
B. The SPCs must all be placed in consecutive slots on each node.
C. The IOCs must be placed in the first two slots on each node.
D. The number of SPCs being used must be the same on both nodes.

Correct Answer: D
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 86
You have an internal application that requires the same IP address to be used for multiple concurrent sessions.

Which NAT parameter would you enable to provide this functionality?

A. persistent-nat any-remote-host
B. persistent-address
C. address-persistence
D. persistent-nat target-host

Correct Answer: C
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 87
Click the Exhibit button.

High availability chassis clustering has been configured. The SRX 5800-A is in passive mode, while the SRX 5800-B is in active mode. The administrator has configured the control-link-recovery feature. A unidirectional fabric link causes the SRX 5800-A to see the SRX 5800-B's probes, but the SRX 5800-B cannot see the SRX 5800-A's probes.

What will happen in this situation?

A. Traffic from R2 toward R4 flows through the SRX 5800-B to the SRX 5800-A.
B. Traffic from R2 toward R4 flows through the SRX 5800-A reth3 interface to R3.
C. Traffic from R2 toward R4 flows through the SRX 5800-B reth2 interface.
D. Traffic from R2 toward R4 flows through the SRX 5800-A reth2 interface to R3.

Correct Answer: C
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 88
You have been asked to change the authentication mechanism on one of your VPNs to use public-key certificates to authenticate the peer SRX devices at each end.

Which part of the VPN configuration must you change?

A. IKE Phase 2
B. IKE Phase 1
C. Security policy
D. Proxy ID

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 89
You have two SRX3400s running in active/passive mode. The primary SRX device has an NPC fail and goes offline. What happens to the SRX cluster?

A. The SRX device cannot recover from an NPC failure, and causes a no-brain situation; both SRXs go into a disabled state.

B. Both RG0 and RG1 fail over to the backup node, and the primary node goes into a disabled state.
C. The RG1 fails over to the backup node, whereas RG0 remains active on the primary.
D. The SRX device cannot recover from an NPC failure, and causes a split-brain situation; both SRX devices become active.

Correct Answer: C
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 90
What are two protection methods employed on SRX Series devices? (Choose two.)

A. Stateless signature protection
B. Stateful signature protection
C. Protocol anomaly protection
D. Preamble protection

Correct Answer: BC
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 91
You are using certificates for IPsec VPNs and want the SRX Series device to verify that the certificates are valid.

When configuring the SRX device, which protocol is supported for retrieving the CRL?

A. RADIUS
B. TACACS+
C. LDAP
D. FTP

Correct Answer: C
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 92
You initiated the installation of the attack database. The system indicates that it will run asynchronously and returns you to a command prompt in the CLI. You want to know if the installation has completed.

Which command do you run to confirm this?

A. Request security idp security-package install status
B. Request system software idp security-package install status
C. Request security idp security-package download status
D. Request security idp security-package install

Correct Answer: A
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 93
How many components can a compound attack object contain?

A. 8
B. 16
C. 24
D. 32

Correct Answer: D
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 94
You want out-of-band management traffic to be separated from the transit traffic going through an SRX chassis cluster.

Which two must you implement to meet this requirement? (Choose two.)

A. Put fxp0 in a routing instance named mgt-vr.
B. Leave fxp0 in the main instance, inet.0.
C. Put all transit interfaces in a routing instance named transit-vr.
D. Leave all transit interfaces in the main instance, inet.0.

Correct Answer: BC
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 95
You have configured several new security policies on your SRX Series device, and they are ready to be committed. The device is running in a live network and you are concerned that any configuration errors will affect traffic.

How would you deal with this challenge?

A. Use the test policy feature.
B. Use the match-policies feature.
C. Use the commit check feature.
D. Use the commit confirmed feature.

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 96
What can cause a node in an SRX Series chassis cluster to be in the disabled state?

A. One of the nodes has no power.
B. The control link between the two nodes has gone down, but the fabric link is still up.
C. The configuration on the SRX Series device was set to disable a node permanently.
D. Both the control and fabric links between the two nodes have gone down.

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 97
Click the exhibit.

The exhibit contains the full routing-instances and interface configuration present on your SRX Series device. Customer A hosts are attached to the ge-0/0/3 interface and belong to the 10.0.0.0/24 network. Customer B hosts are attached to the ge-0/0/4 interface and belong to the 20.0.0.0/24 network. Assume the appropriate security configuration is in place.

Which statement is correct when a host with the IP address 10.0.0.100 pings a host with the IP address 20.0.0.100?

A. The SRX Series device will drop the packets because interface routes are not shared within a rib-group.
B. The SRX Series device will drop the packets because filter-based forwarding is not configured.
C. The SRX Series device will forward the traffic because filter-based forwarding is configured.
D. The SRX Series device will forward the traffic using the logical tunnel interfaces.

Correct Answer: D
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 98
A security alert has been issued for an application running on your network that exploits a buffer overflow to compromise the application. The security alert specifies that initial client-to-server communication will contain the string "~\hack-app\", followed by the string "\&&-phase-2//" or the string "\bad\7string".

Which type of IPS custom signature is required to block the traffic?

A. a signature attack object for each of the specified strings
B. a compound attack object
C. a protocol anomaly attack object
D. a regular expression matching the identified strings

Correct Answer: B
Section: (none)

Explanation/Reference:
Explanation:

QUESTION 99
You are asked to configure an IPsec tunnel to securely connect from the headquarters office to a remote office.

You are required to use ESP and to disable NAT traversal between offices.

What will accomplish this task?

A. set security ipsec vpn vpn-name ike no-nat-traversal
B. set security ike no-nat-traversal
C. set security ike gateway gateway-name no-nat-traversal
D. set security ipsec no-nat-traversal

Correct Answer: C
Section: (none)

Explanation/Reference:
Explanation:

