Page 1: study material for JN0-532

Exam Name: FWV, Specialist (JNCIS -FWV) Exam Type: Juniper Exam Code: JN0-532 Total Questions 146

Page 1 of 47

Question: 1
You have created a VPN to a dynamic peer. Which two configured parameters must match? (Choose two.)
A. static side peer-id
B. dynamic side local-id
C. static side IP address
D. dynamic side IP address
Answer: A, B

Question: 2
Which three events would cause ScreenOS devices to generate SNMP traps? (Choose three.)
A. cold starts
B. traffic alarms
C. warm reboots
D. self log events
E. traffic log events
Answer: A, B, C

Question: 3
Which command shows the filter applied to snoop captures?
A. get snoop
B. snoop info
C. get ffilter
D. get ffilter ip-proto snoop
Answer: B

Question: 4
Review the exhibit. Based on the exhibit, which of the following statements is true about this OSPF configuration?


A. The neighbor device has been selected as the DR.
B. The OSPF neighbor's IP address is 10.50.1.1.
C. OSPF hellos are going to the wrong multicast address.
D. The neighbor relationship between the two devices cannot be established.
Answer: A

Question: 5
A VPN tunnel uses certificates for site-to-site authentication. Phase 1 is failing when the receiving device attempts to validate the received certificate. What would be causing this problem?
A. The device certificate has been revoked.
B. The CA certificate does not include the device certificate.
C. The device certificate has a CDP extension, making it invalid.
D. The device certificate was generated before the CRL was downloaded, so it cannot be validated.
Answer: A

Question: 6
You have entered the following BGP configuration:
  set vrouter trust-vr bgp 65530
  set vrouter trust-vr bgp enable
  set vrouter trust-vr protocol bgp neighbor 1.1.1.250 remote-as 65500
  set vrouter trust-vr protocol bgp neighbor 1.2.3.250 remote-as 65280
BGP is not working. What two elements are missing from your configuration? (Choose two.)
A. You have not enabled the BGP peers.
B. You have not enabled EBGP multihop.
C. You have not placed the peers in a BGP peer group.
D. You have not enabled BGP on the interfaces connecting to the peers.


Answer: A, D

Question: 7
Which ScreenOS CLI command(s) allow(s) for redistribution of type 1-3 LSAs?
A. set ospf export route external
B. set match route-type internal-ospf
C. set redistribute ospf lsa 1
   set redistribute ospf lsa 2
   set redistribute ospf lsa 3
D. set protocol ospf lsa 1 redistribute
   set protocol ospf lsa 2 redistribute
   set protocol ospf lsa 3 redistribute
Answer: B

Question: 8
When enabling OSPF over a hub and spoke VPN, what must you configure on the hub device tunnel interface to allow spokes to receive routing updates?
A. point to multipoint
B. disable split-horizon
C. enable demand circuit
D. enable passive interface
Answer: A

Question: 9
What do you need to change in your IPSec VPN configuration to use certificates for authentication?
A. Replace the preshared key with the certificate name.
B. Select PFS in Phase 2, then select the certificate to be used.
C. Use a custom set of Phase 1 proposals, all beginning with rsa-.
D. Use a custom set of Phase 2 proposals, all beginning with rsa-.
Answer: C

Question: 10
Click the Exhibit button. You have enabled OSPF on a device addressed as shown in the exhibit. You have not configured a router ID. Which address will be used as the router ID?


A. 1.1.1.1
B. 10.1.1.1
C. 10.50.1.1
D. 192.168.1.1
Answer: C

Question: 11
You have enabled RIP in a hub and spoke VPN environment, using demand circuits. You are not receiving routes from one of your spokes, although the VPN is up. When you debug RIP on the spoke device, you see regular RIP updates being generated on the tunnel interface. You are receiving and sending routes to the rest of your spokes. What is the problem?
A. You did not disable split horizon on the spoke device.
B. You did not configure demand circuit on the spoke device.
C. You did not configure passive interface on the spoke device.
D. You did not configure a RIP neighbor for the spoke device on the hub.
Answer: B

Question: 12
Which ScreenOS CLI command would be used for copying routes in the untrust-vr to OSPF in the trust-vr?
A. set vrouter trust-vr ospf export vrouter untrust-vr address to-trust
B. set vrouter untrust-vr export list to-trust vrouter trust-vr protocol ospf
C. set vrouter untrust-vr export-to vrouter trust-vr route-map to-trust protocol ospf
D. set vrouter trust-vr protocol ospf import-from vrouter untrust-vr distribute-list to-trust
Answer: C

Question: 13
Click the Exhibit button. Given the routing table in the exhibit, which interface will be used to reach the host at 10.1.20.1?
A. tunnel.1


B. tunnel.21
C. ethernet0/2
D. ethernet0/4
Answer: C

Question: 14
Which three interface types are supported in virtual systems? (Choose three.)
A. subinterfaces
B. VPN interfaces
C. shared interfaces
D. limited interfaces
E. dedicated interfaces
Answer: A, C, E

Question: 15
Which two statements regarding NHTB are correct? (Choose two.)
A. If the spoke device is not a ScreenOS device, manual configuration of NHTB is required on the hub.
B. If the spoke device is not a ScreenOS device, manual configuration of NHTB is required on the spoke.
C. When configuring routing on a spoke device with one tunnel interface, the route to the tunnel interface does not require a routing gateway address.
D. When configuring routing on a hub device with one tunnel interface terminating multiple VPN spokes, the route to the tunnel interface does not require a routing gateway address.
Answer: A, C

Question: 16
Click the Exhibit button. In the exhibit, what would correct the proxy-ID mismatch?
A. The 10.1.0.0 address book entry on the initiator needs to be changed to a 32 bit mask.


B. The 10.50.0.0 address book entry on the initiator needs to be changed to a 30 bit mask.
C. The 10.50.0.0 address book entry on the responder needs to be changed to a 24 bit mask.
D. The 10.50.0.0 address book entry on the responder needs to be changed to a 32 bit mask.
Answer: C

Question: 17
You have implemented a hub and spoke VPN. On the hub, there are two tunnel interfaces, one to each spoke. Both tunnel interfaces are in the same zone. Which two configuration options will control traffic between the spokes? (Choose two.)
A. Configure the common zone to block intra-zone traffic.
B. Configure the common zone to block inter-zone traffic.
C. Configure each tunnel interface to block intra-zone traffic.
D. Move one of the tunnel interfaces to a different zone and create policies between the two zones.
Answer: A, D

Question: 18
Which two item pairs are exchanged during Phase 2 negotiations? (Choose two.)
A. proxy-id, SA proposal list
B. IKE cookie, SA proposal list
C. hash [ID + Key], DH key exchange
D. SA proposal list, optional DH key exchange
Answer: A, D

Question: 19
Which two of the following statements regarding SYSLOG are true? (Choose two.)
A. You can specify the source address of SYSLOG traffic.
B. You can specify the source interface for SYSLOG traffic.
C. You can encrypt SYSLOG traffic from within the SYSLOG configuration.
D. You can send SYSLOG messages via TCP on a per-SYSLOG server basis.
Answer: B, D

Question: 20
You have configured NSRP Active/Passive using the default vsd-group. You are using BGP to learn routes from adjacent network devices. You want each firewall to establish a BGP peer to different upstream routers. You also want the backup device to learn dynamic routes. Which configuration would ensure you can establish a BGP peer to two different routers?
A. Configure two BGP peers on the same VSI interface, but use a different virtual router on each device.
B. Use the unset vr <vr-name> nsrp-config-sync command and configure BGP peers on the VSI interface.
C. Use the unset nsrp vsd-group id 0 and set nsrp vsd-group id 1 commands for VSI interfaces, then configure BGP peers on the local interfaces, then unset vr untrust-vr nsrp-config-sync.
D. Use the unset nsrp vsd-group id 0 and set nsrp vsd-group id 1 commands for the VSI interfaces, then configure BGP peers on the local interfaces, then unset vr <vr-name> nsrp-config-sync.


Answer: D

Question: 21
Review the exhibit. Based on the exhibit, which of the following statements about this policy are true?
A. The policy is queued at the highest priority.
B. The policy is currently inactive.
C. The policy will be processed second in the overall list of rules.
D. The policy was created using multiple services rather than a service group.
Answer: D

Question: 22
Which statement about integrated Web filtering is true?
A. You must configure a category profile.
B. You must add categories to the black list and white list.
C. User-defined categories are searched after pre-defined categories.
D. The local cache contains the black list, white list, and all URLs in the user-defined categories.
Answer: D

Question: 23
Which two statements are true about redundant interfaces? (Choose two.)
A. Only one link in a redundant group is active at a time.
B. You can place up to four interfaces in a redundant group.
C. All interfaces in the redundant group are active, providing more bandwidth.
D. Each interface in the redundant group should be connected to a different L2 device.
Answer: A, D

Question: 24
You are a read/write VSYS administrator. Your configuration requires the use of a MIP. Which statement correctly describes this situation?


A. MIP creation can only be done by the root administrator, not a VSYS administrator.
B. You can create the MIPs on any interface imported into your VSYS, but not on shared interfaces.
C. You can create MIPs on any interface you can see in your interface list, including both private and shared interfaces.
D. You can create MIPs only on sub-interfaces within your VSYS. All other MIPs need to be created by the root level VSYS admin.
Answer: A

Question: 25
Using VSYS profiles, which three can you limit on a per-VSYS basis? (Choose three.)
A. zones
B. sessions
C. subinterfaces
D. CPU allocation
E. memory allocation
Answer: A, B, D

Question: 26
Click the Exhibit button. In the exhibit, what is the source IP address of the multicast traffic?
A. 236.1.1.1
B. 10.10.10.1
C. 20.20.20.10
D. 20.20.20.200
Answer: B


Question: 27
Which command is used to verify that IGMP is running correctly?
A. get route igmp
B. get igmp query
C. set igmp query interface e0/1
D. exec igmp interface e0/1 query
Answer: D

Question: 28
You create three policies that will send traffic through an interface configured for 1.544 Mbps. All policies are configured to have 256 Kbps guaranteed bandwidth and 512 Kbps of maximum bandwidth. Each policy has been assigned the following priorities:
  Policy 1 = priority 4
  Policy 2 = priority 5
  Policy 3 = priority 3
Each policy receives a constant stream of 1 Mbps. How much bandwidth will be available for Policy 2?
A. 256 Kbps
B. 512 Kbps
C. 1.544 Mbps
D. 1 Mbps
Answer: B

Question: 29
When adding deep inspection to a policy, when will inspection be performed?
A. before the policy lookup
B. after the routing lookup
C. before the destination lookup
D. after the packet has been permitted
Answer: D

Question: 30
Which three statements are true regarding IKE Phase 1? (Choose three.)
A. Placing the SA proposal list in message 1 is an option.
B. The digital certificate is used to decrypt the session key.
C. The DH key exchange is used to validate the session key.
D. The DH key exchange and digital certificates are both optional.
E. The proxy-id is used to determine which SA is referenced for the VPN.
Answer: A, B, C

Question: 31
What should you configure to ensure an HA cable failure does not result in both devices attempting to become master?
A. failover count


B. secondary path
C. monitor threshold
D. heartbeat threshold
Answer: B

Question: 32
Click the Exhibit button. In the exhibit, which two can be determined about the VPN? (Choose two.)
A. NAT-traversal is enabled.
B. The rekey interval is 8 hours.
C. This device initiated the Phase 1 negotiations.
D. The certificate used in this exchange is set to never expire.
Answer: B, C

Question: 33
You have taken your backup ScreenOS device out of production for some maintenance. The device is brought back online and rejoins the NSRP cluster. You determine that the two devices are out of sync. Which command will sync the devices and on which device should it be run?
A. set nsrp sync global-config save (run on the Master)
B. set nsrp sync global-config save (run on the Backup)
C. exec nsrp sync global-config save (run on the Master)
D. exec nsrp sync global-config save (run on the Backup)
Answer: D

Question: 34
Click the Exhibit button. You have configured your device with a tunnel interface in the untrust zone, and your protected resources in the trust zone. The remote gateway is defined using an FQDN. The tunnel went down and has not reestablished. Based on the exhibit, what are two reasons why the tunnel is failing to reestablish? (Choose two.)


A. The policy used by this VPN was deleted.
B. The Phase 1 preshared key was modified in one of the devices.
C. One of the devices was modified so that the peer ID and local ID no longer match.
D. The IP address of the remote peer changed and your DNS table has not updated with the new address.
Answer: B, D

Question: 35
Which parameter do you adjust on a static route to create a floating static route?
A. cost
B. metric
C. weight
D. preference
Answer: D

Question: 36
Which two OSPF parameters are protocol-level parameters? (Choose two.)
A. cost
B. priority
C. neighbor list
D. summarization
E. advertise default route
Answer: D, E

Question: 37
Click the Exhibit button. Which command(s) will remove the ffilter shown in the exhibit?
A. unset ffilter all
B. delete filter all
C. unset ffilter 0-2
D. unset ffilter 0
   unset ffilter 1
   unset ffilter 2
E. unset ffilter 2


   unset ffilter 1
   unset ffilter 0
Answer: E

Question: 38
Review the exhibit. Which two of the following elements must be configured on the ScreenOS device in order to support PIM-SM? (Choose two.)
A. A multicast control policy
B. A bootstrap router process
C. A unicast routing protocol
D. A static RP
Answer: A, C

Question: 39
You want to deploy Equal Cost Multipath (ECMP) on your ScreenOS device. Which three parameters must match in order for routing paths to be considered equal? (Choose three.)
A. protocol
B. preference
C. cost
D. metric
E. outbound zone
Answer: B, D, E

Question: 40
You have configured the following on your device.
  set address trust MyPC 10.1.1.5/32
  set address untrust CorpNet 10.10.0.0/16
  set policy from trust to untrust MyPC CorpNet any permit
  set int tunnel.1 zone untrust
  set int tunnel.1 ip unnumbered int bgroup1
  set ike gateway GW address 1.1.1.1 outgoing-interface e0/1 preshare Secret sec-level standard
  set vpn VPN gateway GW sec-level standard
The tunnel interface is down, so the VPN cannot function properly. What is the problem?
A. The policy needs to have the action tunnel.
B. The VPN needs to be bound to the tunnel interface.
C. The tunnel interface needs to be placed in the trust zone.


D. The tunnel interface needs to be associated with the interface in the untrust zone.
Answer: B

Question: 41
You want to configure routing redundancy over your VPN network, but do not want to deploy a dynamic routing protocol. What should you do?
A. Configure multiple static routes, setting tags to designate primary and backup routes.
B. Configure multiple static routes, adjusting the cost to determine primary and backup routes.
C. Configure multiple static routes, adjusting the metric to determine primary and backup routes.
D. Configure multiple static routes, adjusting the preference to create floating static routes as backups.
Answer: C

Question: 42
You enable run time object (RTO) sync on the NSRP cluster. Which command will provide RTO message sync counters?
A. get nsrp rto
B. get count stat
C. get rto counter
D. get nsrp counter
Answer: D

Question: 43
Which command shows the present debugging configuration?
A. get conf
B. get dbuf
C. get debug
D. debug info
Answer: C

Question: 44
Which statement about source-based routing is true?
A. You cannot redistribute source-based routes.
B. You can only specify an interface as the next hop.
C. You cannot configure source-based routing in the untrust-vr.
D. Destination-based routes take precedence over source-based routes.
Answer: A

Question: 45
You are concerned that one of the routes on your ScreenOS device has been cycling up and down. You would like to investigate how long this route has been up (and when the last outage occurred). Which command will provide you with this specific information?
A. get route id <x>
B. get route ip <x>
C. get vrouter route id <x>


D. get vrouter trust route-id <x>
Answer: A

Question: 46
Click the Exhibit button. In the exhibit, review the debug output. Which type of NAT has occurred?
A. MIP
B. interface-based NAT
C. policy-based NAT with DIP enabled
D. policy-based NAT without DIP enabled
Answer: B

Question: 47
To which three ScreenOS components can a policy-based routing policy be bound? (Choose three.)
A. zone
B. policy
C. interface
D. virtual router
E. virtual system
Answer: A, C, D

Question: 48
Click the Exhibit button.


In the output shown, which single command is entered out of order?
A. set ffilter
B. clear db
C. get dbuf stream
D. debug flow basic
Answer: B

Question: 49
Click the Exhibit button. Given the routing table in the exhibit, which interface will be used to reach the host at 10.1.20.1?
A. tunnel.1
B. tunnel.21
C. ethernet0/2
D. ethernet0/4
Answer: D

Question: 50
Click the Exhibit button. In the exhibit, the SSG 5 is using a route-based VPN configuration. Which two are required on the SSG 5 to successfully establish a VPN? (Choose two.)


A. proxy-id
B. peer-id of 1.1.2.5
C. local-id of 1.1.1.10
D. IKE Phase 1 aggressive mode
Answer: A, B

Question: 51
Click the Exhibit button. In the exhibit, which two would allow you to exchange traffic between hosts behind the SSG 5 and the SSG 550? (Choose two.)
A. VIPs on both sides
B. DIPs on both sides
C. MIPs on both sides
D. a combination of NAT-src and NAT-dst
Answer: C, D

Question: 52
You are a read/write VSYS administrator. Your configuration requires the use of a DIP. Which statement correctly describes this situation?
A. DIP creation can only be done by the root administrator, not a VSYS administrator.
B. You can create the DIP on any interface imported into your VSYS, but not on shared interfaces.
C. You can create DIPs on any interface you can see in your interface list, including both private and shared interfaces.
D. You can create DIPs only on sub-interfaces within your VSYS. All other DIPs need to be created by the root level VSYS admin.
Answer: A


Question: 53
When deploying AutoConnect-VPNs, which three of the following configuration elements must be configured on the hub device? (Choose three.)
A. AC-VPN Dynamic VPN
B. AC-VPN Gateway profile
C. NHRP configured as NHS
D. NHRP configured as NHC
E. NHRP enabled on tunnel interface
Answer: B, C, E

Question: 54
Click the Exhibit button. In the exhibit, what is the address of the multicast receiver?
A. 234.9.8.42
B. 192.168.10.2
C. 192.168.20.10
D. 192.168.20.200
Answer: D

Question: 55
What is the default action of a ScreenOS device when a configured screening function threshold limit has been reached?
A. Log the packet but not drop it.
B. Drop the packet and all further packets matching the attack for up to 1 minute.
C. Drop the packet and all further packets matching the attack for up to a configurable maximum of 10 seconds.
D. Drop the packet and all further packets matching the attack for the remainder of the current second plus the next second.


Answer: D

Question: 56
Click the Exhibit button. In the exhibit, the hub and spoke VPN uses route-based VPNs. What is the minimum number of policy rules required to establish full, bi-directional communications between all locations?
A. 0
B. 3
C. 4
D. 6
Answer: A

Question: 57
You have configured a secondary path for the NSRP cluster. Which type of traffic is sent over the secondary path?
A. NSRP heartbeats
B. RTO message sync
C. NSRP data packet forwarding
D. configuration sync messages
Answer: A

Question: 58
You are creating a DIP pool of 30 addresses. You would like to see how addresses are being allocated to different traffic streams. Which command will you use to view this information?
A. snoop
B. get dip all
C. get session
D. get address xlate
Answer: C


Question: 59
You need to investigate some physical layer problems. Which command will provide you with information that you can use to analyze these types of problems?
A. get counter interface e0/0
B. get counter statistics e0/0
C. get counter flow interface e0/0
D. get counter statistics interface e0/0
Answer: D

Question: 60
Click the Exhibit button. In the exhibit, which statement can be verified from the debug output?
A. Traffic is departing from the root virtual system.
B. Traffic is arriving from the virtual system CustA.
C. Traffic is departing from the virtual system CustA.
D. The matched policy is from a custom zone to a system-defined zone.
Answer: C

Question: 61
What determines which interface is the primary link in a redundant interface group?
A. the lowest MAC address
B. the highest MAC address
C. the first interface placed in the group
D. the lowest numbered interface on the device
E. the highest numbered interface on the device


Answer: C

Question: 62
Click the Exhibit button. After the commands shown in the exhibit were entered, users began reporting network performance problems. Which command would resolve this problem?
A. undebug all
B. unset filter
C. set debug optimize 8192kb
D. debug flow src-ip 10.35.29.1
Answer: A

Question: 63
Which feature minimizes OSPF routing exchanges and hello traffic over VPN links?
A. demand circuit
B. passive interface
C. point-to-multipoint interface
D. inter-area route summarization
Answer: A

Question: 64
Which statement defines maximum bandwidth?
A. The total amount of bandwidth (configured in Mbps) that can be used by a policy after guaranteed bandwidth has been serviced.
B. The total amount of bandwidth (configured in Kbps) that can be used by a policy after all guaranteed bandwidth has been serviced.
C. The additional amount of bandwidth over the guaranteed bandwidth amount (configured in Kbps) that can be used by a policy after guaranteed bandwidth has been serviced.
D. The additional amount of bandwidth over the guaranteed bandwidth amount (configured in Mbps) that can be used by a policy after guaranteed bandwidth has been serviced.
Answer: B

Question: 65
Which two methods can the ScreenOS device use to assign traffic to a VSYS? (Choose two.)


A. IP-based classification
B. policy-based classification
C. interface-based classification
D. VLAN tag-based classification
Answer: A, C

Question: 66
Click the Exhibit button. In the ScreenOS CLI output shown, which configuration step is missing?
A. set policy id 5 screen limit-session inspect
B. set zone trust screen limit-session enable
C. set zone trust screen limit-session source-ip-based
D. set interface ethernet0/1 screen limit-session inspect
Answer: C

Question: 67
What are two methods of implementing external antivirus scanning on ScreenOS devices? (Choose two.)
A. Policy-Based Routing
B. IP-Based Traffic Classification
C. VLAN-Based Traffic Classification
D. Internet Content Adaptation Protocol
Answer: A, D

Question: 68
What are three components that make up a redundant VPN configuration? (Choose three.)
A. master
B. targets
C. monitor
D. backups
E. VPN groups
Answer: B, C, E


Question: 69
Which two statements are correct when manage-ip and manager-ip settings are configured properly? (Choose two.)
A. manager-ip is configured for each zone.
B. manage-ip limits who can manage a ScreenOS device.
C. manager-ip limits who can manage a ScreenOS device.
D. manage-ip is never published nor used as a source address.
E. manage-ip changes the address used for packets sourced by the device.
Answer: C, D

Question: 70
Review the exhibit. Based on the exhibit, what is wrong with this OSPF configuration?
A. No DR has been selected.
B. OSPF hellos are going to the wrong OSPF multicast address.
C. The interface is assigned to a different area than the peer device.
D. The hello interval on our device does not match the neighbor device.
Answer: D

Question: 71
Review the exhibit. You've been asked to build a route-based hub and spoke network, with policy control for traffic travelling from spoke to spoke. Which two of the following configuration options will meet this requirement? (Choose two.)


A. Place the spoke tunnel interfaces in the trust zone and create policies on the spokes.
B. Place the spoke tunnel interfaces in the untrust zone and create policies on the spokes.
C. Create a single tunnel interface in the trust zone at the hub and enable intra-zone blocking.
D. Create separate tunnel interfaces at the hub and place them in different zones, then create policies at the hub.
Answer: B, D

Question: 72
Click the Exhibit button. In the exhibit, what are two explanations for the output shown? (Choose two.)
A. The nsp card needs reseating.
B. The routing protocol is in holddown.
C. The next hop device is failing to respond.
D. The routing table requires reconfiguration.


Answer: C, D

Question: 73
Which statement is correct about the configuration of GRE?
A. It can be enabled on any tunnel interface.
B. It can provide simple encryption by enabling a key option.
C. It can be enabled by going to the advanced AutoKey IKE options.
D. It requires matching keep-alive settings on both sides of the tunnel.
Answer: A

Question: 74
What must be configured differently for a route-based VPN and a policy-based VPN?
A. proxy-id
B. proposals
C. remote gateway type
D. binding the tunnel interface
Answer: D

Question: 75
Which of the following protocols is required in order to deploy AutoConnect-VPNs?
A. PKI
B. OSPF
C. NSRP
D. NHRP
Answer: D

Question: 76
Which item in a virtual system is shared by default?
A. trust zone in the trust-vr
B. trust zone in the untrust-vr
C. untrust zone in the trust-vr
D. untrust zone in the untrust-vr
Answer: C

Question: 77
Which three steps comprise the basic NSRP configuration? (Choose three.)
A. Adjust VSD settings.
B. Configure interfaces.
C. Establish the HA link.
D. Activate NSRP protocol.
E. Configure cluster settings.
Answer: A, C, E


Question: 78
When enabling RIP over a hub and spoke VPN, what must you configure on the hub device tunnel interface to allow spokes to receive routing updates?
A. point to multipoint
B. disable split-horizon
C. enable demand circuit
D. enable passive interface
Answer: B

Question: 79
Which description about an Active/Active configuration is accurate?
A. Both ScreenOS devices are passing traffic. If one device fails, or if a monitored interface fails, all traffic will fail over to the other device.
B. Both ScreenOS devices are operational. NSRP provides for a virtual device MAC address. If one device or port fails the other device continues the traffic flow immediately.
C. Both ScreenOS devices are turned on, but only one carries traffic. The second device listens to traffic and builds all session tables, VPN, SA, and ARP table entries to take over in event of a failure.
D. Both ScreenOS devices are passing traffic. If one device fails completely the other one will carry traffic for both devices. If a monitored interface fails the other device will carry the traffic just for that interface.
Answer: A

Question: 80
What is the maximum number of DSCP bits that can be configured for rewrite by a ScreenOS device?
A. 1
B. 3
C. 6
D. 8
Answer: C

Question: 81
Click the Exhibit button. In the exhibit, you are attempting to snoop packets destined to 10.84.57.29. The output shown is not what you expected. Which of the following commands would you enter next to work toward accomplishing your goal?


A. snoop on
B. snoop info
C. set ffilter
D. snoop ffilter
Answer: B

Question: 82
Click the Exhibit button. In the exhibit, you need to configure BGP between devices A and C in AS 65200. Which configuration, if any, will be required only on device B?


A. No configuration is required on device B.
B. You need to configure IBGP, defining devices A and C as BGP peers.
C. You need to enable OSPF and redistribute BGP routes on devices A and C.
D. You need to configure a policy permitting BGP traffic between device A and device C.
Answer: D

Question: 83
Click the Exhibit button. In the exhibit, Phase 1 negotiation is failing. Which two would be related to the problem? (Choose two.)
A. Phase 1 proposal mismatch
B. incorrect peer address set on initiator
C. incorrect peer address set on receiver
D. incorrect outgoing interface set on receiver
Answer: C, D

Question: 84
When using NSRP, which command will ensure uninterrupted communications for VPNs using certificates for authentication?
A. set hostname
B. set NSRP clustername
C. set NSRP cluster name
D. set NSRP cluster hostname

Answer: C

Question: 85
You have four policies configured for the egress interface with 10 Mbps physical bandwidth. The policies are configured as follows:
Policy 1 - Highest Priority, 2 Mbps guaranteed, 3 Mbps maximum
Policy 2 - 1st Priority, 3 Mbps guaranteed, 4 Mbps maximum
Policy 3 - 1st Priority, 3 Mbps guaranteed, 3 Mbps maximum
Policy 4 - Highest Priority, 1 Mbps guaranteed, 4 Mbps maximum
Assuming the policies are processed in the order shown, which policy will drop traffic first under a full traffic load?
A. Policy 1
B. Policy 2
C. Policy 3
D. Policy 4
Answer: A

Question: 86
Click the Exhibit button. In the exhibit, you want to enable route summarization for area 10 and advertise only the summary route. Which command will accomplish this?
A. set vrouter trust-vr protocol ospf summary-range 10.50.1.0/20
B. set vrouter trust-vr protocol ospf area 10 range 10.50.1.0/20 advertise
C. set interface e0/3 protocol ospf area 10 range 10.50.1.0/20 no-advertise
D. set vrouter trust-vr protocol ospf area 10 range 10.50.1.0/20 no-advertise
Answer: B

Question: 87
Which three HTTP components can a ScreenOS device inspect and selectively block? (Choose three.)

A. .gz files
B. .zip files
C. .exe files
D. Java applets
E. JavaScript applets
Answer: B, C, D

Question: 88
Which two are valid actions for policy-based routing? (Choose two.)
A. next hop only
B. next interface only
C. next hop gateway only
D. next hop virtual router only
Answer: A, B

Question: 89
You create a policy-based VPN, and select an address group for the source address. What will be the source component of the proxy-id seen by the remote security gateway?
A. the default 0.0.0.0/0
B. the last member of the address group
C. the first member of the address group
D. the subnet that contains all addresses in the address group
Answer: A

Question: 90
You are concerned about log entries being overwritten and would like to save this valuable information on an external system. Which three systems will work with ScreenOS devices to accomplish this goal? (Choose three.)
A. SNMP
B. WebSense
C. WebTrends
D. SYSLOG server
E. NetScreen Security Manager
Answer: C, D, E

Question: 91
During main mode negotiations a failure has occurred while using IKE certificates. Which message pair would you review to troubleshoot this failure?
A. messages 1 2
B. messages 2 3
C. messages 3 4
D. messages 5 6
Answer: D

Question: 92
What must be enabled to protect Phase 2 key exchanges?
A. Phase 1 PFS
B. Phase 2 SHA
C. Phase 2 3-DES
D. Phase 2 DH key exchange
Answer: D

Question: 93
Which three items do you need to download and install on your ScreenOS device for IKE gateways to be able to use digital certificates without OCSP? (Choose three.)
A. the CRL list
B. the SCEP list
C. a local certificate
D. the CA public key certificate
E. the CA private key certificate
Answer: A, C, D

Question: 94
Click the Exhibit button. In the exhibit, which two can be determined about the VPN? (Choose two.)
A. This is a policy-based VPN.
B. The VPN tunnel is active but the VPN monitor shows the tunnel is down.
C. The VPN is active and has 3288 more seconds until reaching its 3600 second timeout.
D. The VPN is active and has 312 more seconds until reaching its 3600 second timeout.
Answer: B, C

Question: 95
Review the exhibit. Based on the output in the exhibit, what is the router ID of the designated router?

A. 1.1.1.1
B. 10.1.3.1
C. 10.1.1.1
D. 10.1.75.1
Answer: D

Question: 96
You are using NSRP and enable preempt on a device with a priority of 120. The other device has the default priority set. What will be the result of this action?
A. The device will become master immediately.
B. The device will only become master if the device with default priority fails.
C. The device will wait the defined holdtime period and then take over as master.
D. The device will enter a pending state until the next maintenance window and then assume the master role.
Answer: B

Question: 97
As a member of a VSD group, a device may be in which two states? (Choose two.)
A. init
B. backup
C. inactive
D. passive
Answer: A, B

Question: 98
Which three VSYS features can only be created by the root administrator? (Choose three.)
A. VPNs
B. policies
C. subinterfaces
D. dedicated interfaces

E. VSYS read/write Admin
Answer: C, D, E

Question: 99
Click the Exhibit button. You have three VSYS configured with the CPU weights shown below:
VSYS-A: 20
VSYS-B: 10
VSYS-C: 10
Packets arrive in the order shown in the exhibit. The CPU is in shared mode. In which order will the packets be transmitted?
A. A B C A B C A A
B. C C B B A A A A
C. A A A A B B C C
D. A A B C A A B C
Answer: C

Question: 100
Click the Exhibit button. In the exhibit, which two must you configure on the SSG 550 to successfully establish a VPN?
A. default route
B. local-id of 1.1.2.5
C. peer-id of 1.1.1.10
D. tunnel interface associated with VLAN1
Answer: A, C

Question: 101
Click the Exhibit button. Users are having difficulties reaching 10.1.1.25. You execute a get route command and find the results shown in the exhibit. What can you determine from this routing table?

A. The problem is probably at the next hop.
B. A gateway must be assigned to ethernet0/1.
C. The preference on route ID 2 must be configured to a higher value.
D. The ethernet0/1 physical link may be down and needs troubleshooting.
Answer: D

Question: 102
Which ScreenOS CLI command is necessary for configuring IGMP on interface ethernet0/1?
A. set igmp interface ethernet0/1
B. set multicast interface ethernet0/1
C. set interface ethernet0/1 igmp router
D. set igmp interface ethernet0/1 enable
Answer: C

Question: 103
You have entered the command
set ffilter src-ip 1.1.7.250 dst-ip 10.1.10.5 ip-prot 6
What will be the resulting output in the debug for which this was created?
A. If the packet has a src-ip of 1.1.7.250 or a dst-ip of 10.1.10.5 or has TCP as its protocol then it will be captured
B. If the packet has a src-ip of 1.1.7.250 or a dst-ip of 10.1.10.5 or has UDP as its protocol then it will be captured
C. If the packet has a src-ip of 1.1.7.250 and a dst-ip of 10.1.10.5 and has TCP as its protocol then it will be captured
D. If the packet has a src-ip of 1.1.7.250 and a dst-ip of 10.1.10.5 and has UDP as its protocol then it will be captured
Answer: C

Question: 104
Which three elements are required to configure route redistribution on a ScreenOS device? (Choose three.)

A. a filter map
B. a route map
C. an export rule
D. an access list
E. a redistribution list
Answer: B, C, D

Question: 105
You have created a virtual router called VSYSA-vr and made it shareable. You then create the VSYS using the WebUI, telling it to use an existing VR and selecting the VR called VSYSA-vr. What is the status of the virtual router after you create the VSYS?
A. The router will be the default router but will no longer be shared.
B. The router will be the default router and will still have a shareable status.
C. The system will not let you use a shared virtual router when you create a new VSYS. The initial virtual router must be private.
D. The system will not create a private vr for the VSYS but will assign the untrust-vr as the default router. The shared virtual router will not be the default router.
Answer: B

Question: 106
You enter the following commands:
snoop filter ip dst-ip 1.1.1.10
snoop filter ip src-ip 2.1.1.10
What is the net result of these settings?
A. Only packets with both a dst-ip of 1.1.1.10 and a src-ip of 2.1.1.10 will be captured
B. Packets that have either a dst-ip of 1.1.1.10 or packets with a src-ip of 2.1.1.10 will be captured
C. The second command will be ignored since a second filter cannot be added until the first one has been deleted
D. The second command you entered will overwrite the first command you entered so you will only capture traffic with a src-ip of 2.1.1.10
Answer: B

Question: 107
Which two components are required to implement ScreenOS deep inspection? (Choose two.)
A. policy statements
B. signature database
C. IDP action statement
D. service book group entries
Answer: A, B

Question: 108
You have configured NSRP so that session state messages are sent to the backup device. A session is about to timeout on the backup device. Which statement most correctly describes what happens next?
A. The backup device sends a session sync query message to the primary.

B. The master device sends a session disconnect message to the backup device.
C. The session times out with no action from either the backup device or the primary device.
D. The primary sends a reset timer message to the backup with a time value of 8 times the protocol timeout value.
Answer: A

Question: 109
Which two statements are correct regarding NHTB? (Choose two.)
A. The NHTB table can be viewed with the command get nhtb.
B. The NHTB table can be viewed with the command get interface <tunnel interface>.
C. The NHTB table can be viewed with the command get interface <physical interface>.
D. NHTB is enabled automatically when multiple VPNs are bound to a single tunnel interface.
Answer: B, D

Question: 110
You have configured NSRP Active/Passive using the default vsd-group. You are using OSPF to learn routes from adjacent network devices. Which configuration is required to ensure the dynamic routes are available on both the devices?
A. Dynamic routes are RTO objects; no additional configuration is required.
B. You have to unset nsrp vsd-group id 0 and configure OSPF on the local interfaces of the master device only.
C. You have to configure OSPF on the VSI interfaces. All dynamic routes learned on the VSI will be synced to the backup.
D. You have to unset nsrp vsd-group id 0 and set nsrp vsd-group id 1 for the VSI interface, then configure OSPF on the local interfaces on both the devices.
Answer: D

Question: 111
When configuring ScreenOS, which three are OSPF area types? (Choose three.)
A. stub
B. virtual
C. normal
D. ordinary
E. not-so-stubby
Answer: A, C, E

Question: 112
Which CLI command identifies the multicast sources visible to your ScreenOS device?
A. get route pim
B. get igmp source all
C. exec pim interface all query
D. get vrouter trust-vr protocol pim
Answer: D

Question: 113
Click the Exhibit button.

In the exhibit, you need to provide communication from the hosts connected to the SSG 5 to the servers connected to the SSG 550 using a VPN, but the sites use the same RFC1918 address space. Which three configuration elements will allow this communication? (Choose three.)
A. Configure a DIP on e0/0 on the SSG 5.
B. Configure a policy from trust to untrust on the SSG 5.
C. Configure a DIP on the tunnel interface on the SSG 5.
D. Configure a policy from trust to untrust on the SSG 550 using a MIP.
E. Configure a policy from untrust to trust on the SSG 550 using a MIP.
Answer: B, C, E

Question: 114
What is the default number of equal-cost routes that are used by a ScreenOS device?
A. 1
B. 2
C. 3
D. 4
Answer: A

Question: 115
A VPN tunnel that uses a CA certificate has failed Phase 1 negotiations. The peer's certificate has been rejected. What would be causing this problem?
A. The CA certificate is not synced with the NTP server.
B. One of the peering devices is not synced with the NTP server.
C. The device certificates were generated before the CRL was downloaded, thus making them invalid.
D. The CRL has been downloaded, but the certificates have a CDP extension, thus making them invalid.
Answer: B

Question: 116
What are the three building blocks to create a PBR policy? (Choose three.)
A. action groups
B. match groups
C. session groups

D. extended access lists
E. extended access groups
Answer: A, B, D

Question: 117
What will happen if you type the command unset protocol vrouter trust-vr protocol ospf?
A. OSPF stops running, but the OSPF configuration is left intact.
B. All OSPF configuration parameters are removed from the vrouter only.
C. All OSPF configuration parameters are removed from all interfaces in the vrouter.
D. All OSPF configuration parameters are removed from the vrouter and from all interfaces in the vrouter.
Answer: D

Question: 118
You have entered the following configuration.
set vrouter untrust-vr source 1.1.10.0/24 interface tunnel.1 gateway 1.1.1.1
Your source-based route is not working. What is the problem?
A. You cannot use source-based routing with VPNs.
B. You have not specified a metric for the source-based route.
C. You cannot configure source-based routes in the untrust-vr.
D. You have not enabled source-based routing in the untrust-vr.
Answer: D

Question: 119
Which three OSPF parameters are interface parameters? (Choose three.)
A. cost
B. priority
C. neighbor list
D. summarization
E. advertise default route
Answer: A, B, C

Question: 120
You have configured set nsrp vsd-group master-always-exist on your ScreenOS device. What does this do?
A. The NSRP protocol will not initialize without a master.
B. This device will always be master in the NSRP cluster.
C. There will always be a master device in the NSRP cluster.
D. The vsd-group will always be homed to the master in the NSRP cluster.
Answer: C

Question: 121
You have entered the following OSPF configuration:
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf area 10
set interface e0/0 protocol ospf area 10

set interface e0/0 protocol ospf enable
set interface e0/1 protocol ospf area 10
set interface e0/1 protocol ospf enable
OSPF is not working. What is missing from your configuration?
A. You have not assigned any interfaces to area 0.
B. You have not enabled OSPF on the virtual router.
C. You have not set the costs on the OSPF interfaces.
D. You have not configured OSPF neighbors on the interfaces.
Answer: B

Question: 122
Click the Exhibit button. In the exhibit, what can be determined using the ScreenOS CLI output?
A. This firewall is in an NSRP-lite pair.
B. This firewall is in an Active/Active NSRP pair.
C. This firewall is isolated from its NSRP partner.
D. This firewall is in an Active/Passive NSRP pair.
Answer: D

Question: 123
Which three ways can a ScreenOS device be administered by a direct secure connection using default ports? (Choose three.)
A. Console
B. TCP port 22
C. TCP port 23
D. TCP port 80
E. TCP port 443
Answer: A, B, E

Question: 124
Which statement is correct when using GRE in combination with IPSec?
A. GRE improves the efficiency of IPSec packet handling.
B. GRE allows ScreenOS devices to encapsulate IPX traffic over IPSec.
C. GRE encapsulates IPSec headers to provide legacy support with some VPN vendors.
D. GRE encapsulation is processed in software, while IPSec is processed in hardware.
Answer: D

Question: 125
Which ScreenOS CLI commands would match the 10.35.89.0/24 subnet for route redistribution?
A. set access-list 20 permit ip 10.35.89.0/24 10 set route-map name harry permit 5 set match ip 20
B. set access-list 5 permit 10.35.89.0 0.0.0.255 set route-map harry permit 10 set match ip address 5
C. set address Trust harry 10.35.89.0 255.255.255.0 set distribution-list harrylist 1 set address harry
D. set address Trust harry 10.35.89.0 255.255.255.0 set route-map harry permit 10 set ospf export harry
Answer: A

Question: 126
You want to create a subinterface in VSYS A. Which two actions are required? (Choose two.)
A. Import the subinterface.
B. Login as root level admin.
C. Login as a VSYS level admin.
D. Create the subinterface at the root VSYS.
E. Create the subinterface at the VSYS level.
Answer: B, E

Question: 127
Click the Exhibit button. In the exhibit, which two statements can be verified from the debug output? (Choose two.)

A. The routing decision used the default route.
B. Traffic is arriving from the virtual system CustA.
C. Traffic is departing using the root virtual system.
D. The matched policy is from a custom zone to a system-defined zone.
Answer: B, D

Question: 128
Which of the following is true about the ScreenOS SNMP implementation?
A. ScreenOS supports SNMP v1 or v2c on a per-SNMP server basis.
B. You can set traps on a per-community-string basis.
C. ScreenOS supports only two communities: public and private.
D. You can include traffic alarms on a per-SNMP server basis.
Answer: A

Question: 129
You suspect that there has been an increase in the number of multiple user authentication failures. In the logs, which severity level would you search to see this event?
A. Alert
B. Critical
C. Warning
D. Notifications
Answer: A

Question: 130
Click the Exhibit button. In the exhibit, the route-based VPN on the SSG 5 needs to be configured to allow access from your PC to Server G at corporate. Corporate has a policy-based VPN set up from Server G to only your PC's address. Assume the gateways are static. Which proxy-id must be configured?

A. Local: 10.0.0.5/24 Remote: 20.0.0.5/24
B. Local: 10.0.0.5/32 Remote: 20.0.0.5/32
C. Local: 1.1.1.250/32 Remote: 4.4.4.250/32
D. Local: 1.1.1.250/24 Remote: 4.4.4.250/24
Answer: B

Question: 131
Click the Exhibit button. In the exhibit, the hub and spoke VPN uses route-based VPNs and has intra-zone blocking enabled on the Evil zone. What is the minimum number of policy rules required to establish full, bi-directional communications between all locations?
A. 3
B. 4
C. 6
D. 7
Answer: D

Question: 132
Which ScreenOS configuration element will influence the application of SCREENs to traffic passing through the device?
A. policy

B. zones
C. routing
D. interfaces
Answer: B

Question: 133
Click the Exhibit button. You are troubleshooting a problem with traffic passing through the ScreenOS device. You run debug flow basic and get the results in the exhibit. Why was the packet dropped?
A. The packet was dropped because of the implicit deny at the end of the policy set.
B. The packet was dropped because a global policy was configured to deny the traffic.
C. There is not enough detail in the output to know exactly what part of the policy dropped the packet.
D. The packet was dropped because it was explicitly denied by the policy between zones 1002 and 1000.
Answer: A

Question: 134
Which policy action is needed to add deep inspection to a policy?
A. reject
B. detect
C. permit
D. inspect
Answer: C

Question: 135
You have four policies configured for the egress interface with 10 Mbps physical bandwidth. The policies are configured as follows:
Policy 1 - Highest Priority, 1 Mbps guaranteed, 3 Mbps maximum
Policy 2 - 1st Priority, 1 Mbps guaranteed, 4 Mbps maximum
Policy 3 - 1st Priority, 2 Mbps guaranteed, 2 Mbps maximum

Policy 4 - Highest Priority, 2 Mbps guaranteed, 4 Mbps maximum
Assuming the policies are processed in the order shown, which policy will drop traffic first under a full load?
A. Policy 1
B. Policy 2
C. Policy 3
D. Policy 4
Answer: D

Question: 136
Your ScreenOS device has come under a SYN flood attack. In the logs, which severity level would you search to see this event?
A. Alert
B. Critical
C. Warning
D. Emergency
Answer: D

Question: 137
Which two of the following statements regarding ScreenOS antivirus functionality are true? (Choose two.)
A. ICAP-based external scanning requires an AV profile.
B. External scanning requires a Trend Micro antivirus scanner.
C. Embedded scanning can be based on file extension and content type.
D. You can use policy-based routing to implement AV in a high-performance environment.
Answer: C, D

Question: 138
You have created a NAT-src policy that runs between the Private zone and the Public zone. When looking at a session in debug output, the translated address is not what you expected. What are two explanations? (Choose two.)
A. A VIP defined on the egress interface is overriding your NAT.
B. A MIP defined on the egress interface is overriding your NAT.
C. Your source IP address is outside the range of your IP shift pool.
D. The source interface is in NAT mode overriding your NAT-src policy.
Answer: B, C

Question: 139
Click the Exhibit button. In the exhibit, the firewall administrator at the Storefront is complaining that when the communication to the DataCenter1 fails, the preexisting transfers and applications are dropped when the traffic is switched to DataCenter2. Which statement explains this behavior?

A. SYN checking is enabled in the tunnel.
B. The weight value for the DataCenter2 is too high.
C. VPN monitor is misconfigured in the DataCenter2.
D. Phase 1 and Phase 2 negotiations to DataCenter2 did not occur on time.
Answer: A

Question: 140
You suspect you are having encryption problems with an IKE VPN. Which two commands would help you determine if it is an encryption issue? (Choose two.)
A. get counter screen <zone>
B. get counter flow interface <name>
C. get counter policy <policy number>
D. get counter statistics interface <name>
Answer: B, D

Question: 141
Click the Exhibit button. In the exhibit, you want to enable route summarization for external routes and advertise only the summary route. Which command will accomplish this?

A. set interface e0/2 protocol ospf summary-import 10.50.1.0/20
B. set vrouter trust-vr protocol ospf summary-range 10.50.1.0/20
C. set vrouter trust-vr protocol ospf summary-import ip 10.50.1.0/20
D. set vrouter trust-vr protocol ospf summary-import 10.50.1.0/20 no-advertise
Answer: C

Question: 142
If you configure 5 Mbps of guaranteed bandwidth for a policy, and you have 10 sessions created for that policy, how much bandwidth is reserved for each session?
A. 5 Mbps
B. .5 Mbps
C. 50 Mbps
D. 10 Mbps
Answer: A

Question: 143
Click the Exhibit button. Using the ScreenOS CLI output in the exhibit, which statement can be confirmed?

A. There have been 3,583 unique hosts that have exceeded the source IP address session limit.
B. There have been 3,583 packets from hosts that have exceeded the source IP address session limit.
C. There have been 3,583 session limits configured for source IP addresses on this ScreenOS device.
D. There have been 3,583 violations of the source IP address license limitations on this ScreenOS device.
Answer: B

Question: 144
Click the Exhibit button. Review the exhibit. Track-ip has failed on the device, but the device did not fail over to the second unit in the cluster. Why has failover not occurred?
A. The physical interfaces have not failed.
B. The track-ip interval is not sufficient to cause failover.
C. The track-ip address weight is not sufficient to cause failover.
D. The track-ip address threshold is not sufficient to cause failover.
Answer: C

Question: 145
You have configured NSRP Active/Active with vsd-group 0 as master on device A and vsd-group 1 as master on device B. Both the devices are active and are masters for their respective VSDs. What will happen to the traffic for vsd-group 1 if received on device A?
A. The traffic will be dropped on device A.
B. The traffic will be handled locally on device A.
C. The traffic will be forwarded to device B over the HA link.
D. Device A will inform the sender to re-direct traffic to device B.
Answer: C

Question: 146
Which command will show address translation for sessions that have ended?
A. snoop
B. get session
C. get log traffic
D. get dbuf stream
Answer: C

End of Document

