Ensurepass

Juniper Enterprise Content Management Sales Mastery Test v3

 

QUESTION 71

Which QoS function is supported in transparent mode?

 

A.

802.1p

B.

DSCP

C.

IP precedence

D.

MPLS EXP

 

Correct Answer: A

Explanation:

http://chimera.labs.oreilly.com/books/1234000001633/ch06.html

 

 

QUESTION 72

You are asked to configure class of service (CoS) on an SRX device running in transparent mode. Which command would you use?

 

A.

set interfaces ge-0/0/0 unit 0 classifiers dscp priority-app

B.

set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp priority-app

C.

set class-of-service interfaces ge-0/0/0 unit 0 classifiers ieee-802.1 priority-app

D.

set interfaces ge-0/0/0 unit 0 classifiers inet-precedence priority-app

 

Correct Answer: C

Explanation:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23234

 

 

QUESTION 73

A security administrator has configured an IPsec tunnel between two SRX devices. The devices are configured with OSPF on the st0 interface and an external interface destined to the IPsec endpoint. The adminstrator notes that the IPsec tunnel and OSPF adjacency keep going up and down. Which action would resolve this issue?

 

A.

Create a firewall filter on the st0 interface to permit IP protocol 89.

B.

Configure the IPsec tunnel to accept multicast traffic.

C.

Create a /32 static route to the IPsec endpoint through the external interface.

D.

Increase the OSPF metric of the external interface.

 

Correct Answer: C

Explanation:

http://packetsneverlie.blogspot.in/2013/03/route-based-ipsec-vpn-with-ospf.html

 

 

QUESTION 74

You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s. Regarding this scenario, which two statements are true? (Choose two.)

 

A.

You must enable data plane logging on the SRX240 devices to generate security policy logs.

B.

You must enable data plane logging on the SRX5600 devices to generate security policy logs.

C.

IKE logs are written to the kmd log file by default.

D.

IPsec logs are written to the kmd log file by default.

 

Correct Answer: BD

Explanation:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506

http://www.google.co.in/url?sa=t&rct=j&q=IKE%20logs%20are%20written%20to%20the%20kmd% 20log%20file%20by%20default&source=web&cd=2&ved=0CC8QFjAB&url=http%3A%2F%2Fwww .juniper.net%2Fus%2Fen%2Flocal%2Fpdf%2Fapp-notes%2F3500175-en.pdf&ei=SNHzUZntEcaPrQfnpICYDQ&usg=AFQjCNGb-rMrVcm6cqqBLWDif54CaCTrrw

 

 

QUESTION 75

You are troubleshooting an IPsec session and see the following IPsec security associations:

 

ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys

 

< 192.168.224.1 500 ESP:aes-256/sha1 d6393645 26/ unlim – 0

 

> 192.168.224.1 500 ESP:aes-256/sha1 153ec235 26/ unlim – 0

 

< 192.168.224.1 500 ESP:aes-256/sha1 f9a2db9a 3011/ unlim – 0

 

> 192.168.224.1 500 ESP:aes-256/sha1 153ec236 3011/ unlim – 0

 

What are two reasons for this behavior? (Choose two.)

 

A.

Both peers are trying to establish IKE Phase 1 but are not successful.

B.

Both peers have established SAs with one another, resulting in two IPsec tunnels.

C.

The lifetime of the Phase 2 negotiation is close to expiration.

D.

Both peers have establish-tunnels immediately configured.

 

Correct Answer: CD

Explanation:

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/show-security-ipsec-security-associations.html

 

 

QUESTION 76

HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?

 

A.

[edit security flow]

user@srx# show

traceoptions {

file dump;

flag basic-datapath;

}

B.

[edit security]

user@srx# show

application-tracking {

enable;

}

flow {

traceoptions {

file dump;

flag basic-datapath;

}

}

C.

[edit firewall filter capture term one]

user@srx# show

from {

source-address {

1.1.1.1;

}

destination-address {

2.2.2.2;

}

protocol tcp;

}

then {

port-mirror;

accept;

}

D.

[edit firewall filter capture term one]

user@srx# show

from {

source-address {

1.1.1.1;

}

destination-address {

2.2.2.2;

}

protocol tcp;

}

then {

sample;

accept;

}

 

Correct Answer: D

Explanation:

http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/

 

 

QUESTION 77

You are troubleshooting an SRX240 acting as a NAT translator for transit traffic. Traffic is dropping at the SRX240 in your network. Which three tools would you use to troubleshoot the issue? (Choose three.)

 

A.

security flow traceoptions

B.

monitor interface traffic

C.

show security flow session

D.

monitor traffic interface

E.

debug flow basic

 

Correct Answer: ABC

Explanation:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

 

 

 

QUESTION 78

Somebody has inadvertently configured several security policies with application firewall rule sets on an SRX device. These security policies are now dropping traffic that should be allowed. You must find and remove the application firewall rule sets that are associated with these policies. Which two commands allow you to view these associations? (Choose two.)

 

A.

show security policies

B.

show services application-identification application-system-cache

C.

show security application-firewall rule-set all

D.

show security policies application-firewall

 

Correct Answer: AD

Explanation:

http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/application-firewall-configuring.html

 

 

QUESTION 79

Click the Exhibit button.

 

— Exhibit —

 

[edit security]

 

user@srx# show idp

 

 

application-ddos Webserver {

 

service http;

 

connection-rate-threshold 1000;

 

context http-get-url {

 

hit-rate-threshold 60000;

 

value-hit-rate-threshold 30000;

 

time-binding-count 10;

 

time-binding-period 25;

 

}

 

}

 

— Exhibit —

 

You are using AppDoS to protect your network against a bot attack, but noticed an approved application has falsely triggered the configured IDP action of drop. You adjusted your AppDoS configuration as shown in the exhibit. However, the approved traffic is still dropped.

 

What are two reasons for this behavior? (Choose two.)

A.

The approved traffic results in 50,000 HTTP GET requests per minute.

B.

The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.

C.

The active IDP policy has not been defined in the security configuration.

D.

The IDP action is still in effect due to the timeout configuration.

 

Correct Answer: AD

Explanation:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos- security-swconfig-security/appddos-protection-overview.html

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-proctecting-against.html#appddos-proctecting-against

 

 

QUESTION 80

Click the Exhibit button. Referring to the exhibit, AppTrack is only logging the session closure messages for sessions that last 1 to 3 minutes. What is causing this behavior?

 

clip_image002

 

A.

AppTrack is not properly configured under the [edit security application-tracking] hierarchy.

B.

AppTrack only generates session update messages.

C.

AppTrack only generates session closure messages.


D.

AppTrack generates other messages only when the update interval is surpassed.

 

Correct Answer: D

Explanation:

http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45952.html

 

Free VCE & PDF File for Juniper JN0-633 Real Exam

Instant Access to Free VCE Files: CompTIA | VMware | SAP …
Instant Access to Free PDF Files: CompTIA | VMware | SAP …

Comments are closed.