Juniper JN0-633

Security, Professional (JNCIP-SEC) Version: 8.0 [ Total Questions: 175 ] Juniper JN0-633 : Practice Test

(Page 1 out of 12)
Showing 15 of 175 Questions
Exam Version: 1, VPN: vpn-1 Gateway: gate-1, Local:
Question No : 1 -

Where does the AppSecure suite of functions occur in the security flow process on an SRX
Series device?

  • A. services
  • B. security policy
  • C. NAT
  • D. session initiation

Answer : A



Question No : 2 -

Click the Exhibit button.
-- Exhibit (image not included) --
You must configure two SRX devices to enable bidirectional communications between the
two networks shown in the exhibit. You have been allocated the 172.16.1.0/24 and
172.16.2.0/24 networks to use for this purpose.
Which configuration will accomplish this task?

  • A. Use an IPsec VPN to connect the two networks and hide the addresses from the Internet.
  • B. Using destination NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and translate traffic destined to 172.16.2.0/24 to Site2's addresses.
  • C. Using source NAT, translate traffic from Site1's addresses to 172.16.1.0/24, and translate traffic from Site2's addresses to 172.16.2.0/24.
  • D. Using static NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and translate traffic destined to 172.16.2.0/24 to Site2's addresses.

Answer : D

Explanation: To examine bidirectional communication you need multiple packet filters, one for each direction.

Reference: http://my.safaribooksonline.com/book/networking/junos/9781449381721/security-policy/troubleshooting_security_policy_and_traf



Question No : 3 -

Somebody has inadvertently configured several security policies with application firewall
rule sets on an SRX device. These security policies are now dropping traffic that should be
allowed. You must find and remove the application firewall rule sets that are associated
with these policies. Which two commands allow you to view these associations? (Choose
two.)

  • A. show security policies
  • B. show services application-identification application-system-cache
  • C. show security application-firewall rule-set all
  • D. show security policies application-firewall

Answer : A,D

Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/application-firewall-configuring.html



Question No : 4 -

You are working as a security administrator and must configure a solution to protect
against distributed botnet attacks on your company's central SRX cluster.
How would you accomplish this goal?

  • A. Configure AppTrack to inspect and drop traffic from the malicious hosts.
  • B. Configure AppQoS to block the malicious hosts.
  • C. Configure AppDoS to rate limit connections from the malicious hosts.
  • D. Configure AppID with a custom application to block traffic from the malicious hosts.

Answer : C

Reference: Page No 2 Figure 1 http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf



Question No : 5 -

Click the Exhibit button.
Referring to the exhibit, you must send traffic from Host-1 to Host-2. These two hosts can
only communicate with IPv4.
Which feature would you use to permit communication between Host-1 and Host-2?

  • A. 6rd
  • B. DS-Lite
  • C. NAT46
  • D. NAT444

Answer : B



Question No : 6 -

Which statement is true regarding the dynamic VPN feature for Junos devices?

  • A. Only route-based VPNs are supported.
  • B. Aggressive mode is not supported.
  • C. Preshared keys for Phase 1 must be used.
  • D. It is supported on all SRX devices.

Answer : C

Reference: http://www.juniper.net/techpubs/en_US/junos12.1x45/information-products/pathway-pages/security/security-vpn-dynamic.pdf



Question No : 7 -

You must ensure that your Layer 2 traffic is secured on your SRX Series device in
transparent mode.
What must be considered when accomplishing this task?

  • A. Layer 2 interfaces must use the ethernet-switching protocol family.
  • B. Security policies are not supported when operating in transparent mode.
  • C. Screens are not supported in your security zones with transparent mode.
  • D. You must reboot your device after configuring transparent mode.

Answer : D



Question No : 8 -

You have recently deployed a dynamic VPN. Some remote users are complaining that they
cannot authenticate through the SRX device at the corporate network. The SRX device
serves as the tunnel endpoint for the dynamic VPN. What are two reasons for this
problem? (Choose two.)

  • A. The supported number of users has been exceeded for the applied license.
  • B. The users are connecting to the portal using Windows Vista.
  • C. The SRX device does not have the required user account definitions.
  • D. The SRX device does not have the required access profile definitions.

Answer : A,D

Reference: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/syslog-messages/index.html?jd0e28566.html
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16477



Question No : 9 -

You want to create a custom IDP signature for a new HTTP attack on your SRX device.
You have the exact string that identifies the attack. Which two additional elements do you
need to define your custom signature? (Choose two.)

  • A. service context
  • B. protocol number
  • C. direction
  • D. source IP address of the attacker

Answer : A,C

Reference: http://rtoodtoo.net/2011/09/22/how-to-write-srx-idp-custom-attacksignature/



Question No : 10 -

Your company is providing multi-tenant security services on an SRX5800 cluster. You have
been asked to create a new logical system (LSYS) for a customer. The customer must be
able to access and manage new resources within their LSYS.
How do you accomplish this goal?

  • A. Create the new LSYS, allocate resources, and then create the user administrator role so that the customer can manage their allocated resources.
  • B. Create the new LSYS, and then create the user administrator role so that the customer can allocate and manage resources.
  • C. Create the new LSYS, and then create the master administrator role for the LSYS so that the customer can allocate and manage resources.
  • D. Create the new LSYS, then request the required resources from the customer, and create the required resources.

Answer : A

Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/logical-system-security-user-lsys-overview-configuring.html



Question No : 11 -

Click the Exhibit button.
-- Exhibit --
[edit security]
user@srx# show idp
application-ddos Webserver {
    service http;
    connection-rate-threshold 1000;
    context http-get-url {
        hit-rate-threshold 60000;
        value-hit-rate-threshold 30000;
        time-binding-count 10;
        time-binding-period 25;
    }
}
-- Exhibit --
You are using AppDoS to protect your network against a bot attack, but noticed an
approved application has falsely triggered the configured IDP action of drop. You adjusted
your AppDoS configuration as shown in the exhibit. However, the approved traffic is still
dropped.
What are two reasons for this behavior? (Choose two.)

  • A. The approved traffic results in 50,000 HTTP GET requests per minute.
  • B. The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.
  • C. The active IDP policy has not been defined in the security configuration.
  • D. The IDP action is still in effect due to the timeout configuration.

Answer : A,D

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-protection-overview.html
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-proctecting-against.html#appddos-proctecting-against



Question No : 12 -

You configured a custom signature attack object to match specific components of an
attack:
HTTP-request
Pattern .*\x90 90 90 90
Direction: client-to-server
Which client traffic would be identified as an attack?

  • A. HTTP GET .*\x90 90 90 … 90
  • B. HTTP POST .*\x90 90 90 … 90
  • C. HTTP GET .*x909090 … 90
  • D. HTTP POST .*x909090 … 90

Answer : A

Reference: http://www.juniper.net/techpubs/en_US//idp/topics/task/configuration/intrusion-detection-prevention-signature-attack-object-creating-nsm.html



Question No : 13 -

Click the Exhibit button.
user@host> show interfaces routing-instance all ge* terse
Interface        Admin Link Proto  Local               Instance
ge-0/0/0.0       up    up   inet   172.16.12.205/24    default
ge-0/0/1.0       up    up   inet   5.0.0.5/24
                            iso                        A
ge-0/0/2.0       up    up   inet   25.0.0.5/24
                            iso                        B

user@host> show security flow session
Session ID: 82274, Policy name: default-policy-00/2, Timeout: 1770, Valid
  In: 5.0.0.25/61935 --> 25.0.0.25/23;tcp, If: ge-0/0/1.0, Pkts: 31, Bytes: 1781
  Out: 25.0.0.25/23 --> 5.0.0.25/61935;tcp, If: ge-0/0/2.0, Pkts: 23, Bytes: 1452
Total sessions: 3

user@host> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 04:08:52
                    > to 172.16.12.1 via ge-0/0/0.0
172.16.12.0/24     *[Direct/0] 04:08:52
                      via ge-0/0/0.0
172.16.12.205/32   *[Local/0] 4w4d 23:04:29
                      Local via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 14:37:35, metric 1
                      MultiRecv

  • A. inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    5.0.0.0/24 5 *[Direct/0] 00:05:04
    > via ge-0/0/1.0
    5.0.0.5/32 *[Local/0] 00:05:04
    Local via ge-0/0/1.0
    25.0.0.0/24 *[Direct/0] 00:02:37
    > via ge-0/0/2.0
  • B. inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    5.0.0.25/32 *[Static/5] 00:02:38
    to table A.inet.0
    25.0.0.0/24 *[Direct/0] 00:02:37
    > via ge-0/0/2.0
    25.0.0.5/32 *[Local/0] 00:02:37
    Local via ge-0/0/2.0
    Which statement is true about the outputs shown in the exhibit?
  • C. The routing instances A and B are connected using an lt interface.
  • D. Routing instance A’s routes are shared with routing instance B.
  • E. Routing instance B’s routes are shared with routing instance A.
  • F. The routing instances A and B are connected using a vt interface.

Answer : C



Question No : 14 -

Microsoft has altered the way their Web-based Hotmail application works. You want to
update your application firewall policy to correctly identify the altered Hotmail application.
Which two steps must you take to modify the application? (Choose two.)

  • A. user@srx> request services application-identification application copy junos:HOTMAIL
  • B. user@srx> request services application-identification application enable junos:HOTMAIL
  • C. user@srx# edit services custom application-identification my:HOTMAIL
  • D. user@srx# edit services application-identification my:HOTMAIL

Answer : A,D

Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-summary/request-services-application-identification-application.html



Question No : 15 -

Click the Exhibit button.
-- Exhibit (image not included) --
Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent
issues with their connection.
Referring to the exhibit, what is the problem?

  • A. The tunnel is down due to a configuration change.
  • B. The do-not-fragment bit is copied to the tunnel header.
  • C. The MSS option on the SYN packet is set to 1300.
  • D. The TCP SYN check option is disabled for tunnel traffic.

Answer : B


