Which two VPN features are supported with CoS-based IPsec VPNs? (Choose two.)
- A . IKEv2
- B . VPN monitoring
- C . dead peer detection
- D . IKEv1
A,C
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/secuirty-cos-based-ipsec-vpns.html
According to the log shown in the exhibit, you notice the IPsec session is not establishing.
What is the reason for this behavior?
- A . Mismatched proxy ID
- B . Mismatched peer ID
- C . Mismatched preshared key
- D . Incorrect peer address.
B
Explanation: https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/policy-based-vpn-using-j-series-srxseries-device-configuring.html
Exhibit.
Referring to the exhibit, a spoke member of an ADVPN is not functioning correctly.
Which two commands will solve this problem? (Choose two.)
- A . [edit interfaces]
  user@srx# delete st0.0 multipoint
- B . [edit security ike gateway advpn-gateway]
  user@srx# delete advpn partner
- C . [edit security ike gateway advpn-gateway]
  user@srx# set version v1-only
- D . [edit security ike gateway advpn-gateway]
  user@srx# set advpn suggester disable
B,D
Explanation: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html
In which two ways are tenant systems different from logical systems? (Choose two.)
- A . Tenant systems have higher scalability than logical systems
- B . Tenant systems have less scalability than logical systems
- C . Tenant systems have fewer routing features than logical systems
- D . Tenant systems have more routing features than logical systems
A,C
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/tenant-systems-overview.html#:~:text=Although%20similar%20to%20logical%20systems,administrative%20domain%20for%20security%20services
You must troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX340s and SRX5600s.
In this scenario, which two statements are true? (Choose two.)
- A . IPsec logs are written to the kmd log file by default
- B . IKE logs are written to the messages log file by default
- C . You must enable data plane logging on the SRX340 devices to generate security policy logs
- D . You must enable data plane logging on the SRX5600 devices to generate security policy logs
Exhibit.
Referring to the exhibit, which two statements are true? (Choose two.)
- A . Juniper Networks will not investigate false positives generated by this custom feed.
- B . The custom infected hosts feed will not overwrite the Sky ATP infected host’s feed.
- C . The custom infected hosts feed will overwrite the Sky ATP infected host’s feed.
- D . Juniper Networks will investigate false positives generated by this custom feed.
A,C
Explanation: https://www.juniper.net/documentation/en_US/junos-space18.1/policy-enforcer/topics/task/configuration/junos-space-policyenforcer-custom-feeds-infected-host-configure.html
Click the Exhibit button.
A user is trying to reach a company’s website, but the connection errors out. The security policies are configured correctly.
Referring to the exhibit, what is the problem?
- A . Persistent NAT must be enabled
- B . The action for rule 1 must change to static-nat inet
- C . DNS ALG must be disabled
- D . Static NAT is missing a rule for DNS server
You are asked to configure an IPsec VPN between two SRX Series devices that allows for processing of CoS on the intermediate routers.
What will satisfy this requirement?
- A . route-based VPN
- B . OpenVPN
- C . remote access VPN
- D . policy-based VPN
A
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/secuirty-cos-based-ipsec-vpns.html
You have designed the firewall filter shown in the exhibit to limit SSH control traffic to your SRX Series device without affecting other traffic.
Which two statements are true in this scenario? (Choose two.)
- A . The filter should be applied as an output filter on the loopback interface.
- B . Applying the filter will achieve the desired result.
- C . Applying the filter will not achieve the desired result.
- D . The filter should be applied as an input filter on the loopback interface.
C,D
Explanation: https://www.juniper.net/documentation//en_US/junos/topics/concept/firewall-filter-ex-series-evaluation-understanding.html
You are asked to configure a new SRX Series CPE device at a remote office. The device must participate in forwarding MPLS and IPsec traffic.
Which two statements are true regarding this implementation? (Choose two.)
- A . Host inbound traffic must not be processed by the flow module
- B . Host inbound traffic must be processed by the flow module
- C . The SRX Series device can process both MPLS and IPsec with default traffic handling
- D . A firewall filter must be configured to enable packet mode forwarding
A,D
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-packet-based-forwarding.html
You have noticed a high number of TCP-based attacks directed toward your primary edge device. You are asked to configure the IDP feature on your SRX Series device to block this attack.
Which two IDP attack objects would you configure to solve this problem? (Choose two.)
- A . Network
- B . Signature
- C . Protocol anomaly
- D . host
Click the Exhibit button.
You have configured tenant systems on your SRX Series device.
Referring to the exhibit, which two actions should you take to facilitate inter-TSYS communication? (Choose two.)
- A . Place the logical tunnel interfaces in a virtual router routing instance in the interconnect switch
- B . Place the logical tunnel interfaces in a VPLS routing instance in the interconnect switch
- C . Connect each TSYS with the interconnect switch by configuring INET configured logical tunnel interfaces in the interconnect switch
- D . Connect each TSYS with the interconnect switch by configuring Ethernet VPLS configured logical tunnel interfaces in the interconnect switch
Click the Exhibit button.
Referring to the exhibit, which three types of traffic would be examined by the IPS policy between Switch-1 and Switch-2? (Choose three.)
- A . TCP
- B . LLDP
- C . ARP
- D . ICMP
- E . UDP
A,D,E
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-policy-rules-and-rulebases.html
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
- A . The SRX Series device is enrolled and communicating with a JATP Appliance
- B . The JATP Appliance cannot download the security feeds from the GSS servers
- C . The SRX Series device cannot download the security feeds from the JATP Appliance
- D . The SRX Series device is not enrolled but can communicate with the JATP Appliance
You have configured three logical tunnel interfaces in a tenant system on an SRX1500 device. When committing the configuration, the commit fails.
In this scenario, what would cause this problem?
- A . There is no GRE tunnel between the tenant system and master system allowing SSH traffic
- B . There is no VPLS switch on the tenant system containing a peer lt-0/0/0 interface
- C . The SRX1500 device does not support more than two logical interfaces per tenant system
- D . The SRX1500 device requires a tunnel PIC to allow for logical tunnel interfaces
B
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/logical-systems-overview.html
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
- A . You can secure intra-VLAN traffic with a security policy on this device
- B . You can secure inter-VLAN traffic with a security policy on this device
- C . The device can pass Layer 2 and Layer 3 traffic at the same time
- D . The device cannot pass Layer 2 and Layer 3 traffic at the same time
A,D
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/ethernet-port-switching-modes.html
You are asked to configure an SRX Series device to bypass all security features for IP traffic from the engineering department.
Which firewall filter will accomplish this task?
A), B), C), D): firewall filter configurations shown in the exhibit.
- A . Option A
- B . Option B
- C . Option C
- D . Option D
Click the Exhibit button.
Given the command output shown in the exhibit, which two statements are true? (Choose two.)
- A . The host 172.31.15.1 is directly connected to interface ge-0/0/3.0
- B . Traffic matching this session has been received since the session was established
- C . The host 10.10.101.10 is directly connected to interface ge-0/0/4.0
- D . Network Address Translation is applied to this session
A user is unable to reach a necessary resource. You discover the path through the SRX Series device includes several security features. The traffic is not being evaluated by any security policies.
In this scenario, which two components within the flow module would affect the traffic? (Choose two.)
- A . services/ALG
- B . destination NAT
- C . source NAT
- D . route lookup
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
- A . Data is transmitted across the link in plaintext
- B . The link is not protected against man-in-the-middle attacks
- C . The link is protected against man-in-the-middle attacks
- D . Data is transmitted across the link in cyphertext
Click the Exhibit button.
When attempting to enroll an SRX Series device to JATP, you receive the error shown in the exhibit.
What is the cause of the error?
- A . The fxp0 IP address is not routable
- B . The SRX Series device certificate does not match the JATP certificate
- C . The SRX Series device does not have an IP address assigned to the interface that accesses JATP
- D . A firewall is blocking HTTPS on fxp0
C
Explanation:
Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB33979&cat=JATP_SERIES&actp=LIST
Click the Exhibit button.
Branch 1 and Branch 2 have an active VPN tunnel configured, but internal hosts cannot communicate with each other.
Referring to the exhibit, which type of configuration should be applied to solve the problem?
- A . Configure destination NAT on both Branch 1 and Branch 2
- B . Configure source NAT on Branch 1
- C . Configure destination NAT on Branch 2 only
- D . Configure static NAT on both Branch 1 and Branch 2
Your SRX Series device does not see the SYN packet.
What is the default action in this scenario?
- A . The device will forward the subsequent packets and the session will be established
- B . The device will forward the subsequent packets and the session will not be established
- C . The device will drop the subsequent packets and the session will not be established
- D . The device will drop the subsequent packets and the session will be established
C
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-tcp-session-checks.html
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
- A . Events based on this third-party feed will not affect a host’s threat score
- B . SRX Series devices will block traffic based on this third-party feed
- C . SRX Series devices will not block traffic based on this third-party feed
- D . Events based on this third-party feed will affect a host’s threat score
A,B
Explanation:
Reference: https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-atp-integrated-feeds.html
Click the Exhibit button.
You are implementing a new branch site and want to ensure Internet traffic is sent directly to your ISP and other traffic is sent to your company headquarters. You have configured filter-based forwarding to accomplish this objective. You verify proper functionality using the outputs shown in the exhibit.
Which two statements are true in this scenario? (Choose two.)
- A . The session utilizes one routing instance
- B . The ge-0/0/5 and ge-0/0/1 interfaces must reside in a single security zone
- C . The ge-0/0/5 and ge-0/0/1 interfaces can reside in different security zones
- D . The session utilizes two routing instances
You configured a security policy permitting traffic from the trust zone to the DMZ zone, inserted the new policy at the top of the list, and successfully committed it to the SRX Series device. Upon monitoring, you notice that the hit count does not increase on the newly configured policy.
In this scenario, which two commands would help you to identify the problem? (Choose two.)
- A . user@srx> show security zones trust detail
- B . user@srx> show security shadow-policies from zone trust to zone DMZ
- C . user@srx> show security match-policies from-zone trust to-zone DMZ source-ip 192.168.10.100/32 destination-ip 10.10.10.80/32 protocol tcp source-port 5806 destination-port 443
- D . user@srx> show security match-policies from-zone trust to-zone DMZ source-ip 192.168.10.100/32 destination-ip 10.10.10.80/32 protocol tcp source-port 5806 destination-port 443 result-count 10
B,D
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/monitoring-troubleshooting-security-policy.html
Which feature of Sky ATP is deployed with Policy Enforcer?
- A . zero-day threat mitigation
- B . software image snapshot support
- C . device inventory management
- D . service redundancy daemon configuration support
You are asked to implement the session cache feature on an SRX5400.
In this scenario, what information does a session cache entry record? (Choose two.)
- A . The type of processing to do for ingress traffic
- B . The type of processing to do for egress traffic
- C . To which SPU the traffic of the session should be forwarded
- D . To which NPU the traffic of the session should be forwarded
B,C
Explanation:
Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-packet-based-forwarding.html
What are two important functions of the Juniper Networks ATP appliance solution? (Choose two.)
- A . Statistics
- B . Analysis
- C . Detection
- D . Filtration
B,C
Explanation: https://www.juniper.net/us/en/products-services/security/advanced-threat-prevention/
Click the Exhibit button.
The exhibit shows a snippet of a security flow trace. A user cannot open an SSH session to a server.
Which action will solve the problem?
- A . Create a security policy that matches the traffic parameters
- B . Edit the source NAT to correct the translated address
- C . Create a route entry to direct traffic into the configured tunnel
- D . Create a route to the desired server