6

Free VCE and PDF Exam Dumps from PassLeader
Vendor: Juniper
Exam Code: JN0-332
Exam Name: Juniper Networks Certified Specialist Security (JNCIS-SEC)
Question 251 -- Question 300
Visit PassLeader and Download Full Version JN0-332 Exam Dumps
QUESTION 251
Click the Exhibit button.
[edit security policies]
user@host# show
from-zone trust to-zone untrust {
policy AllowHTTP{
match {
source-address HOSTA;
destination-address any;
application junos-ftp;
}
then {
permit;
}}
policy AllowHTTP2{
match {
source-address any;
destination-address HOSTA;
application junos-http;
}
then {
permit;
}}
policy AllowHTTP3{
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}}}
A flow of HTTP traffic needs to go from HOSTA to HOSTB. Assume that traffic will initiate from
HOSTA and that HOSTA is in zone trust and HOSTB is in zone untrust.
What will happen to the traffic given the configuration in the exhibit?
A. The traffic will be permitted by policy AllowHTTP.

B. The traffic will be permitted by policy AllowHTTP3.
C. The traffic will be permitted by policy AllowHTTP2.
JN0-332 Exam Dumps JN0-332 Exam Questions JN0-332 PDF Dumps JN0-332 VCE Dumps
http://www.passleader.com/jn0-332.html
D. The traffic will be dropped as no policy match will be found.
Answer: B
QUESTION 252
Which two security policy actions are valid? (Choose two.)
A. deny
B. discard
C. reject
D. close
Answer: AC
QUESTION 253
[edit schedulers]
user@host# show
scheduler now {
monday all-day;
tuesday exclude;
wednesday {
start-time 07:00:00 stop-time 18:00:00;
}
thursday {
start-time 07:00:00 stop-time 18:00:00;
}}
[edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}}}
scheduler-name now;
}
Based on the configuration shown in the exhibit, what will happen to the traffic matching the security
policy?
A. The traffic is permitted through the myTunnel IPsec tunnel only on Tuesdays.
B. The traffic is permitted through the myTunnel IPsec tunnel daily, with the exception of Mondays.
C. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and Wednesdays
between 7:00 am and 6:00 pm, and Thursdays between 7:00 am and 6:00 pm.
D. The traffic is permitted through the myTunnel IPsec tunnel all day on Mondays and Wednesdays
between 6:01 pm and 6:59 am, and Thursdays between 6:01 pm and 6:59 am.
Answer: C
QUESTION 254
[edit security policies from-zone HR to-zone trust]
user@host# show
policy two {
match {
source-address subnet_a;
destination-address host_b;
application [ junos-telnet junos-ping ];
}
then {
reject;
}} policy one {
match {
source-address host_a;
destination-address subnet_b;
application any;
}
then {
permit;
}}
host_a is in subnet_a and host_b is in subnet_b.
Given the configuration shown in the exhibit, which statement is true about traffic from host_a to
host_b?
A. DNS traffic is denied.

B. Telnet traffic is denied.
C. SMTP traffic is denied.
D. Ping traffic is permitted.
Answer: B
QUESTION 255
Which statement is true about interface-based source NAT?
A. PAT is a requirement.
B. It requires you to configure address entries in the junos-nat zone.
C. It requires you to configure address entries in the junos-global zone.
D. The IP addresses being translated must be in the same subnet as the egress interface.
Answer: A
QUESTION 256
Which two statements are true about pool-based destination NAT? (Choose two.)
A. It also supports PAT.

B. PAT is not supported.
C. It allows the use of an address pool.
D. It requires you to configure an address in the junos-global zone.
Answer: AC
QUESTION 257
Which statement is true about source NAT?
A. Source NAT works only with source pools.

B. Destination NAT is required to translate the reply traffic.
C. Source NAT does not require a security policy to function.
D. The egress interface IP address can be used for source NAT.
Answer: D
QUESTION 258
Which two statements are true about overflow pools? (Choose two.)
A. Overflow pools do not support PAT.

B. Overflow pools can not use the egress interface IP address for NAT.
C. Overflow pools must use PAT.
D. Overflow pools can contain the egress interface IP address or separate IP addresses.
Answer: CD
QUESTION 259
Which statement is true regarding proxy ARP?
A. Proxy ARP is enabled by default on stand-alone JUNOS security devices.

B. Proxy ARP is enabled by default on chassis clusters.
C. JUNOS security devices can forward ARP requests to a remote device when proxy ARP is enabled.
D. JUNOS security devices can reply to ARP requests intended for a remote device when proxy ARP is enabled.
Answer: D
QUESTION 260
You are creating a destination NAT rule-set.
Which two are valid for use with the from clause? (Choose two.)
A. security policy
B. interface
C. routing-instance
D. IP address
Answer: BC
QUESTION 261
Regarding an IPsec security association (SA), which two statements are true? (Choose two.)
A. IKE SA is bidirectional.
B. IPsec SA is bidirectional.
C. IKE SA is established during phase 2 negotiations.
D. IPsec SA is established during phase 2 negotiations.
Answer: AC
QUESTION 262
Which operational mode command displays all active IPsec phase 2 security associations?
A. show ike security-associations

B. show ipsec security-associations
C. show security ike security-associations
D. show security ipsec security-associations
Answer: D
QUESTION 263
Two VPN peers are negotiating IKE phase 1 using main mode. Which message pair in the
negotiation contains the phase 1 proposal for the peers?
A. message 1 and 2
B. message 3 and 4
C. message 5 and 6
D. message 7 and 8
Answer: A
QUESTION 264
Which attribute is required for all IKE phase 2 negotiations?
A. proxy-ID
B. preshared key
C. Diffie-Hellman group key
D. main or aggressive mode
Answer: A
QUESTION 265
Which attribute is optional for IKE phase 2 negotiations?
A. proxy-ID
B. phase 2 proposal
C. Diffie-Hellman group key
D. security protocol (ESP or AH)
Answer: C
QUESTION 266
A route-based VPN is required for which scenario?
A. when the remote VPN peer is behind a NAT device

B. when multiple networks need to be reached across the tunnel and GRE cannot be used
C. when the remote VPN peer is a dialup or remote access client
D. when a dynamic routing protocol is required across the VPN and GRE cannot be used
Answer: D
QUESTION 267
A policy-based IPsec VPN is ideal for which scenario?
A. when you want to conserve tunnel resources
B. when the remote peer is a dialup or remote access client
C. when you want to configure a tunnel policy with an action of deny
D. when a dynamic routing protocol such as OSPF must be sent across the VPN
Answer: B
QUESTION 268
Regarding a route-based versus policy-based IPsec VPN, which statement is true?
A. A route-based VPN generally uses less resources than a policy-based VPN.

B. A route-based VPN cannot have a deny action in a policy; a policy-based VPN can have a deny action.
C. A route-based VPN is better suited for dialup or remote access compared to a policy-based VPN.
D. A route-based VPN uses a policy referencing the IPsec VPN; a policy-based VPN policy does not use
a policy referencing the IPsec VPN.
Answer: A
QUESTION 269
Which two configuration elements are required for a route-based VPN? (Choose two.)
A. secure tunnel interface

B. security policy to permit the IKE traffic
C. a route for the tunneled transit traffic
D. tunnel policy for transit traffic referencing the IPsec VPN
Answer: AC
QUESTION 270
[edit security]
user@host# show
ike {
policy ike-policy1 {
mode main;
proposal-set standard;
pre-shared-key ascii-text "$9$GFjm5OBEclM5QCuO1yrYgo"; ## SECRET-DATA
}
gateway remote-ike {
ike-policy ike-policy1;
address 172.19.51.170;
external-interface ge-0/0/3.0;
}}
ipsec {
policy vpn-policy1 {
proposal-set standard;
}
vpn remote-vpn {
ike {
gateway remote-ike;
ipsec-policy vpn-policy1;
}}}
Assuming you want to configure a route-based VPN, which command is required to bind the VPN
to secure tunnel interface st0.0?
A. set ipsec vpn remote-vpn bind-interface st0.0

B. set ike gateway remote-ike bind-interface st0.0
C. set ike policy ike-policy1 bind-interface st0.0
D. set ipsec policy vpn-policy1 bind-interface st0.0
Answer: A
QUESTION 271
Regarding secure tunnel (st) interfaces, which statement is true?
A. You cannot assign st interfaces to a security zone.

B. You cannot apply static NAT on an st interface logical unit.
C. st interfaces are optional when configuring a route-based VPN.
D. A static route can reference the st interface logical unit as the next-hop.
Answer: D
QUESTION 272
What are three benefits of using chassis clustering? (Choose three.)
A. Provides stateful session failover for sessions.

B. Increases security capabilities for IPsec sessions.
C. Provides active-passive control and data plane redundancy.
D. Enables automated fast-reroute capabilities.
E. Synchronizes configuration files and session state.
Answer: ACE
QUESTION 273
You have been tasked with installing two SRX 5600 platforms in a high-availability cluster. Which
requirement must be met for a successful installation?
A. You must enable SPC detect within the configuration.

B. You must enable active-active failover for redundancy.
C. You must ensure all SPCs use the same slot placement.
D. You must configure auto-negotiation on the control ports of both devices.
Answer: C
QUESTION 274
[edit chassis]
user@host# show
cluster {
reth-count 3;
redundancy-group 1 {
node 0 priority 1;
node 1 priority 100;
}}
When applying the configuration in the exhibit and initializing a chassis cluster, which statement is
correct?
A. Three physical interfaces are redundant.

B. You must define an additional redundancy group.
C. node 0 will immediately become primary for redundancy group 1.
D. You must issue an operational command and reboot the system for the above configuration to take effect.
Answer: D
QUESTION 275
What is a redundancy group in JUNOS Software?
A. a set of chassis clusters that fail over as a group

B. a set of devices that participate in a chassis cluster
C. a set of VRRP neighbors that fail over as a group
D. a set of chassis cluster objects that fail over as a group
Answer: D
QUESTION 276
When devices are in cluster mode, which new interfaces are created?
A. No new interface is created.

B. Only the st interface is created.
C. fxp1, fab0, and fab1 are created.
D. st, fxp1, reth, fab0, and fab1 are created.
Answer: C
QUESTION 277
What are two interfaces created when enabling a chassis cluster? (Choose two.)
A. st0
B. fxp1
C. fab0
D. reth0
Answer: BC
QUESTION 278
Which statement is true regarding redundancy groups?
A. The preempt option determines the primary and secondary roles for redundancy group 0 during a
failure and recovery scenario.
B. When priority settings are equal and the members participating in a cluster are initialized at the same
time, the primary role for redundancy group 0 is assigned to node 1.
C. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
D. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
Answer: D
QUESTION 279
Which IDP policy action drops a packet before it can reach its destination, but does not close the
connection?
A. discard-packet
B. drop-traffic
C. discard-traffic
D. drop-packet
Answer: D
QUESTION 280
You have been tasked with performing an update to the IDP attack database. Which three
requirements are included as part of this task? (Choose three.)
A. The IDP security package must be installed after it is downloaded.

B. The device must be rebooted to complete the update.
C. The device must be connected to a network.
D. An IDP license must be installed on your device.
E. You must be logged in as the root user.
Answer: ACD
QUESTION 281
You are implementing an IDP policy template from Juniper Networks. Which three steps are
included in this process? (Choose three.)
A. activating a JUNOS Software commit script?

B. configuring an IDP groups statement
C. setting up a chassis cluster
D. downloading the IDP policy templates
E. installing the policy templates
Answer: ADE
QUESTION 282
Which statement regarding the implementation of an IDP policy template is true?
A. IDP policy templates are automatically installed as the active IDP policy.
B. IDP policy templates are enabled using a commit script.
C. IDP policy templates can be downloaded without an IDP license.
D. IDP policy templates are included in the factory-default configuration.
Answer: B
QUESTION 283
Which two statements are true regarding firewall user authentication? (Choose two.)
A. Firewall user authentication is performed only for traffic that is accepted by a security policy.
B. Firewall user authentication is performed only for traffic that is denied by a security policy.
C. Firewall user authentication provides an additional method of controlling user access to the JUNOS
security device itself.
D. Firewall user authentication provides an additional method of controlling user access to remote networks.
Answer: AD
QUESTION 284
Which statement accurately describes firewall user authentication?
A. Firewall user authentication provides another layer of security in a network.

B. Firewall user authentication provides a means for accessing a JUNOS Software-based security device.
C. Firewall user authentication enables session-based forwarding.
D. Firewall user authentication is used as a last resort security method in a network.
Answer: A
QUESTION 285
Which two firewall user authentication objects can be referenced in a security policy? (Choose two.)
A. access profile
B. client group
C. client
D. default profile
Answer: BC
QUESTION 286
Which high availability feature is supported only on Junos security platforms?
A. Virtual Chassis
B. VRRP
C. chassis clustering
D. graceful restart
Answer: C
QUESTION 287
What is a security policy?
A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks
Answer: A
QUESTION 288
What is a zone?
A. a set of rules that controls traffic from a specified source to a specified destination using a specified service
B. a collection of one or more network segments sharing identical security requirements
C. a method of providing a secure connection across a network
D. a tool to protect against DoS attacks
Answer: B
QUESTION 289
What is the function of NAT?
A. It performs Layer 3 routing.

B. It evaluates and redirects matching traffic into secure tunnels.
C. It provides translation between public and private IP addresses.
D. It performs Layer 2 switching.
Answer: C
QUESTION 290
Which statement correctly describes the default state of a high-end SRX Series Services Gateway?
A. It forwards all traffic.

B. It selectively forwards traffic based on default security policies.
C. It selectively restricts traffic based on default security policies.
D. It forwards no traffic.
Answer: A
QUESTION 291
Which Junos security feature helps protect against spam, viruses, trojans, and malware?
A. session-based stateful firewall

B. IPsec VPNs
C. security policies
D. Unified Threat Management
Answer: D
QUESTION 292
When the first packet in a new flow is received, which high-end SRX component is responsible for
setting up the flow?
A. Routing Engine
B. I/O card
C. network processing card
D. services processing card
Answer: B
QUESTION 293
Which three elements are contained in a session-close log message? (Choose three.)
A. source IP address
B. DSCP value
C. number of packets transferred
D. policy name
E. MAC address
Answer: CDE
QUESTION 294
Which card performs flow lookup on incoming packets on high-end SRX Series devices?
A. Network Processing Card (NPC)

B. Services Processing Card (SPC)
C. Switch Control Board (SCB)
D. Routing Engine (RE)
Answer: A
QUESTION 295
How is the control plane separated from the data plane on branch SRX Series devices?
A. by running separate kernels inside the Junos OS

B. by dedicating a separate CPU core for the control plane
C. by using separate CPUs for the control plane and data plane
D. by offloading control plane traffic to the SPC
Answer: B
QUESTION 296
Which three parameters does the Junos OS attempt to match against during session lookup?
(Choose three.)
A. session token
B. ingress interface
C. protocol number
D. source port number
E. egress interface
Answer: ACD
QUESTION 297
You have packet loss on an IPsec VPN using the default maximum transmission unit (MTU) where
the packets have the DF-bit (do not fragment) set.
Which configuration solves this problem?
A. Set an increased MTU value on the physical interface.

B. Set a reduced MSS value for VPN traffic under the [edit security flow tcp-mss] hierarchy.
C. Set a reduced MTU value for VPN traffic under the [edit security flow] hierarchy.
D. Set an increased MSS value on the st0 interface.
Answer: B
QUESTION 298
The branch SRX Series Services Gateways implement the data plane on which two components?
(Choose two.)
A. IOCs
B. SPCs
C. CPU cores
D. PIMs
Answer: CD
QUESTION 299
Which configuration must be completed to use both packet-based and session-based forwarding
on a branch SRX Series Services Gateway?
A. A stateless firewall filter must be used on the ingress interface to match traffic to be processed
as session based.
B. A security policy rule must be used on the ingress interface to match traffic to be processed as
session based.
C. A global security policy rule must be used on the ingress interface to match traffic to be processed
as packet based.
D. A stateless firewall filter must be used on the ingress interface to match traffic to be processed as
packet based.
Answer: D
QUESTION 300
Which branch SRX Series Services Gateway model has a hardware-based, modular Routing
Engine?
A. SRX1400
B. SRX650
C. SRX110
D. SRX240
Answer: B
Visit PassLeader and Download Full Version JN0-332 Exam Dumps

6

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

6

Загружено:

Авторское право:

Доступные форматы

Free VCE and PDF Exam Dumps from PassLeader

Exam Code: JN0-332

Exam Name: Juniper Networks Certified Specialist Security (JNCIS-SEC)

Question 251 -- Question 300

Visit PassLeader and Download Full Version JN0-332 Exam Dumps

A. The traffic will be permitted by policy AllowHTTP.

A. DNS traffic is denied.

A. It also supports PAT.

A. Source NAT works only with source pools.

A. Overflow pools do not support PAT.

A. Proxy ARP is enabled by default on stand-alone JUNOS security devices.

A. show ike security-associations

A. when the remote VPN peer is behind a NAT device

A. A route-based VPN generally uses less resources than a policy-based VPN.

A. secure tunnel interface

A. set ipsec vpn remote-vpn bind-interface st0.0

A. You cannot assign st interfaces to a security zone.

A. Provides stateful session failover for sessions.

A. You must enable SPC detect within the configuration.

A. Three physical interfaces are redundant.

A. a set of chassis clusters that fail over as a group

A. No new interface is created.

A. The IDP security package must be installed after it is downloaded.

A. activating a JUNOS Software commit script?

A. Firewall user authentication provides another layer of security in a network.

A. It performs Layer 3 routing.

A. It forwards all traffic.

A. session-based stateful firewall

A. Network Processing Card (NPC)

A. by running separate kernels inside the Junos OS

A. Set an increased MTU value on the physical interface.

Visit PassLeader and Download Full Version JN0-332 Exam Dumps

Вам также может понравиться