1.[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to 2.1.1.1.On which port is the IKE SA established?
A. TCP 500 B. UDP 500 C. TCP 4500 D. UDP 4500
D. UDP 4500
2.After applying the policy-rematch statement under the security policies stanza, what would happen to an existing flow if the policy source address or the destination address is changed and committed?
A. The Junos OS drops any flow that does not match the source address or destination address.
B. All traffic is dropped.
C. All existing sessions continue.
D. The Junos OS does a policy re-evaluation.
D. The Junos OS does a policy re-evaluation.
3.Antispam can be leveraged with which two features on a branch SRX Series device to provide maximum protection from malicious e-mail content? (Choose two.)
A. integrated Web filtering B. full AV
C. IPS
D. local Web filtering
B. full AV C. IPS
4.Assume the default-policy has not been configured.Given the configuration shown in the exhibit, which two statements about traffic from host_a in the HR zone to host_b in the trust zone are true? (Choose two.)
A. DNS traffic is denied. B. HTTP traffic is denied. C. FTP traffic is permitted. D. SMTP traffic is permitted. A. DNS traffic is denied. C. FTP traffic is permitted.
5.At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured? (Choose two.)
A. [edit security idp]
B. [edit security zones security-zone trust interfaces ge-0/0/0.0] C. [edit security zones security-zone trust]
D. [edit security screen]
B. [edit security zones security-zone trust interfaces ge-0/0/0.0] C. [edit security zones security-zone trust]
Juniper JNCIS-JSEC JN0-332
6. By default, how is traffic evaluated when the antivirus database update is in progress?
A. Traffic is scanned against the old database.
B. Traffic is scanned against the existing portion of the currently downloaded database.
C. All traffic that requires antivirus inspection is dropped and a log message generated displaying the traffic endpoints.
D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log message generated displaying the traffic endpoints.
D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log message generated displaying the traffic endpoints.
7. Content filtering enables traffic to be permitted or blocked based on inspection of which three types of content? (Choose three.)
A. MIME pattern B. file extension C. IP spoofing D. POP3 E. protocol command A. MIME pattern B. file extension E. protocol command
8. For which network anomaly does Junos provide a SCREEN? A. a telnet to port 80
B. a TCP packet with the SYN and ACK flags set C. an SNMP getnext request
D. an ICMP packet larger than 1024 bytes
D. an ICMP packet larger than 1024 bytes
9. Given the configuration shown in the exhibit, which configuration object would be used to associate both Nancy and Walter with firewall user authentication within a security policy?
A. ftp-group B. ftp-users C. firewall-user D. nancy and walter
A. ftp-group
10.Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with the device on ge-0/0/0.0?
A. RIP B. OSPF C. BGP and RIP D. RIP and PIM
11.Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host
These connections are the only communication between Host A and Host B. The security policy configuration permits both connections.How many sessions exist between Host A and Host B? A. 1 B. 2 C. 3 D. 4 B. 2
12.How do you apply UTM enforcement to security policies on the branch SRX series? A. UTM profiles are applied on a security policy by policy basis.
B. UTM profiles are applied at the global policy level.
C. Individual UTM features like anti-spam or anti-virus are applied directly on a security policy by policy basis.
D. Individual UTM features like anti-spam or anti-virus are applied directly at the global policy level.
A. UTM profiles are applied on a security policy by policy basis.
13.How many IDP policies can be active at one time on an SRX Series device by means of the set security idp active-policy configuration statement?
A. 1 B. 2 C. 4 D. 8
14.If both nodes in a chassis cluster initialize at different times, which configuration example will allow you to ensure that the node with the higher priority will become primary for your RGs other than RG0?
A. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; preempt; }
B. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; monitoring; }
C. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; control-link-recovery; }
D. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; strict-priority; } A. [edit chassis cluster] user@host# show redundancy-group 1 { node 0 priority 200; node 1 priority 150; preempt; }
15.In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device? A. This interface is a system-created interface.
B. This interface belongs to node 0 of the cluster. C. This interface belongs to node 1 of the cluster.
D. This interface will not exist because SRX 5800 devices have only 12 slots.
C. This interface belongs to node 1 of the cluster.
16.In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from the match condition of the policy MyTraffic.What will happen to the existing FTP and BGPsessions?
A. The existing FTP and BGP sessions will continue.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be dropped.
C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.
D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be dropped.
17.In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still allowed.
Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated before your Allow policy?
A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow
D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet
A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
18.In the exhibit, what is the function of the configuration statements? A. This section is where you define all chassis clustering configuration.
B. This configuration is required for members of a chassis cluster to talk to each other.
C. You can apply this configuration in the chassis cluster to make configuration easier.
D. This section is where unique node configuration is applied.
D. This section is where unique node configuration is applied.
19.In the exhibit, you decided to change myHosts addresses.What will happen to the new sessions matching the policy and in-progress sessions that had already matched the policy?
A. New sessions will be evaluated. In-progress sessions will be re-evaluated. B. New sessions will be evaluated. All in-progress sessions will continue. C. New sessions will be evaluated. All in-progress sessions will be dropped. D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will be re-evaluated and possibly dropped.
A. New sessions will be evaluated. In-progress sessions will be re-evaluated.
20.In the Junos OS, which statement is true? A. vlan.0 belongs to the untrust zone.
B. You must configure Web authentication to allow inbound traffic in the untrust zone. C. The zone name "untrust" has no special meaning.
D. The untrust zone is not configurable.
C. The zone name "untrust" has no special meaning.
21.Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your device. You must use NAT to make the Web server reachable from the Internet using port translation.Which type of NAT must you configure?
A. source NAT with address shifting B. pool-based source NAT
C. static destination NAT D. pool-based destination NAT
D. pool-based destination NAT
22.An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was obtained using DHCP.Which two statements are true? (Choose two.)
A. Only main mode can be used for IKE negotiation. B. A local-identity must be defined.
C. It must be the initiator for IKE. D. A remote-identity must be defined.
B. A local-identity must be defined. C. It must be the initiator for IKE.
23.The Junos OS blocks an HTTP request due to a Websense server response.Which form of Web filtering is being used?
A. redirect Web filtering B. integrated Web filtering C. categorized Web filtering D. local Web filtering
A. redirect Web filtering
24.The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist.Which form of Web filtering on the branch SRX device is fully executed within the device itself?
A. redirect Web filtering B. integrated Web filtering C. blacklist Web filtering D. local Web filtering
D. local Web filtering
25.The Junos OS blocks an HTTP request due to the category of the URL.Which form of Web filtering is being used?
A. redirect Web filtering B. integrated Web filtering C. categorized Web filtering D. local Web filtering
B. integrated Web filtering
26.A network administrator has configured source NAT, translating to an address that is on a locally connected subnet. The administrator sees the translation working, but traffic does not appear to come back.What is causing the problem?
A. The host needs to open the telnet port.
B. The host needs a route for the translated address.
C. The administrator must use a proxy-arp policy for the translated address.
D. The administrator must use a security policy, which will allow communication between the zones.
C. The administrator must use a proxy-arp policy for the translated address.
27.A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The administrator must also disable NAT for any traffic destined to the 202.2.10.0/24 network.Which configuration would accomplish this task?
A. [edit security nat source rule-set test] user@host# show
from zone trust; to zone untrust; rule A { match { source-address 202.2.10.0/24; } then { source-nat { pool { A; } } } } rule B { match { destination-address 10.0.0.0/8; } then { source-nat { off; } } }
B. [edit security nat source] user@host# show rule-set test from zone trust;
to zone untrust; rule 1 { match { destination-address 202.2.10.0/24; } then { source-nat { off; } } } rule 2 { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } }
C. [edit security nat source rule-set test] user@host# show
from zone trust;
B. [edit security nat source] user@host# show rule-set test from zone trust; to zone untrust; rule 1 { match { destination-address 202.2.10.0/24; } then { source-nat { off; } } } rule 2 { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } }
from zone trust; to zone untrust; rule A { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } } rule B { match { destination-address 202.2.10.0/24; } then { source-nat { off; } } }
D. [edit security nat source rule-set test] user@host# show
from zone trust; to zone untrust; rule A { match { source-address 10.0.0.0/8; } then { source-nat { pool { A; } } } }
28.A network administrator receives complaints from the engineering group that an application on one server is not working properly. After further investigation, the administrator determines that source NAT translation is using a different source address after a random number of flows.Which two actions can the administrator take to force the server to use one address? (Choose two.) A. Use the custom application feature.
B. Configure static NAT for the host. C. Use port address translation (PAT). D. Use the address-persistent option.
B. Configure static NAT for the host. D. Use the address-persistent option.
29.A network administrator receives complaints that the application voicecube is timing out after being idle for 30 minutes.Referring to the exhibit, what is a resolution?
A. [edit]
user@host# set applications application voicecube inactivity-timeout never B. [edit]
user@host# set applications application voicecube inactivity-timeout 2 C. [edit]
user@host# set applications application voicecube destination-port 5060
A. [edit] user@host# set applications application voicecube inactivity-timeout never
user@host# set applications application voicecube destination-port 5060 D. [edit]
user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never 30.A network administrator repeatedly receives support calls about network issues. After
investigating the issues, the administrator finds that the source NAT pool is running out of addresses.To be notified that the pool is close to exhaustion, what should the administrator configure?
A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza. B. Use a trap-group with a category of services under the SNMP stanza.
C. Use an external script that will run a show command on the SRX Series device to see when the pool is close to exhaustion.
D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.
A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.
31.A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone.Which configuration statement would correctly accomplish this task?
A. from-zone UNTRUST to-zone TRUST { policy DenyServer { match { source-address any; destination-address any; application any; } then { deny; } } }
from-zone TRUST to-zone UNTRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
B. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { deny; } } }
from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; B. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { deny; } } } from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
destination-address Server; application junos-telnet; } then { permit; } } }
C. from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-ftp; } then { permit; } } }
D. from-zone TRUST to-zone UNTRUST { policy DenyServer { match { source-address Server; destination-address any; application any; } then { permit; } } }
from-zone UNTRUST to-zone TRUST { policy AllowTelnetin { match { source-address the10net; destination-address Server; application junos-telnet; } then { permit; } } }
32. On which component is the control plane implemented? A. IOC
B. PIM C. RE D. SPC
33. Referring to the exhibit, which statement contains the correct gateway parameters? A. [edit security ike]
user@host# show gateway ike-phase1-gateway { policy ike-policy1; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }
B. [edit security ike] user@host# show gateway ike-phase1-gateway { ike-policy ike-policy1; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }
C. [edit security ike] user@host# show gateway ike-phase1-gateway { policy ike1-policy; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }
D. [edit security ike] user@host# show gateway ike-phase1-gateway { ike-policy ike1-policy; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }
B. [edit security ike] user@host# show gateway ike-phase1-gateway { ike-policy ike-policy1; address 10.10.10.1; dead-peer-detection { interval 20; threshold 5; } external-interface ge-1/0/1.0; }
34.Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC 192.168.10.10.What is causing the problem?
A. Telnet is not being permitted by self policy. B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure. D. Telnet is not enabled as a host-inbound service on the zone.
D. Telnet is not enabled as a host-inbound service on the zone.
35.Regarding content filtering, what are two pattern lists that can be configured in the Junos OS? (Choose two.)
A. protocol list B. MIME C. block list D. extension B. MIME D. extension
36.Regarding fast path processing, when does the system perform the policy check? A. The policy is determined after the SCREEN options check.
B. The policy is determined only during the first packet path, not during fast path. C. The policy is determined after the zone check.
D. The policy is determined after the SYN TCP flag.
B. The policy is determined only during the first packet path, not during fast path.
37.The same Web site is visited for the second time using a branch SRX Series Services Gateway configured with SurfControl integrated Web filtering.Which statement is true?
A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server provides the SRX with a category of the URL.
B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl server asks the SRX device to permit the URL as it has been previously visited.
C. The SRX device looks at its local cache to find the category of the URL.
D. The SRX device does not perform any Web filtering operation as the Web site has already been visited.
C. The SRX device looks at its local cache to find the category of the URL.
38.The SRX device receives a packet and determines that it does not match an existing session.After SCREEN options are evaluated, what is evaluated next?
A. source NAT B. destination NAT C. route lookup D. zone lookup
39.A system administrator detects thousands of open idle connections from the same source.Which problem can arise from this type of attack?
A. It enables an attacker to perform an IP sweep of devices.
B. It enables a hacker to know which operating system the system is running. C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.
D. It creates a ping of death and can cause the entire network to be infected with a virus.
C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.
40.System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device. Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)
A. A user can use SSH to interface ge-0/0/0.0 and ge-0/0/1.0. B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0. C. A user can use SSH to interface ge-0/0/0.0.
D. A user can use SSH to interface ge-0/0/1.0.
B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.
C. A user can use SSH to interface ge-0/0/0.0.
41.To determine whether a particular file has a virus by only inspecting a few initial packets before receiving the entire file, which UTM feature do you enable? A. URL white lists
B. intelligent pre-screening C. trickling
D. scan mode extensions
B. intelligent pre-screening
42.Under which Junos hierarchy level are security policies configured? A. [edit security]
B. [edit protocols] C. [edit firewall] D. [edit policy-options]
A. [edit security]
43.A user wants to establish an FTP session to a server behind an SRX device but must authenticate to a Web page on the SRX device for additional authentication.Which type of user authentication is configured?
A. pass-through B. WebAuth
C. WebAuth with Web redirect D. pass-through with Web redirect
44.A user wants to establish an HTTP session to a server behind an SRX device but is being pointed to Web page on the SRX device for additional authentication.Which type of user authentication is configured?
A. pass-through with Web redirect B. WebAuth with HTTP redirect C. WebAuth
D. pass-through
D. pass-through
45.Using a policy with the policy-rematch flag enabled, what happens to the existing and new sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to carry any traffic, simply timeout.
C. The new sessions matching the policy might be allowed through if they match another policy.
The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are completed or their timeout is reached.
A. The new sessions matching the policy are denied. The existing sessions are dropped.
46.What are three configuration objects used to build Junos IDP rules? (Choose three.) A. zone objects
B. policy objects C. attack objects
D. alert and notify objects E. network and address objects
A. zone objects C. attack objects
E. network and address objects
47.What are three different integrated UTM components available on the branch SRX Series devices? (Choose three.)
A. antivirus (full AV, express AV) B. antivirus (desktop AV)
C. Web filtering D. antispam
E. firewall user authentication
A. antivirus (full AV, express AV) C. Web filtering
48.What are three valid Juniper Networks IPS attack object types? (Choose three.) A. signature B. anomaly C. trojan D. virus E. chain A. signature B. anomaly E. chain
49.What are two components of the Junos software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module D. separate routing and security planes
B. routing protocol daemon
C. session-based forwarding module
50.What are two rulebase types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips B. rulebase-ignore C. rulebase-idp D. rulebase-exempt A. rulebase-ips D. rulebase-exempt
51.What are two TCP flag settings that are considered suspicious? (Choose two.)
A. Do-Not-Fragment flag is set. B. Both SYN and FIN flags are set. C. Both ACK and PSH flags are set. D. FIN flag is set and ACK flag is not set.
B. Both SYN and FIN flags are set. D. FIN flag is set and ACK flag is not set.
52.What are two valid reasons for the output shown in the exhibit? (Choose two.)
A. The local Web-filtering daemon is not enabled or is not running. B. The integrated Web-filtering policy server is not reachable. C. No DNS is configured on the SRX Series device.
D. No security policy is configured to use Web filtering.
B. The integrated Web-filtering policy server is not reachable.
53.What is the correct syntax for applying node-specific parameters to each node in a chassis cluster?
A. set apply-groups node$ B. set apply-groups (node) C. set apply-groups $(node) D. set apply-groups (node)all
C. set apply-groups $(node)
54.What is the default session timeout for TCP sessions? A. 1 minute
B. 15 minutes C. 30 minutes D. 90 minutes
C. 30 minutes
55.What is the default session timeout for UDP sessions? A. 30 seconds
B. 1 minute C. 5 minutes D. 30 minutes
B. 1 minute
56.What is the functionality of redundant interfaces (reth) in a chassis cluster?
A. reth interfaces are used only for VRRP.
B. reth interfaces are the same as physical interfaces.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.
D. Each cluster member has a reth interface that can be used to share session state information with the other cluster members.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical interfaces.
57.What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can decompress for the HTTP protocol? A. 1 B. 4 C. 8 D. 16 B. 4
58.What is the maximum number of layers of decompression that juniper-express-engine (express AV) can decompress for the HTTP protocol? A. 0 B. 1 C. 4 D. 8 B. 1
59.What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?
A. whitelists, blacklists, SurfControl categories B. blacklists, whitelists, SurfControl categories C. SurfControl categories, whitelists, blacklists D. SurfControl categories, blacklists, whitelists
B. blacklists, whitelists, SurfControl categories
60.What is the purpose of a chassis cluster? A. Chassis clusters are used to aggregate routes.
B. Chassis clusters are used to create aggregate interfaces. C. Chassis clusters are used to group two chassis into one logical chassis.
D. Chassis clusters are used to group all interfaces into one cluster interface.
C. Chassis clusters are used to group two chassis into one logical chassis.
61.When an SRX series device receives an ESP packet, what happens? A. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of the ingress interface, based on SPI match, it will decrypt the packet.
62.When using UTM features in an HA cluster, which statement is true for installing the licenses on the cluster members?
A. One UTM cluster license will activate UTM features on both members. B. Each device will need a UTM license generated for its serial number.
C. Each device will need a UTM license generated for the cluster, but licenses can be applied to either member.
D. HA clustering automatically comes with UTM licensing, no additional actions are needed.
B. Each device will need a UTM license generated for its serial number.
63.Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum virus coverage for network traffic?
A. express AV B. full AV C. desktop AV D. ICAP
B. full AV
64.Which CLI command do you use to block MIME content at the [edit security utm feature-profile] hierarchy?
A. set content-filtering profile <name> permit-command block-mime B. set content-filtering profile <name> block-mime
C. set content-filtering block-content-type <name> block-mime D. set content-filtering notifications block-mime
B. set content-filtering profile <name> block-mime
65.Which CLI command provides a summary of what the content-filtering engine has blocked?
A. show security utm content-filtering statistics B. show security flow session
C. show security flow statistics
D. show security utm content-filtering summary
A. show security utm content-filtering statistics
66.Which command do you use to display the status of an antivirus database update?
A. show security utm anti-virus status B. show security anti-virus database status C. show security utm anti-virus database D. show security utm anti-virus update
67.Which command do you use to manually remove antivirus patterns? A. request security utm anti-virus juniper-express-engine pattern-delete B. request security utm anti-virus juniper-express-engine pattern-reload C. request security utm anti-virus juniper-express-engine pattern-remove D. delete security utm anti-virus juniper-express-engine antivirus-pattern
A. request security utm anti-virus juniper-express-engine pattern-delete
68.Which command is needed to change this policy to a tunnel policy for a policy-based VPN?
A. set policy tunnel-traffic then tunnel remote-vpn
B. set policy tunnel-traffic then permit tunnel remote-vpn
C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
69.Which command shows the event and traceoptions file for chassis clusters? A. show log chassisd
B. show log clusterd C. show log jsrpd D. show log messages
C. show log jsrpd
70.Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID to 1 and node to 0?
A. user@host# set chassis cluster cluster-id 1 node 0 reboot B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot D. user@host# set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
71.Which configuration keyword ensures that all in-progress sessions are re-evaluated upon committing a security policy change?
A. policy-rematch B. policy-evaluate C. rematch-policy D. evaluate-policy
72. Which configuration shows a pool-based source NAT without PAT? A. [edit security nat source]
user@host# show pool A { address { 207.17.137.1/32 to 207.17.137.254/32; } } rule-set 1A { from zone trust; to zone untrust; rule 1 { match { source-address 10.1.10.0/24; } then { source-nat pool A; port no-translation; } } }
B. [edit security nat source] user@host# show pool A { address { 207.17.137.1/32 to 207.17.137.254/32; } overflow-pool interface; } rule-set 1A { from zone trust; to zone untrust; rule 1 { match { source-address 10.1.10.0/24; } then { source-nat pool A; port no-translation; } } }
C. [edit security nat source] user@host# show pool A { address { 207.17.137.1/32 to 207.17.137.254/32; } port no-translation; } rule-set 1A { from zone trust; to zone untrust; rule 1 { match { source-address 10.1.10.0/24; } then {
C. [edit security nat source] user@host# show pool A { address { 207.17.137.1/32 to 207.17.137.254/32; } port no-translation; } rule-set 1A { from zone trust; to zone untrust; rule 1 { match { source-address 10.1.10.0/24; } then { source-nat pool A; } } }
then {
source-nat pool A; }
} }
D. [edit security nat source]. user@host# show pool A { address { 207.17.137.1/32 to 207.17.137.254/32; } overflow-pool interface; } rule-set 1A {
from zone trust; to zone untrust; rule 1 { match { source-address 10.1.10.0/24; } then { source-nat pool A; } } }
73.Which configuration shows the correct application of a security policy scheduler?
A. [edit security policies from-zone Private to-zone External] user@host# show policy allowTransit { match { source-address PrivateHosts; destination-address ExtServers; application ExtApps; } then { permit { tunnel { ipsec-vpn myTunnel; } scheduler-name now; } } }
B. [edit security policies from-zone Private to-zone External] user@host# show policy allowTransit { match { source-address PrivateHosts; destination-address ExtServers; application ExtApps; } then { permit { tunnel { ipsec-vpn myTunnel; } } } scheduler-name now; }
C. [edit security policies from-zone Private to-zone External] user@host# show policy allowTransit { match { source-address PrivateHosts; destination-address ExtServers; application ExtApps; } then { permit { tunnel { ipsec-vpn myTunnel; scheduler-name now; } } } }
D. [edit security policies from-zone Private to-zone External] user@host# show
policy allowTransit { match {
B. [edit security policies from-zone Private to-zone External] user@host# show policy allowTransit { match { source-address PrivateHosts; destination-address ExtServers; application ExtApps; } then { permit { tunnel { ipsec-vpn myTunnel; } } } scheduler-name now; }
match { source-address PrivateHosts; destination-address ExtServers; application ExtApps; scheduler-name now; } then { permit { tunnel { ipsec-vpn myTunnel; } } } scheduler-name now; }
74.Which element occurs first during the first-packet-path processing? A. destination NAT
B. forwarding lookup C. route lookup D. SCREEN options
D. SCREEN options
75.Which encryption type is used to secure user data in an IPsec tunnel? A. symmetric key encryption
B. asymmetric key encryption C. RSA
D. digital certificates
A. symmetric key encryption
76.Which IDP policy action closes the connection and sends an RST packet to both the client and the server?
A. close-connection B. terminate-connection C. close-client-and-server D. terminate-session
C. close-client-and-server
77.Which interface is used for RTO synchronization and forwarding traffic between the devices in a cluster?
A. the st interface B. the reth interface
C. the fxp1 and fxp0 interfaces D. the fab0 and fab1 interfaces
D. the fab0 and fab1 interfaces
78.Which parameters are valid SCREEN options for combating operating system probes? A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag
C. syn-fin, fin-no-ack, and tcp-no-frag
79. Which security or functional zone name has special significance to the Junos OS? A. self B. trust C. untrust D. junos-global D. junos-global
80.Which statement contains the correct parameters for a route-based IPsec VPN? A. [edit security ipsec]
user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; } policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { interface ge-0/0/1.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
B. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; } policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { interface st0.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
C. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; } policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal;
D. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; }policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { bind-interface st0.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
proposals ike1-proposal; } vpn VpnTunnel { bind-interface ge-0/0/1.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
D. [edit security ipsec] user@host# show proposal ike1-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; }policy ipsec1-policy { perfect-forward-secrecy { keys group2; } proposals ike1-proposal; } vpn VpnTunnel { bind-interface st0.0; ike { gateway ike1-gateway; ipsec-policy ipsec1-policy; } establish-tunnels immediately; }
81.Which statement describes a security zone?
A. A security zone can contain one or more interfaces. B. A security zone can contain interfaces in multiple routing instances.
C. A security zone must contain two or more interfaces. D. A security zone must contain bridge groups.
A. A security zone can contain one or more interfaces.
82.Which statement describes an ALG?
A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to deny the traffic. B. An ALG intercepts and analyzes the specified traffic,
allocates resources, and defines dynamic policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates
resources, and defines dynamic policies to permit the traffic to pass.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass.
83.Which statement describes the behavior of source NAT with address shifting?
A. Source NAT with address shifting translates both the source IP address and the source port of a packet.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP address to a translated source IP address.
B. Source NAT with address shifting defines a one-to-one mapping from an original source IP address to a translated source IP address.
C. Source NAT with address shifting can translate multiple source IP addresses to the same translated IP address. D. Source NAT with address shifting allows inbound connections to be initiated to the static source pool IP addresses.
84.Which statement describes the UTM licensing model? A. Install the license key and all UTM features will be enabled for the life of the product.
B. Install one license key per feature and the license key will be enabled for the life of the product.
C. Install one UTM license key, which will activate all UTM features; the license will need to be renewed when it expires. D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they expire.
D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they expire.
85.Which statement is correct about HTTP trickling?
A. It prevents the HTTP client or server from timing-out during an antivirus update.
B. It prevents the HTTP client or server from timing-out during antivirus scanning.
C. It is an attack.
D. It is used to bypass antivirus scanners.
B. It prevents the HTTP client or server from timing-out during antivirus scanning.
86.Which statement is true about a NAT rule action of off?
A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets. C. The NAT action of off is useful for detailed control of NAT. D. The NAT action of off is useful for disabling NAT when a pool is exhausted.
C. The NAT action of off is useful for detailed control of NAT.
87.Which statement is true about SurfControl integrated Web filter solution?
A. The SurfControl server in the cloud provides the SRX device with the category of the URL as well as the reputation of the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
C. The SurfControl server in the cloud provides the SRX device with only the reputation of the URL.
D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
88.Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?
A. A session key value is exchanged across the network. B. A session key never passes across the network.
C. A session key is used as the key for asymmetric data encryption. D. A session key is used as the key for symmetric data encryption. 89.Which statement is true regarding IPsec VPNs?
A. There are five phases of IKE negotiation. B. There are two phases of IKE negotiation.
C. IPsec VPN tunnels are not supported on SRX Series devices. D. IPsec VPNs require a tunnel PIC in SRX Series devices.
B. There are two phases of IKE negotiation.
90.Which statement is true regarding NAT? A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices. C. NAT is processed in the control plane.
D. NAT is processed in the data plane.
D. NAT is processed in the data plane.
91.Which statement is true regarding the Junos OS for security platforms?
A. SRX Series devices can store sessions in a session table. B. SRX Series devices accept all traffic by default.
C. SRX Series devices must operate only in packet-based mode. D. SRX Series devices must operate only in flow-based mode.
A. SRX Series devices can store sessions in a session table.
92.Which statement is true when express AV detects a virus in TCP session?
A. TCP RST is sent and a session is restarted.
B. TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent. D. AV scanning is restarted.
B. TCP connection is closed gracefully and the data content is dropped.
93.Which three actions can a branch SRX Series device perform on a spam e-mail message? (Choose three.)
A. It can drop the connection at the IP address level. B. It can block the e-mail based upon the sender ID. C. It can allow the e-mail and bypass all UTM inspection. D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.
A. It can drop the connection at the IP address level. B. It can block the e-mail based upon the sender ID. E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the subject line.
94.Which three advanced permit actions within security policies are valid? (Choose three.)
are valid? (Choose three.)
A. Mark permitted traffic for firewall user authentication. B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel. D. Associate permitted traffic with a NAT rule. E. Mark permitted traffic for IDP processing.
C. Associate permitted traffic with an IPsec tunnel. E. Mark permitted traffic for IDP processing.
95.Which three are necessary for antispam to function properly on a branch SRX Series device? (Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
A. an antispam license
B. DNS servers configured on the SRX Series device
D. a UTM profile with an antispam configuration in the appropriate security policy
96.Which three components can be leveraged when defining a local whitelist or blacklist for antispam on a branch SRX Series device? (Choose three.) A. spam assassin filtering score
B. sender country C. sender IP address D. sender domain E. sender e-mail address
C. sender IP address D. sender domain E. sender e-mail address
97.Which three contexts can be used as matching conditions in a source NAT configuration? (Choose three.)
A. routing-instance B. zone C. interface D. policy E. rule-set A. routing-instance B. zone C. interface
98.Which three features are part of the branch SRX series UTM suite? (Choose three.) A. antispam B. antivirus C. IPS D. application firewalling E. Web filtering A. antispam B. antivirus E. Web filtering
99. Which three firewall user authentication objects can be referenced in a security policy? (Choose three.)
A. access profile B. client group C. client D. default profile E. external A. access profile B. client group C. client
100.Which three functions are provided by the Junos OS for security platforms? (Choose three.)
A. VPN establishment B. stateful ARP lookups C. Dynamic ARP inspection D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
A. VPN establishment
D. Network Address Translation E. inspection of packets at higher levels (Layer 4 and above)
101.Which three methods of source NAT does the Junos OS support? (Choose three.)
A. interface-based source NAT B. source NAT with address shifting C. source NAT using static source pool D. interface-based source NAT without PAT E. source NAT with address shifting and PAT
A. interface-based source NAT B. source NAT with address shifting C. source NAT using static source pool
102.Which three options represent IDP policy match conditions? (Choose three.) A. service B. to-zone C. attacks D. port E. destination-address B. to-zone C. attacks E. destination-address
103.Which three parameters are configured in the IKE policy? (Choose three.) A. mode
B. preshared key C. external interface D. security proposals
E. dead peer detection settings
A. mode B. preshared key D. security proposals
104.Which three represent IDP policy match conditions? (Choose three.) A. protocol B. source-address C. port D. application E. attacks B. source-address D. application E. attacks
105.Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH? (Choose three.)
A.data integrity B. data confidentiality C. data authentication
D. outer IP header confidentiality E. outer IP header authentication
A. data integrity C. data authentication E. outer IP header authentication
106.Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP? (Choose three.)
A. data integrity B. data confidentiality C. data authentication
D. outer IP header confidentiality E. outer IP header authentication
A. data integrity B. data confidentiality C. data authentication
107.Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device has been properly configured with antispam inspection enabled for the appropriate security policy? (Choose three.) A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.
B. The server sending the e-mail to the SRX Series device is running unknown SMTP server software.
C. The server sending the e-mail to the SRX Series device is on an IP address range that is known to be dynamically assigned.
D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.
A. The server sending the e-mail to the SRX Series device is a known open SMTP relay. C. The server sending the e-mail to the SRX Series device is on an IP address range that is known to be dynamically assigned.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.
108.Which three statements are true regarding IDP? (Choose three.)
A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns. D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by network administrators when an attack is detected.
109.Which three statements are true when working with high-availability clusters? (Choose three.)
A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed. E. Junos OS security devices can belong to one cluster only.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.
110. Which three types of content filtering are supported only for HTTP? (Choose three.) A. block Flash
B. block Java applets C. block ActiveX D. block EXE files E. block MIME type
B. block Java applets C. block ActiveX D. block EXE files
111. Which two content-filtering features does FTP support? (Choose two.) A. block extension list
B. block MIME type C. protocol command list D. notifications-options
A. block extension list C. protocol command list
112. Which two functions of the Junos OS are handled by the data plane? (Choose two.) A. NAT B. OSPF C. SNMP D. SCREEN options A. NAT D. SCREEN options
113. Which two packet attributes contribute to the identification of a session? (Choose two.) A. destination port B. TTL C. IP options D. protocol number A. destination port D. protocol number
114. Which two parameters are configured in IPsec policy? (Choose two.) A. mode
B. IKE gateway C. security proposal D. Perfect Forward Secrecy
C. security proposal D. Perfect Forward Secrecy
115.Which two statements about Junos software packet handling are correct? (Choose two.)
A. The Junos OS applies service ALGs only for the first packet of a flow.
B. The Junos OS uses fast-path processing only for the first packet of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.
116.Which two statements about static NAT are true? (Choose two.) A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
D. A reverse mapping is automatically created.
117.Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose two.)
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related, ensuring higher security.
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using the DH algorithm.
118.Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources used for malicious packet processing.
119.Which two statements apply to policy scheduling? (Choose two.)
A. An individual policy can have only one scheduler applied. B. You must manually configure system-time updates. C. Multiple policies can use the same scheduler. D. Policies that do not have schedulers are not active.
A. An individual policy can have only one scheduler applied. C. Multiple policies can use the same scheduler.
120.Which two statements are true about AH? (Choose two.) A. AH provides data integrity.
B. AH is identified by IP protocol 50. C. AH is identified by IP protocol 51.
D. AH cannot work in conjunction with ESP
A. AH provides data integrity. C. AH is identified by IP protocol 51.
121.Which two statements are true about hierarchical architecture? (Choose two.)
A. You can assign a logical interface to multiple zones. B. You cannot assign a logical interface to multiple zones. C. You can assign a logical interface to multiple routing instances.
D. You cannot assign a logical interface to multiple routing instances.
B. You cannot assign a logical interface to multiple zones. D. You cannot assign a logical interface to multiple routing instances.
122.Which two statements are true about IPsec traffic? (Choose two.)
A. IPsec traffic can be forwarded when no IKE SA is present. B. IPsec traffic can be forwarded when no IPsec SA is present. C. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the inner IP header of the final ESP packet.
D. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the outer IP header of the final ESP packet.
A. IPsec traffic can be forwarded when no IKE SA is present. C. For traffic that has to be encrypted, the security policy must be crafted based on the IP addresses in the inner IP header of the final ESP packet.
123.Which two statements are true about pool-based source NAT? (Choose two.)
A. PAT is not supported. B. PAT is enabled by default.
C. It supports the address-persistent configuration option. D. It supports the junos-global configuration option.
B. PAT is enabled by default.
124.Which two statements are true about the relationship between static NAT and proxy ARP? (Choose two.)
A. It is necessary to forward ARP requests to remote hosts. B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.
C. It is not automatic and you must configure it.
D. It is enabled by default and you do not need to configure it.
B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.
C. It is not automatic and you must configure it.
125.Which two statements are true about the Websense redirect Web filter solution? (Choose two.)
A. The Websense redirect Web filter solution does not require a license on the SRX device.
B. The Websense server provides the SRX device with a category for the URL and the SRX device then matches the category with its configured polices and decides to permit or deny the URL. C. The Websense server provides the SRX device with a decision as to whether the SRX device permits or denies the URL.
D. When the Websense server does not know the category of the URL, it sends a request back to the SRX device to validate against the integrated SurfControl server in the cloud.
A. The Websense redirect Web filter solution does not require a license on the SRX device.
C. The Websense server provides the SRX device with a decision as to whether the SRX device permits or denies the URL.
126.Which two statements are true for a security policy? (Choose two.)
A. It controls inter-zone traffic. B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.
A. It controls inter-zone traffic. B. It controls intra-zone traffic.
127.Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user
authentication, the user must first open a connection to the Junos security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a connection to the Junos security platform before connecting to a remote network resource. C. If a Junos security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.
D. If a Junos security device is configured for Web firewall user authentication, new sessions are automatically intercepted to perform authentication.
B. When configured for Web firewall user authentication only, the user must first open a connection to the Junos security platform before connecting to a remote network resource.
C. If a Junos security device is configured for pass-through firewall user authentication, new sessions are automatically intercepted to perform authentication.
128.Which two statements are true regarding IDP? (Choose two.) A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy. B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy. C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
A. IDP can be used in conjunction with other Junos security features such as SCREEN options, zones, and security policy. D. IDP inspects traffic up to the Application Layer.
129.Which two statements are true regarding redundancy groups? (Choose two.)
A. When priority settings are equal and the members
participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 0. B. The preempt option determines the primary and secondary roles for redundancy group 0 during a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is enabled.
A. When priority settings are equal and the members participating in a cluster are initialized at the same time, the primary role for redundancy group 0 is assigned to node 0. C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
130.Which two statements are true regarding the system-default security policy [edit security policies default-policy]? (Choose two.)
A. Traffic is permitted from the trust zone to the untrust zone. B. Intrazone traffic in the trust zone is permitted.
C. All traffic through the device is denied.
D. The policy is matched only when no other matching policies are found.
C. All traffic through the device is denied.
D. The policy is matched only when no other matching policies are found.
131.Which two statements are true when describing the
capabilities of integrated Web filtering on branch SRX Series devices? (Choose two.)
A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.
B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow different policies to be enforced for different users.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow different policies to be enforced for different users.
