Juniper Juniper Certifications JN0-633 Questions & Answers

• Question 11:

  You are asked to ensure that your IPS engine blocks attacks. You must ensure that your system continues to drop additional malicious traffic without additional IPS processing for up to 30 minutes. You must ensure that the SRX Series device does send a notification packet when the traffic is dropped.

  Which statement is correct?

  A. Use the IP-Block action.

  B. Use the Drop Packet action.

  C. Use the Drop Connection action.

  D. Use the IP-Close action.

  Correct Answer: D

• Question 12:

  Click the Exhibit button.

  root@host# show system login

  user user { uid 2000; class operator; authentication {

  encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA ] }

  An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down . The administrator is a contractor and has the permissions on the SPX Series device as shown in the exhibit

  Which command set would allow the administrator to troubleshoot the cause for the VPN being down?

  A. set security ipsec traceoptions file ipsec set security ipsec traceoptions flag security-associations

  B. set security ike traceoptions file ike set security ike traceoptions flag ike

  C. request security pki verify-integrity-status

  D. request security ike debug-enable local remote

  Correct Answer: C

• Question 13:

  Which statement is true regarding destination NAT?

  A. Destination NAT changes the content of the source IP address field.

  B. Destination NAT changes the content of the destination IP address field.

  C. Destination NAT matches on the destination IP address and changes the source IP address.

  D. Destination NAT matches on the destination IP address and changes the source port.

  Correct Answer: B

• Question 14:

  You want to route traffic between two newly created virtual routers without the use of logical systems using the configuration options on the SRX5800.

  Which two methods of forwarding, between virtual routers, would you recommend? (Choose two.)

  A. Use a static route to forward traffic across virtual routers using the next-table option. Enable the return route by using a RIB group. next-table command.

  B. Create static routes in each virtual router using the

  C. Use a RIB group to share the internal routing protocol routes from the master routing instance.

  D. Connect a direct cable between boo physical interfaces, one in each virtual router and use next-hop command. static routes with the

  Correct Answer: BD

• Question 15:

  Click the Exhibit button.

  userehost# run show route

  inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

  + = Active Route, - = Last Active, * = Both

  0.0.0.0/0 *[Static/5] 00:05:06 > to 172.16.1.1 via ge-0/0/1.0 172.16.1.0/24 *[Direct/O] 00:05:06 > via ge-0/0/1.0 172.16.1.3/32 *[Local/0] 00:05:07 Local via ge-0/0/1.0 192.168.200.2/32 *[Local/0] 00:05:07 Reject

  vr-a.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both

  192.168.1.0/24 *[Direct/0] 00:01:05 > via ge-0/0/2.0 192.168.1.1/32 *[Local/0] 00:01:05 Local via ge-0/0/2.0

  vr-b.inet.0: 2 destinations, 2 routes (2 active, 0 holddcwn, 0 hidden) + = Active Route, - = Last Active, * = Both

  192.168.1.0/24 *[Direct/O] 00:01:05 > via go-0/0/3.0 192.168.1.1/32 *[Local/0] 00:01:05 Local via ge-0/0/3.0

  User 1 will access Server 1 using IP address 10.2.1.1. You need to ensure that return traffic is able to reach User 1 from Server 1.

  Exhibit:

  

  A. [edit security nat static] user@host# show rule-set server-nat {

  from zone [ untrust ];

  rule 1 {

  match {

  destination-address 10.2.1.1/32; } then {

  static-nat {

  prefix {

  192.168.1.2/32;

  }

  }

  }

  }

  }

  B. [edit security nat static] user@host# show rule-set server-nat {

  from zone [ junos-host untrust ]; rule 1 { match {

  destination-address 10.2.1.1/32; } then {

  static-nat {

  prefix { 192.168.1.2/32; routing-instance vr-b;

  }

  }

  }

  }

  }

  C. [edit security nat static] user@host# show rule-set server-nat {

  from zone untrust;

  rule 1 {

  match {

  destination-address 10.2.1.1/32; } then {

  static-nat {

  prefix { 192.168.1.2/32; routing-instance vr-a;

  }

  }

  }

  }

  }

  D. [edit security nat static] user@host# show rule-set in {

  from zone untrust;

  to zone cust-a;

  rule overload {

  match {

  source-address 0.0.0.0/0; } then {

  source-nat {

  interface;

  }

  }

  }

  }

  Correct Answer: B

• Question 16:

  Click the Exhibit button.

  Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:<1.1.1.100/51303->1.1.1.30/3389;6> matched filter MatchTraffic: Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:packet [48] ipid = 5015, @423d7e9e Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag Ox0, mbuf Ox423d7d00 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow process pak fast ifl 72 In_ifp fe-0/0/7.0 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: fe-0/0/7.0:1.1.1.100/51303- >1.1.1.30/3389, top, flag 2 syn Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: find flow: table Ox5258d7b0, hash 17008(Oxffff), sa 1.1.1.100, da 1.1.1.30, sp 51303, dp 3389, proto 6, tok 448 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_create_session Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow first_in_dst_nat: in , out dst_adr 1.1.1.30, sp 51303, dp 3389 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if. Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_rule_dst_xlate: packet 1.1.1.100->1.1.1.30 nsp2 0.0.0.0->192.168.224.30. Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_routing: call flow_route_lookup() src_ip 1.1.1.100, x_dst_ip 192.168.224.30, in ifp fe-0/0/7.0, out ifp N/A sp 51303, dp 3389, ip_proto 6, tos 0 Feb 2 09:00:02 09:00:00.1872004:CID-O:RT:Doing DESTINATION addr route-lookup Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: routed (x_dst_ip 192 168.224.30) from untrust (fe-0/0/7.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.224.30 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy search from zone untrust-> zone trust Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy has timeout 900 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: app 0, timeout 1800s, curr ageout 20s Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(51303) to 192.168.224.30 (3389) returns status 1, rule/pool id 1/2. Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: dip id = 2/0, 1.1.1.100/51303->192.168.224.3/48810 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 192.168.224.30, rtt_idx:0 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 0, policy 9, app_svc_en 0, flags Ox2. not interested Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 1, policy 9, app_svc_en 0, flags Ox2. not interested Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_service_lookup(): natp(Ox51ee4680): app_id, 0(0). Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: service lookup identified service O.

  Referring to the exhibit, which two statements are correct? (Choose two.)

  A. The packet being inspected is a UDP packet.

  B. The incoming interface is fe-0/0/7.

  C. This traffic matches an existing flow.

  D. Source NAT is being used.

  Correct Answer: BC

• Question 17:

  Which AppSecure module provides Quality of Service?

  A. AppTrack

  B. AppFW

  C. AppID

  D. AppQoS

  Correct Answer: D

• Question 18:

  Click the Exhibit button.

  user@host> show security flow session extensive Session ID: 1173, Status: Normal Flag: Ox0 Policy name: two/6 Source NAT pool: interface, Application: junos-ftp/1 Dynamic application: junos:UNKNOWN, Application traffic control rule-set: INVALID, Rule: INVALID Maximum timeout: 1800, Current timeout: 1756 Session State: Valid Start time: 4859, Duration: 99

  In: 172.20.103.10/56457 --> 10.210.14.130/21;tcp,

  Interface: vlan.103,

  Session token: Ox8, Flag: Ox21

  Route: 0x100010, Gateway: 172.20.103.10, Tunnel: 0

  Port sequence: 0, FIN sequence: 0, FIN state: 0,

  Pkts: 12, Bytes: 549

  Out: 10.210.14.130/21 --> 10.210.14.133/18698;tcp,

  Interface: ge-0/0/0.0,

  Session token: 0x7, Flag: Ox20

  Route: Oxf0010, Gateway: 10.210 14.130, Tunnel: 0

  Port sequence: 0, FIN sequence: 0,

  FIN state: 0,

  Pkts: 8, Bytes: 514

  Total sessions: 1

  A user complains that they are unable to download files using FTP. They are able to connect to the remote site, but cannot download any files. You investigate and execute the show security flow session extensive command to receive the result shown in the exhibit.

  What is the cause of the problem?

  A. The NAT translation is incorrect.

  B. The FTP ALG has been disabled.

  C. Passive mode FTP is not enabled.

  D. The FTP session is using the wrong port number.

  Correct Answer: B

• Question 19:

  Click the Exhibit button.

  [edit protocols ospf area 0.0.0.0] user@host# run show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 3289542 UP 48d928408940de28 e418fc7702fe483b Main

  172.31.50.1 3289543 UP eb45940484082b14 428086b100427326 Main 10.10.50.1

  [edit protocols ospf area 0.0.0.0] user@host# run show security ipsec; security-associations Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:des/ shal 6d40899b 1360/ unlim -root 500 10.10.50.1

  >131073 ESP:des/ shal 5a89400e 1360/ unlim -root 500 10.10.50.1

  <131074 ESP:des/ shal c04046f 1359/ unlim -root 500 172.31.50.1

  >131074 ESP:des/ shal 5508946c 1359/ unlim -root 500 172.31.50.1

  [edit protocols ospf area 0.0.0.0] user@host# run show ospf neighbor Address Interface State ID Pri Dead 10.40.60.1 st0.0 Init 10.30.50.1 128 35

  10.40.60.2 st0.0 Full 10.30.50.1 128 31

  [edit protocols ospf area 0.0.0.0]

  user@host# show

  interface st0.0;

  You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However,

  the hub device has one neighbor in the Init state and one neighbor in the Full state.

  What would you do to resolve this problem?

  A. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.

  B. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.

  C. Configure the st0.0 interface under OSPF as a point-to-point interface.

  D. Configure the st0.0 interface under OSPF as an unnumbered interface.

  Correct Answer: B

• Question 20:

  Click the Exhibit button.

  user @host> show bgp summary logical-system LSYS1 Groups : 11 Peers : 10 Down peers: 1 Table Tot. Paths Act Paths Suppressed History Damp State

  Pending inet.0 141 129 0 0 0 Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...

  192.168.64.12 65008 11153 11459 0 26 3d

  3:10:43 9/10/10/0 0/0/0/0

  192.168.72.12 65009 11171 11457 0 26 3d

  3:10:39 11/12/12/0 0/0/0/0

  192.168.80.12 65010 9480 9729 0 27 3d

  3:10:42 11/12/12/0 0/0/0/0

  192.168.88.12 65011 11171 11457 0 25 3d

  3:10:31 12/13/13/0 0/0/0/0

  192.168.96.12 65012 9479 9729 0 26 3d

  3:10:34 12/13/13/0 0/0/0/0

  192.168.10.12 65013 111689 11460 0 27 3d

  3:10:46 9/10/10/0 0/0/0/0

  192.168.11.12 65014 111688 11458 0 25 3d

  3:10:42 9/10/10/0 0/0/0/0

  192.168.12.12 65015 111687 11457 0 25 3d

  3:10:38 9/10/10/0 0/0/0/0

  192.68.11.12 650168 9478 9729 0 25 3d

  3:10:42 9/10/10/0 0/0/0/0

  192.168.13.12 65017 111687 11457 0 27 3d

  3:10:30 9/10/10/0 0/0/0/0

  192.168.16.12 65017 111687 11457 0 27 1w3d2h Connect

  user@host> show interfaces ge-0/0/7.0 extensive Logical interface ge-0/0/7.0 (Index 76) (SNMP ifIndex 548) (Generation 141)

  ... Security: Zone: log Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping

  reverse-telnet reverse-ssh rloqin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip

  r2cp Flow Statistics: Flow Input statistics:

  Self packets: 0

  ICMP packets: 0

  VPN packets: 0

  Multicast packets: 0

  Bytes permitted by policy: 0

  Connections established: 0

  Flow Output statistics:

  Multicast packets: 0

  Bytes permitted by policy: 0

  Flow error statistics (Packets dropped due to):

  Address spoofing: 0

  Authentication failed: 0

  Incoming NAT errors: 0

  Invalid zone received packet: 0

  Multiple user authentications: 0

  Multiple incoming NAT: 0

  No parent for a gate: 0

  No one interested in self pakets: 0

  No minor session: 0

  No more sessions: 589723

  No NAT gate: 0

  No route present: 0

  No SA for incoming SPI: 0

  No tunnel found: 0

  No session for a gate: 0

  No zone or NULL zone binding 0

  Policy denied: 0

  Security association not active: 0

  TCP sequence number out of window: 0

  Syn-attack protection: 0

  User authentication errors: 0

  Protocol inet, MTU: 1500, Generation: 1685, Route table: 0

  Flags: Sendbcast-pkt-to-re

  Addresses, F1ags: Is-Preferred Is-Primary

  Destination: 10.5.123/24, Local: 10.5.123.3, Broadcast: 10.5.123.255, Generation: 156 Protocol multiservice, MTU: Unlimited, Generation: 1686, Route table: 0 Policer: Input: __default_arp_policer__ ...

  ...

  An SRX Series device has been configured with a logical system LSYS1. One of the BGP peers is down.

  Referring to the exhibit, which statement explains this problem?

  A. The LSYS license only allows up to ten BGP peerings.

  B. The maximum number of allowed flows is set to low.

  C. The allocated memory is not sufficient for this LSYS.

  D. The minimum number of flows is set to high.

  Correct Answer: B