
JN0-633 Online Practice Questions and Answers

Question 4

You are asked to change the configuration of your company's SRX device so that you can block nested traffic from certain Web sites, but the main pages of these Web sites must remain available to users. Which two methods will accomplish this goal? (Choose two.)

A. Enable the HTTP ALG.

B. Implement a firewall filter for Web traffic.

C. Use an IDP policy to inspect the Web traffic.

D. Configure an application firewall rule set.

Question 5

Your company's network has seen an increase in Facebook-related traffic. You have been asked to restrict the amount of Facebook-related traffic to less than 100 Mbps regardless of congestion. What are three components used to accomplish this task? (Choose three.)

A. IDP policy

B. application traffic control

C. application firewall

D. security policy

E. application signature

Question 6

You recently implemented application firewall rules on an SRX device to act upon encrypted traffic. However, the encrypted traffic is not being correctly identified. Which two actions will help the SRX device correctly identify the encrypted traffic? (Choose two.)

A. Enable heuristics to detect the encrypted traffic.

B. Disable the application system cache.

C. Use the junos:UNSPECIFIED-ENCRYPTED application signature.

D. Use the junos:SPECIFIED-ENCRYPTED application signature.

Question 7

Two companies, A and B, are connected as separate customers on an SRX5800 residing on two virtual routers (VR-A and VR-B). These companies have recently been merged and now operate under a common IT security policy. You have been asked to facilitate communication between these VRs. Which two methods will accomplish this task? (Choose two.)

A. Use instance-import to share the routes between the two VRs.

B. Create logical tunnel interfaces to interconnect the two VRs.

C. Use a physical connection between VR-A and VR-B to interconnect them.

D. Create a static route using the next-table action in both VRs.

Question 8

Your company is providing multi-tenant security services on an SRX5800 cluster. You have been asked to create a new logical system (LSYS) for a customer. The customer must be able to access and manage new resources within their LSYS.

How do you accomplish this goal?

A. Create the new LSYS, allocate resources, and then create the user administrator role so that the customer can manage their allocated resources.

B. Create the new LSYS, and then create the user administrator role so that the customer can allocate and manage resources.

C. Create the new LSYS, and then create the master administrator role for the LSYS so that the customer can allocate and manage resources.

D. Create the new LSYS, then request the required resources from the customer, and create the required resources.

Question 9

You want to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, without the internal resource having previously sent packets to the external hosts. Which configuration setting will accomplish this goal?

A. persistent-nat permit target-host

B. persistent-nat permit any-remote-host

C. persistent-nat permit target-host-port

D. address-persistent

Question 10

You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?

A. You can use SCEP to accomplish this behavior.

B. You can use OCSP to accomplish this behavior.

C. You can use CRL to accomplish this behavior.

D. You can use SPKI to accomplish this behavior.

Question 11

HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?

A.

    [edit security flow]
    user@srx# show
    traceoptions {
        file dump;
        flag basic-datapath;
    }

B.

    [edit security]
    user@srx# show
    application-tracking {
        enable;
    }
    flow {
        traceoptions {
            file dump;
            flag basic-datapath;
        }
    }

C.

    [edit firewall filter capture term one]
    user@srx# show
    from {
        source-address {
            1.1.1.1;
        }
        destination-address {
            2.2.2.2;
        }
        protocol tcp;
    }
    then {
        port-mirror;
        accept;
    }

D.

    [edit firewall filter capture term one]
    user@srx# show
    from {
        source-address {
            1.1.1.1;
        }
        destination-address {
            2.2.2.2;
        }
        protocol tcp;
    }
    then {
        sample;
        accept;
    }

Question 12


In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not producing the expected results. Part of the configuration is shown in the exhibit. When you run the show route table isp1 command, you do not see the default route listed.

What is causing this behavior?

Exhibit:

A. The autonomous system number is incorrect, which is preventing the device from receiving a default route from ISP1.

B. The device is not able to resolve the next-hop.

C. The isp1 routing instance is configured with an incorrect instance-type.

D. The show route table isp1 command does not display the default route unless you add the exact 0.0.0.0/0 option.

Question 13


Based on the output shown in the exhibit, what are two results? (Choose two.)

Exhibit:

A. The output shows source NAT.

B. The output shows destination NAT.

C. The port information is changed.

D. The port information is unchanged.

Question 14


You receive complaints from users that their Web browsing sessions keep dropping prematurely. Upon investigation, you find that the IDP policy shown in the exhibit is detecting the users' sessions as HTTP:WIN-CMD:WIN-CMD-EXE attacks, even though their sessions are not actual attacks. You must allow these sessions but still inspect for all other relevant attacks.

How would you configure your SRX device to meet this goal?

Exhibit:

A. Create a new security policy that allows HTTP for all users and does not apply IDP.

B. Modify the security policy to add an application exception.

C. Modify the IDP policy to delete this particular attack from the IDP rulebase.

D. Modify the IDP policy to add an exempt rulebase rule to not inspect for this attack.

Question 15


    user@host# run show security flow session
    ...
    Session ID: 28, Policy name: allow/5, Timeout: 2, Valid
      In: 172.168.1.2/24800 --> 66.168.100.100/8001; tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 64
      Out: 10.168.100.1/8001 --> 172.168.1.2/24800; tcp, If: ge-0/0/6.0, Pkts: 1, Bytes: 40

Your customer is unable to reach your HTTP server that is connected to the ge-0/0/6 interface. The HTTP server has an address of 10.168.100.1 on port 80 internally, but is accessed publicly using interface ge-0/0/3 with the address 66.168.100.100 on port 8001.

Referring to the exhibit, what is causing this problem?

A. The traffic is originated with the incorrect IP address from the customer.

B. The traffic is translated with the incorrect IP address for the HTTP server.

C. The traffic is translated with the incorrect port number for the HTTP server.

D. The traffic is originated with the incorrect port number from the customer.

Question 16


    user@host> show security ike security-associations
    Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
    3271043  UP     7f42284089404673  95fd8408940438d8  Main  172.31.50.2

    user@host> show security ipsec security-associations
    Total active tunnels: 0

    user@host> show log phase2
    Feb 2 14:21:18 host kmd[1088]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
    Feb 2 14:21:18 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)
    Feb 2 14:21:54 host kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
    Feb 2 14:22:19 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)

You have recently configured an IPsec VPN between an SRX Series device and another non-Junos security device. The phase one tunnel is up but the phase two tunnel is not present.

Referring to the exhibit, what is the cause of this problem?

A. preshared key mismatch

B. mode mismatch

C. proposal mismatch

D. proxy-ID mismatch

Question 17

Which AppSecure module provides Quality of Service?

A. AppTrack

B. AppFW

C. AppID

D. AppQoS

Question 18

An SRX Series device is configured for inline tap mode.

What will occur if Drop Packet is selected?

A. The SRX Series device drops a matching packet before it can reach its destination but does not close the connection.

B. The SRX Series device will ignore the action Drop Packet.

C. The SRX Series device closes the connection and sends an RST packet to both the client and the server.

D. The SRX Series device drops a matching packet associated with the connection, preventing traffic for the connection from reaching its destination.

Exam Code: JN0-633
Exam Name: Security, Professional (JNCIP-SEC)
Last Update: Apr 21, 2024
Questions: 175 Q&As
