
JN0-333 Online Practice Questions and Answers

Questions 4

Click the Exhibit button.

Which feature is enabled with destination NAT as shown in the exhibit?

A. NAT overload

B. block allocation

C. port translation

D. NAT hairpinning

Questions 5

Click the Exhibit button.

You have configured NAT on your network so that Host A can communicate with Server B. You want to ensure that Host C can initiate communication with Host A using Host A's reflexive address.

Referring to the exhibit, which parameter should you configure on the SRX Series device to satisfy this requirement?

A. Configure persistent NAT with the target-host parameter.

B. Configure persistent NAT with the target-host-port parameter.

C. Configure persistent NAT with the any-remote-host parameter.

D. Configure persistent NAT with the port-overloading parameter.

Questions 6

What is the function of redundancy group 0 in a chassis cluster?

A. Redundancy group 0 identifies the node controlling the cluster management interface IP addresses.

B. The primary node for redundancy group 0 identifies the first member node in a chassis cluster.

C. The primary node for redundancy group 0 determines the interface naming for all chassis cluster nodes.

D. The node on which redundancy group 0 is primary determines which Routing Engine is active in the cluster.

Questions 7

Click the Exhibit button.

The inside server must communicate with the external DNS server. The internal DNS server address is 10.100.75.75. The external DNS server address is 75.75.76.76. Traffic from the inside server to the DNS server fails.

Referring to the exhibit, what is causing the problem?

A. The security policy must match the translated destination address.

B. Source and static NAT cannot be configured at the same time.

C. The static NAT rule must use the global address book entry name for the DNS server.

D. The security policy must match the translated source and translated destination address.

Questions 8

What are three valid virtual interface types for a vSRX? (Choose three.)

A. SR-IOV

B. fxp0

C. eth0

D. VMXNET 3

E. virtio

Questions 9

Clients at a remote office are accessing a website that is against your company Internet policy. You change the action of the security policy that controls HTTP access from permit to deny on the remote office SRX Series device. After committing the policy change, you notice that new users cannot access the website but users that have existing sessions on the device still have access. You want to block all user sessions immediately.

Which change would you make on the SRX Series device to accomplish this task?

A. Add the set security flow tcp-session rst-invalidate-session option to the configuration and commit the change.

B. Add the set security policies policy-rematch parameter to the configuration and commit the change.

C. Add the security flow tcp-session strict-syn-check option to the configuration and commit the change.

D. Issue the commit full command from the top of the configuration hierarchy.

Questions 10

Which process describes the implementation of screen options on an SRX Series device?

A. Configured screen options are only applied when traffic does not match a valid route.

B. Configured screen options are applied only to the first packet that is processed in a stateful session.

C. Configured screen options are applied to all packets that are processed by the stateful session firewall processor.

D. Configured screen options are only applied when traffic does not match a valid policy.

Questions 11

What are three defined zone types on an SRX Series device?

A. dynamic

B. junos-host

C. null

D. functional

E. routing

Questions 12

A session token on an SRX Series device is derived from what information? (Choose two.)

A. routing instance

B. zone

C. screen

D. MAC address

Questions 13

Your network includes IPsec tunnels. One IPsec tunnel transits an SRX Series device with NAT configured. You must ensure that the IPsec tunnels function properly.

Which statement is correct in this scenario?

A. Persistent NAT should be enabled.

B. NAT-T should be enabled.

C. Destination NAT should be configured.

D. A source address pool should be configured.

Questions 14

You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.

Which two configuration parameters should you verify are correct? (Choose two.)

A. Verify that the IKE gateway proposals on the initiator and responder are the same.

B. Verify that the VPN tunnel configuration references the correct IKE gateway.

C. Verify that the IPsec policy references the correct IKE proposals.

D. Verify that the IKE initiator is configured for main mode.

Questions 15

Your internal webserver uses port 8088 for inbound connections. You want to allow external HTTP traffic to connect to the webserver.

Which two actions would accomplish this task? (Choose two.)

A. Create a custom application for port 8088 and create a security policy that permits the custom-http application.

B. Remap port 80 to port 8088 in the junos-http application and create a security policy that permits the junos-http application.

C. Use destination NAT to remap incoming traffic from port 80 to port 8088.

D. Create an Application Layer Gateway to permit HTTP traffic on port 8088.

Questions 16

Which type of VPN provides a secure method of transporting encrypted IP traffic?

A. IPsec

B. Layer 3 VPN

C. VPLS

D. Layer 2 VPN

Questions 17

Click the Exhibit button. Referring to the exhibit, what will happen if client 172.16.128.50 tries to connect to destination 192.168.150.3 using HTTP?

A. The client will be permitted by policy p1.

B. The client will be denied by policy p3.

C. The client will be denied by policy p2.

D. The client will be permitted by the global policy.

Questions 18

You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.

Which two configuration parameters should you verify are correct? (Choose two.)

A. Verify that the IKE gateway proposals on the initiator and responder are the same.

B. Verify that the VPN tunnel configuration references the correct IKE gateway.

C. Verify that the IKE initiator is configured for main mode.

D. Verify that the IPsec policy references the correct IKE proposals.

Exam Code: JN0-333
Exam Name: Security, Specialist (JNCIS-SEC)
Last Update: May 09, 2024
Questions: 75 Q&As
