Replace Juniper JN0-633 – An Overview 51 to 60

“Security, Professional (JNCIP-SEC)”, also known as the JN0-633 exam, is a Juniper certification.


Q51. Click the Exhibit button.

[edit]

user@host# run show log debug

Feb 3 22:04:31 22:04:31.824294:CID-0:RT:flow_first_policy_search: policy search from zone host-> zone attacker (0x0,0xe4089404,0x17)

Feb 3 22:04:31 22:04:31.824297:CID-0:RT:Policy lkup: vsys 0 zone(9:host) -> zone(10:attacker) scope: 0

Feb 3 22:04:31 22:04:31.824770:CID-0:RT:5.0.0.25/59028 -> 25.0.0.25/23 proto 6

Feb 3 22:04:31 22:04:31.824778:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope: 0

Feb 3 22:04:31 22:04:31.824780:CID-0:RT:5.0.0.25/59028 -> 25.0.0.25/23 proto 6

Feb 3 22:04:31 22:04:31.824783:CID-0:RT: app 10, timeout 1800s, curr ageout 20s

Feb 3 22:04:31 22:04:31.824785:CID-0:RT: permitted by policy default-policy-00(2)

Feb 3 22:04:31 22:04:31.824787:CID-0:RT: packet passed, Permitted by policy.

Feb 3 22:04:31 22:04:31.824790:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False

Feb 3 22:04:31 22:04:31.824834:CID-0:RT:flow_first_src_xlate: incoming src port is: 38118

Which two statements are true regarding the output shown in the exhibit? (Choose two.)

A. The packet does not match any user-configured security policies.

B. The user has configured a security policy to allow the packet.

C. The log is showing the first path packet flow.

D. The log shows the reverse flow of the session.

Answer: C

Q52. You must configure a central SRX device connected to two branch offices with overlapping IP address space. The branch office connections to the central SRX device must reside in separate routing instances. Which two components are required? (Choose two.)

A. virtual routing instance

B. forwarding instance

C. static NAT

D. persistent NAT

Answer: A,C

Explanation:

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21286

Q53. Click the Exhibit button.

— Exhibit —

Referring to the exhibit, the session close log was generated by the application firewall rule set HTTP.

Why did the session close?

A. The application identification engine was unable to determine which application was in use, which caused the SRX device to close the session.

B. The host with the IP address of 192.168.1.123 received a TCP segment with the FIN flag set from the host with the IP address of 65.197.244.218.

C. The SRX device was unable to determine the user and role in the allotted time, which caused the session to close.

D. The host with the IP address of 192.168.1.123 sent a TCP segment with the FIN flag set to the host with the IP address of 65.197.244.218.

Answer:

Explanation: 

Reference: http://netscreen.com/techpubs/software/junos/junos92/syslog-messages/download/rt.pdf

Q54. You are asked to design a solution to verify IPsec peer reachability with data path forwarding.

Which feature would meet the design requirements?

A. DPD over Phase 1 SA

B. DPD over Phase 2 SA

C. VPN monitoring over Phase 1 SA

D. VPN monitoring over Phase 2 SA

Answer: D

Explanation:

Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671

Q55. Click the Exhibit button.

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:<1.1.1.100/51303->1.1.1.30/3389;6> matched filter MatchTraffic:

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:packet [48] ipid = 5015, @423d7e9e

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x423d7d00

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow process pak fast ifl 72 In_ifp fe-0/0/7.0

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: fe-0/0/7.0:1.1.1.100/51303->1.1.1.30/3389, tcp, flag 2 syn

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: find flow: table 0x5258d7b0, hash 17008(0xffff), sa 1.1.1.100, da 1.1.1.30, sp 51303, dp 3389, proto 6, tok 448

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_create_session

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr 1.1.1.30, sp 51303, dp 3389

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_rule_dst_xlate: packet 1.1.1.100->1.1.1.30 nsp2 0.0.0.0->192.168.224.30.

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_routing: call flow_route_lookup() src_ip 1.1.1.100, x_dst_ip 192.168.224.30, in ifp fe-0/0/7.0, out ifp N/A sp 51303, dp 3389, ip_proto 6, tos 0

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:Doing DESTINATION addr route-lookup

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: routed (x_dst_ip 192.168.224.30) from untrust (fe-0/0/7.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.224.30

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy search from zone untrust-> zone trust

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy has timeout 900

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: app 0, timeout 1800s, curr ageout 20s

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(51303) to 192.168.224.30(3389) returns status 1, rule/pool id 1/2.

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: dip id = 2/0, 1.1.1.100/51303->192.168.224.3/48810

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 192.168.224.30, rtt_idx:0

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 0, policy 9, app_svc_en 0, flags 0x2. not interested

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 1, policy 9, app_svc_en 0, flags 0x2. not interested

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_service_lookup(): natp(0x51ee4680): app_id, 0(0).

Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: service lookup identified service 0.

Referring to the exhibit, which two statements are correct? (Choose two.)

A. The packet being inspected is a UDP packet.

B. The incoming interface is fe-0/0/7.

C. This traffic matches an existing flow.

D. Source NAT is being used.

Answer: B,C

Q56. You have an existing group VPN established in your internal network using the group-id 1. You have been asked to configure a second group using the group-id 2. You must ensure that the key server for group 1 participates in group 2 but is not the key server for that group. Which statement is correct regarding the group configuration on the current key server for group 1?

A. You must configure both groups at the [edit security ipsec vpn] hierarchy.

B. You must configure both groups at the [edit security group-vpn member] hierarchy.

C. You must configure both groups at the [edit security ike] hierarchy.

D. You must configure both groups at the [edit security group-vpn] hierarchy.

Answer: D

Explanation: Reference: http://www.jnpr.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-45791.html

Q57. You are asked to secure your company’s Web presence. This includes using an SRX Series device to inspect SSL traffic going to the Web servers in your DMZ.

Which two actions are required to accomplish this task? (Choose two.)

A. Load your Web server’s private key in the IDP configuration.

B. Load your Web server’s public key in the IDP configuration.

C. Generate a root certificate on the SRX Series device for your Web servers.

D. Specify the number of sessions in the SSL sensor configuration.

Answer: A,D

Q58. You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be working properly.

What are two reasons for the problem? (Choose two.)

A. You have configured a remote address value of 0.0.0.0/0.

B. You are trying to use traffic selectors with policy-based VPNs.

C. You have configured 15 traffic selectors on each SRX Series device.

D. You are trying to use traffic selectors with route-based VPNs.

Answer: A,B

Q59. You are asked to configure class of service (CoS) on an SRX device running in transparent mode. Which command would you use?

A. set interfaces ge-0/0/0 unit 0 classifiers dscp priority-app

B. set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp priority-app

C. set class-of-service interfaces ge-0/0/0 unit 0 classifiers ieee-802.1 priority-app

D. set interfaces ge-0/0/0 unit 0 classifiers inet-precedence priority-app

Answer: C

Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23234

Q60. You want to configure in-band management of an SRX device in transparent mode. Which command is required to enable this functionality?

A. set interfaces irb unit 1 family inet address

B. set interfaces vlan unit 1 family inet address

C. set interfaces ge-0/0/0 unit 0 family inet address

D. set interfaces ge-0/0/0 unit 0 family bridge address

Answer: A

Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23823
