Top Up to the minute JN0-633 exam question Reviews!

It is faster and easier to pass the Juniper JN0-633 exam by using validated Juniper Security, Professional (JNCIP-SEC) questions and answers. Get immediate access to the refreshed JN0-633 exam and find the same core-area JN0-633 questions with professionally verified answers, then pass your exam with a high score.


Q1. Click the Exhibit button.

Traffic is being sent from Host-1 to Host-2 through an IPsec VPN. In this process, SRX-2 is using NAT to change the destination address of Host-2 from 192.168.1.1 to 10.60.60.1. SRX-1 uses the 172.31.50.1 address for its tunnel endpoint and SRX-2 uses the 10.10.50.1 address for its tunnel endpoint.

Referring to the exhibit, which statement is true?

A. The security policy on SRX-2 must permit traffic from the 172.31.50.1 destination address.

B. The security policy on SRX-2 must permit traffic from the 10.10.50.1 destination address.

C. The security policy on SRX-2 must permit traffic from the 10.60.60.1 destination address.

D. The security policy on SRX-2 must permit traffic from the 192.168.1.1 destination address.

Answer: C

Q2. You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster.

Which two statements about the deployment are true? (Choose two.)

A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.

B. The remote clients must install client software to establish a tunnel with the corporate network.

C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.

D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.

Answer: B,D

Explanation:

Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf

Q3. Click the Exhibit button.

user@host# run show security flow session

Session ID: 28, Policy name: allow/5, Timeout: 2, Valid

In: 172.168.1.2/24800 --> 66.168.100.100/8001; tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 64

Out: 10.168.100.1/8001 --> 172.168.1.2/24800; tcp, If: ge-0/0/6.0, Pkts: 1, Bytes: 40

Your customer is unable to reach your HTTP server that is connected to the ge-0/0/6 interface. The HTTP server has an address of 10.168.100.1 on port 80 internally, but is accessed publicly using interface ge-0/0/3 with the address 66.168.100.100 on port 8001.

Referring to the exhibit, what is causing this problem?

A. The traffic is originated with incorrect IP address from the customer.

B. The traffic is translated with the incorrect IP address for the HTTP server.

C. The traffic is translated with the incorrect port number for the HTTP server.

D. The traffic is originated with the incorrect port number from the customer.

Answer: C

Q4. You have just created a few hundred application firewall rules on an SRX device and applied them to the appropriate firewall policies. However, you are concerned that the SRX device might become overwhelmed with the increased processing required to process traffic through the application firewall rules.

Which three actions will help reduce the amount of processing required by the application firewall rules? (Choose three.)

A. Use stateless firewall filtering to block the unwanted traffic.

B. Implement AppQoS to drop the unwanted traffic.

C. Implement screen options to block the unwanted traffic.

D. Implement IPS to drop the unwanted traffic.

E. Use security policies to block the unwanted traffic.

Answer: A,C,E

Explanation:

IPS and AppDoS are the most powerful, and thus, the least efficient method of dropping traffic on the SRX, because IPS and AppDoS tend to take up the most processing cycles.

Reference: http://answers.oreilly.com/topic/2036-how-to-protect-your-network-with-security-tools-for-junos/

Q5. Which two are required for the SRX device to perform DNS doctoring? (Choose two.)

A. DNS ALG

B. dns-doctoring stanza

C. name-server

D. static NAT

Answer: A,D

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-alg-dns.pdf

Q6. What is a secure key management protocol used by IPsec?

A. AH

B. ESP

C. TCP

D. IKE

Answer: D

Q7. You are asked to ensure that your IPS engine blocks attacks. You must ensure that your system continues to drop additional malicious traffic without additional IPS processing for up to 30 minutes. You must ensure that the SRX Series device does send a notification packet when the traffic is dropped.

Which statement is correct?

A. Use the IP-Block action.

B. Use the Drop Packet action.

C. Use the Drop Connection action.

D. Use the IP-Close action.

Answer: D

Q8. Click the Exhibit button.

user@host> show security ike security-associations

Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3271043  UP     7f42284089404673  95fd8408940438d8  Main  172.31.50.2

user@host> show security ipsec security-associations

Total active tunnels: 0

user@host> show log phase2

Feb 2 14:21:18 host kmd[1088]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0

Feb 2 14:21:18 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4 (1.1.1.1)

Feb 2 14:21:54 host kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0

Feb 2 14:22:19 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)

You have recently configured an IPsec VPN between an SRX Series device and another non-Junos security device. The phase one tunnel is up but the phase two tunnel is not present.

Referring to the exhibit, what is the cause of this problem?

A. preshared key mismatch

B. mode mismatch

C. proposal mismatch

D. proxy-ID mismatch

Answer: D

Q9. Click the Exhibit button.

— Exhibit —

security {
    nat {
        destination {
            pool Web-Server {
                address 10.0.1.5/32;
            }
            rule-set From-Internet {
                from zone Untrust;
                rule To-Web-Server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 172.16.1.7/32;
                    }
                    then {
                        destination-nat pool Web-Server;
                    }
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}

— Exhibit —

You are migrating from one external address block to a different external address block. You want to enable a smooth transition to the new address block. You temporarily want to allow external users to contact the Web server using both the existing external address as well as the new external address 192.168.1.1.

How do you accomplish this goal?

A. Add address 192.168.1.1/32 under [edit security nat destination pool Web-Server].

B. Change the address Web-Server-Ext objects to be address-set objects that include both addresses.

C. Change the destination address under [edit security nat destination rule-set From-Internet rule To-Web-Server match] to include both 172.16.1.7/32 and 192.168.1.2/32.

D. Create a new rule for the new address in the [edit security nat destination rule-set From-Internet] hierarchy.

Answer:

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-source-and-destination-nat-translation-configuring.html

Q10. Click the Exhibit button.

— Exhibit —

— Exhibit —

In the exhibit, the SRX device has hosts connected to interface ge-0/0/1 and ge-0/0/6. The devices are not able to ping each other.

What is causing this behavior?

A. The interfaces must be in trunk mode.

B. The interfaces need to be configured for Ethernet switching.

C. The default security policy does not apply to transparent mode.

D. A bridge domain has not been defined.

Answer: D
