Up to the immediate present JN0-633: Testking real questions from 61 to 70

It is impossible to pass Juniper JN0-633 exam without any help in the short term. Come to Testking soon and find the most advanced, correct and guaranteed Juniper JN0-633 practice questions. You will get a surprising result by our Renew Security, Professional (JNCIP-SEC) practice guides.

2017 NEW RECOMMEND

Free VCE & PDF File for Juniper JN0-633 Real Exam
(Full Version!)

Pass on Your First TRY 100% Money Back Guarantee Realistic Practice Exam Questions

Free Instant Download NEW JN0-633 Exam Dumps (PDF & VCE):
Available on:
http://www.certleader.com/JN0-633-dumps.html

Q61. You are asked to implement the AppFW feature on an SRX Series device. Which three tasks must be performed to make the feature work? (Choose three.)

A. Configure a firewall filter that includes the application-firewall policy.

B. Install an IPS license.

C. Install an AppSecure license.

D. Configure a security policy that includes the application-firewall policy.

E. Configure an application-firewall policy.

Answer: C,D,E

Q62. Click the Exhibit button.

— Exhibit–

— Exhibit —

Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?

A. all traffic including non-IP traffic

B. any IP traffic

C. only TCP and UDP traffic

D. only BPDU traffic

Answer: D

Q63. Click the Exhibit button.

— Exhibit —

CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/5.0

CID-0:RT: ge-0/0/5.0:10.0.0.2/55892->192.168.1.2/80, tcp, flag 2 syn

CID-0:RT: find flow: table 0x5a386c90, hash 50728(0xffff), sa 10.0.0.2, da 192.168.1.2, sp 55892, dp 80, proto 6, tok 7

CID-0:RT: no session found, start first path. in_tunnel – 0x0, from_cp_flag – 0 CID-0:RT: flow_first_create_session

CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/5.0>, out <N/A> dst_adr 192.168.1.2, sp 55892, dp 80

CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if.

CID-0:RT:flow_first_rule_dst_xlatE.DST no-xlatE.0.0.0.0(0) to 192.168.1.2(80)

CID-0:RT:flow_first_routinG.vr_id 0, call flow_route_lookup(): src_ip 10.0.0.2, x_dst_ip 192.168.1.2, in ifp ge-0/0/5.0, out ifp N/A sp 55892, dp 80, ip_proto 6, tos 10

CID-0:RT:Doing DESTINATION addr route-lookup

CID-0:RT: routed (x_dst_ip 192.168.1.2) from LAN (ge-0/0/5.0 in 0) to ge-0/0/1.0, Next- hop: 172.16.32.1

CID-0:RT:flow_first_policy_searcH.policy search from zone LAN-> zone WAN (0x0,0xda540050,0x50)

CID-0:RT:Policy lkup: vsys 0 zone(7:LAN) -> zone(6:WAN) scope:0 CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6

CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0 CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6

CID-0:RT: app 6, timeout 1800s, curr ageout 20s CID-0:RT: packet dropped, denied by policy

CID-0:RT: denied by policy default-policy-00(2), dropping pkt CID-0:RT: packet dropped, policy deny.

CID-0:RT: flow find session returns error.

CID-0:RT: —– flow_process_pkt rc 0x7 (fp rc -1) CID-0:RT:jsf sess close notify

CID-0:RT:flow_ipv4_del_flow: sess , in hash 32

— Exhibit —

A host is not able to communicate with a Web server.

Based on the logs shown in the exhibit, what is the problem?

A. A policy is denying the traffic between these two hosts.

B. A session has not been created for this flow.

C. A NAT policy is translating the address to a private address.

D. The session table is running out of resources.

Answer: A

Q64. Click the Exhibit button.

— Exhibit —

Feb 8 10:39:40 Unable to find phase-1 policy as remote peer:2.2.2.2 is not recognized. Feb 8 10:39:40 KMD_PM_P1_POLICY_LOOKUP_FAILURE.Policy lookup for Phase-1

[responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.2) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)

Feb 8 10:39:40 1.1.1.2:500 (Responder) <-> 2.2.2.2:500 { dbe1d0af – a4d6d829 f9ed3bba [-1] / 0x00000000 } IP; Error = No proposal chosen (14)

— Exhibit —

According to the log shown in the exhibit, you notice that the IPsec session is not establishing.

What are two reasons for this behavior? (Choose two.)

A. mismatched preshared key

B. mismatched proxy ID

C. incorrect peer address

D. mismatched peer ID

Answer: C,D

Explanation:

If the peer was not matched with the peer ID, the line "Unable to find phase-1 policy as remote peer:192.168.1.60 is not recognized." should be shown

Reference :http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097&pmv=print

Q65. You configured a custom signature attack object to match specific components of an

attack:

HTTP-request

Pattern .*\\x90 90 90 … 90 Direction: client-to-server

Which client traffic would be identified as an attack?

A. HTTP GET .*\\x90 90 90 … 90

B. HTTP POST .*\\x90 90 90 … 90

C. HTTP GET .*x909090 … 90

D. HTTP POST .*x909090 … 90

Answer: A

Explanation: Reference: http://www.juniper.net/techpubs/en_US//idp/topics/task/configuration/intrusion-detection-prevention-signature-attack-object-creating-nsm.html

Q66. Your company has added a connection to a new ISP and you have been asked to send specific traffic to the new ISP. You have decided to implement filter-based forwarding. You have configured new routing instances with type forwarding. You must direct traffic into each instance.Which step would accomplish this goal?

A. Add a firewall filter to the ingress interface that specifies the intended routing instance as the action.

B. Create a routing policy to direct the traffic to the required forwarding instances.

C. Configure the ingress and egress interfaces in each forwarding instance.

D. Create a static default route for each ISP in inet.0, each pointing to a different forwarding instance.

Answer: A

Explanation:

Reference :http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

Q67. You have recently deployed a dynamic VPN. The remote users are complaining that communications with devices on the same subnet as the SRX device are intermittent and often fail. The tunnel is stable and up, and communications with remote devices on different subnets work without any issues.Which configuration setting would resolve this issue?

A. adding local-redirect at the [edit security nat] hierarchy

B. adding local-redirect at the [edit interfaces <interface-name>] hierarchy

C. adding proxy-arp at the [edit security nat] hierarchy

D. adding proxy-arp at the [edit interfaces <interface-name>] hierarchy

Answer: C

Explanation:

Reference : http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

Q68. You are asked to implement a point-to-multipoint hub-and-spoke topology in a mixed vendor environment. The hub device is running the Junos OS and the spoke devices are different vendor devices.Regarding this scenario, which statement is correct?

A. The NHTB table must be statically defined.

B. The NHTB table is automatically created during Phase 2.

C. The NHTB table is automatically created during Phase 1.

D. The NHTB table must be imported from each spoke.

Answer: A

Explanation: Referencehttp://www.juniper.net/techpubs/en_US/junos/topics/example/vpn-hub-spoke- nhtb-example-configuring.html

Q69. Which configurable SRX Series device feature allows you to capture transit traffic?

A. syslog

B. traceoptions

C. packet-capture

D. archival

Answer: B

Q70. Click the Exhibit button.

— Exhibit–

— Exhibit —

Based on the output shown in the exhibit, what are two results? (Choose two.)

A. The output shows source NAT.

B. The output shows destination NAT.

C. The port information is changed.

D. The port information is unchanged.

Answer: B,D

Explanation: Reference:http://junos.com/techpubs/software/junos-security/junos-security10.2/junos-security-cli-reference/index.html?show-security-flow-session.html

Certleader Dumps
Certleader is a company specialized on providing high quality IT exam materials and fully committed to assist our respected clients crack any IT certification tests on their 1st efforts.