You'll get the detailed explanation once you encounter issues during your JN0-633 research. Pass4sure gives you the JN0-633 Security, Professional (JNCIP-SEC) tips legibly inside the JN0-633 puts. These tremendously reduce your own expenses compared with taking part in the Juniper training courses.
Q41. Click the Exhibit button.
{primary:node0}[edit security idp idp-policy test-ips-policy]
user@host# show
rulebase-ips {
    rule r1 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
        terminal;
    }
    rule r2 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r3 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "TELNET - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r4 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
    }
}
A user with IP address 172.301.100 initiates an FTP session to a host with IP address 10.100.1.50 through an SRX Series device and is subject to the IPS policy shown in the exhibit.
If the user tries to execute the cd ~root command, which statement is correct?
A. The FTP command will be denied with the offending packet dropped and the session will be closed by the SRX device.
B. The FTP command will be denied with the offending packet dropped and the rest of the FTP session will be inspected by the IPS policy.
C. The FTP command will be allowed to execute and the rest of the FTP session will be ignored by the IPS policy.
D. The FTP command will be allowed to execute but any other attacks executed during the session will be inspected.
Answer: D
Q42. Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:17.322751 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.328895 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.332956 In arp who-has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
A. The server is in the wrong VLAN.
B. The server has been misconfigured with the wrong IP address.
C. The firewall has been misconfigured with the incorrect routing-instance.
D. The firewall has a filter enabled to block traffic from the server.
Answer: C
Q43. Click the Exhibit button.
[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}
ge-0/0/10 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}
[edit]
user@host# show bridge-domains
d1 {
    domain-type bridge;
    vlan-id 20;
}
[edit]
user@host# show security flow bridge
[edit]
user@host# show security zones
security-zone 12 {
    host-inbound-traffic {
        system-services {
            any-service;
        }
    }
    interfaces {
        ge-0/0/1.0;
        ge-0/0/10.0;
    }
}
Referring to the exhibit, which statement is true?
A. Packets sent to the SRX Series device are sent to the RE.
B. Packets sent to the SRX Series device are discarded.
C. Only frames that have a VLAN ID of 20 are accepted.
D. Only frames that do not have any VLAN tags are accepted.
Answer: C
Q44. You are asked to merge the corporate network with the network from a recently acquired company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX device serves as the gateway for each network. Which solution allows you to merge the two networks without adjusting the current address assignments?
A. source NAT
B. persistent NAT
C. double NAT
D. NAT444
Answer: C
Explanation:
Reference: http://class10e.com/juniper/what-should-you-do-to-meet-the-requirements/
Q45. You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together. What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.
Answer: A,D
Explanation:
AppTrack is used for visibility into application usage and bandwidth.
Reference: http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf
Q46. You want to route traffic between two newly created virtual routers without the use of logical systems using the configuration options on the SRX5800.
Which two methods of forwarding, between virtual routers, would you recommend? (Choose two.)
A. Use a static route to forward traffic across virtual routers using the next-table option. Enable the return route by using a RIB group.
B. Create static routes in each virtual router using the next-table command.
C. Use a RIB group to share the internal routing protocol routes from the master routing instance.
D. Connect a direct cable between two physical interfaces, one in each virtual router, and use static routes with the next-hop command.
Answer: B
Q47. Click the Exhibit button.
user@host# run show security flow session
Session ID: 28, Policy name: allow/5, Timeout: 2, Valid
In: 172.168.1.2/24800 --> 66.168.100.100/8001; tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 64
Out: 10.168.100.1/8001 --> 172.168.1.2/24800; tcp, If: ge-0/0/6.0, Pkts: 1, Bytes: 40
Your customer is unable to reach your HTTP server that is connected to the ge-0/0/6 interface. The HTTP server has an address of 10.168.100.1 on port 80 internally, but is accessed publicly using interface ge-0/0/3 with the address 66.168.100.100 on port 8001.
Referring to the exhibit, what is causing this problem?
A. The traffic is originated with incorrect IP address from the customer.
B. The traffic is translated with the incorrect IP address for the HTTP server.
C. The traffic is translated with the incorrect port number for the HTTP server.
D. The traffic is originated with the incorrect port number from the customer.
Answer: C
Q48. You have an existing group VPN established in your internal network using the group-id 1. You have been asked to configure a second group using the group-id 2. You must ensure that the key server for group 1 participates in group 2 but is not the key server for that group. Which statement is correct regarding the group configuration on the current key server for group 1?
A. You must configure both groups at the [edit security ipsec vpn] hierarchy.
B. You must configure both groups at the [edit security group-vpn member] hierarchy.
C. You must configure both groups at the [edit security ike] hierarchy.
D. You must configure both groups at the [edit security group-vpn] hierarchy.
Answer: D
Explanation: Reference: http://www.jnpr.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-45791.html
Q49. A security administrator has configured an IPsec tunnel between two SRX devices. The devices are configured with OSPF on the st0 interface and an external interface destined to the IPsec endpoint. The administrator notes that the IPsec tunnel and OSPF adjacency keep going up and down. Which action would resolve this issue?
A. Create a firewall filter on the st0 interface to permit IP protocol 89.
B. Configure the IPsec tunnel to accept multicast traffic.
C. Create a /32 static route to the IPsec endpoint through the external interface.
D. Increase the OSPF metric of the external interface.
Answer: C
Explanation: Reference: http://packetsneverlie.blogspot.in/2013/03/route-based-ipsec-vpn-with-ospf.html
Q50. Which action will allow an administrator to connect in band to an SRX Series device in transparent mode over SSH?
A. Use a VLAN interface.
B. Use the loopback interface.
C. Use a logical interface.
D. Use an irb interface.
Answer: D