Juniper JN0-633 (Juniper Security, Professional, JNCIP-SEC) practice exam questions and answers.
Q51. Click the Exhibit button.
-- Exhibit --
[edit security]
user@srx# show idp {
    idp-policy NewPolicy {
        rulebase-exempt {
            rule 1 {
                description AllowExternalRule;
                match {
                    source-address any;
                    destination-address
                }
            }
        }
    }
}
-- Exhibit --
You are performing the initial IDP installation on your new SRX device. You have configured the IDP exempt rulebase as shown in the exhibit, but the commit is not successful.
Referring to the exhibit, what solves the issue?
A. You must configure the destination zone match.
B. You must configure the IPS exempt accept action.
C. You must configure the IPS rulebase.
D. You must configure the IPS engine flow action to ignore.
Answer: C
Explanation: Reference: http://jncie-sec.exactnetworks.net/2013/01/srx-idp-overview-initial-setup.html
Q52. At which two times does the IPS rulebase inspect traffic on an SRX device? (Choose two.)
A. When traffic matches the active IDP policy.
B. When traffic first matches an IDP rule with the terminal parameter.
C. When traffic uses the application layer gateway.
D. When traffic is established in the firewall session table.
Answer: A,B
Explanation: Reference: http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA814&lpg=PA814&dq=what+time+IPS+rulebase+inspects+traffic+on+SRX&source=bl&ots=_eDe_vLNBA&sig=1I4yX_S0OvkQVP-rqL273laMCyE&hl=en&sa=X&ei=nqvzUfn1Is-rrAf71oHYBA&ved=0CC4Q6AEwAQ#v=onepage&q=what%20time%20IPS%20rulebase%20inspects%20traffic%20on%20SRX&f=false
Q53. Click the Exhibit button.
-- Exhibit --
(session close log not reproduced on the page)
-- Exhibit --
Referring to the exhibit, the session close log was generated by the application firewall rule set HTTP.
Why did the session close?
A. The application identification engine was unable to determine which application was in use, which caused the SRX device to close the session.
B. The host with the IP address of 192.168.1.123 received a TCP segment with the FIN flag set from the host with the IP address of 65.197.244.218.
C. The SRX device was unable to determine the user and role in the allotted time, which caused the session to close.
D. The host with the IP address of 192.168.1.123 sent a TCP segment with the FIN flag set to the host with the IP address of 65.197.244.218.
Answer: D
Explanation:
Reference: http://netscreen.com/techpubs/software/junos/junos92/syslog-messages/download/rt.pdf
Q54. What are three techniques to mark DSCP values on an SRX Series device? (Choose three.)
A. IDP attack action-based DSCP rewriters
B. 802.1Q
C. VLAN rewrite
D. ALG-based DSCP rewriters
E. Layer 7 application-based DSCP rewriters
Answer: A,D,E
Q55. Click the Exhibit button.
-- Exhibit --
root@host# show system login user user {
    uid 2000;
    class operator;
    authentication {
        encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA
    }
}
-- Exhibit --
An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down. The administrator is a contractor and has the permissions on the SRX Series device shown in the exhibit.
Which command set would allow the administrator to troubleshoot the cause for the VPN being down?
A. set security ipsec traceoptions file ipsec
   set security ipsec traceoptions flag security-associations
B. set security ike traceoptions file ike
   set security ike traceoptions flag ike
C. request security pki verify-integrity-status
D. request security ike debug-enable local <ip of the local gateway> remote <ip of the remote gateway>
Answer: C
Q56. You are asked to implement an IPsec VPN between your main office and a new remote office. The remote office receives its IKE gateway address from their ISP dynamically.
Regarding this scenario, which statement is correct?
A. Configure a fully qualified domain name (FQDN) as the IKE identity.
B. Configure the dynamic-host-address option as the IKE identity.
C. Configure the unnumbered option as the IKE identity.
D. Configure a dynamic host configuration name (DHCN) as the IKE identity.
Answer: A
Q57. You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office is a chassis cluster formed from two SRX240s. Which two statements about this deployment are true? (Choose two.)
A. You must remove the SRX240s from the chassis cluster before enabling the dynamic VPNs.
B. The remote clients can run Windows XP, Windows Vista, Windows 7, or OS X operating systems.
C. If more than two dynamic VPN tunnels are required, you must purchase and install a new license.
D. The remote users can be authenticated by the SRX240s or a configured RADIUS server.
Answer: C,D
Explanation:
Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf
Q58. Click the Exhibit button.
-- Exhibit --
user@host> show interfaces routing-instance all ge* terse
Interface   Admin Link Proto Local             Instance
ge-0/0/0.0  up    up   inet  172.16.12.205/24  default
ge-0/0/1.0  up    up   inet  5.0.0.5/24
                       iso                     A
ge-0/0/2.0  up    up   inet  25.0.0.5/24
                       iso                     B

user@host> show security flow session
Session ID: 82274, Policy name: default-policy-00/2, Timeout: 1770, Valid
  In: 5.0.0.25/61935 --> 25.0.0.25/23;tcp, If: ge-0/0/1.0, Pkts: 31, Bytes: 1781
  Out: 25.0.0.25/23 --> 5.0.0.25/61935;tcp, If: ge-0/0/2.0, Pkts: 23, Bytes: 1452
Total sessions: 3

user@host> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:08:52
                    > to 172.16.12.1 via ge-0/0/0.0
172.16.12.0/24     *[Direct/0] 04:08:52
                    > via ge-0/0/0.0
172.16.12.205/32   *[Local/0] 4w4d 23:04:29
                      Local via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 14:37:35, metric 1
                      MultiRecv

A.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.0.0.0/24         *[Direct/0] 00:05:04
                    > via ge-0/0/1.0
5.0.0.5/32         *[Local/0] 00:05:04
                      Local via ge-0/0/1.0
25.0.0.0/24        *[Direct/0] 00:02:37
                    > via ge-0/0/2.0

B.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.0.0.25/32        *[Static/5] 00:02:38
                      to table A.inet.0
25.0.0.0/24        *[Direct/0] 00:02:37
                    > via ge-0/0/2.0
25.0.0.5/32        *[Local/0] 00:02:37
                      Local via ge-0/0/2.0
-- Exhibit --
Which statement is true about the outputs shown in the exhibit?
C. The routing instances A and B are connected using an lt interface.
D. Routing instance A's routes are shared with routing instance B.
E. Routing instance B's routes are shared with routing instance A.
F. The routing instances A and B are connected using a vt interface.
Answer: C
Q59. You are asked to implement a point-to-multipoint hub-and-spoke topology in a mixed vendor environment. The hub device is running the Junos OS and the spoke devices are different vendor devices. Regarding this scenario, which statement is correct?
A. The NHTB table must be statically defined.
B. The NHTB table is automatically created during Phase 2.
C. The NHTB table is automatically created during Phase 1.
D. The NHTB table must be imported from each spoke.
Answer: A
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos/topics/example/vpn-hub-spoke-nhtb-example-configuring.html
Q60. You are asked to design a solution to verify IPsec peer reachability with data path forwarding.
Which feature would meet the design requirements?
A. DPD over Phase 1 SA
B. DPD over Phase 2 SA
C. VPN monitoring over Phase 1 SA
D. VPN monitoring over Phase 2 SA
Answer: D
Explanation:
Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671