Browse the Pass4sure home page and try our Juniper exam demos before buying. Find your strong and weak points, and put more effort into the weak points in later study. You can download our Juniper exam dumps for free from the Pass4sure site. They are worth your time and money because of the superior quality and long durability of the Juniper JN0-633 exam questions and answers. We promise that you won't regret buying the Juniper JN0-633 exam products. Pass4sure is the first and foremost choice for fulfilling your Juniper certification dream. You will have access to the free downloadable JN0-633 PDF version and Exam Engine software from the date of purchase. Using the Juniper practice materials, you will be able to experience an actual JN0-633 certification test. You will be satisfied with our Juniper exam dumps.
Q61. Which two statements are true about persistent NAT? (Choose two.)
A. The permit target-host-port statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.
B. The permit target-host statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.
C. Port overloading must be enabled for Interface-based persistent NAT.
D. Port overloading must be disabled for Interface-based persistent NAT.
Answer: B,D
Q62. An external host is attacking your network. The host sends an HTTP request to a Web server, but does not include the version of HTTP in the request.
Which type of attack is being performed?
A. signature-based attack
B. application identification
C. anomaly
D. fingerprinting
Answer: C
Explanation: Reference: https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/HTTP%3AINVALID%3AMSNG-HTTP-VER.html
Q63. Click the Exhibit button.
-- Exhibit --
CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/5.0
CID-0:RT: ge-0/0/5.0:10.0.0.2/55892->192.168.1.2/80, tcp, flag 2 syn
CID-0:RT: find flow: table 0x5a386c90, hash 50728(0xffff), sa 10.0.0.2, da 192.168.1.2, sp 55892, dp 80, proto 6, tok 7
CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
CID-0:RT: flow_first_create_session
CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/5.0>, out <N/A> dst_adr 192.168.1.2, sp 55892, dp 80
CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if.
CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.2(80)
CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.0.0.2, x_dst_ip 192.168.1.2, in ifp ge-0/0/5.0, out ifp N/A sp 55892, dp 80, ip_proto 6, tos 10
CID-0:RT:Doing DESTINATION addr route-lookup
CID-0:RT: routed (x_dst_ip 192.168.1.2) from LAN (ge-0/0/5.0 in 0) to ge-0/0/1.0, Next-hop: 172.16.32.1
CID-0:RT:flow_first_policy_search: policy search from zone LAN-> zone WAN (0x0,0xda540050,0x50)
CID-0:RT:Policy lkup: vsys 0 zone(7:LAN) -> zone(6:WAN) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT: app 6, timeout 1800s, curr ageout 20s
CID-0:RT: packet dropped, denied by policy
CID-0:RT: denied by policy default-policy-00(2), dropping pkt
CID-0:RT: packet dropped, policy deny.
CID-0:RT: flow find session returns error.
CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
CID-0:RT:jsf sess close notify
CID-0:RT:flow_ipv4_del_flow: sess , in hash 32
-- Exhibit --
A host is not able to communicate with a Web server.
Based on the logs shown in the exhibit, what is the problem?
A. A policy is denying the traffic between these two hosts.
B. A session has not been created for this flow.
C. A NAT policy is translating the address to a private address.
D. The session table is running out of resources.
Answer: A
Q64. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?
A. all traffic including non-IP traffic
B. any IP traffic
C. only TCP and UDP traffic
D. only BPDU traffic
Answer: D
Q65. Click the Exhibit button.
[edit security]
user@host# show policies
global {
    policy new-policy {
        match {
            source-address any;
            destination-address any;
            application junos-https;
        }
        then {
            permit {
                application-services {
                    application-firewall {
                        rule-set appfw;
                    }
                }
            }
        }
    }
}
[edit security]
user@host# show application-firewall
rule-sets appfw {
    rule 1 {
        match {
            dynamic-application junos:SSL;
        }
        then {
            permit;
        }
    }
    rule 2 {
        match {
            dynamic-application junos:HTTP;
        }
        then {
            reject;
        }
    }
    default-rule {
        permit;
    }
}
Referring to the exhibit, which two statements are correct? (Choose two.)
A. HTTP traffic is permitted.
B. HTTP traffic is dropped.
C. HTTPS traffic is permitted.
D. HTTPS traffic is dropped.
Answer: B,C
Q66. Click the Exhibit button.
-- Exhibit --
[edit forwarding-options]
user@srx240# show
packet-capture {
    file filename my-packet-capture;
    maximum-capture-size 1500;
}
-- Exhibit --
Referring to the exhibit, you are attempting to perform a packet capture on an SRX240 to troubleshoot an SSH issue in your network. However, no information appears in the packet capture file.
Which firewall filter must you apply to the necessary interface to collect data for the packet capture?
A. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then packet-mode;
    }
    term allow-all {
        then accept;
    }
}
B. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            count packet-capture;
        }
    }
    term allow-all {
        then accept;
    }
}
C. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            routing-instance packet-capture;
        }
    }
    term allow-all {
        then accept;
    }
}
D. [edit firewall family inet]
user@srx240# show
filter pkt-capture {
    term pkt-capture-term {
        from {
            protocol tcp;
            port ssh;
        }
        then {
            sample;
            accept;
        }
    }
    term allow-all {
        then accept;
    }
}
Answer: D
Q67. Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce password expiration policies for all VPN users.
Which authentication method meets the requirement?
A. local password database
B. TACACS+
C. RADIUS
D. LDAP
Answer: D
Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17423&actp=RSS
Q68. Click the Exhibit button.
user@host> show log message
Feb 4 00:04:17 host rpd[4516]: EVENT <UpDown> st0.0 index 76 <Up Broadcast Multicast>
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0, [0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x8d5816fd, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host rpd[4516]: EVENT UpDown st0.0 index 76 10.10.10.1/24 -> (null) <Up Broadcast Multicast>
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0, [0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x77f07d5c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-1 from 192.168.10.3 is up. Local-ip: 192.168.10.1, gateway name: spoke-1, vpn name: to-spoke-1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.10.10.3, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.3, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:11,[0..7]=0.0.0.0/0)
Feb 4 00:04:17 host mib2d[1385]: SNMP_TRAP_LINK_UP: ifIndex 539, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0, [0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x2790a42c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0, [0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x2df17ea8, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-3 from 192.168.10.5 is up. Local-ip: 192.168.10.1, gateway name: spoke-3, vpn name: to-spoke-3, tunnel-id: 131076, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.5, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Feb 4 00:04:17 host kmd[1391]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: to-spoke-2 Gateway: spoke-2, Local: 192.168.10.1/500, Remote: 192.168.10.4/500, Local IKE-ID: Not-Available, Remote Not-Available, VR-ID: 0
Referring to the exhibit, which statement is correct?
A. The phase 1 security association for the to-spoke-3 VPN is failing.
B. The phase 2 security association for the to-spoke-1 VPN is failing.
C. The phase 2 security association for the to-spoke-3 VPN is failing.
D. The phase 1 security association for the to-spoke-2 VPN is failing.
Answer: B
Q69. Which two statements are true regarding DNS doctoring? (Choose two.)
A. DNS doctoring translates the DNS CNAME payload.
B. DNS doctoring for IPv4 is supported on SRX devices.
C. DNS doctoring for IPv4 and IPv6 is supported on SRX devices.
D. DNS doctoring translates the DNS A-record.
Answer: B,D
Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-61847.html
Q70. You are responding to a proposal request from an enterprise with multiple branch offices. All branch offices connect to a single SRX device at a centralized location. The request requires each office to be segregated on the central SRX device with separate IP networks and security considerations. No single office should be able to starve the CPU from other branch offices on the central SRX device due to the number of flow sessions. However, connectivity between offices must be maintained.
Which three features are required to accomplish this goal? (Choose three.)
A. Logical Systems
B. Interconnect Logical System
C. Virtual Tunnel Interface
D. Logical Tunnel Interface
E. Virtual Routing Instance
Answer: A,B,D
Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/logical-systems-interfaces.html
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/logical-systems-config/index.html?topic-57390.html