JN0-635 Jncip Sec

This document contains a practice exam for the JN0-635 JNCIP SEC certification. It includes 21 multiple choice questions covering topics like secure wire mode, IPS deployment modes, ADVPN configuration, and IDP attack objects. Answering the questions and understanding the concepts covered in the exam can help to prepare for the JN0-635 certification.

Uploaded by

Ahmed Jamal Khan

JN0-635

JNCIP SEC

Q1. How does secure wire mode differ from transparent mode?

A. In secure wire mode, security policy cannot be used to secure intra-VLAN traffic.
B. In secure wire mode, no switching lookup takes place to forward traffic.
C. In secure wire mode, traffic can be modified using source NAT.
D. In secure wire mode, IRB interfaces can be configured to route inter-VLAN traffic.

Ans: B

Q2. You are trying to set up an SSH honeypot on a Juniper ATP appliance collector. The collector is running on hardware with two physical interfaces and two physical CPU cores. The honeypot feature is not working.

What would be a cause of this problem?

A. The collector must have at least four physical cores.
B. The collector must have at least three physical interfaces.
C. The collector must have at least four physical interfaces.
D. The collector must have at least six physical cores.

Ans: C

Q3. A user is unable to reach a necessary resource. You discover that the path through the SRX Series device includes several security features. The traffic is not being evaluated by any security policy.

In this scenario, which two components within the flow module would affect the traffic? (Choose two.)

A. Services ALG
B. Source NAT
C. Destination NAT
D. Route lookup

Ans: C,D

Q4. Click the Exhibit button.

Which statement is correct regarding the information shown in the exhibit?

A. The tunnel gateway address was automatically discovered.
B. The tunnel is not encrypting the traffic.
C. The output is for an ADVPN.
D. The tunnel binding was discovered automatically.

Ans: C

Q5. Your SRX Series device does not see the SYN packet.

A. The device will forward the subsequent packets and the session will not be established.
B. The device will drop the subsequent packets and the session will be established.
C. The device will forward the subsequent packets and the session will be established.
D. The device will drop the subsequent packets and the session will not be established.

Ans: D

Q6. You have set up Security Director with Policy Enforcer and have configured 12 third-party feeds and the Sky ATP feed. You are also injecting 16 feeds using the available Open API. You want to add another compatible feed using the Open API, but Policy Enforcer is not receiving the new feed.

What is the problem in this scenario?

A. You cannot add more than 16 feeds through the available Open API.
B. You must wait 48 hours for the feed to update.
C. You have reached the maximum limit of 29 total feeds.
D. You cannot add more than 16 feeds with the available Open API.

Ans: C

Q7. An administrator wants to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, with the internal resource having previously sent packets to the external host.

Which configuration setting is used to accomplish this goal?

A. persistent-nat permit target-host-port
B. persistent-nat permit target-host
C. address-persistent
D. persistent-nat permit any-remote-host

Ans: D

Q8. Click the Exhibit button.

Which two statements are true regarding what is shown in the exhibit? (Choose two.)

A. The session utilizes one routing instance.
B. The session utilizes two routing instances.
C. The ge-0/0/5 and ge-0/0/1 interfaces can reside in different security zones.
D. The ge-0/0/5 and ge-0/0/1 interfaces must reside in a single security zone.

Ans: A,C

Q9. Click the Exhibit button.

Referring to the exhibit, which IPS deployment mode is running on the SRX5800 device?

A. In-line tap mode
B. Monitor mode
C. Integrated mode
D. Sniffer mode

Ans: C

Q10. Why would you use port-overload-factor 1?

A. To enable port overloading.
B. To disable port overloading.
C. To map ports with a 1:1 ratio for port overloading.
D. To set the maximum port-overloading capability.

Ans: C

Q11. Click the Exhibit button.

Which two additional configuration actions are necessary for the third-party feed shown in the exhibit to work properly? (Choose two.)

A. You must create a dynamic address entry with the IP filter category and the ipfilter_office365 value.
B. You must create a dynamic address entry with the C&C category and the cc_offic365 value.
C. You must apply the dynamic address entry in a security policy.
D. You must apply the dynamic address entry in a security intelligence policy.

Ans: A,C

https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-atp-integrated-feeds.html

Q12. Which Junos security feature is used for signature-based attack prevention?

A. RADIUS
B. AppQoS
C. IPS
D. PIM

Ans: C

Q13. Click the Exhibit button.

You issue the command shown in the exhibit.

Which policy will be active for the identified traffic?

A. Policy p4
B. Policy p7
C. Policy p1
D. Policy p12

Ans: B

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-match-policies.html

Q14. Click the Exhibit button.

A user reports trouble when using SSH to a server outside your organization. The traffic traverses an SRX Series device that is performing NAT and applying security policies. Referring to the exhibit, which configuration will allow you to see the bidirectional flow through the SRX Series device?

A. [edit security flow traceoptions]
   file tracfile;
   flag basic-datapath;
   packet-filter MATCH-TRAFFIC {
       source-prefix 192.168.1.1/32;
       destination-prefix 10.1.1.1/32;
   }

B. [edit security flow traceoptions]
   file tracfile;
   flag basic-datapath;
   packet-filter MATCH-TRAFFIC-OUT {
       source-prefix 192.168.1.1/32;
       destination-prefix 192.168.1.254/32;
   }

C. [edit security flow traceoptions]
   file tracfile;
   flag basic-datapath;
   packet-filter MATCH-TRAFFIC-OUT {
       source-prefix 192.168.1.1/32;
       destination-prefix 10.1.1.1/32;
   }
   packet-filter MATCH-TRAFFIC-IN {
       source-prefix 10.1.1.1/32;
       destination-prefix 192.168.1.1/32;
   }

D. [edit security flow traceoptions]
   file tracfile;
   flag basic-datapath;
   packet-filter MATCH-TRAFFIC-OUT {
       source-prefix 192.168.1.1/32;
       destination-prefix 192.168.1.254/32;
   }
   packet-filter MATCH-TRAFFIC-IN {
       source-prefix 10.1.1.1/32;
       destination-prefix 10.1.1.254/32;
   }

Ans: C

https://learning.oreilly.com/library/view/junos-security/9781449381721/ch04.html

Q15. Which two statements are true about ADVPN members? (Choose two.)

A. ADVPN members can use IKEv1.
B. ADVPN members are authenticated using pre-shared keys.
C. ADVPN members can use IKEv2.
D. ADVPN members are authenticated using certificates.

Ans: C,D

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

Q16. Click the Exhibit button.

You have designed the firewall filter shown in the exhibit to limit SSH control traffic to your SRX Series device without affecting other traffic.

Which two statements are true in this scenario? (Choose two.)

A. The filter should be applied as an output filter on the loopback interface.
B. Applying the filter will achieve the desired result.
C. Applying the filter will not achieve the desired result.
D. The filter should be applied as an input filter on the loopback interface.

Ans: C,D

https://www.juniper.net/documentation//en_US/junos/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

Q17. You have noticed a high number of TCP-based attacks directed toward your primary edge device. You are asked to configure the IDP feature on your SRX Series device to block this attack.

Which two IDP attack objects would you configure to solve this problem? (Choose two.)

A. Network
B. Signature
C. Protocol anomaly
D. Host

Ans: B,C

Q18. Which two log format types are supported by the JATP appliance? (Choose two.)

A. YAML
B. XML
C. CSV
D. YANG

Ans: B,C

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/topic-map/jatp-custom-log-ingestion.html

Q19. Click the Exhibit button.

You have recently committed the IPS policy shown in the exhibit. When evaluating the expected behavior, you notice that you have a session that matches all the rules in your IPS policy.

In this scenario, which action would be taken?

A. no-action
B. ignore-connection
C. close-client-and-server
D. drop-packet

Ans: A

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-policy-rules-and-rulebases.html

Q20. Click the Exhibit button.

A hub member of an ADVPN is not functioning correctly.

Referring to the exhibit, which action should you take to solve the problem?

A. [edit interfaces]
   root@vSRX-1# delete st0.0 multipoint

B. [edit interfaces]
   user@hub-1# delete ipsec vpn advpn-vpn traffic-selector

C. [edit security]
   user@hub-1# set ike gateway advpn-gateway advpn suggester disable

D. [edit security]
   user@hub-1# delete ike gateway advpn-gateway advpn partner

Ans: B

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-traffic-selectors-in-route-based-vpns.html

Q21. You are asked to set up notifications if one of your collector traffic feeds drops below 100 kbps.

Which two configuration parameters must be set to accomplish this task? (Choose two.)

A. Set a traffic SNMP trap on the JATP appliance.
B. Set a logging notification on the JATP appliance.
C. Set a traffic system alert on the JATP appliance.
D. Set a general triggered notification on the JATP appliance.

Ans: C,D

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32605&actp=RSS

Q22. Click the Exhibit button.

Referring to the exhibit, which three types of traffic would be examined by the IPS policy between Switch-1 and Switch-2? (Choose three.)

A. LLDP
B. ARP
C. TCP
D. UDP
E. ICMP

Ans: C,D,E

Q23. Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

A. The link is protected against man-in-the-middle attacks.
B. The link is not protected against man-in-the-middle attacks.
C. Data is transmitted across the link in ciphertext.
D. Data is transmitted across the link in plaintext.

Ans: A,D

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec.html

Q24. You have a remote access VPN where the remote users are using the NCP client. The remote users can access the internal corporate resources as intended; however, traffic that is destined to all other Internet sites is also going through the remote access VPN. You want to ensure that only traffic destined to the internal corporate resources uses the remote access VPN.

Which two actions should you take to accomplish this task? (Choose two.)

A. Configure split tunneling in the NCP profile on the remote client.
B. Configure the necessary traffic selectors within the VPN configuration on the SRX Series device.
C. Enable the split tunneling feature within the VPN configuration on the SRX Series device.
D. Enable IKEv2 within the VPN configuration on the SRX Series device.

Ans: A,B

https://forums.juniper.net/t5/SRX-Services-Gateway/Split-tunnelling-in-remote-access-vpn/m-p/456513#M52226

Q25. Your organization has multiple Active Directory domains to control user access. You must ensure that security policies are passing traffic based upon the user's access rights.

What would you use to assist your SRX Series devices in accomplishing this task?

A. JIMS
B. Junos Space
C. JSA
D. JATP Appliance

Ans: A

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-configure-jims.html

Q26. Click the Exhibit button.

According to the log shown in the exhibit, you notice that the IPsec session is not establishing.

What is the reason for this behavior?

A. Mismatched proxy ID
B. Mismatched peer ID
C. Mismatched preshared key
D. Incorrect peer address

Ans: B

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/example/policy-based-vpn-using-j-series-srx-series-device-configuring.html

Q27. Click the Exhibit button.

Referring to the exhibit, which statement is true?

A. ARP security is securing data across the control interface.
B. SSH is securing data across the control interface.
C. MACsec is securing data across the control interface.
D. IPsec is securing data across the control interface.

Ans: C

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-macsec.html

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-chassis-cluster-interfaces.html

Q28. Malware that is detonated by the JATP sandbox must be able to communicate with the Internet without being able to harm your local network resources.

Which statement is correct in this scenario?

A. The exhaust interface must be connected to the Internet zone.
B. The monitoring interface must be connected to the Internet zone.
C. The honeypot interface must be connected to the Internet zone.
D. The management interface must be connected to the Internet zone.

Ans: A

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/topic-map/jatp-getting-started.html#id-monitoring-port-eth1

Q29. Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

A. The configured solution allows IPv6 to IPv4 translation.
B. The configured solution allows IPv4 to IPv6 translation.
C. The IPv6 address is invalid.
D. External hosts cannot initiate contact.

Ans: A,C

Q30. You are asked to secure your network against Tor network traffic.

Which two Juniper products would accomplish this task? (Choose two.)

A. Juniper Sky ATP
B. Contrail Insights
C. Juniper ATP Appliance
D. Contrail Edge

Ans: A,C

Q31. You are asked to configure an IPsec VPN between two SRX Series devices that allows for processing of CoS on the intermediate routers.

What will satisfy this requirement?

A. OpenVPN
B. Remote access VPN
C. Policy-based VPN
D. Route-based VPN

Ans: D

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-route-based-ipsec-vpns.html

Q32. You opened a support ticket with JTAC for your Juniper ATP appliance. JTAC asks you to set up access to the device using a reverse SSH connection.

Which three settings must be configured to satisfy this request? (Choose three.)

A. Enable JTAC remote access.
B. Create a temporary root account.
C. Enable a JATP support account.
D. Create a temporary admin account.
E. Enable remote support.

Ans: C,D,E

https://kb.juniper.net/InfoCenter/index?page=content&id=TN326&cat=&actp=LIST&showDraft=false

Q33. Which interface family is required for Layer 2 transparent mode on SRX Series devices?

A. LLDP
B. Ethernet switching
C. inet
D. VPLS

Ans: B

Q34. Click the Exhibit button.

Given the command output shown in the exhibit, which two statements are true? (Choose two.)

A. Traffic matching this session has been received since the session was established.
B. Network address translation is applied to this session.
C. The host 10.10.101.10 is directly connected to interface ge-0/0/4.0.
D. The host 172.31.15.1 is directly connected to interface ge-0/0/3.0.

Ans: A,C

Q35. The monitor traffic interface command is being used to capture the packets destined to and from the SRX Series device.

In this scenario, which two statements related to this feature are true? (Choose two.)

A. This feature does not capture transit traffic.
B. This feature captures ICMP traffic to and from the SRX Series device.
C. This feature is supported on high-end SRX Series devices only.
D. This feature is supported on both branch and high-end SRX Series devices.

Ans: A,D

https://forums.juniper.net/t5/Ethernet-Switching/monitor-traffic-interface/td-p/462528

Q36. You are asked to configure an SRX Series device to bypass all security features for IP traffic from the engineering department.

Which firewall filter will accomplish this task?

A. user@srx# show firewall filter eng-filter
   term 1 {
       from {
           source-prefix-list {
               eng-subnet;
           }
       }
       then accept;
   }
   term 2 {
       then accept;
   }

B. user@srx# show firewall filter eng-filter
   term 1 {
       from {
           source-prefix-list {
               eng-subnet;
           }
           destination-prefix-list {
               hr-subnet;
           }
       }
       then accept;
   }
   term 2 {
       then packet-mode;
   }

C. user@srx# show firewall filter eng-filter
   term 1 {
       from {
           source-prefix-list {
               hr-subnet;
           }
           destination-prefix-list {
               eng-subnet;
           }
       }
       then accept;
   }
   term 2 {
       then packet-mode;
   }

D. user@srx# show firewall filter eng-filter
   term 1 {
       from {
           source-prefix-list {
               eng-subnet;
           }
       }
       then packet-mode;
   }
   term 2 {
       then accept;
   }

Ans: D

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26757

Q37. In a Juniper ATP Appliance, what would be a reason for the mitigation rule to be in the failed-remove state?

A. The Juniper ATP appliance was not able to communicate with the SRX Series device.
B. The Juniper ATP appliance was not able to obtain the config lock.
C. The Juniper ATP appliance received a commit error message from the SRX Series device.
D. The Juniper ATP appliance received an unknown error message from the SRX Series device.

Ans: B

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/topic-map/jatp-mitigation-and-reporting.html

Q38. You are asked to configure a new SRX Series CPE device at a remote office. The device must participate in forwarding MPLS and IPsec traffic.

Which two statements are true regarding this implementation? (Choose two.)

A. A firewall filter must be configured to enable packet mode forwarding.
B. The SRX Series device can process both MPLS and IPsec with default traffic handling.
C. Host inbound traffic must not be processed by the flow module.
D. Host inbound traffic must be processed by the flow module.

Ans: A,D

Q39. Click the Exhibit button.

Which traffic will be evaluated by term 2 as shown in this exhibit?

A. No traffic
B. All traffic except traffic sourced from address 192.168.0.0/16
C. All traffic
D. Only traffic sourced from address 192.168.0.0/16

Ans: C

Q40. You are configuring transparent mode on an SRX Series device. You must permit IP-based traffic only, and BPDUs must be restricted to the VLANs from which they originate.

Which configuration accomplishes these objectives?

A. bridge {
       block-non-ip-all;
       bypass-non-ip-unicast;
       no-packet-flooding;
   }

B. bridge {
       block-non-ip-all;
       bypass-non-ip-unicast;
       bpdu-vlan-flooding;
   }

C. bridge {
       bypass-non-ip-unicast;
       bpdu-vlan-flooding;
   }

D. bridge {
       block-non-ip-all;
       bpdu-vlan-flooding;
   }

Ans: D

Q41. Click the Exhibit button.

You have configured an ADVPN that is operational. However, OSPF will not establish correctly across the ADVPN tunnels.

Referring to the exhibit, which two commands will solve the problem? (Choose two.)

A. [edit protocols ospf area 0.0.0.0]
   user@srx# set interface st0.0 dynamic-neighbors

B. [edit protocols ospf area 0.0.0.0]
   user@srx# set interface st0.0 demand-circuit

C. [edit protocols ospf area 0.0.0.0]
   user@srx# set interface st0.0 interface-type nbma

D. [edit protocols ospf area 0.0.0.0]
   user@srx# set interface st0.0 topology advpn

Ans: A,B

Q42. You have a web server and a DNS server residing in the same internal DMZ subnet. The public static NAT addresses for the servers are in the same subnet as the SRX Series device's Internet-facing interface. You implement DNS doctoring to ensure that remote users can access the web server.

Which two statements are true in this scenario? (Choose two.)

A. The DNS doctoring ALG is not enabled by default.
B. The proxy ARP feature must be configured.
C. The DNS doctoring ALG is enabled by default.
D. The DNS CNAME record is translated.

Ans: B,C

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dns-algs.html

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785&actp=METADATA

Q43. Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

A. You can secure intra-VLAN traffic with a security policy on this device.
B. You can secure inter-VLAN traffic with a security policy on this device.
C. The device can pass Layer 2 and Layer 3 traffic at the same time.
D. The device cannot pass Layer 2 and Layer 3 traffic at the same time.

Ans: B,C

Q44. You are not able to activate the SSH honeypot on the all-in-one Juniper ATP appliance.

What would be a cause of this problem?

A. The collector must have a minimum of two interfaces.
B. The collector must have a minimum of three interfaces.
C. The collector must have a minimum of five interfaces.
D. The collector must have a minimum of four interfaces.

Ans: D

https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/task/configuration/jatp-traffic-collector-setting-ssh-honeypot-detection.html

Q45. Click the Exhibit button.

You have two hosts on the same subnet connecting to an SRX340 on interfaces ge-0/0/4 and ge-0/0/5. However, the two hosts cannot communicate with each other.

Referring to the exhibit, what are two actions that would solve this problem? (Choose two.)

A. Set the SRX340 to Ethernet switching mode and reboot.
B. Remove the ge-0/0/4 and ge-0/0/5 interfaces from the L2 security zone.
C. Add an IRB interface to the VLAN.
D. Put the ge-0/0/4 and ge-0/0/5 interfaces in different VLANs.

Ans: A,B

Q46. You must implement an IPsec VPN on an SRX Series device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority.

In this scenario, which statement is correct?

A. You can use CRL to accomplish this behavior.
B. You can use SCEP to accomplish this behavior.
C. You can use OCSP to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.

Ans: B

Certificate Renewal
The renewal of certificates is much the same as initial certificate enrollment except you are just replacing an old certificate
(about to expire) on the VPN device with a new certificate. As with the initial certificate request, only manual renewal is
supported. SCEP can be used to re-enroll local certificates automatically before they expire. Refer to Appendix D for more
details.

Q47. Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

A. Juniper Networks will not investigate false positives generated by this custom feed.
B. The custom infected hosts feed will not overwrite the Sky ATP infected hosts feed.
C. The custom infected hosts feed will overwrite the Sky ATP infected hosts feed.
D. Juniper Networks will investigate false positives generated by this custom feed.

Ans: A,C

https://www.juniper.net/documentation/en_US/junos-space18.1/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-custom-feeds-infected-host-configure.html

Q48. Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

A. The JATP appliance cannot download the security feeds from the GSS servers.
B. The SRX Series device is not enrolled but can communicate with the JATP appliance.
C. The SRX Series device cannot download the security feeds from the JATP appliance.
D. The SRX Series device is enrolled and communicating with a JATP appliance.

Ans: A,D

Q49. You are asked to merge the corporate network with the network from a recently acquired company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX Series device serves as the gateway for each network.

Which solution allows you to merge the two networks without modifying the current address assignments?

A. Persistent NAT
B. NAT64
C. Source NAT
D. Double NAT

Ans: D

Q50. You are asked to configure a security policy on the SRX Series device. After committing the policy, you receive the "Policy is out of sync between RE and PFE <SPU-name(s)>." error.

Which command would be used to solve the problem?

A. request security policies resync
B. request service-deployment
C. request security policies check
D. restart security-intelligence

Ans: A

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30443&cat=SRX_SERIES&actp=LIST

Q51. Click the Exhibit button.

Referring to the exhibit, a spoke member of an ADVPN is not functioning correctly.

Which two commands will solve this problem? (Choose two.)

A. [edit interfaces]
   user@srx# delete st0.0 multipoint

B. [edit security ike gateway advpn-gateway]
   user@srx# delete advpn partner

C. [edit security ike gateway advpn-gateway]
   user@srx# set version v1-only

D. [edit security ike gateway advpn-gateway]
   user@srx# set advpn suggester disable

Ans: B,D

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

Q52. In which two ways are tenant systems different from logical systems? (Choose two.)

A. Tenant systems have higher scalability than logical systems.
B. Tenant systems have fewer routing features than logical systems.
C. Tenant systems have less scalability than logical systems.
D. Tenant systems have more routing features than logical systems.

Ans: A,B

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/tenant-systems-overview.html

Q53. You are connecting two remote sites to your corporate headquarters site; you must ensure that all traffic is secured and only uses a single Phase 2 SA for both sites.

In this scenario, which VPN should be used?

A. An IPsec group VPN with the corporate firewall acting as the hub device.
B. Full mesh IPsec VPNs with tunnels between all sites.
C. A hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device.
D. A full mesh Layer 3 VPN with the corporate firewall acting as the hub device.

Ans: A

https://www.juniper.net/us/en/local/pdf/app-notes/3500202-en.pdf

Q54. Click the Exhibit button.

While configuring the SRX345, you review the MACsec connection between devices and note that it is not working.

Referring to the exhibit, which action would you take to identify the problem?

A. Verify that the interface between the two devices is up and not experiencing errors.
B. Verify that the formatting settings are correct between the devices and that the software supports the version of MACsec in use.
C. Verify that the connectivity association key and the connectivity association key name match on both devices.
D. Verify that the transmission path is not replicating packets or correcting frame check sequence error packets.

Ans: C

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/troubleshooting-macsec-psk-hitless-rollover.html

Q55. Click the Exhibit button.

Which type of NAT is shown in the exhibit?

A. Persistent NAT
B. NAT64
C. DS-Lite
D. NAT46

Ans: D

https://kb.juniper.net/InfoCenter/index?page=content&id=KB33559&actp=METADATA

Q56. Click the Exhibit button.

Referring to the exhibit, what is the maximum number of zones that can be created within all logical systems?

A. 74
B. 34
C. 17
D. 40

Ans: D

Q57. Click the Exhibit button.

You have the NAT rule shown in the exhibit applied to allow communication across an IPsec tunnel between your two sites with identical networks.

Which statement is correct in this scenario?

A. The NAT rule will translate the source and destination addresses.
B. The NAT rule will only translate two addresses at a time.
C. The NAT rule is applied to the N/A routing instance.
D. 10 packets have been processed by the NAT rule.

Ans: A

Q58. Which three types of peer devices are supported for CoS-based IPsec VPN? (Choose three.)

A. High-end SRX Series devices
B. cSRX
C. vSRX
D. Branch SRX Series devices

Ans: A,C,D

Q59. The IKE policy and proposal are configured properly on both devices, as shown in the exhibit.

user@hq# show security ike
gateway ike_gtw-branch {
    ike-policy ike-policy-branch;
    dynamic hostname branch.abc.com;
    external-interface ge-0/0/0;
    local-address 203.0.113.1;
}

Which configuration snippet will complete the IKE configuration on the branch SRX Series device?

A. [edit security ike]
   user@srx# show gateway ike_gt-hq
   ike-policy ike-policy-hq;
   dynamic hostname hq.abc.com;
   external-interface ge-0/0/0;
   local-address 203.0.113.2;

B. [edit security ike]
   user@srx# show gateway ike_gtw-hq
   ike-policy ike-policy-hq;
   dynamic hostname branch.abc.com;
   external-interface ge-0/0/0;
   local-address 203.0.113.2;

C. [edit security ike]
   user@srx# show gateway ike_gtw-hq
   ike-policy ike-policy-hq;
   local identifier branch.abc.com;
   external-interface ge-0/0/0;
   local-address 203.0.113.2;

Ans: C

Q60. Which three roles or protocols are required when configuring an ADVPN? (Choose three.)

A. BGP
B. OSPF
C. Shortcut suggester
D. Shortcut partner
E. IKEv1

Ans: B,C,D

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-auto-discovery-vpns.html

Q61. When attempting to enroll an SRX Series device to JATP, you receive the error shown in the exhibit.

Communicate with JATP server…
error: [Error]Failed to communicate with JATP server when retrieving registration status
Please make sure you are able to connect to JATP server

What is the cause of the error?

A. The fxp0 IP address is not routable.
B. The SRX Series device does not have an IP address assigned to the interface.
C. A firewall is blocking HTTPS on fxp0.
D. The SRX Series device's certificate does not match the JATP certificate.

Ans: B

https://kb.juniper.net/InfoCenter/index?page=content&id=KB33979&cat=JATP_SERIES&actp=LIST

Q62. A user is trying to reach a company's website, but the connection errors out. The security policies are configured correctly.

Referring to the exhibit, what is the problem?

A. Persistent NAT must be enabled.
B. DNS ALG must be disabled.
C. The action for rule 1 must change to static-nat inet.
D. Static NAT is missing a rule for DNS.

Ans: D

Q63. What are two important functions of the Juniper Networks ATP appliance solution? (Choose two.)

A. Statistics
B. Analysis
C. Detection
D. Filtration

Ans: B,C

https://www.juniper.net/us/en/products-services/security/advanced-threat-prevention/

Q64. You have configured tenant systems on your SRX Series devices.

Referring to the exhibit, which two actions should you take to facilitate inter-TSYS communication? (Choose two.)

A. Connect each TSYS with the interconnect switch by configuring INET configured logical interfaces in.
B. Connect each TSYS with the interconnect switch by configuring Ethernet VPLS
C. Place logical tunnel interfaces in a virtual router routing instance in the
D. Place the logical tunnel interface in a VPLS routing instance in the interconnect

Ans: B,D

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/tenant-systems-overview.html

Q65. Branch 1 and Branch 2 have an active VPN tunnel configured, but the internal hosts cannot communicate.

Referring to the exhibit, which type of configuration should be applied to solve the problem?

A. Configure source NAT on Branch 1.
B. Configure destination NAT on both Branch 1 and Branch 2.
C. Configure static NAT on both Branch 1 and Branch 2.
D. Configure destination NAT on Branch 2 only.

Ans: C

Q66. You have configured three logical tunnel interfaces in a tenant system on the SRX Series devices….

In this scenario, what would cause this problem?

A. The SRX1500 device requires a tunnel PIC to allow for logical tunnel interfaces.
B. There is no VPLS switch on the tenant system containing a peer lt-0/0/0.
C. The SRX1500 device does not support more than two logical interfaces.
D. There is no GRE tunnel between the tenant system and the master system.

Ans: B

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/logical-systems-overview.html

Q67. Which two modes are supported by Juniper Sky ATP? (Choose two.)

 tap mode
 private mode
 global mode
 secure wire mode

Ans: A,D

https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-atp-about.html

Q68. Click the Exhibit button. (Variation: in the exhibit, replay protection is off and encryption is on.)

Referring to the exhibit, which two statements are true? (Choose two.)

 The link is protected against man-in-the-middle attacks.
 The link is not protected against man-in-the-middle attacks.
 Data is transmitted across the link in ciphertext.
 Data is transmitted across the link in plaintext.

Ans: A,C

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec.html
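
Added example (not part of the original question set): a static-CAK MACsec connectivity association on an SRX, written so that the two properties the exhibit variation changes (replay protection and encryption) are visible as explicit statements. The interface name, the connectivity-association name and the CKN/CAK hex values are placeholders chosen for illustration; lines beginning with # are annotations, not CLI input.

```junos
# Added example, not from the original page. Interface, CA name and key material are placeholders.
# Static CAK: both ends of the link must carry the same CKN (32 bytes) / CAK (16 bytes for GCM-AES-128).
set security macsec connectivity-association ca-dc security-mode static-cak
set security macsec connectivity-association ca-dc cipher-suite gcm-aes-128
set security macsec connectivity-association ca-dc pre-shared-key ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca-dc pre-shared-key cak 0123456789abcdef0123456789abcdef

# Replay protection: this is the knob that was off in the exhibit variation.
# Window size 0 means strict in-order delivery; any out-of-window packet number is dropped.
set security macsec connectivity-association ca-dc replay-protect replay-window-size 0

# Encryption is on by default. The opposite setting would be
#   set security macsec connectivity-association ca-dc no-encryption
# which keeps the ICV (integrity + peer authentication) but sends the payload as plaintext.

set security macsec interfaces xe-0/0/1 connectivity-association ca-dc

# Verification: the CA must show a secured channel with both inbound and outbound SAs.
show security macsec connections
```

Reading the exhibit question with this in mind: the peer authentication and per-frame ICV come from the CAK-derived keys and hold regardless of the replay-protect setting, so the link is still protected against a man-in-the-middle; replay protection only decides whether a captured frame can be re-injected later. With encryption on, data crosses the link as ciphertext.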

Q69. Click the exhibit button.

Which type of NAT is shown in the exhibit?

 Persistent NAT
 NAT64
 DS-Lite
 NAT46

Ans: B
Q70. Click the exhibit button

The exhibit shows a snippet of a security flow trace. A user cannot open an SSH session to a server.

Which action would solve the problem?

 Edit the source NAT rule to correct the translated address.
 Create a route to the desired server.
 Create a security policy that matches the traffic parameters.
 Create a route entry to direct traffic into the configured tunnel.

Ans: C

Q71. You must troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of
SRX340s and SRX5600s. In this scenario, which two statements are true? (Choose two.)

 You must enable data plane logging on the SRX5600 devices to generate security policy logs.
 IPsec logs are written to the kmd log file by default
 IKE logs are written to the messages log file by default
 You must enable data plane logging on the SRX340 devices to generate security policy logs.

Ans: A,B
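
Added example (not part of the original question set): the logging configuration the Q71 answer implies for the high-end SRX5600, plus the IKE trace that lands in kmd. Addresses, stream name and policy name are placeholders; lines beginning with # are annotations.

```junos
# Added example, not from the original page. Addresses, names and zones are placeholders.
# High-end SRX (SRX5600): security logs are produced on the SPUs and must be streamed
# from the data plane straight to a collector; they do not appear in the RE log files.
set security log mode stream
set security log format sd-syslog
set security log source-address 10.10.1.5
set security log stream to-siem host 10.10.1.100
set security log stream to-siem host port 514

# A policy emits RT_FLOW records only if logging is enabled on that policy.
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

# IKE/IPsec negotiation trace. With no file name configured, kmd writes it to /var/log/kmd.
set security ike traceoptions flag all
commit

# Checks
show security log stream
show log kmd
```

On the branch SRX340 the default is event mode, in which the same policy log records are handed to the RE and can be captured with the system syslog configuration, so no stream-mode change is required there.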

Q72. Click the Exhibit button


Referring to the exhibit, which two statements are true? (Choose two.)

 SRX series devices will block traffic based on this third-party feed.
 Events based on this third-party feed will affect a host’s threat score.
 Events based on this third-party feed will not affect a host’s threat score.
 SRX series devices will not block traffic based on this third-party feed.

Ans: A,C

Q73. Which feature of Sky ATP is deployed with Policy Enforcer?

 Zero-day threat mitigation
 Software image snapshot support
 Device inventory management
 Service redundancy daemon configuration support

Ans: A

Q74. You correctly configured a security policy to deny certain traffic, but logs reveal that traffic is still allowed.

Which specific traceoptions flag will help you troubleshoot this problem?

 rules
 routing-socket
 lookup
 configuration

Ans: C

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-traceoptions-
policies.html

Q75. Click the Exhibit button.

Referring to the exhibit, which three topologies are supported by Policy Enforcer? (Choose three.)

 Topology 1
 Topology 5
 Topology 2
 Topology 3
 Topology 4

Ans: A,D,E
https://www.juniper.net/documentation/en_US/junos-space17.2/policy-enforcer/topics/concept/policy-enforcer-deployment-
supported-topologies.html

Q76. You configured a security policy permitting traffic from the trust zone to the DMZ zone, inserted the new policy at the
top of the list, and successfully committed it to the SRX Series device. Upon monitoring, you notice that the hit count does not
increase on the newly configured policy.

In this scenario, which two commands would help you to identify the problem? (Choose two.)

 user@srx> show security match-policies from-zone trust to-zone DMZ source-ip 192.168.10.100/32 destination-ip 10.10.10.80/32 protocol tcp source-port 5806 destination-port 443 result-count 10
 user@srx> show security zones trust detail
 user@srx> show security match-policies from-zone trust to-zone DMZ source-ip 192.168.10.100/32 destination-ip 10.10.10.80/32 protocol tcp source-port 5806 destination-port 443
 user@srx> show security shadow-policies from-zone trust to-zone DMZ

Ans: A,D

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-match-
policies.html#jd0e611

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-security-shadow-policies-
logical-system.html
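
Added example (not part of the original question set) covering both Q74 and Q76: a policy pair in which a specific deny is meant to sit above a broad permit, the insert statement that moves a newly committed policy out of the default last position, and the lookup commands used to find out which policy a flow really hits. Zone, address-book and policy names and the 5-tuple are placeholders; lines beginning with # are annotations.

```junos
# Added example, not from the original page. Zones, objects, addresses and policy names are placeholders.
# Intended order: the specific deny must precede the broad permit.
set security policies from-zone trust to-zone DMZ policy block-mgmt match source-address any
set security policies from-zone trust to-zone DMZ policy block-mgmt match destination-address web-server
set security policies from-zone trust to-zone DMZ policy block-mgmt match application junos-ssh
set security policies from-zone trust to-zone DMZ policy block-mgmt then deny
set security policies from-zone trust to-zone DMZ policy block-mgmt then log session-init
set security policies from-zone trust to-zone DMZ policy allow-dmz match source-address any
set security policies from-zone trust to-zone DMZ policy allow-dmz match destination-address any
set security policies from-zone trust to-zone DMZ policy allow-dmz match application any
set security policies from-zone trust to-zone DMZ policy allow-dmz then permit

# A policy added later is appended at the end of the context; move it explicitly.
insert security policies from-zone trust to-zone DMZ policy block-mgmt before policy allow-dmz
commit

# Q76: which policy does this 5-tuple actually hit, and which later ones would also have matched?
show security match-policies from-zone trust to-zone DMZ source-ip 192.168.10.100/32 destination-ip 10.10.10.80/32 protocol tcp source-port 5806 destination-port 22 result-count 10
# Policies that can never be reached because an earlier policy already covers them:
show security shadow-policies from-zone trust to-zone DMZ
show security policies hit-count from-zone trust to-zone DMZ

# Q74: trace the lookup itself when a deny is being bypassed.
set security policies traceoptions file policy-trace size 5m
set security policies traceoptions flag lookup
commit
show log policy-trace
```

The first match-policies form, with result-count, lists every policy that matches the tuple in evaluation order, which is what exposes shadowing; without result-count only the winning policy is shown. Remove the traceoptions once done, since policy-lookup tracing is per packet and costs CPU on a busy box.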

Q77. Click the Exhibit button.


Your company has purchased a competitor and now must connect the new network to the existing one. The competitor's
gateway device is receiving its ISP address using DHCP. Communication between the two sites must be secured; however,
obtaining a static public IP address for the new site gateway is not an option at this time. The company has several
requirements for this solution.

 A site-to-site IPsec VPN must be used to secure traffic between the two sites.
 The IKE identity on the new site gateway device must use the hostname option; and
 Internet traffic from each site should exit through its local internet connection.

The configuration shown in the exhibit has been applied to the new site's SRX, but the secure tunnel is not working.

In this scenario, what configuration change is needed for the tunnel to come up?

 Change the IKE policy mode to aggressive.
 Remove the quotes around the hostname.
 Apply a static address to ge-0/0/2.
 Bind interface st0 to the gateway.

Ans: A
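
Added example (not part of the original question set): both ends of the Q77 design, a DHCP-addressed spoke identified by hostname and a hub that accepts it as a dynamic peer, with IKEv1 aggressive mode on both sides. Hostnames, addresses, interface names, object names, the HQ prefix and the pre-shared key are placeholders; lines beginning with # are annotations.

```junos
# Added example, not from the original page. All names, addresses and the PSK are placeholders.
# --- New site (spoke): WAN address comes from DHCP, so the hub cannot pick a PSK by peer IP.
set interfaces ge-0/0/2 unit 0 family inet dhcp
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
# IKEv1 main mode with a PSK must select the key by peer IP before the ID payload is decrypted.
# Aggressive mode sends the identity in the first message, so the hostname can select the PSK.
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "replace-with-a-long-random-secret"
set security ike gateway to-hq ike-policy ike-pol
set security ike gateway to-hq address 203.0.113.1
set security ike gateway to-hq local-identity hostname newsite.example.com
set security ike gateway to-hq external-interface ge-0/0/2
set security ike gateway to-hq version v1-only
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn to-hq bind-interface st0.0
set security ipsec vpn to-hq ike gateway to-hq
set security ipsec vpn to-hq ike ipsec-policy ipsec-pol
set security ipsec vpn to-hq establish-tunnels immediately
# Only the HQ prefix is routed into st0; the DHCP-learned default route keeps Internet traffic local.
set routing-options static route 10.100.0.0/16 next-hop st0.0

# --- HQ (hub): accept the spoke by its hostname identity with the same aggressive-mode policy.
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "replace-with-a-long-random-secret"
set security ike gateway from-newsite ike-policy ike-pol
set security ike gateway from-newsite dynamic hostname newsite.example.com
set security ike gateway from-newsite external-interface ge-0/0/0
set security ike gateway from-newsite version v1-only

# Verification on either side: phase 1 UP, then a phase 2 pair for st0.0
show security ike security-associations
show security ipsec security-associations
```

Aggressive mode exposes the identity and the PSK-derived hash to an observer before encryption begins, which is why the PSK must be long and random rather than a word. If both gateways can run IKEv2 (version v2-only on both gateways), the main/aggressive distinction disappears: IKEv2 carries identities inside the already-encrypted IKE_AUTH exchange and selects the PSK by ID, which satisfies the hostname requirement without aggressive mode's exposure.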

Q78. Click the Exhibit button.


Referring to the exhibit, which two statements are true? (Choose two.)

 The c-1 TSYS has a reservation for the security flow resource.
 The c-1 TSYS can use security flow resources up to the system maximum.
 The c-1 TSYS cannot use any security flow resources.
 The c-1 TSYS has no reservation for the security flow resource.

Ans: C,D

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-profile-logical-system.html

Q79. Click the Exhibit button.

Referring to the exhibit, which statement is true?

 Destination NAT is occurring.
 Source NAT with PAT is occurring.
 Static NAT without PAT is occurring.
 Source NAT without PAT is occurring.

Ans: B

Q80. Click the Exhibit button.


You deployed a site-to-site IPsec VPN connecting two data centers together using SRX5800s. After examining the
performance of the IPsec VPN, you decide to enable IPsec performance acceleration to increase the rate of traffic that can be
sent through the tunnel.

Referring to the exhibit, which two statements should you add to the configuration to accomplish this task? (Choose two.)

 [edit security flow]
   user@srx# set ipsec-performance-acceleration
 [edit security flow]
   user@srx# set power-mode-ipsec
 [edit security flow]
   user@srx# set load-distribution session-affinity ipsec
 [edit security flow]
   user@srx# set tcp-mss ipsec-vpn mss 65535

Ans: A,C

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-improving-ipsec-vpn-traffic-performance.html

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/ipsec-performance-
acceleration-edit-flow.html

Q81. You are asked to implement the session cache feature on an SRX5400

In this scenario, what information does a session cache entry record? (Choose two.)

 To which SPU the traffic of the session should be forwarded
 To which NPU the traffic of the session should be forwarded
 The type of processing to do for egress traffic
 The type of processing to do for ingress traffic

Ans: A,C

Q82. Click the Exhibit button


You are asked to look at a configuration that is designed to take all traffic with a specific source ip address and forward the
traffic to a traffic analysis server for further evaluation. The configuration is no longer working as intended.

Referring to the exhibit, which change must be made to correct the configuration?

 Apply the filter as an input filter on interface xe-0/2/1.0
 Apply the filter as an input filter on interface xe-0/0/1.0
 Create a routing instance named default
 Apply the filter as an output filter on interface xe-0/1/0.0

Ans: B

Q83. Click the exhibit


A host is unable to communicate with a web server.

Referring to the exhibit, which statement explains the problem?

 A policy is denying the traffic between these two hosts.
 The session table is running out of resources.
 A session is created for this flow.
 The web server is not listening for traffic on port 80.

Ans: A

Q84. Which two VPN features are supported with CoS-based IPsec VPNs? (Choose two.)

 IKEv2
 Dead peer detection
 IKEV1
 VPN monitoring

Ans: A,B

Q85. You have configured static NAT for a web server in your DMZ. Both internal and external users can reach the web server
using its IP address. However, only internal users can reach the web server using its DNS name; when external users attempt to
reach it using the DNS name, an error message is received.

Which action would solve this problem?

 Disable web filtering
 Use DNS doctoring
 Modify the security policy
 Use destination NAT instead of static NAT

Ans: B
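
Added example (not part of the original question set): the Q85 setup on an SRX, a DMZ web server reachable through static NAT with the DNS ALG left in its default doctoring state so that A records carrying the private address are rewritten on their way out. Addresses, interfaces, zone and object names are placeholders; lines beginning with # are annotations.

```junos
# Added example, not from the original page. Addresses, interfaces, zones and names are placeholders.
# Static NAT: public 203.0.113.10 <-> DMZ web server 10.1.1.10, in both directions.
set security nat static rule-set from-untrust from zone untrust
set security nat static rule-set from-untrust rule web match destination-address 203.0.113.10/32
set security nat static rule-set from-untrust rule web then static-nat prefix 10.1.1.10/32
# The public address is not on an SRX interface, so answer ARP for it on the untrust side.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Static NAT is applied before policy lookup: the policy must match the real DMZ address.
set security address-book global address web-private 10.1.1.10/32
set security policies from-zone untrust to-zone dmz policy web match source-address any
set security policies from-zone untrust to-zone dmz policy web match destination-address web-private
set security policies from-zone untrust to-zone dmz policy web match application junos-http
set security policies from-zone untrust to-zone dmz policy web match application junos-https
set security policies from-zone untrust to-zone dmz policy web then permit

# DNS doctoring: when a DNS reply from the DMZ name server carries the A record 10.1.1.10 and
# that address has a static NAT mapping, the DNS ALG rewrites the record to 203.0.113.10.
# Doctoring is on by default; the two statements below are the ones that would switch it off,
# so make sure neither is present (delete warns "statement not found" if they are absent).
delete security alg dns disable
delete security alg dns doctoring none
commit

# Checks
show security nat static rule all
show security alg status
show security flow session destination-port 53
```

The translation is keyed on static NAT mappings only, which is why replacing static NAT with destination NAT (option D) would not help: destination NAT is one-way and gives the ALG nothing to match the A record against. The sanity-check half of doctoring, which drops malformed DNS replies, is a separate setting (doctoring sanity-check) and can stay on.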

Q86. You have downloaded and initiated the installation of the application package for the JATP appliance on an SRX1500. You
must confirm that the installation of the application package has completed successfully.

In this scenario, which command would you use to accomplish this task?

 show services application-identification version
 show services application-identification application detail
 show services application-identification application version
 show services application-identification status

Ans: D

Q87. Click the Exhibit


Referring to the exhibit, you are attempting to enable IPsec power mode to improve IPsec VPN performance. However, you are
unable to use IPsec power mode. What is the problem?

 IPsec power mode cannot be used with IPsec performance acceleration.
 IPsec power mode cannot be used with advanced services.
 IPsec power mode requires that you configure a policy-based VPN.
 IPsec power mode cannot be used with IPsec maximum segment size values.

Ans: B
