[Free] 2018(Jan) EnsurePass Testking Juniper JN0-633 Dumps with VCE and PDF 61-70


Security, Professional (JNCIP-SEC)

Question No: 61

Which two statements are true about persistent NAT? (Choose two.)

  1. The permit target-host-port statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.

  2. The permit target-host statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.

  3. Port overloading must be enabled for Interface-based persistent NAT.

  4. Port overloading must be disabled for Interface-based persistent NAT.

Answer: B,D

Question No: 62

You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be working properly.

What are two reasons for the problem? (Choose two.)

  1. You have configured a remote address value of 0.0.0.0/0.

  2. You are trying to use traffic selectors with policy-based VPNs.

  3. You have configured 15 traffic selectors on each SRX Series device.

  4. You are trying to use traffic selectors with route-based VPNs.

Answer: A,B

Question No: 63

Click the Exhibit button.

– Exhibit –

    user@srx240> show route summary
    Router ID:

    inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
        Direct: 1 routes, 1 active
        Local: 1 routes, 1 active
        Static: 1 routes, 1 active

    customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
        Direct: 1 routes, 1 active
        Local: 1 routes, 1 active
        Static: 1 routes, 1 active

    customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
        Direct: 1 routes, 1 active
        Local: 1 routes, 1 active
        OSPF: 1 routes, 1 active
        Static: 1 routes, 1 active

    customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
        Direct: 2 routes, 2 active
        Local: 2 routes, 2 active
        Static: 1 routes, 1 active

– Exhibit –

In the output, how many user-configured routing instances have active routes?

  1. 1

  2. 2

  3. 3

  4. 4

Answer: B

Reference: http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/command-summary/show-route-summary.html#jd0e185

Question No: 64

Click the Exhibit button.

– Exhibit –

    [edit security idp]
    user@srx# show | no-more
    idp-policy basic {
        rulebase-ips {
            rule 1 {
                match {
                    from-zone untrust;
                    source-address any;
                    to-zone trust;
                    destination-address any;
                    application default;
                    attacks {
                        custom-attacks data-inject;
                    }
                }
                then {
                    action {
                        recommended;
                    }
                    notification {
                        log-attacks;
                    }
                }
            }
        }
    }
    active-policy basic;
    custom-attack data-inject {
        recommended-action close;
        severity critical;
        attack-type {
            signature {
                context mssql-query;
                pattern "SELECT * FROM accounts";
                direction client-to-server;
            }
        }
    }

– Exhibit –

You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP.

Which two commands should you use? (Choose two.)

  1. set custom attack data-inject recommended-action drop

  2. set custom-attack data-inject attack-type signature protocol-binding tcp

  3. set idp-policy basic rulebase-ips rule 1 match destination-address webserver

  4. set idp-policy basic rulebase-ips rule 1 match application any

Answer: B,C

Question No: 65

Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce password expiration policies for all VPN users.

Which authentication method meets the requirement?

  1. local password database

  2. TACACS

  3. RADIUS

  4. LDAP

Answer: D

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17423&actp=RSS

Question No: 66

Click the Exhibit button.

    [edit security idp-policy test]
    user@host# show
    rulebase-ips {
        rule R3 {
            match {
                source-address any;
                destination-address any;
                attacks {
                    predefined-attacks FTP:USER:ROOT;
                }
            }
            then {
                action {
                    recommended;
                }
            }
            terminal;
        }
        rule R4 {
            match {
                source-address any;
                destination-address any;
                attacks {
                    predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
                }
            }
            then {
                action {
                    recommended;
                }
            }
        }
    }

You have just committed the new IDP policy shown in the exhibit. However, you notice no action is taken on traffic matching the R4 IDP rule.

Which two actions will resolve the problem? (Choose two.)

  1. Change the R4 rule to match on a predefined attack group.

  2. Insert the R4 rule above the R3 rule.

  3. Delete the terminal statement from the R3 rule.

  4. Change the IPS rulebase to an exempt rulebase.

Answer: C

Question No: 67

HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?

  1. [edit security flow]
    user@srx# show
    traceoptions {
        file dump;
        flag basic-datapath;
    }

  2. [edit security]
    user@srx# show
    application-tracking {
        enable;
    }
    flow {
        traceoptions {
            file dump;
            flag basic-datapath;
        }
    }

  3. [edit firewall filter capture term one]
    user@srx# show
    from {
        source-address {
            1.1.1.1;
        }
        destination-address {
            2.2.2.2;
        }
        protocol tcp;
    }
    then {
        port-mirror;
        accept;
    }

  4. [edit firewall filter capture term one]
    user@srx# show
    from {
        source-address {
            1.1.1.1;
        }
        destination-address {
            2.2.2.2;
        }
        protocol tcp;
    }
    then {
        sample;
        accept;
    }

Answer: D

Reference: http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/

Question No: 68

Click the Exhibit button.

    [edit protocols ospf area 0.0.0.0]
    user@host# run show security ike security-associations
    Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
    3289542  UP     48d928408940de28  e418fc7702fe483b  Main  172.31.50.1
    3289543  UP     eb45940484082b14  428086b100427326  Main  10.10.50.1

    [edit protocols ospf area 0.0.0.0]
    user@host# run show security ipsec security-associations
    Total active tunnels: 2
    ID       Algorithm      SPI       Life:sec/kb  Mon  lsys  Port  Gateway
    <131073  ESP:des/ sha1  6d40899b  1360/ unlim  –    root  500   10.10.50.1
    >131073  ESP:des/ sha1  5a89400e  1360/ unlim  –    root  500   10.10.50.1
    <131074  ESP:des/ sha1  c04046f   1359/ unlim  –    root  500   172.31.50.1
    >131074  ESP:des/ sha1  5508946c  1359/ unlim  –    root  500   172.31.50.1

    [edit protocols ospf area 0.0.0.0]
    user@host# run show ospf neighbor
    Address     Interface  State  ID          Pri  Dead
    10.40.60.1  st0.0      Init   10.30.50.1  128  35
    10.40.60.2  st0.0      Full   10.30.50.1  128  31

    [edit protocols ospf area 0.0.0.0]
    user@host# show
    interface st0.0;

You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.

What would you do to resolve this problem?

  1. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.

  2. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.

  3. Configure the st0.0 interface under OSPF as a point-to-point interface.

  4. Configure the st0.0 interface under OSPF as an unnumbered interface.

Answer: B

Question No: 69

You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s.

Regarding this scenario, which two statements are true? (Choose two.)

  1. You must enable data plane logging on the SRX240 devices to generate security policy logs.

  2. You must enable data plane logging on the SRX5600 devices to generate security policy logs.

  3. IKE logs are written to the kmd log file by default.

  4. IPsec logs are written to the kmd log file by default.

Answer: B,D

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506

http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf

Question No: 70

You are asked to design a solution to verify IPsec peer reachability with data path forwarding.

Which feature would meet the design requirements?

  1. DPD over Phase 1 SA

  2. DPD over Phase 2 SA

  3. VPN monitoring over Phase 1 SA

  4. VPN monitoring over Phase 2 SA

Answer: D

Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671
