Free JN0-633 practice questions and answers for candidates preparing for the Juniper Security, Professional (JNCIP-SEC) certification exam.

Q21. You are asked to design a solution to verify IPsec peer reachability with data path forwarding.

Which feature would meet the design requirements?

A. DPD over Phase 1 SA

B. DPD over Phase 2 SA

C. VPN monitoring over Phase 1 SA

D. VPN monitoring over Phase 2 SA

Answer: D

Explanation:

Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671


Q22. What are two AppSecure modules? (Choose two.)

A. AppDoS

B. AppFlow

C. AppTrack

D. AppNAT

Answer: A,C

Explanation:

Reference: Page No. 2, Figure 1, http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf


Q23. You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office is a chassis cluster formed from two SRX240s.

Which two statements about this deployment are true? (Choose two.)

A. You must remove the SRX240s from the chassis cluster before enabling the dynamic VPNs.

B. The remote clients can run Windows XP, Windows Vista, Windows 7, or OS X operating systems.

C. If more than two dynamic VPN tunnels are required, you must purchase and install a new license.

D. The remote users can be authenticated by the SRX240s or a configured RADIUS server.

Answer: C,D

Explanation:

Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf


Q24. You recently implemented application firewall rules on an SRX device to act upon encrypted traffic. However, the encrypted traffic is not being correctly identified.

Which two actions will help the SRX device correctly identify the encrypted traffic? (Choose two.)

A. Enable heuristics to detect the encrypted traffic.

B. Disable the application system cache.

C. Use the junos:UNSPECIFIED-ENCRYPTED application signature.

D. Use the junos:SPECIFIED-ENCRYPTED application signature.

Answer: A,C 

Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/encrypted-p2p-heuristics-detection.html


Q25. Click the Exhibit button.

-- Exhibit --

-- Exhibit --

You must configure two SRX devices to enable bidirectional communications between the two networks shown in the exhibit. You have been allocated the 172.16.1.0/24 and 172.16.2.0/24 networks to use for this purpose.

Which configuration will accomplish this task?

A. Use an IPsec VPN to connect the two networks and hide the addresses from the Internet.

B. Using destination NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and translate traffic destined to 172.16.2.0/24 to Site2's addresses.

C. Using source NAT, translate traffic from Site1's addresses to 172.16.1.0/24, and translate traffic from Site2's addresses to 172.16.2.0/24.

D. Using static NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and translate traffic destined to 172.16.2.0/24 to Site2's addresses.

Answer: D

Explanation:

To examine bidirectional communication you need multiple packet filters, one for each direction.

Reference: http://my.safaribooksonline.com/book/networking/junos/9781449381721/security-policy/troubleshooting_security_policy_and_traf


Q26. You are asked to change the configuration of your company's SRX device so that you can block nested traffic from certain Web sites, but the main pages of these Web sites must remain available to users.

Which two methods will accomplish this goal? (Choose two.)

A. Enable the HTTP ALG.

B. Implement a firewall filter for Web traffic.

C. Use an IDP policy to inspect the Web traffic.

D. Configure an application firewall rule set.

Answer: B,D

Explanation: Reference: An application layer gateway (ALG) is a feature on ScreenOS gateways that enables the gateway to parse application layer payloads and make decisions based on them. ALGs are typically employed to support applications that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections (http://kb.juniper.net/InfoCenter/index?page=content&id=KB13530).

An IDP policy defines the rules for the type of traffic permitted on the network (http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/enable-idp-security-policy-section.html).


Q27. You have implemented a tunnel in your network using DS-Lite. The tunnel is formed between one of the SRX devices in your network and a DS-Lite-compatible CPE device in your customer's network.

Which two statements are true about this scenario? (Choose two.)

A. The SRX device will serve as the softwire initiator and the customer CPE device will serve as the softwire concentrator.

B. The SRX device will serve as the softwire concentrator and the customer CPE device will serve as the softwire initiator.

C. The infrastructure network supporting the tunnel will be based on IPv4.

D. The infrastructure network supporting the tunnel will be based on IPv6.

Answer: B,D

Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ipv6-ds-lite-overview.html


Q28. You want to implement a hub-and-spoke VPN topology using a single logical interface on the hub.

Which st0 interface configuration is correct for the hub device?

A. [edit interfaces]
   user@srx# show
   st0 {
       multipoint
       unit 0 {
           family inet {
               address 10.10.10.1/24;
           }
       }
   }

B. [edit interfaces]
   user@srx# show
   st0 {
       unit 0 {
           family inet {
               address 10.10.10.1/24;
           }
       }
   }

C. [edit interfaces]
   user@srx# show
   st0 {
       unit 0 {
           point-to-point;
           family inet {
               address 10.10.10.1/24;
           }
       }
   }

D. [edit interfaces]
   user@srx# show
   st0 {
       unit 0 {
           multipoint;
           family inet {
               address 10.10.10.1/24;
           }
       }
   }

Answer: D

Explanation: Reference: http://junos.com/techpubs/en_US/junos12.1/topics/example/ipsec-hub-and-spoke-configuring.html


Q29. Which two statements are true regarding DNS doctoring? (Choose two.)

A. DNS doctoring translates the DNS CNAME payload.

B. DNS doctoring for IPv4 is supported on SRX devices.

C. DNS doctoring for IPv4 and IPv6 is supported on SRX devices.

D. DNS doctoring translates the DNS A-record.

Answer: B,D

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-61847.html


Q30. Click the Exhibit button.

-- Exhibit --

user@srx> show security flow session

Session ID: 7724, Policy name: default-permit/4, Timeout: 2
  In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3
  Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2

Session ID: 18408, Policy name: default-permit/4, Timeout: 2
  In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
  Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10

-- Exhibit --

A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and a host with the 1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue on the SRX240 using the output shown in the exhibit.

Regarding this scenario, which two statements are true? (Choose two.)

A. The sessions shown indicate interface-based NAT processing.

B. The sessions shown indicate static NAT processing.

C. ICMP traffic is passing in both directions.

D. ICMP traffic is passing in one direction.

Answer: B,C