Master the JN0-633 Security, Professional (JNCIP-SEC) content and be ready for exam day success quickly with this Testking JN0-633 free practice exam. We guarantee it! We make it a reality and give you real JN0-633 questions in our Juniper JN0-633 braindumps. The latest 100% valid Juniper JN0-633 exam question dumps are on the page below. You can use our Juniper JN0-633 braindumps and pass your exam.

Q1. Given the following session output:

Session ID: , Policy name: default-policy-00/2, State: Active, Timeout: 1794, Valid

In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, If: reth0.0, Pkts: 4, Bytes: 574

Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0, Pkts: 3, Bytes:

Which statement is correct about the security flow session output?

A. This session is about to expire.

B. NAT64 is used.

C. Proxy NDP is used for this session.

D. The IPv4 Web server runs services on TCP port 24770.

Answer: B

Explanation:

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22391


Q2. You have installed a new IPS license on your SRX device and successfully downloaded the attack signature database. However, when you run the command to install the database, the database fails to install. What are two reasons for the failure? (Choose two.)

A. The file system on the SRX device has insufficient free space to install the database.

B. The downloaded signature database is corrupt.

C. The previous version of the database must be uninstalled first.

D. The SRX device does not have the high memory option installed.

Answer: A,B

Explanation:

We don’t need to uninstall the previous version to install a new license, as we can update the same (reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16491). Also, the high memory option is a licensed feature.

The only reason for failure is either that there is no space left or that the downloaded file is corrupted due to an incomplete download, caused by the internet connection terminating partway through. Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23359


Q3. For an SRX chassis cluster in transparent mode, which action occurs to signal a high availability failover to neighboring switches?

A. the SRX chassis cluster generates Spanning Tree messages

B. the SRX chassis cluster generates gratuitous ARPs

C. the SRX chassis cluster flaps the former active interfaces

D. the SRX chassis cluster uses IP address monitoring

Answer: C

Reference: http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA246&lpg=PA246&dq=the+SRX+chassis+cluster+flaps+the+former+active+interfaces&source=bl&ots=_eDe_vRMyw&sig=x-Px98kZEi4hZvGflcoybABdMRQ&hl=en&sa=X&ei=iMLzUcDSLcfRrQeQw4CYCA&ved=0CEAQ6AEwBA#v=onepage&q=flap&f=false


Q4. Click the Exhibit button.

Based on the output shown in the exhibit, what are two results? (Choose two.)

A. The output shows source NAT.

B. The output shows destination NAT.

C. The port information is changed.

D. The port information is unchanged.

Answer: B,D

Explanation: Reference: http://junos.com/techpubs/software/junos-security/junos-security10.2/junos-security-cli-reference/index.html?show-security-flow-session.html


Q5. You are performing AppSecure traffic processing to enforce AppFW.

What happens when traffic matching an established security session is newly detected as a different application?

A. The security processing facility of the data plane re-examines the whitelist or blacklist referenced in the security policy to see if the new application is permitted.

B. The newly detected application will not be permitted and the session will be torn down unless a specific match exists against the exempt rulebase.

C. Zone-based firewall rules will be re-parsed to determine if a rule exists that permits the newly detected application.

D. The application will not be permitted if doing so would violate the session limit in the screen properties applied to that zone.

Answer: B


Q6. Click the Exhibit button.

Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent issues with their connection.

Referring to the exhibit, what is the problem?

A. The tunnel is down due to a configuration change.

B. The do-not-fragment bit is copied to the tunnel header.

C. The MSS option on the SYN packet is set to 1300.

D. The TCP SYN check option is disabled for tunnel traffic.

Answer: B


Q7. You want to verify that all application traffic traversing your SRX device uses standard ports. For example, you need to verify that only DNS traffic runs through port 53, and no other protocols. How would you accomplish this goal?

A. Use an IDP policy to identify the application regardless of the port used.

B. Use a custom ALG to detect the application regardless of the port used.

C. Use AppTrack to detect the application regardless of the port used.

D. Use AppID to detect the application regardless of the port used.

Answer: A

Explanation:

AppTrack provides detailed visibility of application traffic. AppTrack is also known as AppID. Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-AppTrack-aka-AppID/td-p/63029

An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/id-79332.html


Q8. You have just created a few hundred application firewall rules on an SRX device and applied them to the appropriate firewall policies. However, you are concerned that the SRX device might become overwhelmed with the increased processing required to process traffic through the application firewall rules.

Which three actions will help reduce the amount of processing required by the application firewall rules? (Choose three.)

A. Use stateless firewall filtering to block the unwanted traffic.

B. Implement AppQoS to drop the unwanted traffic.

C. Implement screen options to block the unwanted traffic.

D. Implement IPS to drop the unwanted traffic.

E. Use security policies to block the unwanted traffic.

Answer: A,C,E

Explanation:

IPS and AppDoS are the most powerful, and thus, the least efficient method of dropping traffic on the SRX, because IPS and AppDoS tend to take up the most processing cycles.

Reference: http://answers.oreilly.com/topic/2036-how-to-protect-your-network-with-security-tools-for-junos/


Q9. You want to query User Group membership directly using the integrated user firewall services from an Active Directory controller to an SRX Series device.

Which two actions are required? (Choose two.)

A. Configure the LDAP base distinguished name.

B. Connect the SRX Series device and the MAG Series device in an enforcer configuration.

C. Configure a domain name, the username and password of the domain, and the name and IP address of the domain controller in the domain.

D. Configure the Access Control Service on the MAG Series device for local user authentication and verify that authentication information is transferred between the devices.

Answer: A,C


Q10. Click the Exhibit button.

Traffic is flowing between the Host-1 and Host-2 devices through a hub-and-spoke IPsec VPN. All devices are SRX Series devices.

Referring to the exhibit, which two statements are correct? (Choose two.)

A. Traffic is encrypted on the Hub device.

B. Traffic is encrypted on the Spoke-2 device.

C. Traffic is not encrypted on the Spoke-2 device.

D. Traffic is not encrypted on the Hub device.

Answer: D