It is faster and easier to pass the Juniper JN0-633 exam by using Practical Juniper Security, Professional (JNCIP-SEC) questions and answers. Get immediate access to the up-to-date JN0-633 exam and find the same core-area JN0-633 questions with professionally verified answers, then pass your exam with a high score.
Q41. You are asked to deploy a group VPN between various sites associated with your company. The gateway devices at the remote locations are SRX240 devices.
Which two statements about the new deployment are true? (Choose two.)
A. The networks at the various sites must use NAT.
B. The participating endpoints in the group VPN can belong to a chassis cluster.
C. The networks at the various sites cannot use NAT.
D. The participating endpoints in the group VPN cannot be part of a chassis cluster.
Answer: C,D
Explanation:
Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
Reference: http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide_v1.2.pdf
Q42. Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability). Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:17.322751 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.328895 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.332956 In arp who-has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
A. The server is in the wrong VLAN.
B. The server has been misconfigured with the wrong IP address.
C. The firewall has been misconfigured with the incorrect routing-instance.
D. The firewall has a filter enabled to block traffic from the server.
Answer: C
Q43. In the IPS packet processing flow on an SRX Series device, when does application identification occur?
A. before fragmentation processing
B. after protocol decoding
C. before SSL decryption
D. after attack signature matching
Answer: A
Q44. Click the Exhibit button.
user@host> show bgp summary logical-system LSYS1
Groups: 11 Peers: 10 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0               141        129          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.64.12         65008      11153      11459       0      26  3d 3:10:43  9/10/10/0     0/0/0/0
192.168.72.12         65009      11171      11457       0      26  3d 3:10:39  11/12/12/0    0/0/0/0
192.168.80.12         65010       9480       9729       0      27  3d 3:10:42  11/12/12/0    0/0/0/0
192.168.88.12         65011      11171      11457       0      25  3d 3:10:31  12/13/13/0    0/0/0/0
192.168.96.12         65012       9479       9729       0      26  3d 3:10:34  12/13/13/0    0/0/0/0
192.168.10.12         65013     111689      11460       0      27  3d 3:10:46  9/10/10/0     0/0/0/0
192.168.11.12         65014     111688      11458       0      25  3d 3:10:42  9/10/10/0     0/0/0/0
192.168.12.12         65015     111687      11457       0      25  3d 3:10:38  9/10/10/0     0/0/0/0
192.68.11.12         650168       9478       9729       0      25  3d 3:10:42  9/10/10/0     0/0/0/0
192.168.13.12         65017     111687      11457       0      27  3d 3:10:30  9/10/10/0     0/0/0/0
192.168.16.12         65017     111687      11457       0      27  1w3d2h      Connect
user@host> show interfaces ge-0/0/7.0 extensive
Logical interface ge-0/0/7.0 (Index 76) (SNMP ifIndex 548) (Generation 141)
...
  Security: Zone: log
  Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
  Flow Statistics :
  Flow Input statistics :
    Self packets :                     0
    ICMP packets :                     0
    VPN packets :                      0
    Multicast packets :                0
    Bytes permitted by policy :        0
    Connections established :          0
  Flow Output statistics:
    Multicast packets :                0
    Bytes permitted by policy :        0
  Flow error statistics (Packets dropped due to):
    Address spoofing:                  0
    Authentication failed:             0
    Incoming NAT errors:               0
    Invalid zone received packet:      0
    Multiple user authentications:     0
    Multiple incoming NAT:             0
    No parent for a gate:              0
    No one interested in self packets: 0
    No minor session:                  0
    No more sessions:                  589723
    No NAT gate:                       0
    No route present:                  0
    No SA for incoming SPI:            0
    No tunnel found:                   0
    No session for a gate:             0
    No zone or NULL zone binding:      0
    Policy denied:                     0
    Security association not active:   0
    TCP sequence number out of window: 0
    Syn-attack protection:             0
    User authentication errors:        0
  Protocol inet, MTU: 1500, Generation: 1685, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
      Destination: 10.5.123/24, Local: 10.5.123.3, Broadcast: 10.5.123.255, Generation: 156
  Protocol multiservice, MTU: Unlimited, Generation: 1686, Route table: 0
    Policer: Input: default_arp_policer
...
An SRX Series device has been configured with a logical system LSYS1. One of the BGP peers is down.
Referring to the exhibit, which statement explains this problem?
A. The LSYS license only allows up to ten BGP peerings.
B. The maximum number of allowed flows is set to low.
C. The allocated memory is not sufficient for this LSYS.
D. The minimum number of flows is set to high.
Answer: B
Q45. Click the Exhibit button.
-- Exhibit -- (exhibit image not reproduced)
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. While troubleshooting, you change your filter to forward all traffic to ISP1. However, no traffic is sent to ISP1.
What is causing this behavior?
A. The filter is applied to the wrong interface.
B. The filter should use the next-hop action instead of the routing-instance action.
C. The filter term does not have a required from statement.
D. The filter term does not have the accept statement.
Answer: A
Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB24821
Q46. Click the Exhibit button.
-- Exhibit -- (exhibit image not reproduced)
An attacker is using a nonstandard port for HTTP for reconnaissance into your network. Referring to the exhibit, which two statements are true? (Choose two.)
A. The IPS engine will not detect the application due to the nonstandard port.
B. The IPS engine will detect the application regardless of the nonstandard port.
C. The IPS engine will perform application identification until the session is established.
D. The IPS engine will perform application identification until it processes the first 256 bytes of the packet.
Answer: B,D
Explanation:
Reference: https://www.juniper.net/techpubs/en_US/idp/topics/example/simple/intrusion-detection-prevention-idp-rulebase-default-service-usage.html
Q47. You are asked to deploy dynamic VPNs between the corporate office and remote employees who work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster.
Which two statements about the deployment are true? (Choose two.)
A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.
B. The remote clients must install client software to establish a tunnel with the corporate network.
C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.
D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.
Answer: B,D
Explanation:
Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf
Q48. Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show | no-more
idp-policy basic {
    rulebase-ips {
        rule 1 {
            match {
                from-zone untrust;
                source-address any;
                to-zone trust;
                destination-address any;
                application default;
                attacks {
                    custom-attacks data-inject;
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
active-policy basic;
custom-attack data-inject {
    recommended-action close;
    severity critical;
    attack-type {
        signature {
            context mssql-query;
            pattern "SELECT * FROM accounts";
            direction client-to-server;
        }
    }
}
-- Exhibit --
You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP.
Which two commands should you use? (Choose two.)
A. set custom attack data-inject recommended-action drop
B. set custom-attack data-inject attack-type signature protocol-binding tcp
C. set idp-policy basic rulebase-ips rule 1 match destination-address webserver
D. set idp-policy basic rulebase-ips rule 1 match application any
Answer: B,C
Q49. Two companies, A and B, are connected as separate customers on an SRX5800 residing on two virtual routers (VR-A and VR-B). These companies have recently been merged and now operate under a common IT security policy. You have been asked to facilitate communication between these VRs. Which two methods will accomplish this task? (Choose two.)
A. Use instance-import to share the routes between the two VRs.
B. Create logical tunnel interfaces to interconnect the two VRs.
C. Use a physical connection between VR-A and VR-B to interconnect them.
D. Create a static route using the next-table action in both VRs.
Answer: A,D
Explanation:
Use logical or physical connections between instances on the same Junos device, or share routes between them, and route between the connected instances.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21260
Q50. Click the Exhibit button.
-- Exhibit -- (exhibit image not reproduced)
Referring to the exhibit, which two statements are true? (Choose two.)
A. Packets may get fragmented.
B. The tunnel automatically fragments packets based on MTU discovery.
C. The Phase 2 association will never expire.
D. The Phase 2 association will expire without traffic.
Answer: A,D