Security, Professional (JNCIP-SEC)
Question No: 71
You have a group IPsec VPN established with a single key server and five client devices. Regarding this scenario, which statement is correct?
There is one unique Phase 1 security association and five unique Phase 2 security associations used for this group.
There is one unique Phase 1 security association and one unique Phase 2 security association used for this group.
There are five unique Phase 1 security associations and five unique Phase 2 security associations used for this group.
There are five unique Phase 1 security associations and one unique Phase 2 security association used for this group.
Answer: D
Explanation: In a group VPN each member negotiates its own Phase 1 (IKE) security association with the key server, so five members produce five unique Phase 1 SAs. The key server then distributes one group Phase 2 (IPsec) security association that all members share, so there is a single Phase 2 SA for the group rather than one per member.
Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
Question No: 72
Click the Exhibit button.
– Exhibit –
You have configured an IDP policy as shown in the exhibit. The configuration commits successfully. Which traffic will be examined for attacks?
only originating traffic from source to destination in a session
only reply traffic from destination to source in a session
both originating and reply traffic between hosts in a session
recommended traffic between the source and destination hosts
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/config-idp-ips-rulebase-section.html#config-idp-ips-rulebase-section
Question No: 73
Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 18.104.22.168 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
19:24:16.320907 In arp who-has 22.214.171.124 tell 126.96.36.199
19:24:17.322751 In arp who-has 188.8.131.52 tell 184.108.40.206
19:24:18.328895 In arp who-has 220.127.116.11 tell
19:24:18.332956 In arp who-has 18.104.22.168 tell 22.214.171.124
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
The server is in the wrong VLAN.
The server has been misconfigured with the wrong IP address.
The firewall has been misconfigured with the incorrect routing-instance.
The firewall has a filter enabled to block traffic from the server.
Question No: 74
You are attempting to establish an IPsec VPN between two SRX devices. However, there is another device between the SRX devices that does not pass traffic that is using UDP port 4500.
How would you resolve this problem?
Answer: B
Explanation: IKE normally runs over UDP port 500 and ESP is carried natively as IP protocol 50. When NAT-T is enabled (the default on SRX IKE gateways) and a NAT is detected, IKE moves to UDP port 4500 and ESP is encapsulated in UDP port 4500 as well. Disabling NAT-T on the SRX devices keeps the tunnel on UDP port 500 and native ESP, neither of which is affected by a device that blocks UDP port 4500. This only works when there is no NAT between the two SRX devices; if there is, NAT-T is required and the intermediate device must be changed to pass UDP port 4500 instead.
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch10.html
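The following is an added example, not part of the original question or of any Juniper document: a constructed Junos configuration that shows an IKE gateway as it is by default (NAT-T enabled) beside the same gateway with NAT-T disabled, followed by the operational command used to confirm which UDP port the IKE SA ends up on. The gateway name gw-branch, the policy name ike-pol, the address 203.0.113.2 and the interface ge-0/0/0.0 are assumptions; the rest of the IKE and IPsec configuration (proposals, policies, the st0 interface) is omitted.

```junos
/* Constructed example; gateway, policy, address and interface names are assumptions. */

/* Before: NAT-T is on by default, so if a NAT is detected IKE and ESP
   both move to UDP port 4500, which the intermediate device blocks. */
security {
    ike {
        gateway gw-branch {
            ike-policy ike-pol;
            address 203.0.113.2;
            external-interface ge-0/0/0.0;
        }
    }
}

/* After: NAT-T disabled, so IKE stays on UDP port 500 and ESP stays
   native IP protocol 50. Apply on both SRX devices, and only when
   there is no NAT between them. */
security {
    ike {
        gateway gw-branch {
            ike-policy ike-pol;
            address 203.0.113.2;
            external-interface ge-0/0/0.0;
            no-nat-traversal;
        }
    }
}

/* Check after the tunnel re-establishes: the Local and Remote
   addresses should show port 500, not 4500. */
user@host> show security ike security-associations detail
```

If the detail output still shows port 4500, a NAT was detected on the path and the tunnel needs NAT-T; in that case the fix belongs on the intermediate device, not on the SRX.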
Question No: 75
An SRX Series device is configured for inline tap mode. What will occur if Drop Packet is selected?
The SRX Series device drops a matching packet before it can reach its destination but does not close the connection.
The SRX Series device will ignore the action Drop Packet.
The SRX Series device closes the connection and sends an RST packet to both the client and the server.
The SRX Series device drops a matching packet associated with the connection, preventing traffic for the connection from reaching its destination.
Question No: 76
Which two statements about AppQoS are true? (Choose two.)
AppQoS remarking supersedes interface remarking.
AppQoS supports forwarding class assignment.
AppQoS supports rate limiting.
AppQoS supports bandwidth reservation.
Question No: 77
Click the Exhibit button.
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
nested-application-cache: on
cache-unknown-result: on
cache-entry-timeout: 3600 seconds
You are using the application identification feature on your SRX Series device. The help desk reports that users are complaining about slow Internet connectivity. You issue the command shown in the exhibit.
What must you do to correct the problem?
Modify the configuration with the delete services application-identification no-application-system-cache command and commit the change.
Modify the configuration with the delete services application-identification no-clear-application-system-cache command and commit the change.
Reboot the SRX Series device.
Modify the configuration with the delete services application-identification no-application-identification command and commit the change.
Question No: 78
Referring to the following output, which command would you enter in the CLI to produce this result?
Ruleset        Application   Client-to-server   Rate(bps)   Server-to-client   Rate(bps)
http-App-QoS   HTTP          ftp-C2S            200         ftp-C2S            200
http-App-QoS   HTTP          ftp-C2S            200         ftp-C2S            200
ftp-App-QoS    FTP           ftp-C2S            100         ftp-C2S            100
show class-of-service interface ge-2/1/0
show interface flow-statistics ge-2/1/0
show security flow statistics
show class-of-service application-traffic-control statistics rate-limiter
Answer: D
Explanation: Rate-limiter statistics broken out by AppQoS rule set and application are reported by show class-of-service application-traffic-control statistics rate-limiter. The other commands report interface class-of-service settings, interface flow counters, or aggregate flow statistics, none of which are organized by rule set.
Question No: 79
You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?
You can use SCEP to accomplish this behavior.
You can use OCSP to accomplish this behavior.
You can use CRL to accomplish this behavior.
You can use SPKI to accomplish this behavior.
Reference: Page 9 of http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf
Question No: 80
What is a benefit of using a dynamic VPN?
It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.
It eliminates the need for point-to-point VPN tunnels.
It provides a way to grant VPN access on a per-user-group basis.
It simplifies IPsec access for remote clients.