EMT Practice Test

1. Question Content...


Question List

Question1: You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote user.
Regarding this scenario, which three statements are correct? (Choose three.)

Question2: Click the Exhibit button.
user@key-server> show security group-vpn server ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address
97 UP bb224408940cc5d 435b9404284083c2 Main 192.168.11.1
98 UP 242c840089404d15 ab19284089408ba8 Main 192.168.11.2
user@key-server> show security group-vpn server ipsec security-associations Group: group-1, Group Id:
1
Total IPsec SAs: 1
IPsec SA Algorithm SPI Lifetime
group-l-sa ESP:3des/shal 1343991c 2736
Group: group-2, Group id: 2
Total IPsec SAs: 1
IPsec SA Algorithm SPI Lifetime
group-2-sa ESP:3des/shal 13be9e9 2741
Group: group-3, Group Id: 3
Total IPsec SAs: 1
IPsec SA Algorithm SPI Lifetime
group-3-sa ESP:3des/shal 20709057 2741
Group: group-4, Group Id: 4
Total IPsec SAs: 1
IPsec SA Algorithm SPI Lifetime
group-4-sa ESP:3des/shal 5111c2e1 2741
Which statement is correct regarding the outputs shown in the exhibit?
Which statement is correct regarding the outputs shown in the exhibit?

Question3: Click the Exhibit button.

Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent issues with their connection.
Referring to the exhibit, what is the problem?

Question4: Click the Exhibit button.

Traffic is being sent from Host-1 to Host-2 through an IPsec VPN. In this process, SRX-2 is using NAT to change the destination address of Host-2 from 192.168.1.1 to 10.60.60.1 SRX-1 uses the 172.31.50.1 address for its tunnel endpoint and SRX-2 uses the 10.10.50.1 address for its tunnel endpoint.
Referring to the exhibit, which statement is true?

Question5: Which feature is used for layer 2 bridging on an SRX Series device?

Question6: What are three techniques to mark DSCP values on an SRX Series device? (Choose three.)

Question7: What are three advantages of group VPNs? (Choose three.)

Question8: What is a benefit of using a dynamic VPN?

Question9: Click the Exhibit button.

Referring to the exhibit, the application firewall configuration fails to commit. What must you do to allow the configuration to commit?

Question10: Click the Exhibit button.

In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. While troubleshooting, you change your filter to forward all traffic to ISP1. However, no traffic is sent to ISP1.
What is causing this behavior?

Question11: You configured a custom signature attack object to match specific components of an attack:
HTTP-request
Pattern .*\x90 90 90 ... 90
Direction: client-to-server
Which client traffic would be identified as an attack?

Question12: Which two statements are true regarding DNS doctoring? (Choose two.)

Question13: Referring to the following output, which command would you enter in the CLI to produce this result?
Ruleset Application Client-to-server Rate(bps) Server-to-client Rate(bps)
http-App-QoS HTTP ftp-C2S 200 ftp-C2S 200
http-App-QoS HTTP ftp-C2S 200 ftp-C2S 200
ftp-App-QoS FTP ftp-C2S 100 ftp-C2S 100

Question14: You have initiated the download of the IPS signature database on your SRX Series device.
Which command would you use to confirm the download has completed?

Question15: Click the Exhibit button.
user@host> show security flow session extensive
Session ID: 1173, Status: Normal
Flag: Ox0
Policy name: two/6
Source NAT pool: interface, Application: junos-ftp/1
Dynamic application: junos:UNKNOWN,
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 1756
Session State: Valid
Start time: 4859, Duration: 99
In: 172.20.103.10/56457 --> 10.210.14.130/21;tcp,
Interface: vlan.103,
Session token: Ox8, Flag: Ox21
Route: 0x100010, Gateway: 172.20.103.10, Tunnel: 0
Port sequence: 0, FIN sequence: 0, FIN state: 0,
Pkts: 12, Bytes: 549
Out: 10.210.14.130/21 --> 10.210.14.133/18698;tcp,
Interface: ge-0/0/0.0,
Session token: 0x7, Flag: Ox20
Route: Oxf0010, Gateway: 10.210 14.130, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 8, Bytes: 514
Total sessions: 1
A user complains that they are unable to download files using FTP. They are able to connect to the remote site, but cannot download any files. You investigate and execute the show security flow session extensive command to receive the result shown in the exhibit.
What is the cause of the problem?

Question16: Click the Exhibit button.

Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?

Question17: You want to create a custom IDP signature for a new HTTP attack on your SRX device. You have the exact string that identifies the attack. Which two additional elements do you need to define your custom signature? (Choose two.)

Question18: -- Exhibit --
user@srx> show security flow session
Session ID. 7724, Policy namE. default-permit/4, Timeout: 2
In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, IF. ge-0/0/3
Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, IF. ge-0/0/2
Session ID. 18408, Policy namE. default-permit/4, Timeout: 2
In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, IF. ge-0/0/2.0
Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, IF. ge-0/0/3.10
-- Exhibit --
A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and a host with the 1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue on the SRX240 using the output shown in the exhibit. Regarding this scenario, which two statements are true? (Choose two.)

Question19: Your company's network has seen an increase in Facebook-related traffic. You have been asked to restrict the amount of Facebook-related traffic to less than 100 Mbps regardless of congestion. What are three components used to accomplish this task? (Choose three.)

Question20: Which two statements about AppQoS are true? (Choose two.)

Question21:
Refer to the exhibit. Considering a stable neighborship has been established with multiple eBGP peers, which routers are advertised by the router?

Question22: Which AppSecure module provides Quality of Service?

Question23: You are asked to implement a point-to-multipoint hub-and-spoke topology in a mixed vendor environment.
The hub device is running the Junos OS and the spoke devices are different vendor devices. Regarding this scenario, which statement is correct?

Question24: What are two network scanning methods? (Choose two.)

Question25: You want to implement a hub-and-spoke VPN topology using a single logical interface on the hub. Which st0 interface configuration is correct for the hub device?

Question26: Click the Exhibit button.

You are asked to implement NAT to translate addresses between the IPv4 and IPv6 networks shown in the exhibit.
What are three configuration requirements? (Choose three.)

Question27: Two companies, A and B, are connected as separate customers on an SRX5800 residing on two virtual routers (VR-A and VR-B). These companies have recently been merged and now operate under a common IT security policy. You have been asked to facilitate communication between these VRs. Which two methods will accomplish this task? (Choose two.)

Question28: A branch SRX Series device in flow mode is forwarding between two virtual routers using a paired set of logical tunnel interfaces. You have a server connected to one virtual router and the client is on the other virtual router.
How many security policies are needed to connect from the client to the server across the logical tunnel link?

Question29: You are asked to allow access to an external application for an internal host subject to address translation.
The application requires multiple sessions initiated from the internal host and expects all the sessions to originate from the same source IP address.
Which Junos feature meets this objective?

Question30: Click the Exhibit button.
[edit security idp-policy test]
user@host# show
rulebase-ips {
rule R3 {
match {
source-address any;
destination-address any;
attacks {
predefined-attacks FTP:USER:ROOT;
}
}
then {
action {
recommended;
}
}
terminal;
}
rule R4 {
match {
source-address any;
destination-address any;
attacks {
predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
}
}
then {
action {
recommended;
}
}
}
}
You have just committed the new IDP policy shown in the exhibit. However, you notice no action is taken on traffic matching the R4 IDP rule.
Which two actions will resolve the problem? (Choose two.)

Question31: Click the Exhibit button.

Referring to the exhibit, which feature allows the hosts in the Trust and DMZ zones to route to either ISP, based on source address?

Question32: You are using logical systems to segregate customers. You have a requirement to enable communication between the logical systems. What are two ways to accomplish this goal? (Choose two.)

Question33: You are troubleshooting an SRX240 acting as a NAT translator for transit traffic. Traffic is dropping at the SRX240 in your network. Which three tools would you use to troubleshoot the issue? (Choose three.)

Question34: Click the Exhibit button.

You must configure two SRX devices to enable bidirectional communications between the two networks shown in the exhibit. You have been allocated the 172.16.1.0/24 and 172.16.2.0/24 networks to use for this purpose.
Which configuration will accomplish this task?

Question35: Your management has a specific set of Web-based applications that certain employees are allowed to use.
Which two SRX Series device features would be used to accomplish this task? (Choose two.)

Question36: Click the Exhibit button.

In the exhibit, the SRX device has hosts connected to interface ge-0/0/1 and ge-0/0/6. The devices are not able to ping each other. What is causing this behavior?

Question37: Which statement is true about NAT?

Question38: You are asked to implement the AppFW feature on an SRX Series device.
Which three tasks must be performed to make the feature work? (Choose three.)

Question39: You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be working properly.
What are two reasons for the problem? (Choose two.)

Question40: Click the Exhibit button.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:<1.1.1.100/51303->1.1.1.30/3389;6> matched filter MatchTraffic:
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:packet [48] ipid = 5015, @423d7e9e Feb 2 09:00:02
09:00:00.1872004:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag Ox0, mbuf Ox423d7d00 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow process pak fast ifl 72
In_ifp fe-0/0/7.0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: fe-0/0/7.0:1.1.1.100/51303- >1.1.1.30/3389, top, flag 2 syn Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: find flow: table Ox5258d7b0, hash 17008(Oxffff), sa
1.1.1.100, da 1.1.1.30, sp 51303, dp 3389, proto 6, tok
448
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_create_session
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr
1.1.1.30, sp 51303, dp 3389
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_rule_dst_xlate: packet 1.1.1.100->1.1.1.30 nsp2
0.0.0.0->192.168.224.30.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_routing: call flow_route_lookup() src_ip 1.1.1.100, x_dst_ip 192.168.224.30, in ifp fe-0/0/7.0, out ifp N/A sp 51303, dp 3389, ip_proto 6, tos 0 Feb 2 09:00:02 09:00:00.1872004:CID-O:RT:Doing DESTINATION addr route-lookup Feb 2 09:00:02
09:00:00.1872004:CID-0:RT: routed (x_dst_ip 192 168.224.30)
from untrust (fe-0/0/7.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.224.30
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy search from zone untrust-> zone trust Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy has timeout 900 Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: app 0, timeout 1800s, curr ageout 20s Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(51303) to 192.168.224.30 (3389) returns status 1, rule/pool id 1/2. Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: dip id = 2/0,
1.1.1.100/51303->192.168.224.3/48810
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr:
192.168.224.30, rtt_idx:0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 0, policy 9, app_svc_en 0, flags Ox2. not interested Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 1, policy 9, app_svc_en 0, flags Ox2. not interested Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_service_lookup(): natp(Ox51ee4680): app_id, 0(0).
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: service lookup identified service O.
Referring to the exhibit, which two statements are correct? (Choose two.)

Question41: You have a group IPsec VPN established with a single key server and five client devices. Regarding this scenario, which statement is correct?

Question42: -- Exhibit --
user@srx# show security datapath-debug
capture-file pkt-cap-file format pcap size 5m;
action-profile {
pkt-cap-profile {
event np-ingress {
packet-dump;
}
}
}
packet-filter pkt-filter {
action-profile pkt-capture;
source-prefix 1.2.3.4/32;
}
-- Exhibit --
You want to capture transit traffic passing through your SRX3600. You add the configuration shown in the exhibit but do not see entries added to the capture file.
What is causing the problem?

Question43: Which two configuration statements are used to share interface routes between routing instances?
(Choose two.)

Question44: How does the SRX5800, in transparent mode, signal failover to the connected switches?

Question45: Click the Exhibit button.
-- Exhibit --

-- Exhibit --
According to the log shown in the exhibit, you notice that the IPsec session is not establishing.
What are two reasons for this behavior? (Choose two.)

Question46: Click the Exhibit button.
{primarynode0}[edit security idp idp-policy test-ips-policy]
user@host# show
rulebase-ips {
rule r1 {
match {
source-address any;
attacks {
predefined-attack-groups "HTTP - All";
}
}
then {
action {
drop-packet;
}
}
terminal;
}
rule r2 {
match {
source-address 172.16.0.0/12;
attacks {
predefined-attack-groups "FTP - All";
}
then {
action {
no-action;
}
}
}
rule r3 {
match {
source-address 172.16.0.0/12;
attacks {
predefined-attack-groups "TELNET - All";
}
}
then {
action {
no-action;
}
}
}
rule r4 {
match {
source-address any;
attacks {
predefined-attack-groups "FTP - All";
}
}
then {
action {
drop-packet;
}
}
}
}
A user with IP address 172.301.100 initiates an FTP session to a host with IP address 10.100.1.50 through an SRX Series device and is subject to the IPS policy shown in the exhibit.
cd ~root command, which statement is correct?
If the user tries to execute the

Question47: What are two AppSecure modules? (Choose two.)

Question48: You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster.
Which two statements about the deployment are true? (Choose two.)

Question49: You have an existing group VPN established in your internal network using the group-id 1. You have been asked to configure a second group using the group-id 2. You must ensure that the key server for group 1 participates in group 2 but is not the key server for that group. Which statement is correct regarding the group configuration on the current key server for group 1?

Question50: Which two are required for the SRX device to perform DNS doctoring? (Choose two.)

Question51: You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together. What are two ways to accomplish this goal? (Choose two.)

Question52: You have implemented a tunnel in your network using DS-Lite. The tunnel is formed between one of the SRX devices in your network and a DS-Lite-compatible CPE device in your customer's network. Which two statements are true about this scenario? (Choose two.)

Question53: You are asked to establish a hub-and-spoke IPsec VPN using your SRX Series device as the hub. All of your spoke devices are third-party devices.
Which statement is correct?

Question54: What are two intrusion protection mechanisms available on SRX Series Services Gateways? (Choose two.)

Question55: -- Exhibit --
user@srx240< show route summary
Router ID.
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
StatiC. 1 routes, 1 active
customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) Direct: 1 routes, 1 active Local: 1 routes, 1 active
StatiC. 1 routes, 1 active
customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden) Direct: 1 routes, 1 active Local: 1 routes, 1 active
OSPF. 1 routes, 1 active
StatiC. 1 routes, 1 active
customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) Direct: 2 routes, 2 active Local: 2 routes, 2 active
StatiC. 1 routes, 1 active
-- Exhibit --
In the output, how many user-configured routing instances have active routes?

Question56: You want to configure in-band management of an SRX device in transparent mode. Which command is required to enable this functionality?

Question57: Click the Exhibit button.

Referring to the exhibit, AppTrack is only logging the session closure messages for sessions that last 1 to
3 minutes.
What is causing this behavior?

Question58: You are asked to ensure that your IPS engine blocks attacks. You must ensure that your system continues to drop additional malicious traffic without additional IPS processing for up to 30 minutes. You must ensure that the SRX Series device does send a notification packet when the traffic is dropped.
Which statement is correct?

Question59: Click the Exhibit button.
user@host# show interfaces
ge-0/0/0 {
unit 1 {
family bridge {
interface-mode trunk;
vlan-id-list 20;
vlan-rewrite {
translate 2 20;
}
}
}
}
Referring to the exhibit, which two statements are correct regarding VLAN rewrite? (Choose two.)

Question60: You are deploying a standalone SRX650 in transparent mode for evaluation purposes in a potential client's network. The client will need to access the device to modify security policies and perform other various configurations. Where would you configure a Layer 3 interface to meet this requirement?

Question61: Which two statements are true about an interconnect logical system on an SRX Series device? (Choose two.)

Question62: You are asked to implement a monitoring feature that periodically verifies that the data plane is working across your IPsec VPN. Which configuration will accomplish this task?

Question63: -- Exhibit --
[edit security idp]
user@srx# show
security-package {
url https://services.netscreen.com/cgi-bin/index.cgi;
automatic {
start-time "2012-12-11.01:00:00 +0000";
interval 120;
enable;
}
}
-- Exhibit --
You have configured your SRX device to download and install attack signature updates as shown in the exhibit. You discover that updates are not being downloaded. What are two reasons for this behavior?
(Choose two.)

Question64: You are asked to implement an IPsec VPN between your main office and a new remote office. The remote office receives its IKE gateway address from their ISP dynamically.
Regarding this scenario, which statement is correct?

Question65: You are troubleshooting an IPsec session and see the following IPsec security associations:
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
< 192.168.224.1 500 ESP:aes-256/sha1 d6393645 26/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec235 26/ unlim - 0
< 192.168.224.1 500 ESP:aes-256/sha1 f9a2db9a 3011/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec236 3011/ unlim - 0
What are two reasons for this behavior? (Choose two.)

Question66: You are using destination NAT to translate the address of your HTTPS server to a private address on your SRX Series device. You have decided to implement IDP SSL decryption. Upon enabling the decryption, you notice sessions are not decrypted.
Which action resolves the problem?

Question67: You have recently deployed a dynamic VPN. Some remote users are complaining that they cannot authenticate through the SRX device at the corporate network. The SRX device serves as the tunnel endpoint for the dynamic VPN. What are two reasons for this problem? (Choose two.)

Question68: -- Exhibit --
[edit forwarding-options]
user@srx240# show
packet-capture {
file filename my-packet-capture;
maximum-capture-size 1500;
}
-- Exhibit --
Referring to the exhibit, you are attempting to perform a packet capture on an SRX240 to troubleshoot an SSH issue in your network. However, no information appears in the packet capture file.
Which firewall filter must you apply to the necessary interface to collect data for the packet capture?

Question69: You have configured static NAT for a Web server in your DMZ. Both internal and external users can reach the Web server using its IP address. However, only internal users are able to reach the Web server using its DNS name. External users receive an error message from their browser.
Which action would solve this problem?

Question70: You are asked to configure your SRX Series device to support IDP SSL inspections for up to 6,000 concurrent HTTP sessions to a server within your network.
Which two statements are true in this scenario? (Choose two.)

Question71: Which statement is true regarding destination NAT?

Question72: You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?

Question73: You are working as a security administrator and must configure a solution to protect against distributed botnet attacks on your company's central SRX cluster.
How would you accomplish this goal?

Question74: -- Exhibit --
[edit security]
user@srx# show idp
...
application-ddos Webserver {
service http;
connection-rate-threshold 1000;
context http-get-url {
hit-rate-threshold 60000;
value-hit-rate-threshold 30000;
time-binding-count 10;
time-binding-period 25;
}
}
-- Exhibit --
You are using AppDoS to protect your network against a bot attack, but noticed an approved application has falsely triggered the configured IDP action of drop. You adjusted your AppDoS configuration as shown in the exhibit. However, the approved traffic is still dropped.
What are two reasons for this behavior? (Choose two.)

Question75: Click the Exhibit button.

Based on the output shown in the exhibit, what are two results? (Choose two.)

Question76: An SRX Series device has been configured for multiple IPsec VPNs. The IPsec tunnel is configured for pre-shared keys and is currently down.
Which two commands allow the administrator to troubleshoot this problem? (Choose two.)

Question77: Click the Exhibit button.

Host A cannot resolve the www.target.host.com Web page when using its configured DNS server. As shown in the exhibit, Host A's configured DNS server and the Web server hosting the www.target.host.com Web page are in the same subnet. You have verified bidirectional reachability between Host A and the Web server hosting the Web page.
What would cause this behavior on the SRX device in Company B's network?

Question78: In which situation is NAT proxy NDP required?

Question79: You are responding to a proposal request from an enterprise with multiple branch offices. All branch offices connect to a single SRX device at a centralized location. The request requires each office to be segregated on the central SRX device with separate IP networks and security considerations. No single office should be able to starve the CPU from other branch offices on the central SRX device due to the number of flow sessions. However, connectivity between offices must be maintained. Which three features are required to accomplish this goal? (Choose three.)

Question80: Click the Exhibit button.
root@host# show system login
user user {
uid 2000;
class operator;
authentication {
encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA
]
}
An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down . The administrator is a contractor and has the permissions on the SPX Series device as shown in the exhibit Which command set would allow the administrator to troubleshoot the cause for the VPN being down?

Question81: Click the Exhibit button.
[edit]
user@host# show interfaces
ge-0/0/1 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 20;
}
}
}
ge-0/0/10 {
unit 0 {
family bridge {
interface-mode access;
vlan-id 20;
}
}
}
[edit]
user@host# show bridge-domains
d1 {
domain-type bridge;
vlan-id 20;
}
[edit]
user@host# show security flow bridge
[edit]
user@host# show security zones
security-zone 12 {
host-inbound-traffic {
system-services {
any-service;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/10.0;
}
}
Referring to the exhibit, which statement is true?

Question82:

Question83: Click the Exhibit button.

You have been asked to block YouTube video streaming for internal users. You have implemented the configuration shown in the exhibit, however users are still able to stream videos.
What must be modified to correct the problem?

Question84: As an SRX administrator, you must find all encrypted sessions on an SRX Series device.
Which command would you use to accomplish this task?

Question85: Which three match condition objects are required when creating IPS rules? (Choose three.)

Question86: Which problem is introduced by setting the terminal parameter on an IPS rule?

Question87: You have installed a new IPS license on your SRX device and successfully downloaded the attack signature database. However, when you run the command to install the database, the database fails to install. What are two reasons for the failure? (Choose two.)

Question88: A local user complains that they cannot connect to an FTP server on the DMZ network. You investigate and confirm that the security policy allows FTP traffic from the trust zone to the DMZ zone.
What are two reasons for this problem? (Choose two.)

Question89: Click the Exhibit button.
user@host> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3271043 UP 7f42284089404673 95fd8408940438d8 Main 172.31.50.2
user@host> show security ipsec security-associations
Total active tunnels: 0
user@host> show log phase2
Feb 2 14:21:18 host kmd[1088]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN:
vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0 Feb 2 14:21:18 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4 (1.1.1.1) Feb 2 14:21:54 host kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local:
172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR- ID: 0 Feb 2 14:22:19 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip:
ipv4 (2.2.
2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)
You have recently configured an IPsec VPN between an SRX Series device and another non- Junos security device. The phase one tunnel is up but the phase two tunnel is not present.
Referring to the exhibit, what is the cause of this problem?

Question90: What is a secure key management protocol used by IPsec?

Question91: Which configurable SRX Series device feature allows you to capture transit traffic?

Question92: Which statement is true regarding the dynamic VPN feature for Junos devices?

Question93: You are attempting to establish an IPsec VPN between two SRX devices. However, there is another device between the SRX devices that does not pass traffic that is using UDP port 4500.
How would you resolve this problem?

Question94: Which action will allow an administrator to connect in band to an SRX Series device in transparent mode over SSH?

Question95: Click the Exhibit button.
-- Exhibit --
CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/5.0
CID-0:RT: ge-0/0/5.0:10.0.0.2/55892->192.168.1.2/80, tcp, flag 2 syn
CID-0:RT: find flow: table 0x5a386c90, hash 50728(0xffff), sa 10.0.0.2, da 192.168.1.2, sp 55892, dp 80, proto 6, tok 7 CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0 CID-0:RT: flow_first_create_session CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/5.0>, out <N/A> dst_adr 192.168.1.2, sp 55892, dp 80 CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if.
CID-0:RT:flow_first_rule_dst_xlatE. DST no-xlatE. 0.0.0.0(0) to 192.168.1.2(80) CID-0:RT:flow_first_routinG. vr_id 0, call flow_route_lookup(): src_ip 10.0.0.2, x_dst_ip 192.168.1.2, in ifp ge-0/0/5.0, out ifp N/A sp 55892, dp 80, ip_proto 6, tos 10 CID-0:RT:Doing DESTINATION addr route-lookup
CID-0:RT: routed (x_dst_ip 192.168.1.2) from LAN (ge-0/0/5.0 in 0) to ge-0/0/1.0, Next-hop: 172.16.32.1 CID-0:RT:flow_first_policy_searcH. policy search from zone LAN-> zone WAN (0x0,0xda540050,0x50) CID-0:RT:Policy lkup: vsys 0 zone(7:LAN) -> zone(6:WAN) scope:0 CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0 CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6 CID-0:RT: app 6, timeout 1800s, curr ageout 20s
CID-0:RT: packet dropped, denied by policy
CID-0:RT: denied by policy default-policy-00(2), dropping pkt
CID-0:RT: packet dropped, policy deny.
CID-0:RT: flow find session returns error.
CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
CID-0:RT:jsf sess close notify
CID-0:RT:flow_ipv4_del_flow: sess , in hash 32
-- Exhibit --
A host is not able to communicate with a Web server. Based on the logs shown in the exhibit, what is the problem?

Question96: Somebody has inadvertently configured several security policies with application firewall rule sets on an SRX device. These security policies are now dropping traffic that should be allowed. You must find and remove the application firewall rule sets that are associated with these policies. Which two commands allow you to view these associations? (Choose two.)

Question97: Click the Exhibit button.
user@host> show log message
Feb 4 00:04:17 host rpd[4516]: EVENT <UpDowm> st0.0 index 76 <Up Broadcast Multicast> Feb 4 00:04:17 host-kmd[1391]: KMD_PM_SA ESTABLISHED: Local gateway:
192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,
[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Direction: inbound, SPI: 0x8d5816fd, AUX-SPI: 0, Mode: Tunnel, Type:
dynamic, Traffic-selector:
Feb 4 00:04:17 host rpd[4516]: EVENT UpDown st0.0 index 76 10.10.10.1/24 > (null) <Up Broadcast Multicast> Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway:
192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,
[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Direction: outbound, SPI: 0x77f07d5c, AUX-SPI: 0, Mode: Tunnel, Type:
dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-1 from 192.168.10.3 is up.
Local-ip: 192.168.10.1, gateway name: spoke-1, vpn name:
to-spoke-1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip:
10.10.10.3, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.3, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet,(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID:
ipv4_subnet(any:11,[0..7]=0.0.0.0/0)
Feb 4 00:04:17 host mib2d[1385]: SNMP_TRAP_LINK_UP: ifIndex 539,
ifAdminSiLatus up(1), ifOperStatus up(1), ifName st0.0
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLTSHED: Local gateway:
192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4 subnet(any:0,
[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Direction: inbound, SPI: 0x2790a42c, AUX-SPI: 0, Mode: Tunnel, Type:
dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway:
192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0,
[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
Direction: outbound, SPI: 0x2df17ea8, AUX-SPI: 0, Mode: Tunnel, Type:
dynamic, Traffic-selector:
Feb 4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-3 from 192.168.10.5 is up.
Local-ip: 192.168.10.1, gateway name: spoke-3, vpn name:
to-spoke-3, tunnel-id: 131076, local tunnel-if: st0.0, remote tunnel-ip:
Not-Available, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.5, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic- selector local TD: ipv4_subnet (any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0._7]=0.0.0.0/0) Feb 4 00:04:17 host kmd[1391]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: to-spoke-2 Gateway: spoke-2, Local:
192.168.10.1/500, Remote: 192.168.10.4/500, Local IKE-ID: Not-Available, Remote Not-Available, VR-ID:
0
Referring to the exhibit, which statement is correct?
to-spoke-3 VPN is failing.

Question98: You have been asked to configure traffic to flow between two virtual routers (VRs) residing on two unique logical systems (LSYSs) on the same SRX5800.
How would you accomplish this task?

Question99: Which statement is true about Layer 2 zones when implementing transparent mode security?

Question100: You must configure a central SRX device connected to two branch offices with overlapping IP address space. The branch office connections to the central SRX device must reside in separate routing instances.
Which two components are required? (Choose two.)

Question101: Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote
Address
3289542 UP 48d928408940de28 e418fc7702fe483b Main
172.31.50.1
3289543 UP eb45940484082b14 428086b100427326 Main 10.10.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec; security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:des/ shal 6d40899b 1360/ unlim - root 500 10.10.50.1
>131073 ESP:des/ shal 5a89400e 1360/ unlim - root 500 10.10.50.1
<131074 ESP:des/ shal c04046f 1359/ unlim - root 500 172.31.50.1
>131074 ESP:des/ shal 5508946c 1359/ unlim - root 500 172.31.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address Interface State ID Pri Dead
10.40.60.1 st0.0 Init 10.30.50.1 128 35
10.40.60.2 st0.0 Full 10.30.50.1 128 31
[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.
What would you do to resolve this problem?

Question102: What is a benefit of using a group VPN?

Question103: HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?

Question104: Your company has added a connection to a new ISP and you have been asked to send specific traffic to the new ISP. You have decided to implement filter-based forwarding. You have configured new routing instances with type forwarding. You must direct traffic into each instance. Which step would accomplish this goal?

Question105: When configuring AutoVPN, which two actions are required for an administrator to establish communication from the hub site to the spoke sites? (Choose two.)

Question106: You are asked to implement the AppFW feature on an SRX Series device.
Which three tasks must be performed to make the feature work? (Choose three.)

Question107: Click the Exhibit button.

Referring to the topology shown in the exhibit, which two configuration tasks will allow Host A to telnet to the public IP address associated with Server B? (Choose two.)

Question108: -- Exhibit --
[edit security idp]
user@srx# show | no-more
idp-policy basic {
rulebase-ips {
rule 1 {
match {
from-zone untrust;
source-address any;
to-zone trust;
destination-address any;
application default;
attacks {
custom-attacks data-inject;
}
}
then {
action {
recommended;
}
notification {
log-attacks;
}
}
}
}
}
active-policy basic;
custom-attack data-inject {
recommended-action close;
severity critical;
attack-type {
signature {
context mssql-query;
pattern "SELECT * FROM accounts";
direction client-to-server;
}
}
}
-- Exhibit --
You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP.
Which two commands should you use? (Choose two.)

Question109: You recently implemented application firewall rules on an SRX device to act upon encrypted traffic.
However, the encrypted traffic is not being correctly identified. Which two actions will help the SRX device correctly identify the encrypted traffic? (Choose two.)

Question110: What are the three types of attack objects used in an IPS engine? (Choose three.)

Question111: Your company is providing multi-tenant security services on an SRX5800 cluster. You have been asked to create a new logical system (LSYS) for a customer. The customer must be able to access and manage new resources within their LSYS.
How do you accomplish this goal?

Question112: Click the Exhibit button.
[edit] user@host# run show log debug
Feb 3 22:04:31 22:04:31.824294:CID-0:RT:flow_first_policy_search: policy search from zone host-> zone attacker (Ox0,0xe4089404,0x17) Feb 3 22:04:31 22:04:31.824297:CID-0:RT:Policy lkup: vsys 0 zone(9:host) -> zone(10:attacker) scope:
0
Feb 3 22:04:31 22:04:31.824770:CID-0:RT: 5.0.0.25/59028 -> 25.0.0.25/23 proto 6 Feb 3 22:04:31 22:04:31.824778:CID-0:RT:Policy lkup: vsys 0 zone(5:Umkmowm) -> zone (5:Umkmowm) scope: 0 Feb 3 22:04:31 22:04:31.824780:CID-0:RT: 5.0.0.25/59028 -> 25.0.0.25/23 proto 6 Feb 3 22:04:31 22:04:31.824783:CID-0:RT: app 10, timeout 1800s, curr ageout 20s Feb 3 22:04:31 22:04:31.824785:CID-0:RT: permitted by policy default-policy-00(2) Feb 3 22:04:31 22:04:31.824787:CID-0:RT: packet passed, Permitted by policy.
Feb 3 22:04:31 22:04:31.824790:CID-0:RT:flow_first_src_xlate:
nat_src_xlated: False, nat_src_xlate_failed; False
Feb 3 22:04:31 22:04:31.824834:CID-0:RT:flow_first_src_xlate: incoming src port is: 38118 Which two statements are true regarding the output shown in the exhibit? (Choose two.)

Question113: -- Exhibit --
[edit security]
user@srx# show
idp {
idp-policy NewPolicy {
rulebase-exempt {
rule 1 {
description AllowExternalRule;
match {
source-address any;
destination-address
}
}
}
}
}
-- Exhibit --
You are performing the initial IDP installation on your new SRX device. You have configured the IDP exempt rulebase as shown in the exhibit, but the commit is not successful.
Referring to the exhibit, what solves the issue?

Question114: You are asked to ensure traffic from your executive staff does not use the same ISP connection as your other traffic.
Which three actions are required to accomplish this task? (Choose three)

Question115: You are asked to apply individual upload and download bandwidth limits to YouTube traffic. Where in the configuration would you create the necessary bandwidth limits?

Question116: Click the Exhibit button.
user @host> show bgp summary logical-system LSYS1
Groups : 11 Peers : 10 Down peers: 1
Table Tot. Paths Act Paths Suppressed History Damp State
Pending
inet.0 141 129 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/ Damped...
192.168.64.12 65008 11153 11459 0 26 3d
3:10:43 9/10/10/0 0/0/0/0
192.168.72.12 65009 11171 11457 0 26 3d
3:10:39 11/12/12/0 0/0/0/0
192.168.80.12 65010 9480 9729 0 27 3d
3:10:42 11/12/12/0 0/0/0/0
192.168.88.12 65011 11171 11457 0 25 3d
3:10:31 12/13/13/0 0/0/0/0
192.168.96.12 65012 9479 9729 0 26 3d
3:10:34 12/13/13/0 0/0/0/0
192.168.10.12 65013 111689 11460 0 27 3d
3:10:46 9/10/10/0 0/0/0/0
192.168.11.12 65014 111688 11458 0 25 3d
3:10:42 9/10/10/0 0/0/0/0
192.168.12.12 65015 111687 11457 0 25 3d
3:10:38 9/10/10/0 0/0/0/0
192.68.11.12 650168 9478 9729 0 25 3d
3:10:42 9/10/10/0 0/0/0/0
192.168.13.12 65017 111687 11457 0 27 3d
3:10:30 9/10/10/0 0/0/0/0
192.168.16.12 65017 111687 11457 0 27 1w3d2h
Connect
user@host> show interfaces ge-0/0/7.0 extensive
Logical interface ge-0/0/7.0 (Index 76) (SNMP ifIndex 548) (Generation 141)
...
Security: Zone: log
Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rloqin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip
r2cp
Flow Statistics:
Flow Input statistics:
Self packets: 0
ICMP packets: 0
VPN packets: 0
Multicast packets: 0
Bytes permitted by policy: 0
Connections established: 0
Flow Output statistics:
Multicast packets: 0
Bytes permitted by policy: 0
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self pakets: 0
No minor session: 0
No more sessions: 589723
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1500, Generation: 1685, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, F1ags: Is-Preferred Is-Primary
Destination: 10.5.123/24, Local: 10.5.123.3, Broadcast:
10.5.123.255, Generation: 156
Protocol multiservice, MTU: Unlimited, Generation: 1686, Route table: 0 Policer: Input: __default_arp_policer__
...
...
An SRX Series device has been configured with a logical system LSYS1. One of the BGP peers is down.
Referring to the exhibit, which statement explains this problem?

Question117: Which configuration statement would allow the SRX Series device to match a signature only on the first match, and not subsequent signature matches in a connection?

Question118: -- Exhibit --
security {
nat {
destination {
pool Web-Server {
address 10.0.1.5/32;
}
rule-set From-Internet {
from zone Untrust;
rule To-Web-Server {
match {
source-address 0.0.0.0/0;
destination-address 172.16.1.7/32;
}
then {
destination-nat pool Web-Server;
}
}
}
}
}
zones {
security-zone Untrust {
address-book {
address Web-Server-External 172.16.1.7/32;
address Web-Server-Internal 10.0.1.5/32;
}
interfaces {
ge-0/0/0.0;
}
}
security-zone DMZ {
address-book {
address Web-Server-External 172.16.1.7/32;
address Web-Server-Internal 10.0.1.5/32;
}
interfaces {
ge-0/0/1.0;
}
}
}
}
-- Exhibit --
You are migrating from one external address block to a different external address block. You want to enable a smooth transition to the new address block. You temporarily want to allow external users to contact the Web server using both the existing external address as well as the new external address
192.168.1.1.
How do you accomplish this goal?

Question119: Your SRX device is performing NAT to provide an internal resource with a public address. Your DNS server is on the same network segment as the server. You want your internal hosts to be able to reach the internal resource using the DNS name of the resource.
How do you accomplish this goal?

Question120: Click the Exhibit button.

Traffic is flowing between the Host-1 and Host-2 devices through a hub-and-spoke IPsec VPN. All devices are SRX Series devices.
Referring to the exhibit, which two statements are correct? (Choose two.)

Question121: Click the Exhibit button.
user@host# run show security flow session
...
Session ID: 28, Policy name: allow/5, Timeout: 2, Valid
In: 172.168.1.2/24800 --> 66.168.100.100/8001; tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 64 Out: 10.168.100.1/8001 --> 172.168.1.2/24800; tcp, If: ge-0/0/6.0, Pkts: 1, Bytes: 40 Your customer is unable to reach your HTTP server that is connected to the ge-0/0/6 interface. The HTTP server has an address of 10.168.100.1 on port 80 internally, but is accessed publicly using interface ge-
0/0/3 with the address 66.168.100.100 on port 8001.
Referring to the exhibit, what is causing this problem?

Question122: What is the default action for an SRX device in transparent mode to determine the outgoing interface for an unknown destination MAC address?

Question123: You must ensure that your Layer 2 traffic is secured on your SRX Series device in transparent mode.
What must be considered when accomplishing this task?

Question124: You want to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, without the internal resource having previously sent packets to the external hosts. Which configuration setting will accomplish this goal?

Question125: You are asked to configure class of service (CoS) on an SRX device running in transparent mode. Which command would you use?

Question126: Click the Exhibit button.

An attacker is using a nonstandard port for HTTP for reconnaissance into your network. Referring to the exhibit, which two statements are true? (Choose two.)

Question127: Your company provides managed services for two customers. Each customer has been segregated within its own routing instance on your SRX device. Customer A and customer B inform you that they need to be able to reach certain hosts on each other's network. Which two configuration settings would be used to share routes between these routing instances? (Choose two.)

Question128: You are using the AppDoS feature to control against malicious bot client attacks. The bot clients are using file downloads to attack your server farm. You have configured a context value rate of 10,000 hits in 60 seconds. At which threshold will the bot clients no longer be classified as malicious?

Question129: Click the Exhibit button
[edit security]
user@host# show policies
global {
policy new-policy {
match {
source-address any;
destination-address any;
application junos-https;
}
then {
permit {
application-services {
application-firewall {
rule-set appfw;
}
}
}
}
}
}
[edit security]
user@host# show application-firewall
rule-sets appfw {
rule 1 {
match {
dynamic-application junos:SSL;
}
then {
permit;
}
}
rule 2 {
match {
dynamic-application junos:HTTP;
}
then {
reject;
}
}
default-rule {
permit;
}
}
Referring to the exhibit, which two statements are correct? (Choose two.)

Question130: Your manager asks you to show which attacks have been detected on your SRX Series device using the IPS feature.
Which command would you use to accomplish this task?

Question131: What are two configurable routing instance types? (Choose two.)

Question132: You are asked to change the configuration of your company's SRX device so that you can block nested traffic from certain Web sites, but the main pages of these Web sites must remain available to users.
Which two methods will accomplish this goal? (Choose two.)

Question133: You want to route traffic between two newly created virtual routers without the use of logical systems using the configuration options on the SRX5800.
Which two methods of forwarding, between virtual routers, would you recommend? (Choose two.)

Question134: You are asked to secure your company's Web presence. This includes using an SRX Series device to inspect SSL traffic going to the Web servers in your DMZ.
Which two actions are required to accomplish this task? (Choose two.)

Question135: Click the Exhibit button.

Referring to the exhibit, the session close log was generated by the application firewall rule set HTTP.
Why did the session close?

Question136: Which two statements are true about persistent NAT? (Choose two.)

Question137: You want requests from the same internal transport address to be mapped to the same external transport address. Only internal hosts can initialize the session. Which Junos configuration setting supports the requirements?

Question138: Click the Exhibit button.

You receive complaints from users that their Web browsing sessions keep dropping prematurely. Upon investigation, you find that the IDP policy shown in the exhibit is detecting the users' sessions as HTTP:WIN-CMD:WIN-CMD-EXE attacks, even though their sessions are not actual attacks. You must allow these sessions but still inspect for all other relevant attacks.
How would you configure your SRX device to meet this goal?

Question139: You are asked to design a solution to verify IPsec peer reachability with data path forwarding.
Which feature would meet the design requirements?

Question140: Which QoS function is supported in transparent mode?

Question141: Which two configuration components are required for enabling transparent mode on an SRX device?
(Choose two.)

Question142: You are asked to merge the corporate network with the network from a recently acquired company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX device serves as the gateway for each network. Which solution allows you to merge the two networks without adjusting the current address assignments?

Question143: Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two.)

Question144: You are asked to deploy a group VPN between various sites associated with your company. The gateway devices at the remote locations are SRX240 devices. Which two statements about the new deployment are true? (Choose two.)

Question145: You are asked to implement a Dynamic IPsec VPN on your new SRX240. You are required to facilitate up to 5 simultaneous users.
Which two statements must be considered when accomplishing the task?

Question146: An SRX Series device is configured for inline tap mode.
What will occur if Drop Packet is selected?

Question147: When does attack signature matching occur in the IPS packet processing flow on an SRX Series device?

Question148: You want to query User Group membership directly using the integrated user firewall services from an Active Directory controller to an SRX Series device.
Which two actions are required? (Choose two.)

Question149: Microsoft has altered the way their Web-based Hotmail application works. You want to update your application firewall policy to correctly identify the altered Hotmail application. Which two steps must you take to modify the application? (Choose two.)

Question150: [edit]
useu@host# run show log debug
Feb 3 22:04:32 22:04:31.983991:CID-0:RT: ge-0/0/1.0:5.0.0.25/59028-
>25.0.0.25/23, tcp, flag 18
Feb 3 22:04:32 22:04:31.983997:CID-0:RT: find flow: table 0x582738c0, hash
53561(0xffff), sa 5.0.0.25, da 5.0.0.25, sp 59028, dp 23, proto 6, tok 20489 Feb 3 22:04:32 22:04:31.984004:CID-0:RT:Found: session id 0x14f98. sess tok
20489
Feb 3 22:04:32 22:04:31.984005:CID-0:RT: flow got session.
Feb 3 22:04:32 22:04:31.984006:CID-0:RT: flow session id 85912
Feb 3 22:04:32 22:04:31.984009:CID-0:RT: vector bits 0x2 vector 0x53a949e8 Feb 3 22:04:32 22:04:31.984012:CID-0:RT: tcp sec check.
Feb 3 22:04:32 22:04:31.984015:CID-0:RT:mbuf 0x4a82cd80, exit nh 0xa0010 Which two statements are true regarding the output shown in the exhibit? (Choose two.)

Question151: Click the Exhibit button.
[edit security application-firewall]
user@host# show
rule-sets web {
rule one {
match {
dynamic-application junos:HTTP;
}
then {
permit;
}
}
default-rule {
reject;
}
}
What will happen to non-HTTP traffic that matches the application-firewall policy shown in the exhibit?

Question152: An external host is attacking your network. The host sends an HTTP request to a Web server, but does not include the version of HTTP in the request.
Which type of attack is being performed?

Question153: Given the following session output:
Session ID. , Policy namE. default-policy-00/2, StatE. Active, Timeout: 1794, Valid In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, IF. reth0.0, Pkts: 4, Bytes: 574 Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, IF. reth1.0, Pkts: 3, Bytes:
Which statement is correct about the security flow session output?

Question154: Click the Exhibit button.

TCP traffic sourced from Host A destined for Host B is being redirected using filter-based forwarding to use the Red network. However, return traffic from Host B destined for Host A is using the Blue network and getting dropped by the SRX device.
Which action will resolve the issue?

Question155: Click the Exhibit button.

[edit security nat static rule-set 12]
user@SRX2# show
from zone untrust;
rule 1 {
match {
destination-address 192.168.1.1/32;
}
then {
static-nat {
prefix {
10.60.60.1/32;
}
}
}
}
Host-2 initiates communication with Host-1. All other routing and policies are in place to allow the traffic.
What is the result of the communication?

Question156: You have recently deployed a dynamic VPN. The remote users are complaining that communications with devices on the same subnet as the SRX device are intermittent and often fail. The tunnel is stable and up, and communications with remote devices on different subnets work without any issues. Which configuration setting would resolve this issue?

Question157: Click the Exhibit button.

IPv6 to IPv4 addresses are not being translated as shown in the exhibit.
Which two configurations would resolve the problem? (Choose two.)

Question158: You are asked to provide access for an external VoIP server to VoIP phones in your network using private addresses. However, due to security concerns, the VoIP server should only be able to initiate connections to each phone once the phone has logged into the VoIP server. The VoIP server requires access to the phones using multiple ports.
Which type of persistent NAT is required?

Question159: Click the Exhibit button.
-- Exhibit --
[edit]
user@srx# run show route
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:09:08
> to 172.18.1.1 via ge-0/0/3.0
10.210.14.128/27 *[Direct/0] 8w6d 15:43:09
> via ge-0/0/0.0
10.210.14.135/32 *[Local/0] 11w0d 06:43:04
Local via ge-0/0/0.0
172.18.1.0/30 *[Direct/0] 8w6d 15:43:01
> via ge-0/0/3.0
172.18.1.2/32 *[Local/0] 11w0d 06:43:03
Local via ge-0/0/3.0
172.19.1.0/24 *[Direct/0] 03:46:56
> via ge-0/0/1.0
172.19.1.1/32 *[Local/0] 03:46:56
Local via ge-0/0/1.0
172.20.105.0/24 *[Direct/0] 03:46:56
> via ge-0/0/4.105
172.20.105.1/32 *[Local/0] 03:46:56
Local via ge-0/0/4.105
192.168.30.1/32 *[Direct/0] 4d 03:44:41
> via lo0.0
fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:11
> to 172.19.1.2 via ge-0/0/1.0
172.19.1.0/24 *[Direct/0] 00:00:11
> via ge-0/0/1.0
[edit]
user@srx# show routing-instances
fbf {
routing-options {
static {
route 0.0.0.0/0 next-hop 172.19.1.2;
}
}
}
[edit]
user@srx# show routing-options
interface-routes {
rib-group inet fbf-int;
}
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
fbf-int {
import-rib [ inet.0 fbf.inet.0 ];
import-policy fbf-pol;
}
}
[edit]
user@srx# show policy-options policy-statement fbf-pol
term 1 {
from interface ge-0/0/1.0;
to rib fbf.inet.0;
then accept;
}
term 2 {
then reject;
}
-- Exhibit --
Referring to the exhibit, you notice that filter-based forwarding is not working.
What is the reason for this behavior?

Question160: You are asked to configure your SRX Series device to support IDP SSL inspections for up to 6,000 concurrent HTTP sessions to a server within your network.
Which two statements are true in this scenario? (Choose two.)

Question161: You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office is a chassis cluster formed from two SRX240s.
Which two statements about this deployment are true? (Choose two.)

Question162: Click the Exhibit button.

In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not producing the expected results. Part of the configuration is shown in the exhibit. When you run the show route table isp1 command, you do not see the default route listed.
What is causing this behavior?