JN0 333 v2
QUESTION 1
What are two supported hypervisors for hosting a vSRX? (Choose two.)
A. VMware ESXi
B. Solaris Zones
C. KVM
D. Docker
Correct Answer: AC
QUESTION 2
You are asked to change when your SRX high availability failover occurs. One network interface is considered
more important than others in the high availability configuration. You want to prioritize failover based on the
state of that interface.
A. Create a VRRP group configuration that lists the reth's IP address as the VIP while using each physical
interface that makes up the reth definition of each SRX HA pair.
B. Configure IP monitoring of the important interface’s IP address and adjust the heartbeat interval and
heartbeat threshold to the shortest settings.
C. Create a separate redundancy group to isolate the important interface; set the priority of the new
redundancy group to 255.
D. Configure interface monitor inside the redundancy group that contains the important physical interface;
adjust the weight associated with the monitored interface to 255.
Correct Answer: D
QUESTION 3
Which three Encapsulating Security Payload protocols do the SRX Series devices support with IPsec?
(Choose three.)
A. DES
B. RC6
C. TLS
D. AES
E. 3DES
QUESTION 4
What are three characteristics of session-based forwarding, compared to packet-based forwarding, on an SRX
Series device? (Choose three.)
QUESTION 5
You have configured source NAT with port address translation. You also need to guarantee that the same IP
address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.
A. port block-allocation
B. port range twin-port
C. address-persistent
D. address-pooling paired
Correct Answer: D
QUESTION 6
Click the Exhibit button.
Referring to the exhibit, what will happen if client 172.16.128.50 tries to connect to destination
192.168.150.111 using HTTP?
Correct Answer: D
QUESTION 7
Click the Exhibit button.
Which feature is enabled with destination NAT as shown in the exhibit?
A. NAT overload
B. block allocation
C. port translation
D. NAT hairpinning
Correct Answer: D
QUESTION 8
Which two statements about security policy actions are true? (Choose two.)
Correct Answer: BD
QUESTION 9
Which two statements are true about global security policies? (Choose two.)
Correct Answer: BC
QUESTION 10
Which statement is true about functional zones?
Correct Answer: C
QUESTION 11
You have recently configured an IPsec tunnel between two SRX Series devices. One of the devices is
assigned an IP address using DHCP with an IP address that changes frequently. Initial testing indicates that
the IPsec tunnel is not working. Troubleshooting has revealed that Phase 1 negotiations are failing.
A. Verify that the device with the IP address assigned by DHCP is the traffic initiator.
B. Verify that VPN monitoring is enabled.
C. Verify that the IKE policy is configured for aggressive mode.
D. Verify that PKI is properly configured.
Correct Answer: AC
QUESTION 12
Click the Exhibit button.
Which statement would explain why the IP-monitoring feature is functioning incorrectly?
A. The global weight value is too large for the configured global threshold.
B. The secondary IP address should be on a different subnet than the reth IP address.
C. The secondary IP address is the same as the reth IP address.
D. The monitored IP address is not on the same subnet as the reth IP address.
Correct Answer: C
QUESTION 13
Click the Exhibit button.
You have configured NAT on your network so that Host A can communicate with Server B. You want to
ensure that Host C can initiate communication with Host A using Host A’s reflexive address.
Referring to the exhibit, which parameter should you configure on the SRX Series device to satisfy this
requirement?
Correct Answer: A
QUESTION 14
Which feature is used when you want to permit traffic on an SRX Series device only at specific times?
A. scheduler
B. pass-through authentication
C. ALGs
D. counters
Correct Answer: A
QUESTION 15
Which two modes are supported during the Phase 1 IKE negotiations used to establish an IPsec tunnel?
(Choose two.)
A. transport mode
B. aggressive mode
C. main mode
D. tunnel mode
Correct Answer: BC
QUESTION 16
Which statement describes the function of NAT?
Correct Answer: C
QUESTION 17
Click the Exhibit button.
You are monitoring traffic on your SRX300, which was configured using the factory default security parameters.
You notice that the SRX300 is not blocking traffic between Host A and Host B as expected.
Correct Answer: D
QUESTION 18
What is the function of redundancy group 0 in a chassis cluster?
A. Redundancy group 0 identifies the node controlling the cluster management interface IP addresses.
B. The primary node for redundancy group 0 identifies the first member node in a chassis cluster.
C. The primary node for redundancy group 0 determines the interface naming for all chassis cluster nodes.
D. The node on which redundancy group 0 is primary determines which Routing Engine is active in the
cluster.
Correct Answer: D
QUESTION 19
Which statement describes the function of screen options?
Correct Answer: B
QUESTION 20
You want to protect your SRX Series device from the ping-of-death attack coming from the untrust security
zone.
Correct Answer: D
QUESTION 21
After an SRX Series device processes the first packet of a session, how are subsequent packets for the same
session processed?
A. They are processed using fast-path processing.
B. They are forwarded to the control plane for deep packet inspection.
C. All packets are processed in the same manner.
D. They are queued on the outbound interface until a matching security policy is found.
Correct Answer: A
QUESTION 22
You must verify if destination NAT is actively being used by users connecting to an internal server from the
Internet.
Correct Answer: A
QUESTION 23
Which interface is used exclusively to forward Ethernet-switching traffic between two chassis cluster nodes?
A. swfab0
B. fxp0
C. fab0
D. me0
Correct Answer: A
QUESTION 24
Which three statements describe traditional firewalls? (Choose three.)
QUESTION 25
Which SRX5400 component is responsible for performing first pass security policy inspection?
A. Routing Engine
B. Switch Control Board
C. Services Processing Unit
D. Modular Port Concentrator
Correct Answer: C
QUESTION 26
Click the Exhibit button.
The inside server must communicate with the external DNS server. The internal DNS server address is
10.100.75.75. The external DNS server address is 75.75.76.76. Traffic from the inside server to the DNS
server fails.
Correct Answer: A
QUESTION 27
Click the Exhibit button.
Users at a remote office are unable to access an FTP server located at the remote corporate data center as
expected. The remote FTP server is listening on the non-standard TCP port 2121.
A. The FTP clients must be configured to listen on non-standard client ports for the FTP data channel
negotiations to succeed.
B. Two custom FTP applications must be defined to allow bidirectional FTP communication through the SRX
Series device.
C. The custom FTP application definition does not have the FTP ALG enabled.
D. A new security policy must be defined between the untrust and trust zones.
Correct Answer: D
QUESTION 28
You want to trigger failover of redundancy group 1, currently running on node 0, and make node 1 the primary
node for redundancy group 1.
Correct Answer: B
QUESTION 29
You need to configure an IPsec tunnel between a remote site and a hub site. The SRX Series device at the
remote site receives a dynamic IP address on the external interface that you will use for IPsec.
A. NAT-T
B. crypto suite B
C. aggressive mode
D. IKEv2
Correct Answer: C
QUESTION 30
Which statement is true about high availability (HA) chassis clusters for the SRX Series device?
Correct Answer: C
QUESTION 31
What is the maximum number of redundancy groups that would be used on a chassis cluster?
A. The maximum number of redundancy groups used is equal to the number of configured physical interfaces.
B. The maximum number of redundancy groups used is equal to one more than the number of configured
physical interfaces.
C. The maximum number of redundancy groups used is equal to the number of configured logical interfaces.
D. The maximum number of redundancy groups used is equal to one more than the number of configured
logical interfaces.
Correct Answer: C
QUESTION 32
You want to ensure that any certificates used in your IPsec implementation do not expire while in use by your
SRX Series devices.
A. RSA
B. TLS
C. SCEP
D. CRL
Correct Answer: C
QUESTION 33
What are two valid zones available on an SRX Series device? (Choose two.)
A. security zones
B. policy zones
C. transit zones
D. functional zones
Correct Answer: AD
QUESTION 34
What are three valid virtual interface types for a vSRX? (Choose three.)
A. SR-IOV
B. fxp0
C. eth0
D. VMXNET 3
E. virtio
Correct Answer: ABD
QUESTION 35
Clients at a remote office are accessing a website that is against your company Internet policy. You change
the action of the security policy that controls HTTP access from permit to deny on the remote office SRX
Series device. After committing the policy change, you notice that new users cannot access the website but
users that have existing sessions on the device still have access. You want to block all user sessions
immediately.
Which change would you make on the SRX Series device to accomplish this task?
A. Add the set security flow tcp-session rst-invalidate-session option to the configuration
and commit the change.
B. Add the set security policies policy-rematch parameter to the configuration and commit the
change.
C. Add the security flow tcp-session strict-syn-check option to the configuration and commit
the change.
D. Issue the commit full command from the top of the configuration hierarchy.
Correct Answer: B
QUESTION 36
Screens help prevent which three attack types? (Choose three.)
A. SYN flood
B. port scan
C. NTP amplification
D. ICMP fragmentation
E. SQL injection
QUESTION 37
Click the Exhibit button.
Referring to the exhibit, what will happen if client 172.16.128.50 tries to connect to destination 192.168.150.3
using HTTP?
Correct Answer: C
QUESTION 38
A link from the branch SRX Series device chassis cluster to the Internet requires more bandwidth.
In this scenario, which command would you issue to begin provisioning a second link?
Correct Answer: B
QUESTION 39
Click the Exhibit button.
Referring to the exhibit, what does proxy ARP allow?
A. the internal network to ARP for the internal address of the server
B. the external network to ARP for the internal address of the server
C. the internal network to ARP for the public address of the server
D. the external network to ARP for the public address of the server
Correct Answer: A
QUESTION 40
You are asked to support source NAT for an application that requires that its original source port not be
changed.
A. Configure a source NAT rule that references an IP address pool with interface proxy ARP enabled.
B. Configure the egress interface to source NAT fixed-port status.
C. Configure a source NAT rule that references an IP address pool with the port no-translation
parameter enabled.
D. Configure a source NAT rule that sets the egress interface to the overload status.
Correct Answer: C
QUESTION 41
Click the Exhibit button.
Host A is attempting to connect to Host B using the domain name, which is tied to a public IP address. All
attempts to connect to Host B have failed. You have examined the configuration on your SRX340 and
determined that a NAT policy is required.
Referring to the exhibit, which two NAT types will allow Host A to connect to Host B? (Choose two.)
A. source NAT
B. NAT-T
C. destination NAT
D. static NAT
Correct Answer: CD
QUESTION 42
Click the Exhibit button.
Referring to the exhibit, which statement is true?
A. Packets entering the interface are being dropped because of a stateless filter.
B. Packets entering the interface matching an ALG are getting dropped.
C. TCP packets entering the interface are failing the TCP sequence check.
D. Packets entering the interface are getting dropped because the interface is not bound to a zone.
Correct Answer: D
QUESTION 43
Which three elements does AH provide in an IPsec implementation? (Choose three.)
A. confidentiality
B. authentication
C. integrity
D. availability
E. replay attack protection
QUESTION 44
What is the correct ordering of Junos policy evaluation from first to last?
Correct Answer: D
QUESTION 45
Click the Exhibit button.
A customer would like to monitor their VPN using dead peer detection.
Referring to the exhibit, for how many minutes was the peer down before the customer was notified?
A. 5
B. 3
C. 4
D. 2
Correct Answer: A
QUESTION 46
Click the Exhibit button.
Referring to the exhibit, which action will be taken for traffic coming from the untrust zone going to the trust
zone?
Correct Answer: B
QUESTION 47
Click the Exhibit button.
Referring to the exhibit, which statement is true?
A. TCP packets entering the interface are failing the TCP sequence check.
B. Packets entering the interface are being dropped due to a stateless filter.
C. Packets entering the interface are getting dropped because there is no route to the destination.
D. Packets entering the interface matching an ALG are getting dropped.
Correct Answer: C
QUESTION 48
Click the Exhibit button.
You are configuring security policies with Junos Space Security Director.
Referring to the exhibit, which two statements are true? (Choose two.)
Correct Answer: BD
QUESTION 49
Which process describes the implementation of screen options on an SRX Series device?
A. Configured screen options are only applied when traffic does not match a valid route.
B. Configured screen options are applied only to the first packet that is processed in a stateful session.
C. Configured screen options are applied to all packets that are processed by the stateful session firewall
processor.
D. Configured screen options are only applied when traffic does not match a valid policy.
Correct Answer: C
QUESTION 50
Which two statements are true when implementing source NAT on an SRX Series device? (Choose two.)
Correct Answer: BD
QUESTION 51
What are three defined zone types on an SRX Series device?
A. dynamic
B. junos-host
C. null
D. functional
E. routing
QUESTION 52
Which host-inbound-traffic security zone parameter would allow access to the REST API configured to listen
on custom TCP port 5080?
A. http
B. all
C. xnm-clear-text
D. any-service
Correct Answer: D
QUESTION 53
A session token on an SRX Series device is derived from what information? (Choose two.)
A. routing instance
B. zone
C. screen
D. MAC address
Correct Answer: AB
QUESTION 54
You want to implement IPsec on your SRX Series devices, but you do not want to use a preshared key.
Correct Answer: A
QUESTION 55
Your network includes IPsec tunnels. One IPsec tunnel transits an SRX Series device with NAT configured.
You must ensure that the IPsec tunnels function properly.
Correct Answer: B
QUESTION 56
You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1
negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)
A. Verify that the IKE gateway proposals on the initiator and responder are the same.
B. Verify that the VPN tunnel configuration references the correct IKE gateway.
C. Verify that the IPsec policy references the correct IKE proposals.
D. Verify that the IKE initiator is configured for main mode.
Correct Answer: AC
QUESTION 57
You are changing the default vCPU allocation on a vSRX.
A. The vCPUs are allocated equally across the Junos control plane and packet forwarding engine.
B. One dedicated vCPU is allocated for the Junos control plane and the remaining vCPUs for the packet
forwarding engine.
C. One dedicated vCPU is allocated for the packet forwarding engine, one for the Junos control plane, and
the remaining vCPUs are equally balanced.
D. One dedicated vCPU is allocated for the packet forwarding engine and the remaining vCPUs for the Junos
control plane.
Correct Answer: B
QUESTION 58
Which action will restrict SSH access to an SRX Series device from a specific IP address which is connected
to a security zone named trust?
Correct Answer: D
QUESTION 59
Click the Exhibit button.
You notice that your SRX Series device is not blocking HTTP traffic as expected.
Correct Answer: B
QUESTION 60
Your internal webserver uses port 8088 for inbound connections. You want to allow external HTTP traffic to
connect to the webserver.
A. Create a custom application for port 8088 and create a security policy that permits the custom-http
application.
B. Remap port 80 to port 8088 in the junos-http application and create a security policy that permits the
junos-http application.
C. Use destination NAT to remap incoming traffic from port 80 to port 8088.
D. Create an Application Layer Gateway to permit HTTP traffic on port 8088.
Correct Answer: AC
QUESTION 61
Which type of VPN provides a secure method of transporting encrypted IP traffic?
A. IPsec
B. Layer 3 VPN
C. VPLS
D. Layer 2 VPN
Correct Answer: A
QUESTION 62
Which statement is true about Perfect Forward Secrecy (PFS)?
Correct Answer: C
QUESTION 63
What are two fields that an SRX Series device examines to determine if a packet is associated with an
existing flow? (Choose two.)
A. protocol
B. source IP address
C. source MAC address
D. type of service
Correct Answer: AB
QUESTION 64
In a chassis cluster, which two characteristics are true regarding reth interfaces? (Choose two.)
Correct Answer: AB
QUESTION 65
Click the Exhibit button.
You have an IPsec tunnel between two devices. You clear the IKE security associations, but traffic continues
to flow across the tunnel.
A. The IPsec security association is independent from the IKE security association
B. The traffic is no longer encrypted
C. The IKE security association immediately reestablishes
D. The traffic is using an alternate path
Correct Answer: AB
QUESTION 66
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
Correct Answer: BD
QUESTION 67
Which statement is true when destination NAT is performed?
A. The source IP address is translated according to the configured destination NAT rules and then the
security policies are applied.
B. The destination IP address is translated according to the configured source NAT rules and then the
security policies are applied.
C. The destination IP address is translated according to the configured security policies and then the security
destination NAT rules are applied.
D. The destination IP address is translated according to the configured destination NAT rules and then the
security policies are applied.
Correct Answer: D
QUESTION 68
Which UDP port is used in IPsec tunneling when NAT-T is in use?
A. 50
B. 4500
C. 500
D. 51
Correct Answer: B
QUESTION 69
What is the maximum number of supported interfaces on a vSRX hosted in a VMware environment?
A. 12
B. 3
C. 10
D. 4
Correct Answer: A
QUESTION 70
Click the Exhibit button.
You are trying to create a security policy on your SRX Series device that permits HTTP traffic from your
private 172.25.11.0/24 subnet to the Internet. You create a policy named permit-http between the trust
and untrust zones that permits HTTP traffic.
When you issue a commit command to apply the configuration changes, the commit fails with the error shown
in the exhibit.
Correct Answer: BC
QUESTION 71
Click the Exhibit button.
You are configuring an OSPF session between two SRX Series devices. The session will not come up.
Referring to the exhibit, which configuration change will solve this problem?
A. Configure a loopback interface and add it to the trust zone.
B. Configure the host-inbound-traffic protocols ospf parameter in the trust security zone.
C. Configure the application junos-ospf parameter in the allow-trusted-traffic security policy.
D. Configure the host-inbound-traffic system-services any-service parameter in the trust
security zone.
Correct Answer: A
QUESTION 72
Click the Exhibit button.
Referring to the exhibit, what will happen if client 172.16.128.50 tries to connect to destination 192.168.150.3
using HTTP?
A. The client will be permitted by policy p1.
B. The client will be denied by policy p3.
C. The client will be denied by policy p2.
D. The client will be permitted by the global policy.
Correct Answer: D
QUESTION 73
You want to support reth LAG interfaces on a chassis cluster.
Which setting must be enabled on the interconnecting switch to accomplish this task?
A. RSTP
B. 802.3ad
C. swfab
D. LLDP
Correct Answer: B
QUESTION 74
You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1
negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)
A. Verify that the IKE gateway proposals on the initiator and responder are the same.
B. Verify that the VPN tunnel configuration references the correct IKE gateway.
C. Verify that the IKE initiator is configured for main mode.
D. Verify that the IPsec policy references the correct IKE proposals.
Correct Answer: AB
QUESTION 75
Click the Exhibit button.
Which two statements describe the output shown in the exhibit? (Choose two.)
Correct Answer: BD