New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Juniper > JNCIP-SEC > JN0-637

JN0-637 Security, Professional (JNCIP-SEC) Question and Answers

Question # 4

Exhibit:

Which two statements are correct about the output shown in the exhibit. (Choose Two)

A.

The data shown requires a traceoptions flag of basic-datapath.

B.

The data shown requires a traceoptions flag of host-traffic.

C.

The packet is dropped by the default security policy.

D.

The packet is dropped by a configured security policy.

Full Access
Question # 5

You want to enable transparent mode on your SRX series device.

In this scenario, which three actions should you perform? (Choose three.)

A.

Enable the ethernet-switching family on your Layer 2 interfaces

B.

Install a Layer 2 feature license.

C.

Reboot the SRX device.

D.

Ensure that no IRB interfaces are configured on the device.

E.

Add your Layer 2 interfaces to a security zone.

Full Access
Question # 6

You want to deploy two vSRX instances in different public cloud providers to provide redundant security services for your network. Layer 2 connectivity between the two vSRX instances is not possible.

What would you configure on the vSRX instances to accomplish this task?

A.

Chassis cluster

B.

Secure wire

C.

Multinode HA

D.

Virtual chassis

Full Access
Question # 7

A customer wants to be able to initiate a return connection to an internal host from a specific

Server.

Which NAT feature would you use in this scenario?

A.

target-host

B.

any-remote-host

C.

port-overloading

D.

target-server

Full Access
Question # 8

Which encapsulation type must be configured on the lt-0/0/0 logical units for an interconnect

logical systems VPLS switch?

A.

encapsulation ethernet-bridge

B.

encapsulation ethernet

C.

encapsulation ethernet-vpls

D.

encapsulation vlan-vpls

Full Access
Question # 9

You are asked to configure tenant systems.

Which two statements are true in this scenario? (Choose two.)

A.

A tenant system can have only one administrator.

B.

After successful configuration, the changes are merged into the primary database for each tenant system.

C.

Tenant systems have their own configuration database.

D.

You can commit multiple tenant systems at a time.

Full Access
Question # 10

Referring to the exhibit, you have been assigned the user LogicalSYS1 credentials shown in

the configuration.

In this scenario, which two statements are correct? (Choose two.)

A.

When you log in to the device, you will be permitted to view all routing tables available on the SRX device

B.

When you log in to the device, you will be permitted to view only the routing tables for Logic

C.

When you log in to the device, you will be located at the operational mode of the Logic

D.

When you log in to the device, you will be located at the operational mode of the main system

Full Access
Question # 11

You want to use a security profile to limit the system resources allocated to user logical systems.

In this scenario, which two statements are true? (Choose two.)

A.

If nothing is specified for a resource, a default reserved resource is set for a specific logical system.

B.

If you do not specify anything for a resource, no resource is reserved for a specific logical system, but the entire system can compete for resources up to the maximum available.

C.

One security profile can only be applied to one logical system.

D.

One security profile can be applied to multiple logical systems.

Full Access
Question # 12

Which two statements are correct about DNS doctoring?

A.

The DNS ALG must be disabled.

B.

Proxy ARP is required if your NAT pool for the server is on the same subnet as the uplink interface.

C.

Proxy ARP is required if your NAT pool for the server is on a different subnet as the uplink interface

D.

The DNS ALG must be enabled.

Full Access
Question # 13

Which two statements are true about the procedures the Junos security device uses when handling traffic destined for the device itself? (Choose two.)

A.

If the received packet is addressed to the ingress interface, then the device first performs a security policy evaluation for the junos-host zone.

B.

If the received packet is destined for an interface other than the ingress interface, then the device performs a security policy evaluation for the junos-host zone.

C.

If the received packet is addressed to the ingress interface, then the device first examines the host-inbound-traffic configuration for the ingress interface and zone.

D.

If the received packet is destined for an interface other than the ingress interface, then the device performs a security policy evaluation based on the ingress and egress zone.

Full Access
Question # 14

Click the Exhibit button.

Referring to the exhibit, which three actions do you need to take to isolate the hosts at the switch port level if they become infected with malware? (Choose three.)

A.

Enroll the SRX Series device with Juniper ATP Cloud.

B.

Use a third-party connector.

C.

Deploy Security Director with Policy Enforcer.

D.

Configure AppTrack on the SRX Series device.

E.

Deploy Juniper Secure Analytics.

Full Access
Question # 15

Exhibit:

Referring to the exhibit, which IKE mode will be configured on the HQ-Gateway and Subsidiary-Gateway?

A.

Main mode on both the gateways

B.

Aggressive mode on both the gateways

C.

Main mode on the HQ-Gateway and aggressive mode on the Subsidiary-Gateway

D.

Aggressive mode on the HQ-Gateway and main mode on the Subsidiary-Gateway

Full Access
Question # 16

You want to test how the device handles a theoretical session without generating traffic on the Junos security device.

Which command is used in this scenario?

A.

request security policies check

B.

show security flow session

C.

show security match-policies

D.

show security policies

Full Access
Question # 17

You configure two Ethernet interfaces on your SRX Series device as Layer 2 interfaces and add them to the same VLAN. The SRX is using the default L2-learning setting. You do not add the interfaces to a security zone.

Which two statements are true in this scenario? (Choose two.)

A.

You are unable to apply stateful security features to traffic that is switched between the two interfaces.

B.

You are able to apply stateful security features to traffic that enters and exits the VLAN.

C.

The interfaces will not forward traffic by default.

D.

You cannot add Layer 2 interfaces to a security zone.

Full Access
Question # 18

You have deployed automated threat mitigation using Security Director with Policy Enforcer, Juniper ATP Cloud, SRX Series devices, and EX Series switches.

In this scenario, which device is responsible for blocking the infected hosts?

A.

Policy Enforcer

B.

Security Director

C.

Juniper ATP Cloud

D.

EX Series switch

Full Access
Question # 19

You want to bypass IDP for traffic destined to social media sites using APBR, but it is not working and IDP is dropping the session.

What are two reasons for this problem? (Choose two.)

A.

The session did not properly reclassify midstream to the correct APBR rule.

B.

IDP disable is not configured on the APBR rule.

C.

The application services bypass is not configured on the APBR rule.

D.

The APBR rule does a match on the first packet.

Full Access
Question # 20

Exhibit:

Host A shown in the exhibit is attempting to reach the Web1 webserver, but the connection is failing. Troubleshooting reveals that when Host A attempts to resolve the domain name of the server (web.acme.com), the request is resolved to the private address of the server rather than its public IP.

Which feature would you configure on the SRX Series device to solve this issue?

A.

Persistent NAT

B.

Double NAT

C.

DNS doctoring

D.

STUN protocol

Full Access
Question # 21

 

You are attempting to ping an interface on your SRX Series device, but the ping is unsuccessful.

 

What are three reasons for this behavior? (Choose three.)

 

A.

    The interface is not assigned to a security zone.

 

B.

    The interface's host-inbound-traffic security zone configuration does not permit ping

 

C.

    The ping traffic is matching a firewall filter.

 

D.

    The device has J-Web enabled.

 

E.

     The interface has multiple logical units configured.

 

Full Access
Question # 22

Which two statements about the differences between chassis cluster and multinode HA on

SRX series devices are true? (Choose Two)

A.

Multinode HA member nodes require Layer 2 connectivity.

B.

Multinode HA supports Layer 2 and Layer 3 connectivity between nodes.

C.

Multinode HA requires Layer 3 connectivity between nodes.

D.

Chassis cluster member nodes require Layer 2 connectivity.

Full Access
Question # 23

Exhibit:

Referring to the exhibit, which two statements are correct? (Choose two.)

A.

You cannot secure intra-VLAN traffic with a security policy on this device.

B.

You can secure inter-VLAN traffic with a security policy on this device.

C.

The device can pass Layer 2 and Layer 3 traffic at the same time.

D.

The device cannot pass Layer 2 and Layer 3 traffic at the same time.

Full Access
Question # 24

Which two statements are correct about automated threat mitigation with Security Director? (Choose two.)

A.

It works with third-party switches.

B.

It provides endpoint protection by running a Juniper ATP Cloud agent on the servers.

C.

It provides endpoint protection by running a Juniper ATP Cloud agent on EX Series devices.

D.

It works with SRX Series devices.

Full Access
Question # 25

Which two statements are true regarding NAT64? (Choose two.)

A.

An SRX Series device should be in packet-based forwarding mode for IPv4.

B.

An SRX Series device should be in packet-based forwarding mode for IPv6.

C.

An SRX Series device should be in flow-based forwarding mode for IPv4.

D.

An SRX Series device should be in flow-based forwarding mode for IPv6.

Full Access
Question # 26

Exhibit:

Your company uses SRX Series devices to establish an IPsec VPN that connects Site-1 and the HQ networks. You want VoIP traffic to receive priority over data traffic when it is forwarded across the VPN.

Which three actions should you perform in this scenario? (Choose three.)

A.

Enable next-hop tunnel binding.

B.

Create a firewall filter that identifies VoIP traffic and associates it with the correct forwarding class.

C.

Configure CoS forwarding classes and scheduling parameters.

D.

Enable the copy-outer-dscp parameter so that DSCP header values are copied to the tunneled packets.

E.

Enable the multi-sa parameter to enable two separate IPsec SAs for the VoIP and data traffic.

Full Access
Question # 27

You are deploying IPsec VPNs to securely connect several enterprise sites with ospf for dynamic

routing. Some of these sites are secured by third-party devices not running Junos.

Which two statements are true for this deployment? (Choose two.)

A.

OSPF over IPsec can be used for intersite dynamic routing.

B.

Sites with overlapping address spaces can be supported.

C.

OSPF over GRE over IPsec is required to enable intersite dynamic routing

D.

Sites with overlapping address spaces cannot be supported.

Full Access
Question # 28

Which two statements are true when setting up an SRX Series device to operate in mixed mode? (Choose two.)

A.

A physical interface can be configured to be both a Layer 2 and a Layer 3 interface at the same time.

B.

User logical systems support Layer 2 traffic processing.

C.

The SRX must be rebooted after configuring at least one Layer 3 and one Layer 2 interface.

D.

Packets from Layer 2 interfaces are switched within the same bridge domain.

Full Access
Question # 29

You have deployed two SRX Series devices in an active/passive multimode HA scenario.

In this scenario, which two statements are correct? (Choose two.)

A.

Services redundancy group 1 (SRG1) is used for services that do not have a control plane state.

B.

Services redundancy group 0 (SRG0) is used for services that have a control plane state.

C.

Services redundancy group 0 (SRG0) is used for services that do not have a control plane state.

D.

Services redundancy group 1 (SRG1) is used for services that have a control plane state.

Full Access
Question # 30

Referring to the exhibit, you are assigned the tenantSYS1 user credentials on an SRX series

device.

In this scenario, which two statements are correct? (Choose two.)

A.

When you log in to the device, you will be located at the operational mode of the main system hierarchy.

B.

When you log in to the device, you will be located at the operational mode of the Tenant.SY51 logical system hierarchy.

C.

When you log in to the device, you will be permitted to view only the routing tables for the Tenant SYS1 logical system.

D.

When you log in to the device, you will be permitted to view all routing tables available on the on an SYS1 Series device.

Full Access
Question # 31

You need to generate a certificate for a PKI-based site-to-site VPN. The peer is expecting to

user your domain name vpn.juniper.net.

Which two configuration elements are required when you generate your certificate request? (Chose two,)

A.

ip-address 10.100.0.5

B.

subject CN=vpn.juniper.net

C.

email admin@juniper.net

D.

domain-name vpn.juniper.net

Full Access
Question # 32

Which two statements about policy enforcer and the forescout integration are true? (Choose two)

A.

802.1X authenticated devices are supported.

B.

802.1X authenticated devices are not supported.

C.

A Forescout CounterACT agent must be installed on third-party devices

D.

A Forescout CounterACT agent is agentless and does not need to be installed on third-party device

Full Access
Question # 33

You are using trace options to troubleshoot a security policy on your SRX Series device.

Referring to the exhibit, which two statements are true? (Choose two.)

A.

The SSH traffic matches an existing session.

B.

No entries are created in the SRX session table.

C.

The traffic is not destined for the root logical system.

D.

The security policy controls traffic destined to the SRX device.

Full Access
Question # 34

You want to configure the SRX Series device to map two peer interfaces together and ensure that there is no switching or routing lookup to forward traffic.

Which feature on the SRX Series device is used to accomplish this task?

A.

Transparent mode

B.

Secure wire

C.

Mixed mode

D.

Switching mode

Full Access