
Juniper JN0-637 Security, Professional (JNCIP-SEC) Exam Practice Test

Demo: 34 questions
Total 115 questions

Security, Professional (JNCIP-SEC) Questions and Answers

Question 1

You need to generate a certificate for a PKI-based site-to-site VPN. The peer is expecting to use your domain name vpn.juniper.net.

Which two configuration elements are required when you generate your certificate request? (Choose two.)

Options:

A.

ip-address 10.100.0.5

B.

subject CN=vpn.juniper.net

C.

email admin@juniper.net

D.

domain-name vpn.juniper.net

Question 2

In a multinode HA environment, which service must be configured to synchronize between nodes?

Options:

A.

Advanced policy-based routing

B.

PKI certificates

C.

IPsec VPN

D.

IDP

Question 3

Your customer needs embedded security in an EVPN-VXLAN solution.

What are two benefits of adding an SRX Series device in this scenario? (Choose two.)

Options:

A.

It enhances tunnel inspection for VXLAN encapsulated traffic with Layer 4-7 security services.

B.

It adds extra security with the capabilities of an enterprise-grade firewall in the EVPN-VXLAN underlay.

C.

It adds extra security with the capabilities of an enterprise-grade firewall in the EVPN-VXLAN overlay.

D.

It enhances tunnel inspection for VXLAN encapsulated traffic with only Layer 4 security services.

Question 4

You want to deploy two vSRX instances in different public cloud providers to provide redundant security services for your network. Layer 2 connectivity between the two vSRX instances is not possible.

What would you configure on the vSRX instances to accomplish this task?

Options:

A.

Chassis cluster

B.

Secure wire

C.

Multinode HA

D.

Virtual chassis

Question 5

You implement persistent NAT to allow any device on the external side of the firewall to initiate traffic.

Referring to the exhibit, which statement is correct?

Options:

A.

The target-host parameter should be used instead of the any-remote-host parameter.

B.

The port-overloading parameter needs to be turned off in the NAT source interface configuration.

C.

The target-host-port parameter should be used instead of the any-remote-host parameter.

D.

The any-remote-host parameter does not support interface-based NAT and needs an IP pool to work.

Question 6

Which three attributes does APBR query from the application system cache module? (Choose three.)

Options:

A.

TTL

B.

destination port

C.

service

D.

DSCP

E.

protocol type

Question 7

Click the Exhibit button.

Referring to the exhibit, which three actions do you need to take to isolate the hosts at the switch port level if they become infected with malware? (Choose three.)

Options:

A.

Enroll the SRX Series device with Juniper ATP Cloud.

B.

Use a third-party connector.

C.

Deploy Security Director with Policy Enforcer.

D.

Configure AppTrack on the SRX Series device.

E.

Deploy Juniper Secure Analytics.

Question 8

Which two statements are correct about DNS doctoring? (Choose two.)

Options:

A.

The DNS ALG must be disabled.

B.

Proxy ARP is required if your NAT pool for the server is on the same subnet as the uplink interface.

C.

Proxy ARP is required if your NAT pool for the server is on a different subnet from the uplink interface.

D.

The DNS ALG must be enabled.

Question 9

Referring to the exhibit, which two statements are true? (Choose two.)

Options:

A.

Every VPN packet that the SRX receives from the VPN peer is outside the ESP sequence window.

B.

The SRX is sending traffic into the tunnel and out toward the VPN peer.

C.

The SRX is not sending any packets to the VPN peer.

D.

The SRX is not receiving any packets from the VPN peer.

Question 10

Referring to the exhibit, you are assigned the Tenant SYS1 user credentials on an SRX Series device.

In this scenario, which two statements are correct? (Choose two.)

Options:

A.

When you log in to the device, you will be located at the operational mode of the main system hierarchy.

B.

When you log in to the device, you will be located at the operational mode of the Tenant SYS1 logical system hierarchy.

C.

When you log in to the device, you will be permitted to view only the routing tables for the Tenant SYS1 logical system.

D.

When you log in to the device, you will be permitted to view all routing tables available on the SRX Series device.

Question 11

Exhibit:

Which two statements are correct about the output shown in the exhibit? (Choose two.)

Options:

A.

The data shown requires a traceoptions flag of basic-datapath.

B.

The data shown requires a traceoptions flag of host-traffic.

C.

The packet is dropped by the default security policy.

D.

The packet is dropped by a configured security policy.

Question 12

A customer wants to be able to initiate a return connection to an internal host from a specific server.

Which NAT feature would you use in this scenario?

Options:

A.

target-host

B.

any-remote-host

C.

port-overloading

D.

target-server

Question 13

You configure two Ethernet interfaces on your SRX Series device as Layer 2 interfaces and add them to the same VLAN. The SRX is using the default L2-learning setting. You do not add the interfaces to a security zone.

Which two statements are true in this scenario? (Choose two.)

Options:

A.

You are unable to apply stateful security features to traffic that is switched between the two interfaces.

B.

You are able to apply stateful security features to traffic that enters and exits the VLAN.

C.

The interfaces will not forward traffic by default.

D.

You cannot add Layer 2 interfaces to a security zone.

Question 14

You want to test how the device handles a theoretical session without generating traffic on the Junos security device.

Which command is used in this scenario?

Options:

A.

request security policies check

B.

show security flow session

C.

show security match-policies

D.

show security policies

Question 15

You are attempting to ping an interface on your SRX Series device, but the ping is unsuccessful.

What are three reasons for this behavior? (Choose three.)

Options:

A.

The interface is not assigned to a security zone.

B.

The interface's host-inbound-traffic security zone configuration does not permit ping.

C.

The ping traffic is matching a firewall filter.

D.

The device has J-Web enabled.

E.

The interface has multiple logical units configured.

Question 16

You have deployed an SRX Series device at your network edge to secure Internet-bound sessions for your local hosts using source NAT. You want to ensure that your users are able to interact with applications on the Internet that require more than one TCP session for the same application session.

Which two features would satisfy this requirement? (Choose two.)

Options:

A.

address persistence

B.

STUN

C.

persistent NAT

D.

double NAT

Question 17

You are configuring an interconnect logical system that is configured as a VPLS switch to allow two logical systems to communicate.

Which two parameters are required when configuring the logical tunnel interfaces? (Choose two.)

Options:

A.

Encapsulation ethernet must be used.

B.

The virtual tunnel interfaces should only be configured with two logical unit pairs per logical system interconnect.

C.

The logical tunnel interfaces should be configured with two logical unit pairs per logical system interconnect.

D.

Encapsulation ethernet-vpls must be used.

Question 18

Which two statements are true when setting up an SRX Series device to operate in mixed mode? (Choose two.)

Options:

A.

A physical interface can be configured to be both a Layer 2 and a Layer 3 interface at the same time.

B.

User logical systems support Layer 2 traffic processing.

C.

The SRX must be rebooted after configuring at least one Layer 3 and one Layer 2 interface.

D.

Packets from Layer 2 interfaces are switched within the same bridge domain.

Question 19

Exhibit:

Referring to the exhibit, which two statements are true? (Choose two.)

Options:

A.

Hosts in the Local zone can be enabled for control plane access to the SRX.

B.

An IRB interface is required to enable communication between the Trust and the Untrust zones.

C.

You can configure security policies for traffic flows between hosts in the Local zone.

D.

Hosts in the Local zone can communicate with hosts in the Trust zone with a security policy.

Question 20

Click the Exhibit button.

Referring to the exhibit, which two statements are correct? (Choose two.)

Options:

A.

This device is the backup node for SRG1.

B.

The ge-0/0/3.0 and ge-0/0/4.0 interfaces are not active and will not respond to ARP requests to the virtual IP MAC address.

C.

This device is the active node for SRG1.

D.

The ge-0/0/3.0 and ge-0/0/4.0 interfaces are active and will respond to ARP requests to the virtual IP MAC address.

Question 21

Referring to the exhibit, which two statements about User1 are true? (Choose two.)

Options:

A.

User1 has access to the configuration specific to their assigned logical system.

B.

User1 is logged in to logical system LSYS-1.

C.

User1 can add logical units to an interface that a primary administrator has not previously assigned.

D.

User1 can view outputs from other user logical systems.

Question 22

Referring to the exhibit, which three statements about the multinode HA environment are true? (Choose three.)

Options:

A.

Two services redundancy groups are available.

B.

IP monitoring has failed for the services redundancy group.

C.

Node 1 will host services redundancy group 1 unless it is unavailable.

D.

Session state is synchronized on both nodes.

E.

Node 2 will process transit traffic that it receives for services redundancy group 1.

Question 23

A company has acquired a new branch office that has the same address space as one of its local networks, 192.168.100.0/24. The offices need to communicate with each other.

Which two NAT configurations will satisfy this requirement? (Choose two.)

Options:

A.

[edit security nat source]
user@OfficeA# show
rule-set OfficeBtoA {
    from zone OfficeB;
    to zone OfficeA;
    rule 1 {
        match {
            source-address 192.168.210.0/24;
            destination-address 192.168.200.0/24;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

B.

[edit security nat static]
user@OfficeA# show
rule-set From-Office-B {
    from interface ge-0/0/0.0;
    rule 1 {
        match {
            destination-address 192.168.200.0/24;
        }
        then {
            static-nat {
                prefix {
                    192.168.100.0/24;
                }
            }
        }
    }
}

C.

[edit security nat static]
user@OfficeB# show
rule-set From-Office-A {
    from interface ge-0/0/0.0;
    rule 1 {
        match {
            destination-address 192.168.210.0/24;
        }
        then {
            static-nat {
                prefix {
                    192.168.100.0/24;
                }
            }
        }
    }
}

D.

[edit security nat source]
user@OfficeB# show
rule-set OfficeAtoB {
    from zone OfficeA;
    to zone OfficeB;
    rule 1 {
        match {
            source-address 192.168.200.0/24;
            destination-address 192.168.210.0/24;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
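The overlapping-subnet scenario above turns on one property of Junos static NAT: a rule is applied in both directions, translating the destination for traffic arriving through the rule's from context and the source for traffic that the mapped hosts send back out through it. The following set-format configuration is an added worked example, not part of the exam material, and it goes beyond the options by adding the routes and policies that make the translation usable end to end. Everything not in the question is an assumption: the zone names trust and untrust, the inter-office link on ge-0/0/0.0 with next hops 203.0.113.1 (Office A) and 203.0.113.2 (Office B), and the address-book and policy names. Lines starting with # are annotations, not Junos commands.

```junos
# ---- Office A: real LAN 192.168.100.0/24, presented to Office B as 192.168.200.0/24 ----
# Inbound from B: destination 192.168.200.x is rewritten to the real 192.168.100.x.
# Outbound from A's LAN via ge-0/0/0.0: source 192.168.100.x is rewritten to 192.168.200.x.
set security nat static rule-set From-Office-B from interface ge-0/0/0.0
set security nat static rule-set From-Office-B rule 1 match destination-address 192.168.200.0/24
set security nat static rule-set From-Office-B rule 1 then static-nat prefix 192.168.100.0/24
# A's hosts must address B's LAN by B's mapped prefix, so that prefix is routed toward B
# (next hop 203.0.113.2 is an assumption).
set routing-options static route 192.168.210.0/24 next-hop 203.0.113.2
# Static NAT is applied before policy lookup, so the inbound policy matches the real LAN address;
# the outbound policy matches the pre-translation source and the peer's mapped prefix.
set security address-book global address LAN-A 192.168.100.0/24
set security address-book global address Office-B-Mapped 192.168.210.0/24
set security policies from-zone untrust to-zone trust policy From-B match source-address Office-B-Mapped
set security policies from-zone untrust to-zone trust policy From-B match destination-address LAN-A
set security policies from-zone untrust to-zone trust policy From-B match application any
set security policies from-zone untrust to-zone trust policy From-B then permit
set security policies from-zone trust to-zone untrust policy To-B match source-address LAN-A
set security policies from-zone trust to-zone untrust policy To-B match destination-address Office-B-Mapped
set security policies from-zone trust to-zone untrust policy To-B match application any
set security policies from-zone trust to-zone untrust policy To-B then permit

# ---- Office B: real LAN 192.168.100.0/24, presented to Office A as 192.168.210.0/24 ----
# Mirror image of Office A; next hop 203.0.113.1 is an assumption.
set security nat static rule-set From-Office-A from interface ge-0/0/0.0
set security nat static rule-set From-Office-A rule 1 match destination-address 192.168.210.0/24
set security nat static rule-set From-Office-A rule 1 then static-nat prefix 192.168.100.0/24
set routing-options static route 192.168.200.0/24 next-hop 203.0.113.1
set security address-book global address LAN-B 192.168.100.0/24
set security address-book global address Office-A-Mapped 192.168.200.0/24
set security policies from-zone untrust to-zone trust policy From-A match source-address Office-A-Mapped
set security policies from-zone untrust to-zone trust policy From-A match destination-address LAN-B
set security policies from-zone untrust to-zone trust policy From-A match application any
set security policies from-zone untrust to-zone trust policy From-A then permit
set security policies from-zone trust to-zone untrust policy To-A match source-address LAN-B
set security policies from-zone trust to-zone untrust policy To-A match destination-address Office-A-Mapped
set security policies from-zone trust to-zone untrust policy To-A match application any
set security policies from-zone trust to-zone untrust policy To-A then permit

# ---- Verification (operational mode, either office) ----
# Translation hit counters on the static rule, then live sessions showing the real LAN address
# as the post-NAT destination for traffic that arrived addressed to the mapped prefix.
show security nat static rule all
show security flow session destination-prefix 192.168.100.0/24
```

The trace to keep in mind when checking this: a host at Office A sends to 192.168.210.7; Office A rewrites its source to 192.168.200.x on the way out; Office B rewrites the destination to 192.168.100.7 before policy lookup; the reply leaves B with source 192.168.210.7 and arrives at A, where the destination 192.168.200.x is mapped back to the real host. Neither side ever sees the other's real 192.168.100.0/24, which is exactly why interface-based source NAT alone (options A and D) cannot solve the problem: it rewrites only the outbound source and gives the remote office no reachable destination prefix. Any application that embeds IP addresses in its payload (DNS answers, FTP, SIP) still needs the relevant ALG or a doctoring rule, because static NAT only rewrites the IP header.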

Question 24

You are asked to see if your persistent NAT binding table is exhausted.

Which show command would you use to accomplish this task?

Options:

A.

show security nat source persistent-nat-table summary

B.

show security nat source summary

C.

show security nat source pool all

D.

show security nat source persistent-nat-table all

Question 25

Exhibit:

You are asked to ensure that Internet users can access the company's internal webserver using its FQDN. However, the internal DNS server's A record only points to the webserver's private address.

Referring to the exhibit, which two actions are required to complete this task? (Choose two.)

Options:

A.

Disable the DNS ALG.

B.

Configure static NAT for both the DNS server and the webserver.

C.

Configure destination NAT for both the DNS server and the webserver.

D.

Configure proxy ARP on ge-0/0/3.

Question 26

Click the Exhibit button.

You have configured a CoS-based VPN that is not functioning correctly.

Referring to the exhibit, which action will solve the problem?

Options:

A.

You must change the loss priorities of the forwarding classes to low.

B.

You must change the code point for the DB-data forwarding class to 10000.

C.

You must use inet precedence instead of DSCP.

D.

You must delete one forwarding class.

Question 27

Referring to the exhibit, you are attempting to set up a remote access VPN on your SRX Series devices.

However, you are unsure of which system services you should allow, and in which zones they should be allowed, to correctly finish the remote access VPN configuration.

Which two statements are correct? (Choose two.)

Options:

A.

You should add the host-inbound-traffic system-service ike statement to the Untrust zone.

B.

You should add the host-inbound-traffic system-service ike statement to the VPN zone.

C.

You should add the host-inbound-traffic system-service tcp-encap statement to the Untrust zone.

D.

You should add the host-inbound-traffic system-service tcp-encap statement to the VPN zone.

Question 28

You are using ADVPN to deploy a hub-and-spoke VPN to connect your enterprise sites.

Which two statements are true in this scenario? (Choose two.)

Options:

A.

ADVPN creates a full-mesh topology.

B.

IBGP routing is required.

C.

OSPF routing is required.

D.

Certificate-based authentication is required.

Question 29

You want to enable transparent mode on your SRX series device.

In this scenario, which three actions should you perform? (Choose three.)

Options:

A.

Enable the ethernet-switching family on your Layer 2 interfaces

B.

Install a Layer 2 feature license.

C.

Reboot the SRX device.

D.

Ensure that no IRB interfaces are configured on the device.

E.

Add your Layer 2 interfaces to a security zone.

Question 30

You are deploying IPsec VPNs to securely connect several enterprise sites with OSPF for dynamic routing. Some of these sites are secured by third-party devices not running Junos.

Which two statements are true for this deployment? (Choose two.)

Options:

A.

OSPF over IPsec can be used for intersite dynamic routing.

B.

Sites with overlapping address spaces can be supported.

C.

OSPF over GRE over IPsec is required to enable intersite dynamic routing.

D.

Sites with overlapping address spaces cannot be supported.

Question 31

Which two statements about the differences between chassis cluster and multinode HA on SRX Series devices are true? (Choose two.)

Options:

A.

Multinode HA member nodes require Layer 2 connectivity.

B.

Multinode HA supports Layer 2 and Layer 3 connectivity between nodes.

C.

Multinode HA requires Layer 3 connectivity between nodes.

D.

Chassis cluster member nodes require Layer 2 connectivity.

Question 32

You are attempting to ping the IP address that is assigned to the loopback interface on the SRX Series device shown in the exhibit.

What is causing this problem?

Options:

A.

The loopback interface requires encapsulation.

B.

The loopback interface is not assigned to a security zone.

C.

The incorrect interface index ID is assigned to the loopback interface.

D.

The IP address on the loopback interface is a private address.

Question 33

Which two statements are correct about advanced policy-based routing? (Choose two.)

Options:

A.

It can use the application system cache to route traffic.

B.

The associated routing instance should be configured as a virtual router instance.

C.

It cannot use the application system cache to route traffic.

D.

The associated routing instance should be configured as a forwarding instance.

Question 34

Exhibit:

You have deployed a pair of SRX Series devices in a multinode HA environment. You need to enable IPsec encryption on the interchassis link.

Referring to the exhibit, which three steps are required to enable ICL encryption? (Choose three.)

Options:

A.

Install the Junos IKE package on both nodes.

B.

Enable OSPF for both interchassis link interfaces and turn on the dynamic-neighbors parameter.

C.

Configure a VPN profile for the HA traffic and apply to both nodes.

D.

Enable HA link encryption in the IPsec profile on both nodes.

E.

Enable HA link encryption in the IKE profile on both nodes.
