
Juniper JN0-633

Exam: JN0-633
Title: Security, Professional (JNCIP-SEC)
Updated Version: 8.0
Product Type: 175 Q&A

Best Material, Great Results. www.certkingdom.com 1


QUESTION 1
Click the Exhibit button.
user@host# show interfaces
ge-0/0/0 {
    unit 1 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 20;
            vlan-rewrite {
                translate 2 20;
            }
        }
    }
}
Referring to the exhibit, which two statements are correct regarding VLAN rewrite? (Choose two.)

A. An incoming packet with VLAN tag 20 will be translated to VLAN tag 2.


B. An outgoing packet with VLAN tag 2 will be translated to VLAN tag 20.
C. An incoming packet with VLAN tag 2 will be translated to VLAN tag 20.
D. An outgoing packet with VLAN tag 20 will be translated to VLAN tag 2.

Answer: C,D

QUESTION 2
Which AppSecure module provides Quality of Service?

A. AppTrack
B. AppFW
C. AppID
D. AppQoS

Answer: D

QUESTION 3
You are asked to configure your SRX Series device to support IDP SSL inspection for up to 6,000 concurrent
HTTP sessions to a server within your network.
Which two statements are true in this scenario? (Choose two.)

A. You must add at least one PKI certificate.


B. Junos does not support more than 5000 sessions in this scenario.
C. You must enable SSL decoding.
D. You must enable SSL inspection.

Answer: C,D

QUESTION 4
You are troubleshooting an SRX240 acting as a NAT translator for transit traffic. Traffic is dropping at the
SRX240 in your network. Which three tools would you use to troubleshoot the issue? (Choose three.)

A. security flow traceoptions
B. monitor interface traffic
C. show security flow session
D. monitor traffic interface
E. debug flow basic

Answer: A,B,C
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

QUESTION 5
You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per
application. You want to undertake this task on the central SRX device that connects all segments
together. What are two ways to accomplish this goal? (Choose two.)

A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further
investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.

Answer: A,D

Explanation:
AppTrack is used for visibility of application usage and bandwidth.
Reference: http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf

QUESTION 6
Click the Exhibit button.
-- Exhibit --
[exhibit image not reproduced in this text]
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You
want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not
producing the expected results. Part of the configuration is shown in the exhibit. When you run the show route
table isp1 command, you do not see the default route listed.
What is causing this behavior?

A. The autonomous system number is incorrect, which is preventing the device from receiving a default route
from ISP1.
B. The device is not able to resolve the next-hop.
C. The isp1 routing instance is configured with an incorrect instance-type.
D. The show route table isp1 command does not display the default route unless you add the exact 0.0.0.0/0
option.

Answer: B
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

QUESTION 7
Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show | no-more
idp-policy basic {
    rulebase-ips {
        rule 1 {
            match {
                from-zone untrust;
                source-address any;
                to-zone trust;
                destination-address any;
                application default;
                attacks {
                    custom-attacks data-inject;
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
active-policy basic;
custom-attack data-inject {
    recommended-action close;
    severity critical;
    attack-type {
        signature {
            context mssql-query;
            pattern "SELECT * FROM accounts";
            direction client-to-server;
        }
    }
}
-- Exhibit --
You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want
to improve the efficiency and performance of your IDP.
Which two commands should you use? (Choose two.)

A. set custom-attack data-inject recommended-action drop


B. set custom-attack data-inject attack-type signature protocol-binding tcp
C. set idp-policy basic rulebase-ips rule 1 match destination-address webserver
D. set idp-policy basic rulebase-ips rule 1 match application any

Answer: B,C

QUESTION 8
You are asked to implement a Dynamic IPsec VPN on your new SRX240. You are required to facilitate up to 5
simultaneous users.
Which two statements must be considered when accomplishing the task? (Choose two.)

A. You must acquire at least three additional licenses.
B. Your devices must be in a chassis cluster.
C. You must use a policy-based VPN.
D. You must use main mode for your IKE phase 1 policy.

Answer: A,C

QUESTION 9
Click the Exhibit button.
user@key-server> show security group-vpn server ike security-associations
Index   State  Initiator cookie    Responder cookie    Mode   Remote Address
97      UP     bb224408940cc5d     435b9404284083c2    Main   192.168.11.1
98      UP     242c840089404d15    ab19284089408ba8    Main   192.168.11.2

user@key-server> show security group-vpn server ipsec security-associations
Group: group-1, Group Id: 1
Total IPsec SAs: 1
  IPsec SA      Algorithm       SPI        Lifetime
  group-1-sa    ESP:3des/sha1   1343991c   2736
Group: group-2, Group Id: 2
Total IPsec SAs: 1
  IPsec SA      Algorithm       SPI        Lifetime
  group-2-sa    ESP:3des/sha1   13be9e9    2741
Group: group-3, Group Id: 3
Total IPsec SAs: 1
  IPsec SA      Algorithm       SPI        Lifetime
  group-3-sa    ESP:3des/sha1   20709057   2741
Group: group-4, Group Id: 4
Total IPsec SAs: 1
  IPsec SA      Algorithm       SPI        Lifetime
  group-4-sa    ESP:3des/sha1   5111c2e1   2741
Which statement is correct regarding the outputs shown in the exhibit?

A. Two established peers are in the group VPNs.


B. One established peer is in the group VPNs.
C. No established peer is in the group VPNs.
D. Four established peers are in the group VPNs.

Answer: A

QUESTION 10
Which two statements are true regarding DNS doctoring? (Choose two.)

A. DNS doctoring translates the DNS CNAME payload.


B. DNS doctoring for IPv4 is supported on SRX devices.
C. DNS doctoring for IPv4 and IPv6 is supported on SRX devices.
D. DNS doctoring translates the DNS A-record.

Answer: B,D

Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html?topic-61847.html

QUESTION 11
You have configured static NAT for a Web server in your DMZ. Both internal and external users can reach the
Web server using its IP address. However, only internal users are able to reach the Web server using its DNS
name. External users receive an error message from their browser.
Which action would solve this problem?

A. Modify the security policy.


B. Disable Web filtering.
C. Use destination NAT instead of static NAT.
D. Use DNS doctoring.

Answer: D

Explanation:
Reference: http://www.networker.co.in/2013/03/dns-doctoring.html

QUESTION 12
You are troubleshooting an IPsec session and see the following IPsec security associations:
ID   Gateway         Port  Algorithm          SPI       Life:sec/kb   Mon  vsys
<    192.168.224.1   500   ESP:aes-256/sha1   d6393645  26/ unlim     -    0
>    192.168.224.1   500   ESP:aes-256/sha1   153ec235  26/ unlim     -    0
<    192.168.224.1   500   ESP:aes-256/sha1   f9a2db9a  3011/ unlim   -    0
>    192.168.224.1   500   ESP:aes-256/sha1   153ec236  3011/ unlim   -    0
What are two reasons for this behavior? (Choose two.)

A. Both peers are trying to establish IKE Phase 1 but are not successful.
B. Both peers have established SAs with one another, resulting in two IPsec tunnels.
C. The lifetime of the Phase 2 negotiation is close to expiration.
D. Both peers have establish-tunnels immediately configured.

Answer: C,D
Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/show-security-ipsec-security-associations.html
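An added example (not from the exam or Juniper) that reads the SA table from Q12 and reports what a troubleshooter wants from it: how many tunnels exist to each gateway and which SA pairs are about to rekey. Each tunnel shows up as an inbound (<) and an outbound (>) SA; a second pair to the same gateway is a second tunnel. SA_TABLE is the Q12 output copied in as a constructed sample, and the 60-second warning threshold is an arbitrary choice.

```python
"""Analyse `show security ipsec security-associations` output.

Added example, not from the exam or Juniper. Pairs the inbound (<) and
outbound (>) SAs per gateway, detects more than one tunnel to the same
peer, and flags pairs whose remaining lifetime is about to run out.
"""
import re

# Columns: ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
SA_RE = re.compile(
    r"^\s*(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+(?P<alg>\S+)\s+"
    r"(?P<spi>[0-9a-f]+)\s+(?P<life>\d+|unlim)/\s*(?P<kb>\d+|unlim)"
)

# Constructed sample: the Q12 exhibit above, verbatim.
SA_TABLE = """\
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
< 192.168.224.1 500 ESP:aes-256/sha1 d6393645 26/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec235 26/ unlim - 0
< 192.168.224.1 500 ESP:aes-256/sha1 f9a2db9a 3011/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec236 3011/ unlim - 0
"""


def parse_sas(text):
    """Return one dict per SA line; lifetime as int seconds, or None for unlim."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue  # header and any non-SA line
        d = m.groupdict()
        d["life"] = None if d["life"] == "unlim" else int(d["life"])
        sas.append(d)
    return sas


def pair_sas(sas):
    """Group each '<' entry with the next '>' entry for the same gateway."""
    tunnels, pending = {}, {}
    for sa in sas:
        gw = sa["gw"]
        if sa["dir"] == "<":
            pending[gw] = sa
        elif gw in pending:
            tunnels.setdefault(gw, []).append((pending.pop(gw), sa))
    return tunnels


def analyze(text, warn_below=60):
    """Per gateway: number of tunnels, whether there is more than one, and the
    (inbound SPI, outbound SPI) pairs with under warn_below seconds left."""
    result = {}
    for gw, pairs in pair_sas(parse_sas(text)).items():
        expiring = []
        for inb, outb in pairs:
            lives = [x["life"] for x in (inb, outb) if x["life"] is not None]
            if lives and min(lives) < warn_below:
                expiring.append((inb["spi"], outb["spi"]))
        result[gw] = {
            "tunnels": len(pairs),
            "multiple_tunnels": len(pairs) > 1,
            "expiring": expiring,
        }
    return result


if __name__ == "__main__":
    for gw, info in analyze(SA_TABLE).items():
        print(gw, info)
```

The script reports the symptom (two tunnels, one pair rekeying within 26 seconds); whether the cause is both sides having establish-tunnels immediately, as the answer says, is something to confirm in the IPsec VPN configuration of both peers.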

QUESTION 13
Which feature is used for layer 2 bridging on an SRX Series device?

A. route mode
B. packet mode
C. transparent mode
D. MPLS mode

Answer: C

QUESTION 14
An external host is attacking your network. The host sends an HTTP request to a Web server, but does not
include the version of HTTP in the request.
Which type of attack is being performed?

A. signature-based attack
B. application identification
C. anomaly
D. fingerprinting

Answer: C

Explanation:
Reference: https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/HTTP%3AINVALID%3AMSNG-HTTP-VER.html

QUESTION 15
Which statement is true regarding the dynamic VPN feature for Junos devices?

A. Only route-based VPNs are supported.


B. Aggressive mode is not supported.
C. Preshared keys for Phase 1 must be used.
D. It is supported on all SRX devices.

Answer: C
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x45/information-products/pathway-pages/security/security-vpn-dynamic.pdf

QUESTION 16
Which configurable SRX Series device feature allows you to capture transit traffic?

A. syslog
B. traceoptions
C. packet-capture
D. archival

Answer: B

QUESTION 17
You are asked to merge the corporate network with the network from a recently acquired company. Both
networks use the same private IPv4 address space (172.25.126.0/24). An SRX device serves as the gateway for
each network. Which solution allows you to merge the two networks without adjusting the current address
assignments?

A. source NAT
B. persistent NAT
C. double NAT
D. NAT444

Answer: C

Explanation:
Reference: http://class10e.com/juniper/what-should-you-do-to-meet-the-requirements/

QUESTION 18
Which problem is introduced by setting the terminal parameter on an IPS rule?

A. The SRX device will stop IDP processing for future sessions.
B. The SRX device might detect more false positives.
C. The SRX device will terminate the session in which the terminal rule detected the attack.
D. The SRX device might miss attacks.

Answer: D
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42464.html

QUESTION 19
Click the Exhibit button.
-- Exhibit --
[exhibit image not reproduced in this text]
-- Exhibit --
Based on the output shown in the exhibit, what are two results? (Choose two.)

A. The output shows source NAT.


B. The output shows destination NAT.
C. The port information is changed.
D. The port information is unchanged.

Answer: B,D
Reference: http://junos.com/techpubs/software/junos-security/junos-security10.2/junos-security-cli-reference/index.html?show-security-flow-session.html

QUESTION 20
Click the Exhibit button.
-- Exhibit --
user@srx# show security datapath-debug
capture-file pkt-cap-file format pcap size 5m;
action-profile {
    pkt-cap-profile {
        event np-ingress {
            packet-dump;
        }
    }
}
packet-filter pkt-filter {
    action-profile pkt-capture;
    source-prefix 1.2.3.4/32;
}
-- Exhibit --
You want to capture transit traffic passing through your SRX3600. You add the configuration shown in the
exhibit but do not see entries added to the capture file.
What is causing the problem?

A. You are missing the configuration set security datapath-debug maximum-capture-size 1500.
B. You are missing the configuration set security datapath-debug packet-filter pkt-filter destination-prefix 5.6.7.8/32.
C. You must start the capture from operational mode with the command request security datapath-debug capture start.
D. You must start the capture from operational mode with the command monitor start capture.

Answer: C

QUESTION 21
You want to implement persistent NAT for an internal resource so that external hosts are able to initiate
communications to the resource, without the internal resource having previously sent packets to the external
hosts. Which configuration setting will accomplish this goal?

A. persistent-nat permit target-host


B. persistent-nat permit any-remote-host
C. persistent-nat permit target-host-port
D. address-persistent

Answer: B

Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html

QUESTION 22
As an SRX administrator, you must find all encrypted sessions on an SRX Series device.
Which command would you use to accomplish this task?

A. show security flow session tunnel


B. show security ike tunnel-map
C. show security ike security-associations
D. show security flow session encrypted

Answer: D

QUESTION 23
Click the Exhibit button.
user@host> show security flow session extensive
Session ID: 1173, Status: Normal
Flag: 0x0
Policy name: two/6
Source NAT pool: interface, Application: junos-ftp/1
Dynamic application: junos:UNKNOWN,
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 1756
Session State: Valid
Start time: 4859, Duration: 99
   In: 172.20.103.10/56457 --> 10.210.14.130/21;tcp, Interface: vlan.103,
    Session token: 0x8, Flag: 0x21
    Route: 0x100010, Gateway: 172.20.103.10, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 12, Bytes: 549
   Out: 10.210.14.130/21 --> 10.210.14.133/18698;tcp, Interface: ge-0/0/0.0,
    Session token: 0x7, Flag: 0x20
    Route: 0xf0010, Gateway: 10.210.14.130, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 8, Bytes: 514
Total sessions: 1
A user complains that they are unable to download files using FTP. They are able to connect to the remote site,
but cannot download any files. You investigate and execute the show security flow session extensive command
to receive the result shown in the exhibit.
What is the cause of the problem?

A. The NAT translation is incorrect.


B. The FTP ALG has been disabled.
C. Passive mode FTP is not enabled.
D. The FTP session is using the wrong port number.

Answer: B

QUESTION 24
You are asked to change the configuration of your company's SRX device so that you can block nested traffic
from certain Web sites, but the main pages of these Web sites must remain available to users. Which two
methods will accomplish this goal? (Choose two.)

A. Enable the HTTP ALG.


B. Implement a firewall filter for Web traffic.
C. Use an IDP policy to inspect the Web traffic.
D. Configure an application firewall rule set.

Answer: B,D
Reference: An application layer gateway (ALG) is a feature on ScreenOS gateways that enables the gateway to
parse application layer payloads and take decisions on them. ALGs are typically employed to support
applications that use the application layer payload to communicate the dynamic Transmission Control Protocol
(TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections
(http://kb.juniper.net/InfoCenter/index?page=content&id=KB13530).
An IDP policy defines the rules for the type of traffic permitted on the network
(http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/enable-idp-security-policy-section.html).

QUESTION 25
What are three techniques to mark DSCP values on an SRX Series device? (Choose three.)

A. IDP attack action-based DSCP rewriters


B. 802.1Q
C. VLAN rewrite
D. ALG-based DSCP rewriters
E. Layer 7 application-based DSCP rewriters.

Answer: A,D,E

QUESTION 26
You have been asked to configure traffic to flow between two virtual routers (VRs) residing on two unique
logical systems (LSYSs) on the same SRX5800.
How would you accomplish this task?

A. Configure a security policy that contains the context from VR1 to VR2 to permit the relevant traffic.
B. Configure a security policy that contains the context from LSYS1 to LSYS2 and relevant match conditions in
the rule set to allow traffic between the IP networks in VR1 and VR2.
C. Configure logical tunnel interfaces between VR1 and VR2 and security policies that allow relevant traffic
between VR1 and VR2 over that link.
D. Configure an interconnect LSYS to facilitate a connection between LSYS1 and LSYS2 and relevant policies
to allow the traffic.

Answer: C

Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21260


QUESTION 27
You have recently deployed a dynamic VPN. Some remote users are complaining that they cannot authenticate
through the SRX device at the corporate network. The SRX device serves as the tunnel endpoint for the
dynamic VPN. What are two reasons for this problem? (Choose two.)

A. The supported number of users has been exceeded for the applied license.
B. The users are connecting to the portal using Windows Vista.
C. The SRX device does not have the required user account definitions.
D. The SRX device does not have the required access profile definitions.

Answer: A,D

Explanation:
Reference: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/syslog-messages/index.html?jd0e28566.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16477

QUESTION 28
You are asked to provide access for an external VoIP server to VoIP phones in your network using private
addresses. However, due to security concerns, the VoIP server should only be able to initiate connections to
each phone once the phone has logged into the VoIP server. The VoIP server requires access to the phones
using multiple ports.
Which type of persistent NAT is required?

A. any-remote-host
B. target-host
C. target-host-port
D. remote-host

Answer: B

Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html

QUESTION 29
You are asked to secure your company's Web presence. This includes using an SRX Series device to inspect
SSL traffic going to the Web servers in your DMZ.
Which two actions are required to accomplish this task? (Choose two.)

A. Load your Web server's private key in the IDP configuration.
B. Load your Web server's public key in the IDP configuration.
C. Generate a root certificate on the SRX Series device for your Web servers.
D. Specify the number of sessions in the SSL sensor configuration.

Answer: A,D


QUESTION 30
You want to query User Group membership directly using the integrated user firewall services from an Active
Directory controller to an SRX Series device.
Which two actions are required? (Choose two.)

A. Configure the LDAP base distinguished name.


B. Connect the SRX Series device and the MAG Series device in an enforcer configuration.
C. Configure a domain name, the username and password of the domain, and the name and IP address of the
domain controller in the domain.
D. Configure the Access Control Service on the MAG Series device for local user authentication and verify that
authentication information is transferred between the devices.

Answer: A,C

QUESTION 31
Click the Exhibit button.
[edit security nat static rule-set 12]
user@SRX2# show
from zone untrust;
rule 1 {
    match {
        destination-address 192.168.1.1/32;
    }
    then {
        static-nat {
            prefix {
                10.60.60.1/32;
            }
        }
    }
}
Host-2 initiates communication with Host-1. All other routing and policies are in place to allow the traffic.
What is the result of the communication?

A. The 192.168.0.1 address is translated to the 10.60.60.1 address.


B. The 10.60.60.1 address is translated to the 192.168.1.1 address.
C. No translation occurs.
D. The 192.168.0.1 address is translated to the 192.168.1.1 address.

Answer: B

QUESTION 32
You want to verify that all application traffic traversing your SRX device uses standard ports. For example, you
need to verify that only DNS traffic runs through port 53, and no other protocols. How would you accomplish
this goal?

A. Use an IDP policy to identify the application regardless of the port used.
B. Use a custom ALG to detect the application regardless of the port used.
C. Use AppTrack to detect the application regardless of the port used.
D. Use AppID to detect the application regardless of the port used.

Answer: A

Explanation:
AppTrack provides detailed visibility of application traffic. It builds on AppID for the classification but only reports; it
does not enforce. An IDP policy can use application identification to classify the traffic on a port by its payload and then act
on it, which is what this question requires.
Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-AppTrack-aka-AppID/td-p/63029
An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/id-79332.html

QUESTION 33
A branch SRX Series device in flow mode is forwarding between two virtual routers using a paired set of
logical tunnel interfaces. You have a server connected to one virtual router and the client is on the other virtual
router.
How many security policies are needed to connect from the client to the server across the logical tunnel link?

A. 0
B. 2
C. 3
D. 1

Answer: D

QUESTION 34
Click the Exhibit button.
Referring to the exhibit, you must send traffic from Host-1 to Host-2. These two hosts can only communicate
with IPv4.
Which feature would you use to permit communication between Host-1 and Host-2?

A. 6rd
B. DS-Lite
C. NAT46
D. NAT444

Answer: B

QUESTION 35
Given the following session output:
Session ID: , Policy name: default-policy-00/2, State: Active, Timeout: 1794, Valid
  In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, If: reth0.0, Pkts: 4, Bytes: 574
  Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0, Pkts: 3, Bytes:
Which statement is correct about the security flow session output?

A. This session is about to expire.


B. NAT64 is used.
C. Proxy NDP is used for this session.
D. The IPv4 Web server runs services on TCP port 24770.


Answer: B

Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22391
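The three flow-session exhibits on this page (Q19, Q23 and Q35) all turn on reading the In and Out wings correctly: the Out wing is the reply direction, so reading it backwards gives the translated 5-tuple of the original packet. The following Python is an added example, not part of the exam material or Juniper's code. It parses the two wings, recovers the translated addresses and ports, and reports which NAT type applied and whether a port changed. The sample sessions are constructed from the Q23 and Q35 exhibits plus one made-up destination-NAT session for the Q19 case; the interface names and addresses in that third sample are assumptions.

```python
"""Classify NAT from the In/Out wings of `show security flow session extensive`.

Added example, not exam or Juniper code. Compares the In wing with the
reversed Out wing to tell source NAT, destination NAT and NAT64 apart and
to see whether the translated port differs from the original.
"""
import ipaddress
import re

# One wing line, e.g.
#   In: 172.20.103.10/56457 --> 10.210.14.130/21;tcp, Interface: vlan.103,
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out):\s*(?P<src>\S+)/(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+)"
)

# Constructed sample modelled on the Q23 exhibit (FTP control session, source NAT).
SESSION_FTP = """\
Session ID: 1173, Status: Normal
   In: 172.20.103.10/56457 --> 10.210.14.130/21;tcp, Interface: vlan.103,
   Out: 10.210.14.130/21 --> 10.210.14.133/18698;tcp, Interface: ge-0/0/0.0,
"""
# Constructed sample modelled on the Q35 exhibit (IPv6 client to IPv4 server).
SESSION_NAT64 = """\
In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, If: reth0.0,
Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0,
"""
# Constructed sample (addresses and interfaces assumed): destination NAT to a
# DMZ web server with the port preserved, the Q19 situation.
SESSION_DNAT = """\
In: 203.0.113.5/40000 --> 198.51.100.10/80;tcp, Interface: ge-0/0/0.0,
Out: 10.1.1.10/80 --> 203.0.113.5/40000;tcp, Interface: ge-0/0/1.0,
"""


def parse_wings(output):
    """Return {'In': {...}, 'Out': {...}} for the first session in the text."""
    wings = {}
    for line in output.splitlines():
        m = WING_RE.match(line)
        if m and m.group("dir") not in wings:
            wings[m.group("dir")] = {
                "src": ipaddress.ip_address(m.group("src")),
                "sport": int(m.group("sport")),
                "dst": ipaddress.ip_address(m.group("dst")),
                "dport": int(m.group("dport")),
                "proto": m.group("proto"),
            }
    if set(wings) != {"In", "Out"}:
        raise ValueError("session output needs both an In and an Out wing")
    return wings


def classify(wings):
    """Compare the In wing with the reversed Out wing."""
    i, o = wings["In"], wings["Out"]
    # After translation the original packet was o.dst:o.dport -> o.src:o.sport.
    x_src, x_sport = o["dst"], o["dport"]
    x_dst, x_dport = o["src"], o["sport"]
    kinds = []
    if i["src"] != x_src:
        kinds.append("source-nat")
    if i["dst"] != x_dst:
        kinds.append("destination-nat")
    if i["src"].version == 6 and x_src.version == 4:
        kinds.append("nat64")  # v6 client reaching a v4 server: both ends change
    return {
        "nat": kinds or ["none"],
        "port_changed": i["sport"] != x_sport or i["dport"] != x_dport,
        "translated_src": f"{x_src}/{x_sport}",
        "translated_dst": f"{x_dst}/{x_dport}",
    }


def report(output):
    return classify(parse_wings(output))


if __name__ == "__main__":
    for name, text in (("ftp", SESSION_FTP), ("nat64", SESSION_NAT64), ("dnat", SESSION_DNAT)):
        print(name, report(text))
```

For the Q35 sample the translated source is 192.168.203.1/24770, which is why option D there is wrong: 24770 is the translated source port, not a service on the web server.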

QUESTION 36
Click the Exhibit button.
-- Exhibit --
[exhibit image not reproduced in this text]
-- Exhibit --
You are asked to implement NAT to translate addresses between the IPv4 and IPv6 networks shown in the
exhibit.
What are three configuration requirements? (Choose three.)

A. Disable SYN checking.


B. Enable IPv6 flow mode.
C. Configure proxy ARP.
D. Configure stateless filtering.
E. Configure proxy NDP.

Answer: B,C,E
Reference: http://forums.juniper.net/jnet/attachments/jnet/srx/16228/1/NAT64-Overview.pdf

QUESTION 37
Click the Exhibit button.
-- Exhibit --
[edit security]
user@srx# show
idp {
    idp-policy NewPolicy {
        rulebase-exempt {
            rule 1 {
                description AllowExternalRule;
                match {
                    source-address any;
                    destination-address
                }
            }
        }
    }
}
-- Exhibit --
You are performing the initial IDP installation on your new SRX device. You have configured the IDP exempt
rulebase as shown in the exhibit, but the commit is not successful.
Referring to the exhibit, what solves the issue?

A. You must configure the destination zone match.


B. You must configure the IPS exempt accept action.
C. You must configure the IPS rulebase.
D. You must configure the IPS engine flow action to ignore.

Answer: C
Reference: http://jncie-sec.exactnetworks.net/2013/01/srx-idp-overview-initial-setup.html

QUESTION 38
You are asked to ensure traffic from your executive staff does not use the same ISP connection as your other
traffic.
Which three actions are required to accomplish this task? (Choose three)

A. Create a firewall filter to match this traffic and send this traffic to the routing instance.
B. Create a routing instance and define the type as no-forwarding.
C. Assign the outgoing interface to the no-forwarding instance.
D. Create a routing instance and define the type as forwarding.
E. Create a RIB group to share routes between the main instance and the routing instance.

Answer: A,D,E

QUESTION 39
You want to create a custom IDP signature for a new HTTP attack on your SRX device. You have the exact
string that identifies the attack.Which two additional elements do you need to define your custom signature?
(Choose two.)

A. service context
B. protocol number
C. direction
D. source IP address of the attacker

Answer: A,C
Reference: http://rtoodtoo.net/2011/09/22/how-to-write-srx-idp-custom-attacksignature/

QUESTION 40
Click the Exhibit button.
-- Exhibit --
[exhibit image not reproduced in this text]
-- Exhibit --
Referring to the topology shown in the exhibit, which two configuration tasks will allow Host A to telnet to the
public IP address associated with Server B? (Choose two.)

A. Configure transparent mode to bypass the NAT processing of Server B's public IP address.
B. Configure a stateless filter redirecting local traffic destined to Server B's public IP address.
C. Configure a destination NAT rule that matches local traffic destined to Server B's public IP address.
D. Configure a source NAT rule that matches local traffic destined to Server B's public IP address.

Answer: C,D

Explanation:
In this scenario the server is reachable from the Internet on one address but uses another address when it initiates
connections out to the Internet. Host A sits on the inside, so reaching Server B's public address from there needs
destination NAT to map that public address back to Server B, combined with source NAT so that Server B's replies
return through the SRX rather than directly to Host A (hairpin NAT).
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#destination_nat

QUESTION 41
You are working as a security administrator and must configure a solution to protect against distributed botnet
attacks on your company's central SRX cluster.
How would you accomplish this goal?

A. Configure AppTrack to inspect and drop traffic from the malicious hosts.
B. Configure AppQoS to block the malicious hosts.
C. Configure AppDoS to rate limit connections from the malicious hosts.
D. Configure AppID with a custom application to block traffic from the malicious hosts.

Answer: C

Explanation:
Reference: page 2, figure 1, http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf

QUESTION 42
What are two AppSecure modules? (Choose two.)

A. AppDoS
B. AppFlow
C. AppTrack
D. AppNAT

Answer: A,C

Explanation:
Reference: page 2, figure 1, http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf

QUESTION 43
You are attempting to establish an IPsec VPN between two SRX devices. However, there is another device
between the SRX devices that does not pass traffic that is using UDP port 4500.
How would you resolve this problem?

A. Enable NAT-T.
B. Disable NAT-T.
C. Disable PAT.
D. Enable PAT.

Answer: B

Explanation:
NAT-T encapsulates IKE and ESP in UDP port 4500 (by default) instead of sending ESP as IP protocol 50 with IKE
on UDP port 500. With NAT-T disabled, the SRX devices negotiate on UDP 500 and send ESP natively, so the device
that blocks UDP 4500 no longer affects the tunnel. This only works when there is no NAT between the peers; if there is
one, NAT-T is required and the intermediate device must be changed to pass UDP 4500 instead.
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch10.html

QUESTION 44
Click the Exhibit button.
user@host# run show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:05:06
                    > to 172.16.1.1 via ge-0/0/1.0
172.16.1.0/24      *[Direct/0] 00:05:06
                    > via ge-0/0/1.0
172.16.1.3/32      *[Local/0] 00:05:07
                      Local via ge-0/0/1.0
192.168.200.2/32   *[Local/0] 00:05:07
                      Reject

vr-a.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[Direct/0] 00:01:05
                    > via ge-0/0/2.0
192.168.1.1/32     *[Local/0] 00:01:05
                      Local via ge-0/0/2.0

vr-b.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[Direct/0] 00:01:05
                    > via ge-0/0/3.0
192.168.1.1/32     *[Local/0] 00:01:05
                      Local via ge-0/0/3.0

User 1 will access Server 1 using IP address 10.2.1.1. You need to ensure that return traffic is able to reach User
1 from Server 1.
Referring to the exhibit, which two configurations allow this communication? (Choose two.)

A. [edit security nat static]
   user@host# show
   rule-set server-nat {
       from zone [ untrust ];
       rule 1 {
           match {
               destination-address 10.2.1.1/32;
           }
           then {
               static-nat {
                   prefix {
                       192.168.1.2/32;
                   }
               }
           }
       }
   }

B. [edit security nat static]
   user@host# show
   rule-set server-nat {
       from zone [ junos-host untrust ];
       rule 1 {
           match {
               destination-address 10.2.1.1/32;
           }
           then {
               static-nat {
                   prefix {
                       192.168.1.2/32;
                       routing-instance vr-b;
                   }
               }
           }
       }
   }

C. [edit security nat static]
   user@host# show
   rule-set server-nat {
       from zone untrust;
       rule 1 {
           match {
               destination-address 10.2.1.1/32;
           }
           then {
               static-nat {
                   prefix {
                       192.168.1.2/32;
                       routing-instance vr-a;
                   }
               }
           }
       }
   }

D. [edit security nat static]
   user@host# show
   rule-set in {
       from zone untrust;
       to zone cust-a;
       rule overload {
           match {
               source-address 0.0.0.0/0;
           }
           then {
               source-nat {
                   interface;
               }
           }
       }
   }

Answer: B
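Q31 and Q44 both hinge on static NAT being a single 1:1 mapping that the SRX applies in both directions. The following Python is an added example, not Juniper's implementation: it models a static-nat rule-set and shows that a packet arriving from the from-zone gets its destination rewritten (public to private), while a packet leaving the mapped host gets its source rewritten back to the public address (the Q31 answer), and that the routing-instance under prefix names the table in which the translated address is looked up, which is what separates the overlapping 192.168.1.0/24 networks of vr-a and vr-b in Q44. The host addresses 203.0.113.7 and 172.16.1.9 and the zone name cust-b are assumptions, as is the network-to-network rule, which goes beyond the /32 cases on the page. On a real SRX the mapping also needs a security policy for the zone the private host sits in, and proxy ARP on the ingress interface when the public address is not the interface's own.

```python
"""Static NAT on the SRX modelled as a 1:1, bidirectional mapping.

Added example, not Juniper's code. A static-nat rule bound to a from-zone
rewrites the destination of packets from that zone and the source of packets
going the other way, using the same mapping.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticNatRule:
    from_zones: tuple                      # `from zone [ ... ]` of the rule-set
    match_dst: str                         # `match destination-address`
    prefix: str                            # `then static-nat prefix`
    routing_instance: Optional[str] = None  # `routing-instance` under prefix; None = default table

    def __post_init__(self):
        self.match_net = ipaddress.ip_network(self.match_dst)
        self.prefix_net = ipaddress.ip_network(self.prefix)
        if self.match_net.prefixlen != self.prefix_net.prefixlen:
            raise ValueError("match and prefix must have the same prefix length")


def _shift(addr, from_net, to_net):
    """Map addr to the same offset inside to_net (covers network-to-network rules)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def translate(rule, ingress_zone, src, dst):
    """Return (src, dst, lookup_instance) after applying the rule.

    lookup_instance is the routing instance for the forwarding lookup of a
    translated packet, or None when the rule leaves it at the ingress table.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress_zone in rule.from_zones and dst in rule.match_net:
        # Forward direction: public destination becomes the private host,
        # routed in the instance named under prefix (if any).
        return str(src), str(_shift(dst, rule.match_net, rule.prefix_net)), rule.routing_instance
    if ingress_zone not in rule.from_zones and src in rule.prefix_net:
        # Reverse direction: the private host talks out or replies; its source
        # becomes the public address. This is what makes static NAT bidirectional.
        return str(_shift(src, rule.prefix_net, rule.match_net)), str(dst), None
    return str(src), str(dst), None


# Q31: rule-set 12, from zone untrust, 192.168.1.1 <-> 10.60.60.1
RULE_Q31 = StaticNatRule(("untrust",), "192.168.1.1/32", "10.60.60.1/32")
# Q44 option B: 10.2.1.1 <-> 192.168.1.2, looked up in vr-b
RULE_Q44 = StaticNatRule(("junos-host", "untrust"), "10.2.1.1/32", "192.168.1.2/32",
                         routing_instance="vr-b")
# Constructed network-to-network rule (assumption): 198.51.100.0/24 <-> 10.10.10.0/24
RULE_NET = StaticNatRule(("untrust",), "198.51.100.0/24", "10.10.10.0/24")


if __name__ == "__main__":
    # Q31: Host-2 (10.60.60.1, inside) initiates towards an assumed external host.
    print(translate(RULE_Q31, "trust", "10.60.60.1", "203.0.113.7"))
    # Q44: an assumed User 1 address reaches Server 1 through 10.2.1.1.
    print(translate(RULE_Q44, "untrust", "172.16.1.9", "10.2.1.1"))
    print(translate(RULE_NET, "untrust", "203.0.113.7", "198.51.100.37"))
```

For Q31 the first call returns the source rewritten to 192.168.1.1, which is answer B; for Q44 the forward lookup lands in vr-b, so the 192.168.1.2 in vr-a is never considered and the reply from Server 1 is source-translated back to 10.2.1.1 on its way to User 1.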

QUESTION 45
Which action will allow an administrator to connect in band to an SRX Series device in transparent mode over
SSH?

A. Use a VLAN interface.


B. Use the loopback interface.
C. Use a logical interface.
D. Use an irb interface.

Answer: D

QUESTION 46
-- Exhibit --
[edit]
user@srx# run show route

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:09:08
                    > to 172.18.1.1 via ge-0/0/3.0
10.210.14.128/27   *[Direct/0] 8w6d 15:43:09
                    > via ge-0/0/0.0
10.210.14.135/32   *[Local/0] 11w0d 06:43:04
                      Local via ge-0/0/0.0
172.18.1.0/30      *[Direct/0] 8w6d 15:43:01
                    > via ge-0/0/3.0
172.18.1.2/32      *[Local/0] 11w0d 06:43:03
                      Local via ge-0/0/3.0
172.19.1.0/24      *[Direct/0] 03:46:56
                    > via ge-0/0/1.0
172.19.1.1/32      *[Local/0] 03:46:56
                      Local via ge-0/0/1.0
172.20.105.0/24    *[Direct/0] 03:46:56
                    > via ge-0/0/4.105
172.20.105.1/32    *[Local/0] 03:46:56
                      Local via ge-0/0/4.105
192.168.30.1/32    *[Direct/0] 4d 03:44:41
                    > via lo0.0

fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:11
                    > to 172.19.1.2 via ge-0/0/1.0
172.19.1.0/24      *[Direct/0] 00:00:11
                    > via ge-0/0/1.0

[edit]
user@srx# show routing-instances
fbf {
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.19.1.2;
        }
    }
}
[edit]
user@srx# show routing-options
interface-routes {
    rib-group inet fbf-int;
}
static {
    route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
    fbf-int {
        import-rib [ inet.0 fbf.inet.0 ];
        import-policy fbf-pol;
    }
}
[edit]
user@srx# show policy-options policy-statement fbf-pol
term 1 {
    from interface ge-0/0/1.0;
    to rib fbf.inet.0;
    then accept;
}
term 2 {
    then reject;
}
-- Exhibit --
Referring to the exhibit, you notice that filter-based forwarding is not working.
What is the reason for this behavior?

A. The RIB group is configured incorrectly.


B. The routing policy is configured incorrectly.
C. The routing instance is configured incorrectly.
D. The default static routes are configured incorrectly.

Answer: C

Explanation:
The fbf routing instance in the exhibit has no instance-type statement. Filter-based forwarding needs a forwarding-type
instance (instance-type forwarding) whose table is populated from the main table through the RIB group. The rest of the
exhibit is consistent with KB17223: the RIB group lists the primary table first and the forwarding table second
(import-rib [ inet.0 fbf.inet.0 ]), the fbf-pol policy copies only the ge-0/0/1.0 interface routes into fbf.inet.0 so that the
instance's default route via 172.19.1.2 can be resolved, and inet.0 keeps its own default route via 172.18.1.1.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

QUESTION 47
You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote user. Regarding this scenario, which three statements are correct? (Choose three.)

A. You must use preshared keys.
B. IKE aggressive mode must be used.
C. Only predefined proposal sets can be used.
D. Only policy-based VPNs are supported.
E. You can use all methods of encryption.

Answer: A,B,D

Explanation:
Reference: http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-v12.pdf

QUESTION 48
You are using destination NAT to translate the address of your HTTPS server to a private address on your SRX
Series device. You have decided to implement IDP SSL decryption. Upon enabling the decryption, you notice
sessions are not decrypted.
Which action resolves the problem?

A. Replace the server SSL certificate to use the public address.
B. Reboot the SRX Series device.
C. Increase the SSL session-id-cache-timeout value to any value greater than 5000 seconds.
D. Enable the IDP sensor-configuration detector to detect address translation.

Answer: D

QUESTION 49
What are two configurable routing instance types? (Choose two.)

A. IPsec
B. VPLS
C. GRE
D. VRF

Answer: B,D

QUESTION 50
You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?

A. You can use SCEP to accomplish this behavior.
B. You can use OCSP to accomplish this behavior.
C. You can use CRL to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.

Answer: A
Reference: Page 9, http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf

QUESTION 51
Which statement is true about Layer 2 zones when implementing transparent mode security?

A. All interfaces in the zone must be configured with the protocol family mpls.
B. All interfaces in the zone must be configured with the protocol family inet.
C. All interfaces in the zone must be configured with the protocol family bridge.
D. All interfaces in the zone must be configured with the protocol family inet6.

Answer: C

Explanation:
Reference (page 12): http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.pdf

QUESTION 52
Click the Exhibit button.

-- Exhibit --
Feb 8 10:39:40 Unable to find phase-1 policy as remote peer:2.2.2.2 is not recognized.
Feb 8 10:39:40 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=1.1.1.2) p1_remote=ipv4(any:0,[0..3]=2.2.2.2)
Feb 8 10:39:40 1.1.1.2:500 (Responder) <-> 2.2.2.2:500 { dbe1d0af - a4d6d829 f9ed3bba [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
-- Exhibit --
According to the log shown in the exhibit, you notice that the IPsec session is not establishing.
What are two reasons for this behavior? (Choose two.)

A. mismatched preshared key
B. mismatched proxy ID
C. incorrect peer address
D. mismatched peer ID

Answer: C,D

Explanation:
If the peer ID did not match, the line "Unable to find phase-1 policy as remote peer:192.168.1.60 is not recognized." would be shown.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097&pmv=print

QUESTION 53
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
You have configured an IDP policy as shown in the exhibit. The configuration commits successfully. Which
traffic will be examined for attacks?

A. only originating traffic from source to destination in a session
B. only reply traffic from destination to source in a session
C. both originating and reply traffic between hosts in a session
D. recommended traffic between the source and destination hosts

Answer: C
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/config-idp-ips-rulebase-section.html#config-idp-ips-rulebase-section

QUESTION 54
Click the Exhibit button.
Traffic is being sent from Host-1 to Host-2 through an IPsec VPN. In this process, SRX-2 is using NAT to change the destination address of Host-2 from 192.168.1.1 to 10.60.60.1. SRX-1 uses the 172.31.50.1 address for its tunnel endpoint and SRX-2 uses the 10.10.50.1 address for its tunnel endpoint.
Referring to the exhibit, which statement is true?

A. The security policy on SRX-2 must permit traffic from the 172.31.50.1 destination address.
B. The security policy on SRX-2 must permit traffic from the 10.10.50.1 destination address.
C. The security policy on SRX-2 must permit traffic from the 10.60.60.1 destination address.
D. The security policy on SRX-2 must permit traffic from the 192.168.1.1 destination address.

Answer: C

QUESTION 55
What are three advantages of group VPNs? (Choose three.)

A. Supports any-to-any member connectivity.
B. Provides redundancy with cooperative key servers.
C. Eliminates the need for full mesh VPNs.
D. Supports translating private to public IP addresses.
E. Preserves original IP source and destination addresses.

Answer: A,C,E

Explanation:
Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf

QUESTION 56
Click the Exhibit button.
user@host# run show security flow session
...
Session ID: 28, Policy name: allow/5, Timeout: 2, Valid
In: 172.168.1.2/24800 --> 66.168.100.100/8001; tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 64
Out: 10.168.100.1/8001 --> 172.168.1.2/24800; tcp, If: ge-0/0/6.0, Pkts: 1, Bytes: 40
Your customer is unable to reach your HTTP server that is connected to the ge-0/0/6 interface. The HTTP
server has an address of 10.168.100.1 on port 80 internally, but is accessed publicly using interface ge-0/0/3
with the address 66.168.100.100 on port 8001.
Referring to the exhibit, what is causing this problem?

A. The traffic is originated with incorrect IP address from the customer.
B. The traffic is translated with the incorrect IP address for the HTTP server.
C. The traffic is translated with the incorrect port number for the HTTP server.
D. The traffic is originated with the incorrect port number from the customer.

Answer: C

QUESTION 57
For an SRX chassis cluster in transparent mode, which action occurs to signal a high availability failover to
neighboring switches?

A. the SRX chassis cluster generates Spanning Tree messages
B. the SRX chassis cluster generates gratuitous ARPs
C. the SRX chassis cluster flaps the former active interfaces
D. the SRX chassis cluster uses IP address monitoring

Answer: C
Reference: http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA246&lpg=PA246&dq=the+SRX+chassis+cluster+flaps+the+former+active+interfaces&source=bl&ots=_eDe_vRMyw&sig=x-Px98kZEi4hZvGflcoybABdMRQ&hl=en&sa=X&ei=iMLzUcDSLcfRrQeQw4CYCA&ved=0CEAQ6AEwBA#v=onepage&q=flap&f=false

QUESTION 58
You are asked to deploy a group VPN between various sites associated with your company. The gateway
devices at the remote locations are SRX240 devices.
Which two statements about the new deployment are true? (Choose two.)

A. The networks at the various sites must use NAT.
B. The participating endpoints in the group VPN can belong to a chassis cluster.
C. The networks at the various sites cannot use NAT.
D. The participating endpoints in the group VPN cannot be part of a chassis cluster.

Answer: C,D

Explanation:
Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide_v1.2.pdf

QUESTION 59
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
Referring to the exhibit, which two statements are true? (Choose two.)

A. Packets may get fragmented.
B. The tunnel automatically fragments packets based on MTU discovery.
C. The Phase 2 association will never expire.
D. The Phase 2 association will expire without traffic.

Answer: A,D

QUESTION 60
You are asked to ensure that your IPS engine blocks attacks. You must ensure that your system continues to
drop additional malicious traffic without additional IPS processing for up to 30 minutes. You must ensure that
the SRX Series device does send a notification packet when the traffic is dropped.
Which statement is correct?

A. Use the IP-Block action.
B. Use the Drop Packet action.
C. Use the Drop Connection action.
D. Use the IP-Close action.

Answer: D

QUESTION 61
Somebody has inadvertently configured several security policies with application firewall rule sets on an SRX device. These security policies are now dropping traffic that should be allowed. You must find and remove the application firewall rule sets that are associated with these policies. Which two commands allow you to view these associations? (Choose two.)

A. show security policies
B. show services application-identification application-system-cache
C. show security application-firewall rule-set all
D. show security policies application-firewall

Answer: A,D
Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/application-firewall-configuring.html

QUESTION 62
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
You receive complaints from users that their Web browsing sessions keep dropping prematurely. Upon investigation, you find that the IDP policy shown in the exhibit is detecting the users' sessions as HTTP:WIN-CMD:WIN-CMD-EXE attacks, even though their sessions are not actual attacks. You must allow these sessions but still inspect for all other relevant attacks.
How would you configure your SRX device to meet this goal?

A. Create a new security policy that allows HTTP for all users and does not apply IDP.
B. Modify the security policy to add an application exception.
C. Modify the IDP policy to delete this particular attack from the IDP rulebase.
D. Modify the IDP policy to add an exempt rulebase rule to not inspect for this attack.

Answer: D

QUESTION 63
You are asked to implement the AppFW feature on an SRX Series device.
Which three tasks must be performed to make the feature work? (Choose three.)

A. Configure a firewall filter that includes the application-firewall policy.
B. Install an IPS license.
C. Install an AppSecure license.
D. Configure a security policy that includes the application-firewall policy.
E. Configure an application-firewall policy.

Answer: C,D,E

QUESTION 64
Click the Exhibit button.
user@host> show bgp summary logical-system LSYS1
Groups: 11 Peers: 10 Down peers: 1
Table Tot. Paths Act Paths Suppressed History Damp State Pending
inet.0 141 129 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.64.12 65008 11153 11459 0 26 3d 3:10:43 9/10/10/0 0/0/0/0
192.168.72.12 65009 11171 11457 0 26 3d 3:10:39 11/12/12/0 0/0/0/0
192.168.80.12 65010 9480 9729 0 27 3d 3:10:42 11/12/12/0 0/0/0/0
192.168.88.12 65011 11171 11457 0 25 3d 3:10:31 12/13/13/0 0/0/0/0
192.168.96.12 65012 9479 9729 0 26 3d 3:10:34 12/13/13/0 0/0/0/0
192.168.10.12 65013 111689 11460 0 27 3d 3:10:46 9/10/10/0 0/0/0/0
192.168.11.12 65014 111688 11458 0 25 3d 3:10:42 9/10/10/0 0/0/0/0
192.168.12.12 65015 111687 11457 0 25 3d 3:10:38 9/10/10/0 0/0/0/0
192.68.11.12 650168 9478 9729 0 25 3d 3:10:42 9/10/10/0 0/0/0/0
192.168.13.12 65017 111687 11457 0 27 3d 3:10:30 9/10/10/0 0/0/0/0
192.168.16.12 65017 111687 11457 0 27 1w3d2h Connect
user@host> show interfaces ge-0/0/7.0 extensive
Logical interface ge-0/0/7.0 (Index 76) (SNMP ifIndex 548) (Generation 141)
...
Security: Zone: log
Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
Flow Statistics:
Flow Input statistics:
Self packets: 0
ICMP packets: 0
VPN packets: 0
Multicast packets: 0
Bytes permitted by policy: 0
Connections established: 0
Flow Output statistics:
Multicast packets: 0
Bytes permitted by policy: 0
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 589723
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding: 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1500, Generation: 1685, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.5.123/24, Local: 10.5.123.3, Broadcast: 10.5.123.255, Generation: 156
Protocol multiservice, MTU: Unlimited, Generation: 1686, Route table: 0
Policer: Input: __default_arp_policer__
...
An SRX Series device has been configured with a logical system LSYS1. One of the BGP peers is down.
Referring to the exhibit, which statement explains this problem?

A. The LSYS license only allows up to ten BGP peerings.
B. The maximum number of allowed flows is set too low.
C. The allocated memory is not sufficient for this LSYS.
D. The minimum number of flows is set too high.

Answer: B

QUESTION 65
You recently implemented application firewall rules on an SRX device to act upon encrypted traffic. However,
the encrypted traffic is not being correctly identified.
Which two actions will help the SRX device correctly identify the encrypted traffic? (Choose two.)

A. Enable heuristics to detect the encrypted traffic.
B. Disable the application system cache.
C. Use the junos:UNSPECIFIED-ENCRYPTED application signature.
D. Use the junos:SPECIFIED-ENCRYPTED application signature.

Answer: A,C
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/encrypted-p2p-heuristics-detection.html

QUESTION 66
You must configure a central SRX device connected to two branch offices with overlapping IP address space. The branch office connections to the central SRX device must reside in separate routing instances. Which two components are required? (Choose two.)

A. virtual routing instance
B. forwarding instance
C. static NAT
D. persistent NAT

Answer: A,C

Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21286

QUESTION 67
Which three match condition objects are required when creating IPS rules? (Choose three.)

A. attack objects
B. address objects
C. terminal objects
D. IP action objects
E. zone objects

Answer: A,B,E
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42453.html#understand-rule-match-cond-section

QUESTION 68
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
Host A cannot resolve the www.target.host.com Web page when using its configured DNS server. As shown in
the exhibit, Host A's configured DNS server and the Web server hosting the www.target.host.com Web page are
in the same subnet. You have verified bidirectional reachability between Host A and the Web server hosting the
Web page.
What would cause this behavior on the SRX device in Company B's network?

A. DNS replication is enabled.
B. DNS doctoring is enabled.
C. DNS replication is disabled.
D. DNS doctoring is disabled.

Answer: D
Reference: http://www.trapezenetworks.com/techpubs/en_US/junos12.2/topics/concept/dns-alg-nat-doctoring-overview.html

QUESTION 69
You have installed a new IPS license on your SRX device and successfully downloaded the attack signature database. However, when you run the command to install the database, the database fails to install. What are two reasons for the failure? (Choose two.)

A. The file system on the SRX device has insufficient free space to install the database.
B. The downloaded signature database is corrupt.
C. The previous version of the database must be uninstalled first.
D. The SRX device does not have the high memory option installed.

Answer: A,B

Explanation:
We do not need to uninstall the previous version of the database before installing the new one, as the existing database can be updated in place.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16491. Also, the high memory option is a licensed feature.
The only reasons for failure are that there is no space left or that the downloaded file is corrupted because the download was interrupted by a loss of Internet connectivity.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23359

QUESTION 70
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
TCP traffic sourced from Host A destined for Host B is being redirected using filter-based forwarding to use the
Red network. However, return traffic from Host B destined for Host A is using the Blue network and getting
dropped by the SRX device.
Which action will resolve the issue?

A. Enable asynchronous-routing under the Blue zone.
B. Configure ge-0/0/1 to belong to the Red zone.
C. Disable RPF checking.
D. Disable TCP sequence checking.

Answer: B
Reference:https://kb.juniper.net/InfoCenter/index?page=content&id=KB21046

QUESTION 71
What is the default action for an SRX device in transparent mode to determine the outgoing interface for an
unknown destination MAC address?

A. Perform packet flooding.
B. Send an ARP query.
C. Send an ICMP packet with a TTL of 1.
D. Perform a traceroute request.

Answer: A
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/understand-l2-forwarding-tables-section.html

QUESTION 72
In the IPS packet processing flow on an SRX Series device, when does application identification occur?

A. before fragmentation processing
B. after protocol decoding
C. before SSL decryption
D. after attack signature matching

Answer: A

QUESTION 73
Click the Exhibit button.
[edit security application-firewall]
user@host# show
rule-sets web {
rule one {
match {
dynamic-application junos:HTTP;
}
then {
permit;
}
}
default-rule {
reject;
}
}
What will happen to non-HTTP traffic that matches the application-firewall policy shown in the exhibit?

A. It will be denied because this is a blacklist policy.
B. It will be dropped and an error will be sent to the source.
C. It will be silently dropped.
D. It will be allowed because this is a whitelist policy.

Answer: C

QUESTION 74
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
An attacker is using a nonstandard port for HTTP for reconnaissance into your network.
Referring to the exhibit, which two statements are true? (Choose two.)

A. The IPS engine will not detect the application due to the nonstandard port.
B. The IPS engine will detect the application regardless of the nonstandard port.
C. The IPS engine will perform application identification until the session is established.
D. The IPS engine will perform application identification until it processes the first 256 bytes of the packet.

Answer: B,D
Reference: https://www.juniper.net/techpubs/en_US/idp/topics/example/simple/intrusion-detection-prevention-idp-rulebase-default-service-usage.html

QUESTION 75
How does the SRX5800, in transparent mode, signal failover to the connected switches?

A. It initiates spanning-tree BPDUs.
B. It sends out gratuitous ARPs.
C. It flaps the impaired interfaces.
D. It uses an IP address monitoring configuration.

Answer: B

QUESTION 76
Click the Exhibit button.
IPv6 to IPv4 addresses are not being translated as shown in the exhibit.
Which two configurations would resolve the problem? (Choose two.)

A. set security nat natv6v4 no-6-frag-header
B. set security nat proxy-arp interface ge-0/0/0.0
C. set security nat source port-randomization disable
D. set security nat proxy-ndp interface ge-0/0/1.0

Answer: D

QUESTION 77
Microsoft has altered the way their Web-based Hotmail application works. You want to update your application
firewall policy to correctly identify the altered Hotmail application.
Which two steps must you take to modify the application? (Choose two.)

A. user@srx> request services application-identification application copy junos:HOTMAIL
B. user@srx> request services application-identification application enable junos:HOTMAIL
C. user@srx# edit services custom application-identification my:HOTMAIL
D. user@srx# edit services application-identification my:HOTMAIL

Answer: A,D
Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-summary/request-services-application-identification-application.html

QUESTION 78
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
In the exhibit, the SRX device has hosts connected to interfaces ge-0/0/1 and ge-0/0/6. The devices are not able to ping each other. What is causing this behavior?

A. The interfaces must be in trunk mode.
B. The interfaces need to be configured for Ethernet switching.
C. The default security policy does not apply to transparent mode.
D. A bridge domain has not been defined.

Answer: D

QUESTION 79
Click the Exhibit button.
[edit]
user@host# run show log debug
Feb3 22:04:31 22:04:31.824294:CID-0:RT:flow_first_policy_search: policy search from zone host-> zone attacker (0x0,0xe4089404,0x17)
Feb3 22:04:31 22:04:31.824297:CID-0:RT:Policy lkup: vsys 0 zone(9:host) -> zone(10:attacker) scope: 0
Feb3 22:04:31 22:04:31.824770:CID-0:RT:5.0.0.25/59028 -> 25.0.0.25/23 proto 6
Feb3 22:04:31 22:04:31.824778:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope: 0
Feb3 22:04:31 22:04:31.824780:CID-0:RT:5.0.0.25/59028 -> 25.0.0.25/23 proto 6
Feb3 22:04:31 22:04:31.824783:CID-0:RT: app 10, timeout 1800s, curr ageout 20s
Feb3 22:04:31 22:04:31.824785:CID-0:RT: permitted by policy default-policy-00(2)
Feb3 22:04:31 22:04:31.824787:CID-0:RT: packet passed, Permitted by policy.
Feb3 22:04:31 22:04:31.824790:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Feb3 22:04:31 22:04:31.824834:CID-0:RT:flow_first_src_xlate: incoming src port is: 38118
Which two statements are true regarding the output shown in the exhibit? (Choose two.)

A. The packet does not match any user-configured security policies.
B. The user has configured a security policy to allow the packet.
C. The log is showing the first path packet flow.
D. The log shows the reverse flow of the session.

Answer: C

QUESTION 80
Click the Exhibit button.
user@host> show log message
Feb4 00:04:17 host rpd[4516]: EVENT <UpDown> st0.0 index 76 <Up Broadcast Multicast>
Feb4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x8d5816fd, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb4 00:04:17 host rpd[4516]: EVENT UpDown st0.0 index 76 10.10.10.1/24 > (null) <Up Broadcast Multicast>
Feb4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.3, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x77f07d5c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-1 from 192.168.10.3 is up. Local-ip: 192.168.10.1, gateway name: spoke-1, vpn name: to-spoke-1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.10.10.3, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.3, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:11,[0..7]=0.0.0.0/0)
Feb4 00:04:17 host mib2d[1385]: SNMP_TRAP_LINK_UP: ifIndex 539, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Feb4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x2790a42c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb4 00:04:17 host kmd[1391]: KMD_PM_SA_ESTABLISHED: Local gateway: 192.168.10.1, Remote gateway: 192.168.10.5, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x2df17ea8, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Feb4 00:04:17 host kmd[1391]: KMD_VPN_UP_ALARM_USER: VPN to-spoke-3 from 192.168.10.5 is up. Local-ip: 192.168.10.1, gateway name: spoke-3, vpn name: to-spoke-3, tunnel-id: 131076, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 192.168.10.1, Remote IKE-ID: 192.168.10.5, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Feb4 00:04:17 host kmd[1391]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: to-spoke-2 Gateway: spoke-2, Local: 192.168.10.1/500, Remote: 192.168.10.4/500, Local IKE-ID: Not-Available, Remote Not-Available, VR-ID: 0
Referring to the exhibit, which statement is correct?

A. The phase 1 security association for the to-spoke-3 VPN is failing.
B. The phase 2 security association for the to-spoke-1 VPN is failing.
C. The phase 2 security association for the to-spoke-3 VPN is failing.
D. The phase 1 security association for the to-spoke-2 VPN is failing.

Answer: B

QUESTION 81
You are asked to implement IPsec tunnels between your SRX devices located at various locations. You will use the public key infrastructure (PKI) to verify the identification of the endpoints. What are two certificate enrollment options available for this deployment? (Choose two.)

A. Manually generating a PKCS10 request and submitting it to an authorized CA.
B. Dynamically generating and sending a certificate request to an authorized CA using OCSP.
C. Manually generating a CRL request and submitting that request to an authorized CA.
D. Dynamically generating and sending a certificate request to an authorized CA using SCEP.

Answer: A,D
Reference: Page 9, http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf

QUESTION 82
You are asked to establish a hub-and-spoke IPsec VPN using your SRX Series device as the hub. All of your spoke devices are third-party devices.
Which statement is correct?

A. You must create a policy-based VPN on the hub device when peering with third-party devices.
B. You must always peer using loopback addresses when using non-Junos devices as your spokes.
C. You must statically configure the next-hop tunnel binding table entries for each of the third-party spoke
devices.
D. You must ensure that you are using aggressive mode when incorporating third-party devices as your spokes.

Answer: C

QUESTION 83
Click the Exhibit button.
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
Application-cache: off
nested-application-cache: on
cache-unknown-result: on
cache-entry-timeout: 3600 seconds
You are using the application identification feature on your SRX Series device. The help desk reports that users
are complaining about slow Internet connectivity. You issue the command shown in the exhibit.
What must you do to correct the problem?

A. Modify the configuration with the delete services application-identification no-application-system-cache command and commit the change.
B. Modify the configuration with the delete services application-identification no-clear-application-system-cache command and commit the change.
C. Reboot the SRX Series device.
D. Modify the configuration with the delete services application-identification no-application-identification command and commit the change.

Answer: B

QUESTION 84
Which statement is true about NAT?

A. When you implement destination NAT, the router does not apply ALG services.
B. When you implement destination NAT, the router skips source NAT rules for the initiating traffic flow.
C. When you implement static NAT, each packet must go through a route lookup.
D. When you implement static NAT, the router skips destination NAT rules for the initiating traffic flow.

Answer: D

Explanation: The NAT type determines the order in which NAT rules are processed.
During the first packet processing for a flow, NAT rules are applied in the following order:
- Static NAT rules
- Destination NAT rules
- Route lookup
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42804.html

QUESTION 85
Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show
security-package {
url https://services.netscreen.com/cgi-bin/index.cgi;
automatic {
start-time "2012-12-11.01:00:00 +0000";
interval 120;
enable;
}
}
-- Exhibit --
You have configured your SRX device to download and install attack signature updates as shown in the exhibit.
You discover that updates are not being downloaded.
What are two reasons for this behavior? (Choose two.)

A. No security policy is configured to allow the SRX device to contact the update server.
B. The SRX device does not have a DNS server configured.
C. The management zone interface does not have an IP address configured.
D. The SRX device has no Internet connectivity.

Answer: B,D

Explanation:
The configuration is correct. The only reason is that the SRX device is not able to connect to the definition server.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16491

QUESTION 86
What are two network scanning methods? (Choose two.)

A. SYN flood
B. ping of death
C. ping sweep
D. UDP scan

Answer: C,D

Explanation:
The question is about network scanning, so the correct answers are ping sweep and UDP scan, as both are port scanning types.
Reference: http://althing.cs.dartmouth.edu/local/Network_Scanning_Techniques.pdf

QUESTION 87
What are the three types of attack objects used in an IPS engine? (Choose three.)

A. signature
B. chargen
C. compound
D. component
E. anomaly

Answer: A,C,E
Reference:http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-idp-
rulebase-attack-object-using.html

QUESTION 88
You want to implement a hub-and-spoke VPN topology using a single logical interface on the hub. Which st0 interface configuration is correct for the hub device?

A. [edit interfaces]
user@srx# show
st0 {
    multipoint unit 0 {
        family inet {
            address 10.10.10.1/24;
        }
    }
}
B. [edit interfaces]
user@srx# show
st0 {
    unit 0 {
        family inet {
            address 10.10.10.1/24;
        }
    }
}
C. [edit interfaces]
user@srx# show
st0 {
    unit 0 {
        point-to-point;
        family inet {
            address 10.10.10.1/24;
        }
    }
}
D. [edit interfaces]
user@srx# show
st0 {
    unit 0 {
        multipoint;
        family inet {
            address 10.10.10.1/24;
        }
    }
}

Answer: D

Explanation:
multipoint is a property of the logical unit (st0.0), not of the physical st0 interface, so A is not valid syntax. A point-to-point unit (B and C; point-to-point is the default) can be bound to only one IPsec VPN. A multipoint unit lets every spoke VPN bind to the same st0.0, and the hub maps each spoke to its tunnel with the next-hop tunnel binding (NHTB) table.
Reference: http://junos.com/techpubs/en_US/junos12.1/topics/example/ipsec-hub-and-spoke-configuring.html

QUESTION 89
Which two configuration components are required for enabling transparent mode on an SRX device? (Choose two.)

A. IRB
B. bridge domain
C. interface family bridge
D. interface family ethernet-switching

Answer: B,C
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421

QUESTION 90
You are asked to configure class of service (CoS) on an SRX device running in transparent mode. Which
command would you use?

A. set interfaces ge-0/0/0 unit 0 classifiers dscp priority-app
B. set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp priority-app
C. set class-of-service interfaces ge-0/0/0 unit 0 classifiers ieee-802.1 priority-app
D. set interfaces ge-0/0/0 unit 0 classifiers inet-precedence priority-app

Answer: C
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23234

QUESTION 91
Click the Exhibit button.
[edit security idp-policy test]
user@host# show
rulebase-ips {
    rule R3 {
        match {
            source-address any;
            destination-address any;
            attacks {
                predefined-attacks FTP:USER:ROOT;
            }
        }
        then {
            action {
                recommended;
            }
        }
        terminal;
    }
    rule R4 {
        match {
            source-address any;
            destination-address any;
            attacks {
                predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
            }
        }
        then {
            action {
                recommended;
            }
        }
    }
}
You have just committed the new IDP policy shown in the exhibit. However, you notice that no action is taken on traffic matching the R4 IDP rule.
Which two actions will resolve the problem? (Choose two.)

A. Change the R4 rule to match on a predefined attack group.
B. Insert the R4 rule above the R3 rule.
C. Delete the terminal statement from the R3 rule.
D. Change the IPS rulebase to an exempt rulebase.

Answer: B,C

Explanation:
A terminal rule ends rule processing for any traffic that matches its source, destination and application, whether or not its attack object matched. R3 is terminal and matches any source and any destination, so every session stops at R3 and R4 is never evaluated. Either remove terminal from R3, or move R4 above it (insert security idp idp-policy test rulebase-ips rule R4 before rule R3). Changing the attack match (A) or moving the rule into the exempt rulebase (D) does not change the rule order.

QUESTION 92
Click the Exhibit button.
-- Exhibit --
[session close log generated by the application firewall rule set HTTP; image not reproduced]
-- Exhibit --
Referring to the exhibit, the session close log was generated by the application firewall rule set HTTP.
Why did the session close?

A. The application identification engine was unable to determine which application was in use, which caused
the SRX device to close the session.
B. The host with the IP address of 192.168.1.123 received a TCP segment with the FIN flag set from the host
with the IP address of 65.197.244.218.
C. The SRX device was unable to determine the user and role in the allotted time, which caused the session to
close.
D. The host with the IP address of 192.168.1.123 sent a TCP segment with the FIN flag set to the host with the
IP address of 65.197.244.218.

Answer: D
Reference:http://netscreen.com/techpubs/software/junos/junos92/syslog-messages/download/rt.pdf

QUESTION 93
Click the Exhibit button.
[edit]
user@host# run show log debug
Feb 3 22:04:32 22:04:31.983991:CID-0:RT:ge-0/0/1.0:5.0.0.25/59028->25.0.0.25/23, tcp, flag 18
Feb 3 22:04:32 22:04:31.983997:CID-0:RT: find flow: table 0x582738c0, hash 53561(0xffff), sa 5.0.0.25, da 25.0.0.25, sp 59028, dp 23, proto 6, tok 20489
Feb 3 22:04:32 22:04:31.984004:CID-0:RT:Found: session id 0x14f98. sess tok 20489
Feb 3 22:04:32 22:04:31.984005:CID-0:RT: flow got session.
Feb 3 22:04:32 22:04:31.984006:CID-0:RT: flow session id 85912
Feb 3 22:04:32 22:04:31.984009:CID-0:RT: vector bits 0x2 vector 0x53a949e8
Feb 3 22:04:32 22:04:31.984012:CID-0:RT: tcp sec check.
Feb 3 22:04:32 22:04:31.984015:CID-0:RT:mbuf 0x4a82cd80, exit nh 0xa0010
Which two statements are true regarding the output shown in the exhibit? (Choose two.)

A. The outgoing interface is ge-0/0/1.0.
B. The packet is subject to fast-path packet processing.
C. The packet is part of the first-packet path processing.
D. TCP sequence checking is enabled.

Answer: B,D

Explanation:
The session lookup succeeds ("Found: session id", "flow got session"), so this packet belongs to an existing session and takes the fast path; a first packet shows "no session found, start first path" followed by the flow_first_ policy, route and NAT steps. "tcp sec check" is the TCP sequence-number check. ge-0/0/1.0 in the first line is the ingress interface of the packet; the egress next hop is the one shown as "exit nh".
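Worked example, added for this edition and not part of the exam material: the flow traceoptions configuration that produces output like the exhibit, with packet filters so that only the telnet flow between 5.0.0.25 and 25.0.0.25 is traced. The file name debug matches the exhibit; the filter names telnet-in and telnet-return are assumed.

```junos
security {
    flow {
        traceoptions {
            file debug size 10m files 3;
            /* basic-datapath logs the first-packet and fast-path decisions.
               Without a packet-filter it traces every flow and floods the file. */
            flag basic-datapath;
            packet-filter telnet-in {
                protocol tcp;
                source-prefix 5.0.0.25/32;
                destination-prefix 25.0.0.25/32;
                destination-port 23;
            }
            /* Filters are ORed, so a second one catches the return direction. */
            packet-filter telnet-return {
                protocol tcp;
                source-prefix 25.0.0.25/32;
                destination-prefix 5.0.0.25/32;
                source-port 23;
            }
        }
    }
}

/* Reproduce the problem, then read only the lines that decide the packet's
   fate. "no session found, start first path" marks a first packet; "flow got
   session" marks the fast path. */
user@host> clear log debug
user@host> show security flow session destination-port 23
user@host> show log debug | match "no session found|flow got session|tcp sec check|denied|drop"

/* Remove the trace when finished; it costs CPU on every filtered packet. */
user@host# deactivate security flow traceoptions
user@host# commit
```

Leave the packet filters as narrow as the problem allows; a trace with no filter on a busy box can itself cause the drops you are investigating.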

QUESTION 94
Which configuration statement would allow the SRX Series device to match a signature only on the first match,
and not subsequent signature matches in a connection?

A. user@host# set security idp idp-policy test rulebase-ips rule 1 then action recommended
B. user@host# set security idp idp-policy test rulebase-ips rule 1 then action ignore-connection
C. user@host# set security idp idp-policy test rulebase-ips rule 1 then action no-action
D. user@host# set security idp idp-policy test rulebase-ips rule 1 then action drop-connection

Answer: B

QUESTION 95
What are two intrusion protection mechanisms available on SRX Series Services Gateways? (Choose two.)

A. routing update detection


B. traffic anomaly detection
C. NAT anomaly protection
D. DoS protection

Answer: B,D

Explanation:
The SRX IPS feature set includes traffic anomaly detection (for example, port and address scans) and protection against DoS and DDoS floods. It does not inspect routing updates or NAT state.
Reference: http://www.juniper.net/in/en/products-services/software/router-services/ips/

QUESTION 96
Which two are required for the SRX device to perform DNS doctoring? (Choose two.)

A. DNS ALG
B. dns-doctoring stanza
C. name-server
D. static NAT

Answer: A,D

Explanation:
DNS doctoring rewrites the A-record answer in a DNS reply so that it matches an existing static NAT mapping; hosts on each side of the NAT then receive the address that is reachable from their side. It requires the DNS ALG, which inspects the reply, and a static NAT rule that supplies the mapping. Doctoring is an option of the DNS ALG (set security alg dns doctoring) rather than a separate stanza, and the device's own name-server setting plays no part.
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-alg-dns.pdf

QUESTION 97
You configured a custom signature attack object to match specific components of an attack:
HTTP-request
Pattern .*\x90 90 90 90
Direction: client-to-server
Which client traffic would be identified as an attack?

A. HTTP GET .*\x90 90 90 90
B. HTTP POST .*\x90 90 90 90
C. HTTP GET .*x909090 90
D. HTTP POST .*x909090 90

Answer: A
Reference: http://www.juniper.net/techpubs/en_US//idp/topics/task/configuration/intrusion-detection-
prevention-signature-attack-object-creating-nsm.html

QUESTION 98
Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability). Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:17.322751 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.328895 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.332956 In arp who-has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the
traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the
logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?

A. The server is in the wrong VLAN.
B. The server has been misconfigured with the wrong IP address.
C. The firewall has been misconfigured with the incorrect routing-instance.
D. The firewall has a filter enabled to block traffic from the server.

Answer: C

QUESTION 99
An SRX Series device is configured for inline tap mode.
What will occur if Drop Packet is selected?

A. The SRX Series device drops a matching packet before it can reach its destination but does not close the
connection.
B. The SRX Series device will ignore the action Drop Packet.
C. The SRX Series device closes the connection and sends an RST packet to both the client and the server.
D. The SRX Series device drops a matching packet associated with the connection, preventing traffic for the
connection from reaching its destination.

Answer: D

QUESTION 100
Click the Exhibit button.
[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}
ge-0/0/10 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}
[edit]
user@host# show bridge-domains
d1 {
    domain-type bridge;
    vlan-id 20;
}
[edit]
user@host# show security flow bridge
[edit]
user@host# show security zones
security-zone 12 {
    host-inbound-traffic {
        system-services {
            any-service;
        }
    }
    interfaces {
        ge-0/0/1.0;
        ge-0/0/10.0;
    }
}
Referring to the exhibit, which statement is true?

A. Packets sent to the SRX Series device are sent to the RE.
B. Packets sent to the SRX Series device are discarded.
C. Only frames that have a VLAN ID of 20 are accepted.
D. Only frames that do not have any VLAN tags are accepted.

Answer: C

QUESTION 101
Click the Exhibit button.
Best Material, Great Results. www.certkingdom.com 47
Juniper JN0-633

user@host> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3271043  UP     7f42284089404673  95fd8408940438d8  Main  172.31.50.2
user@host> show security ipsec security-associations
Total active tunnels: 0
user@host> show log phase2
Feb 2 14:21:18 host kmd[1088]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
Feb 2 14:21:18 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)
Feb 2 14:21:54 host kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
Feb 2 14:22:19 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)
You have recently configured an IPsec VPN between an SRX Series device and another non-Junos security
device. The phase one tunnel is up but the phase two tunnel is not present.
Referring to the exhibit, what is the cause of this problem?

A. preshared key mismatch
B. mode mismatch
C. proposal mismatch
D. proxy-ID mismatch

Answer: D

Explanation:
Phase 1 is UP, so the preshared key, the mode and the IKE proposal are fine. The KMD_VPN_TS_MISMATCH messages show that the peer proposed the traffic selectors 2.2.2.2 and 1.1.1.1 and that the SRX has no matching proxy ID for vpn-1. The single "No proposal chosen" line on its own could point to a Phase 2 proposal mismatch, but the explicit traffic-selector mismatch logged before and after it identifies the cause. A route-based VPN without an explicit proxy-identity offers 0.0.0.0/0 on both sides, which a policy-based peer from another vendor rejects.
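Worked example, added for this edition and not part of the exam material: the proxy-identity that makes vpn-1 match the traffic selectors the peer proposes in the exhibit, followed by the commands that confirm the Phase 2 SA. The example assumes, from the labels in the KMD log, that local-ip is reported from the SRX's own side, so 2.2.2.2 becomes the local proxy ID and 1.1.1.1 the remote one; if the peer's encryption domain is configured the other way round, swap the two. The IPsec policy name ipsec-pol and the st0.0 binding are assumed.

```junos
security {
    ipsec {
        vpn vpn-1 {
            bind-interface st0.0;
            ike {
                gateway gate-1;
                /* With IKEv1 a VPN carries exactly one proxy-ID pair, and it
                   must mirror the peer's exactly. Assumed orientation: see the
                   lead-in; the peer's configuration is the authority. */
                proxy-identity {
                    local 2.2.2.2/32;
                    remote 1.1.1.1/32;
                    service any;
                }
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
    }
}

/* Force a fresh negotiation and confirm that the identities now agree. */
user@host> clear security ipsec security-associations
user@host> clear security ike security-associations
user@host> show security ipsec security-associations
user@host> show security ipsec security-associations detail | match "Identity"
user@host> show log phase2 | match "TS_MISMATCH|No proposal"
```

If the peer protects several subnets, IKEv1 needs one vpn object (one proxy-ID pair) per subnet pair; one 0.0.0.0/0 pair only works when the peer is also route-based.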

QUESTION 102
You want requests from the same internal transport address to be mapped to the same external transport address.
Only internal hosts can initialize the session.
Which Junos configuration setting supports the requirements?

A. any-remote-host
B. target-host
C. source-host
D. address-persistent

Answer: D

Explanation:
The address-persistent option makes source NAT map a given internal address to the same external address across all of its sessions, while still allowing only internal hosts to initiate. The persistent NAT permit options (any-remote-host, target-host, target-host-port) instead allow external hosts to initiate sessions back through the mapping, which the requirement excludes.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html

QUESTION 103
You are using logical systems to segregate customers. You have a requirement to enable communication between the logical systems. What are two ways to accomplish this goal? (Choose two.)

A. Use a shared DMZ zone to connect the logical systems together.
B. Use a virtual tunnel (vt-) interface to connect the logical systems together.
C. Use an external cable to connect the ports from the two logical systems.
D. Use an interconnect LSYS to connect the logical systems together.

Answer: C,D

Explanation:
Reference :http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-
collections/security/software-all/logical-systems-config/index.html?topic-53861.html

QUESTION 104
Click the Exhibit button.
{primary:node0}[edit security idp idp-policy test-ips-policy]
user@host# show
rulebase-ips {
    rule r1 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
        terminal;
    }
    rule r2 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r3 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "TELNET - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r4 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
    }
}
A user with IP address 172.301.100 initiates an FTP session to a host with IP address 10.100.1.50 through an SRX Series device and is subject to the IPS policy shown in the exhibit.
If the user tries to execute the cd ~root command, which statement is correct?

A. The FTP command will be denied with the offending packet dropped and the session will be closed by the
SRX device.
B. The FTP command will be denied with the offending packet dropped and the rest of the
FTP session will be inspected by the IPS policy.
C. The FTP command will be allowed to execute and the rest of the FTP session will be ignored by the IPS
policy.
D. The FTP command will be allowed to execute but any other attacks executed during the session will be
inspected.

Answer: D
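Worked example, added for this edition and not part of the exam material or Juniper's documentation, covering the rule-ordering questions above (the terminal rule in QUESTION 91 and the ordered no-action rules in QUESTION 104): the "test" policy from QUESTION 91 rewritten so that both rules are reached, an exempt rulebase that suppresses one attack for one host instead of silencing it with no-action for everyone, and the security policy that sends traffic into IDP. The address 10.100.1.50 is taken from QUESTION 104; the zone names and the address-book name ftp-server are assumed.

```junos
security {
    address-book {
        global {
            address ftp-server 10.100.1.50/32;
        }
    }
    idp {
        idp-policy test {
            rulebase-ips {
                /* Rules are evaluated top-down. "terminal" stops evaluation for
                   any traffic that matches a rule's source, destination and
                   application, whether or not its attack matched, so neither
                   any/any rule below is terminal and the narrower rule is first. */
                rule R4 {
                    match {
                        source-address any;
                        destination-address any;
                        attacks {
                            predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule R3 {
                    match {
                        source-address any;
                        destination-address any;
                        attacks {
                            predefined-attacks FTP:USER:ROOT;
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
            /* Exempt rulebase: a known false positive against one server is
               excluded here, which keeps the attack active for every other
               destination, unlike a no-action rule matched on source only. */
            rulebase-exempt {
                rule no-root-fp {
                    match {
                        source-address any;
                        destination-address ftp-server;
                        attacks {
                            predefined-attacks FTP:USER:ROOT;
                        }
                    }
                }
            }
        }
        active-policy test;
    }
    policies {
        /* IDP only inspects sessions that a policy hands to it. */
        from-zone trust to-zone untrust {
            policy idp-inspect {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ftp junos-http ];
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
    }
}

/* Verify that the policy compiled and loaded, then watch the attack table. */
user@host> show security idp policy-commit-status
user@host> show security idp status
user@host> show security idp attack table
```

After editing rule order in an existing policy, use insert (for example insert security idp idp-policy test rulebase-ips rule R4 before rule R3) rather than deleting and re-adding rules, so that the rule names referenced by log tooling stay stable.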

QUESTION 105
Click the Exhibit button.
-- Exhibit --
[application firewall configuration intended to block YouTube streaming; image not reproduced]
-- Exhibit --
You have been asked to block YouTube video streaming for internal users. You have implemented the
configuration shown in the exhibit, however users are still able to stream videos.
What must be modified to correct the problem?

A. The application firewall rule needs to be applied to an IDP policy.
B. You must create a custom application to block YouTube streaming.
C. The application firewall rule needs to be applied to the security policy.
D. You must apply the dynamic application to the security policy.

Answer: C
Reference:http://www.redelijkheid.com/blog/2013/5/10/configure-application-firewalling-on

QUESTION 106
You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office is a chassis cluster formed from two SRX240s. Which two statements about this deployment are true? (Choose two.)

A. You must remove the SRX240s from the chassis cluster before enabling the dynamic VPNs.
B. The remote clients can run Windows XP, Windows Vista, Windows 7, or OS X operating systems.
C. If more than two dynamic VPN tunnels are required, you must purchase and install a new license.
D. The remote users can be authenticated by the SRX240s or a configured RADIUS server.

Answer: C,D

Explanation:
Reference :http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf

QUESTION 107
You are deploying a standalone SRX650 in transparent mode for evaluation purposes in a potential client's network. The client will need to access the device to modify security policies and perform other various configurations. Where would you configure a Layer 3 interface to meet this requirement?

A. fxp0.0
B. vlan.1
C. irb.1
D. ge-0/0/0.0

Answer: C
Reference: http://safetynet.trapezenetworks.com/techpubs/en_US/junos12.1/information-products/topic-
collections/security/software-all/layer-2/index.html?topic-52755.html
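Worked example, added for this edition and not part of the exam material or Juniper's documentation, bringing together the transparent-mode questions above (QUESTION 89, QUESTION 90, QUESTION 100 and QUESTION 107): the bridge domain and family bridge interfaces that put the SRX in Layer 2 mode, the IRB unit that gives the client a management address on that bridge domain, the 802.1p classifier that is the only CoS classifier available in transparent mode, and the Layer 2 zones and policy. The addresses, zone names and the forwarding-class mapping are assumed.

```junos
interfaces {
    /* Access port facing the servers, trunk port facing the upstream switch. */
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 20;
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 20;
            }
        }
    }
    /* The only Layer 3 interface in transparent mode: irb.N attached to a
       bridge domain. Assumed management address. */
    irb {
        unit 1 {
            family inet {
                address 192.168.20.254/24;
            }
        }
    }
}
bridge-domains {
    d1 {
        domain-type bridge;
        vlan-id 20;
        routing-interface irb.1;
    }
}
class-of-service {
    /* Transparent mode supports only the IEEE 802.1p classifier (KB23234
       above); a dscp or inet-precedence classifier is rejected here. */
    classifiers {
        ieee-802.1 priority-app {
            forwarding-class expedited-forwarding {
                loss-priority low code-points 101;
            }
        }
    }
    interfaces {
        ge-0/0/10 {
            unit 0 {
                classifiers {
                    ieee-802.1 priority-app;
                }
            }
        }
    }
}
security {
    zones {
        security-zone l2-inside {
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone l2-outside {
            interfaces {
                ge-0/0/10.0;
            }
        }
        /* Management terminates on irb.1, so host-inbound services belong on
           this zone, not on the bridged ports. */
        security-zone mgmt {
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                irb.1;
            }
        }
    }
    policies {
        from-zone l2-inside to-zone l2-outside {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

user@host> show bridge domain
user@host> show bridge mac-table
user@host> show security flow session
```

On branch SRX platforms the first commit that introduces family bridge switches the device from Layer 3 to Layer 2 mode and requires a reboot before forwarding works; plan the evaluation window accordingly.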

QUESTION 108
Your management has a specific set of Web-based applications that certain employees are allowed to use.
Which two SRX Series device features would be used to accomplish this task? (Choose two.)

A. UserFW
B. IDP
C. AppFW
D. firewall filter

Answer: A,C

Explanation:
Restricting a set of Web applications to particular employees needs two things: application identification to recognize the applications regardless of port (AppFW) and user identification to tie the permission to who is logged in (UserFW, the user role firewall). IDP looks for attacks rather than application permissions, and a stateless firewall filter sees only addresses and ports.

QUESTION 109
Which statement is true regarding dual-stack lite?

A. The softwire is an IPv4 tunnel over an IPv6 network.
B. The softwire initiator (SI) encapsulates IPv6 packets in IPv4.
C. The softwire concentrator (SC) decapsulates softwire packets.
D. SRX devices support the softwire concentrator and softwire initiator functionality.

Answer: C
Reference:http://www.juniper.net/techpubs/en_US/junos/topics/concept/ipv6-ds-lite-overview.html

QUESTION 110
Your company's network has seen an increase in Facebook-related traffic. You have been asked to restrict the
amount of Facebook-related traffic to less than 100 Mbps regardless of congestion.
What are three components used to accomplish this task? (Choose three.)

A. IDP policy
B. application traffic control
C. application firewall
D. security policy
E. application signature

Answer: B,D,E

Explanation:
Rate limiting an application is done with AppQoS (application traffic control): an application signature identifies the Facebook traffic, an application-traffic-control rule set applies a rate limiter to it, and that rule set is attached to the security policy that permits the traffic. An IDP policy defines how the device inspects and acts on attacks; it does not limit rate. Application firewall enforces permit or deny decisions per application at Layer 7; it does not limit rate either.
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/idp-policy-overview-section.html
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/application-firewall-overview.html

QUESTION 111
Your company has added a connection to a new ISP and you have been asked to send specific traffic to the new ISP. You have decided to implement filter-based forwarding. You have configured new routing instances with type forwarding. You must direct traffic into each instance. Which step would accomplish this goal?

A. Add a firewall filter to the ingress interface that specifies the intended routing instance as the action.
B. Create a routing policy to direct the traffic to the required forwarding instances.
C. Configure the ingress and egress interfaces in each forwarding instance.
D. Create a static default route for each ISP in inet.0, each pointing to a different forwarding instance.

Answer: A

Explanation:
Reference :http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

QUESTION 112
Click the Exhibit button.
-- Exhibit --
[SRX3600 active/passive chassis cluster in transparent mode; image not reproduced]
-- Exhibit --
Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent
mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?

A. all traffic including non-IP traffic
B. any IP traffic
C. only TCP and UDP traffic
D. only BPDU traffic

Answer: D

QUESTION 113
What is a benefit of using a dynamic VPN?

A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.
B. It eliminates the need for point-to-point VPN tunnels.
C. It provides a way to grant VPN access on a per-user-group basis.
D. It simplifies IPsec access for remote clients.

Answer: D
Reference:http://tutarticle.com/networking/benefits-of-dynamic-multipoint-vpn-dmvpn/

QUESTION 114
You have an existing group VPN established in your internal network using the group-id 1. You have been asked to configure a second group using the group-id 2. You must ensure that the key server for group 1 participates in group 2 but is not the key server for that group. Which statement is correct regarding the group configuration on the current key server for group 1?

A. You must configure both groups at the [edit security ipsec vpn] hierarchy.
B. You must configure both groups at the [edit security group-vpn member] hierarchy.
C. You must configure both groups at the [edit security ike] hierarchy.
D. You must configure both groups at the [edit security group-vpn] hierarchy.

Answer: D
Reference: http://www.jnpr.net/techpubs/en_US/junos11.4/information-products/topic-
collections/security/software-all/security/index.html?topic-45791.html

QUESTION 115
Click the Exhibit button.
Traffic is flowing between the Host-1 and Host-2 devices through a hub-and-spoke IPsec VPN. All devices are
SRX Series devices.
Referring to the exhibit, which two statements are correct? (Choose two.)

A. Traffic is encrypted on the Hub device.
B. Traffic is encrypted on the Spoke-2 device.
C. Traffic is not encrypted on the Spoke-2 device.
D. Traffic is not encrypted on the Hub device.

Answer: D

QUESTION 116
Where does the AppSecure suite of functions occur in the security flow process on an SRX Series device?

A. services
B. security policy
C. NAT
D. session initiation

Answer: A

QUESTION 117
Which two statements are true about persistent NAT? (Choose two.)

A. The permit target-host-port statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.
B. The permit target-host statement allows an external host to initiate a session to an internal host on any port, provided the internal host previously sent a packet to the external host.
C. Port overloading must be enabled for interface-based persistent NAT.
D. Port overloading must be disabled for interface-based persistent NAT.

Answer: B,D

Explanation:
With target-host, an external host that the internal host has already contacted may reach the internal host on any port; target-host-port restricts it to the specific port the internal host used, so A describes target-host rather than target-host-port. Interface-based persistent NAT requires port overloading to be turned off (set security nat source interface port-overloading off).
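Worked example, added for this edition and not part of the exam material or Juniper's documentation, for the persistent NAT questions above (this one and QUESTION 102): a pool-based rule with permit target-host, an interface-based rule with permit target-host-port and port overloading switched off, address-persistent for the "same internal address, same external address" requirement, and the inbound policy without which the permitted reverse sessions are still dropped. All addresses, zone, pool and rule names are assumed.

```junos
security {
    nat {
        source {
            /* Every session from one internal address uses the same external
               address (QUESTION 102). Only internal hosts initiate. */
            address-persistent;
            /* Interface-based persistent NAT cannot coexist with port
               overloading, so it is turned off globally. */
            interface {
                port-overloading off;
            }
            pool pnat-pool {
                address {
                    203.0.113.10/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                /* Pool-based: an external host that was contacted may open a
                   new session back to the internal host on any port. */
                rule pnat-pool-rule {
                    match {
                        source-address 10.0.0.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                pnat-pool;
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 600;
                                    max-session-number 30;
                                }
                            }
                        }
                    }
                }
                /* Interface-based: only the exact port the internal host used
                   may be contacted back (target-host-port). */
                rule pnat-if-rule {
                    match {
                        source-address 10.0.1.0/24;
                    }
                    then {
                        source-nat {
                            interface {
                                persistent-nat {
                                    permit target-host-port;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address internal-hosts 10.0.0.0/23;
            }
        }
    }
    policies {
        /* The binding only reserves the mapping; the inbound session is still
           subject to policy, matched after reverse NAT on the internal address. */
        from-zone untrust to-zone trust {
            policy pnat-return {
                match {
                    source-address any;
                    destination-address internal-hosts;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

/* Bindings appear after the first outbound session and persist for the
   inactivity-timeout once the last session closes. */
user@host> show security nat source persistent-nat-table all
user@host> show security nat source rule all
```

Keep the inbound policy as narrow as the application allows; target-host is a deliberate hole in the stateful model, and a permit-all return policy turns it into an open listener for every contacted peer.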

QUESTION 118
You want to route traffic between two newly created virtual routers without the use of logical systems using the configuration options on the SRX5800.
Which two methods of forwarding, between virtual routers, would you recommend? (Choose two.)

A. Use a static route to forward traffic across virtual routers using the next-table option. Enable the return route by using a RIB group.
B. Create static routes in each virtual router using the next-table command.
C. Use a RIB group to share the internal routing protocol routes from the master routing instance.
D. Connect a direct cable between two physical interfaces, one in each virtual router, and use static routes with the next-hop command.

Answer: A,D

Explanation:
A next-table static route in one direction works, but a second next-table route pointing back at the first table is rejected at commit ("next-table may loop"), so the return path has to come from a RIB group or instance-import (A) or from a physical or logical tunnel link between the two routers (D). Sharing routes from the master instance (C) does not connect the two virtual routers to each other.

QUESTION 119
Click the Exhibit button.
-- Exhibit --
security {
    nat {
        destination {
            pool Web-Server {
                address 10.0.1.5/32;
            }
            rule-set From-Internet {
                from zone Untrust;
                rule To-Web-Server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 172.16.1.7/32;
                    }
                    then {
                        destination-nat pool Web-Server;
                    }
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
-- Exhibit --
You are migrating from one external address block to a different external address block. You want to enable a
smooth transition to the new address block. You temporarily want to allow external users to contact the Web
server using both the existing external address as well as the new external address 192.168.1.1.
How do you accomplish this goal?

A. Add address 192.168.1.1/32 under [edit security nat destination pool Web-Server].
B. Change the address Web-Server-Ext objects to be address-set objects that include both addresses.
C. Change the destination address under [edit security nat destination rule-set From-Internet rule To-Web-Server match] to include both 172.16.1.7/32 and 192.168.1.2/32.
D. Create a new rule for the new address in the [edit security nat destination rule-set From-Internet] hierarchy.

Answer: D

Explanation:
The pool holds the translated (internal) address, so adding 192.168.1.1 there would change where traffic is sent rather than add a second external address (A). The NAT rule does not reference the address-book objects (B), and C names the wrong address (192.168.1.2). A second destination NAT rule that matches 192.168.1.1/32 and points at the same pool lets both external addresses reach the server during the migration.
Reference:http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-source-and-
destination-nat-translation-configuring.html

QUESTION 120
What is a benefit of using a group VPN?

A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.
B. It eliminates the need for point-to-point VPN tunnels.
C. It provides a way to grant VPN access on a per-user-group basis.
D. It simplifies IPsec access for remote clients.

Answer: B

Explanation:
Reference: Page 4, http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf

QUESTION 121
Which statement is true regarding destination NAT?

A. Destination NAT changes the content of the source IP address field.
B. Destination NAT changes the content of the destination IP address field.
C. Destination NAT matches on the destination IP address and changes the source IP address.
D. Destination NAT matches on the destination IP address and changes the source port.

Answer: B

QUESTION 122
A local user complains that they cannot connect to an FTP server on the DMZ network. You investigate and
confirm that the security policy allows FTP traffic from the trust zone to the DMZ zone.
What are two reasons for this problem? (Choose two.)

A. The FTP server has no route back to the local network.
B. No route is configured to the DMZ network.
C. No security policy exists for traffic from the DMZ zone to the trust zone.
D. The FTP ALG is disabled.

Answer: A,D

QUESTION 123
In which situation is NAT proxy NDP required?

A. when translated addresses belong to the same subnet as the ingress interface
B. when filter-based forwarding and static NAT are used on the same interface
C. when working with static NAT scenarios
D. when the security device operates in transparent mode

Answer: A

Explanation:
Proxy ARP (IPv4) and proxy NDP (IPv6) are needed when the addresses used for NAT (a source pool, the match address of a destination NAT rule, or a static NAT address) are in the same subnet as the ingress interface but are not configured on the device. Without a proxy entry the SRX does not answer ARP or neighbor solicitation for those addresses, so the upstream router never forwards the packets to it. The requirement is not specific to static NAT (C), to filter-based forwarding (B) or to transparent mode (D).
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-nat.pdf
Reference: http://www.juniper.net/techpubs/en_US/junos-space12.2/topics/concept/junos-space-security-designer-whiteboard-nat-overview.html
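Worked example, added for this edition and not part of the exam material or Juniper's documentation, serving the two NAT questions above: the second destination NAT rule from QUESTION 119 that keeps 172.16.1.7 working while 192.168.1.1 is introduced, the proxy-arp entry that QUESTION 123 asks about, and the policy that the translated traffic still has to pass. The example assumes that 192.168.1.1 lies in the subnet of ge-0/0/0.0 without being configured on it (hence the proxy-arp), and the IPv6 proxy-ndp address 2001:db8:1::7 is an assumed illustration of the same mechanism.

```junos
security {
    nat {
        destination {
            pool Web-Server {
                address 10.0.1.5/32;
            }
            rule-set From-Internet {
                from zone Untrust;
                /* Existing external address, kept during the migration. */
                rule To-Web-Server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 172.16.1.7/32;
                    }
                    then {
                        destination-nat pool Web-Server;
                    }
                }
                /* New external address: a second rule pointing at the same
                   pool. Putting 192.168.1.1 into the pool would change the
                   internal target instead of adding an external address. */
                rule To-Web-Server-New {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.1.1/32;
                    }
                    then {
                        destination-nat pool Web-Server;
                    }
                }
            }
        }
        /* Assumed: 192.168.1.1 is in the ge-0/0/0.0 subnet but not configured
           on it, so the SRX must answer ARP for it or nothing arrives. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    192.168.1.1/32;
                }
            }
        }
        /* IPv6 equivalent (assumed address) for a NAT address in the
           on-link prefix of the ingress interface. */
        proxy-ndp {
            interface ge-0/0/0.0 {
                address {
                    2001:db8:1::7/128;
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            address-book {
                address Web-Server-External-New 192.168.1.1/32;
            }
        }
    }
    policies {
        /* Policy lookup runs after destination NAT, so the policy matches the
           internal (translated) address, not either external one. */
        from-zone Untrust to-zone DMZ {
            policy allow-web {
                match {
                    source-address any;
                    destination-address Web-Server-Internal;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}

/* Both rules should show hits once clients use the new address. */
user@host> show security nat destination rule all
user@host> show security nat destination pool all
user@host> show security flow session destination-prefix 10.0.1.5
```

Once DNS has moved and the old rule's translation hits stay at zero for a full TTL cycle, delete To-Web-Server and its proxy-arp entry (if any) rather than leaving an unused external address that answers ARP.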

QUESTION 124
Your company provides managed services for two customers. Each customer has been segregated within its
own routing instance on your SRX device. Customer A and customer B inform you that they need to be able to
reach certain hosts on each other's network.
Which two configuration settings would be used to share routes between these routing instances? (Choose two.)

A. routing-group
B. instance-import
C. import-rib
D. next-table

Answer: B,D

Explanation:
Reference :http://aconaway.com/2013/03/02/junos-logical-tunnel-interfaces-with-virtual-routers/

QUESTION 125
Two companies, A and B, are connected as separate customers on an SRX5800 residing on two virtual routers
(VR-A and VR-B). These companies have recently been merged and now operate under a common IT security
policy. You have been asked to facilitate communication between these VRs. Which two methods will
accomplish this task? (Choose two.)

A. Use instance-import to share the routes between the two VRs.
B. Create logical tunnel interfaces to interconnect the two VRs.
C. Use a physical connection between VR-A and VR-B to interconnect them.
D. Create a static route using the next-table action in both VRs.

Answer: A,B

Explanation:
Routes can be leaked between the instances with instance-import (or a RIB group), or the instances can be joined by a pair of logical tunnel (lt-) interfaces, one in each VR, with ordinary static routes across them; a physical loopback cable does the same at the cost of two ports. A next-table static route in both directions is rejected at commit because the two tables would point at each other ("next-table may loop"), so D does not work as described.
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21260
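Worked example, added for this edition and not part of the exam material or Juniper's documentation, for the virtual-router questions above (QUESTION 118, QUESTION 124 and this one): a next-table static route from VR-A into VR-B's table, the instance-import policy that supplies the return path without a second next-table route, and the inter-zone policies that the leaked routes do not replace. Prefixes, interfaces, zone and policy names are assumed.

```junos
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.20.0.1/24;
            }
        }
    }
}
routing-instances {
    VR-A {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            static {
                /* Forward lookup for company B's prefix happens in VR-B's table. */
                route 10.20.0.0/16 next-table VR-B.inet.0;
            }
        }
    }
    VR-B {
        instance-type virtual-router;
        interface ge-0/0/2.0;
        routing-options {
            /* Return path: import VR-A's connected routes. A second next-table
               route back into VR-A.inet.0 would fail the commit check. */
            instance-import from-VR-A;
        }
    }
}
policy-options {
    policy-statement from-VR-A {
        term connected {
            from {
                instance VR-A;
                protocol direct;
                route-filter 10.10.0.0/16 orlonger;
            }
            then accept;
        }
        then reject;
    }
}
security {
    zones {
        security-zone zone-A {
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone zone-B {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        /* Leaked routes only make the hosts reachable; the zone policy still
           decides what is allowed. Assumed: SSH only, both directions. */
        from-zone zone-A to-zone zone-B {
            policy a-to-b {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        from-zone zone-B to-zone zone-A {
            policy b-to-a {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
}

/* Each table must hold the other side's prefix before flows can be set up. */
user@host> show route table VR-A.inet.0 10.20.0.0/16
user@host> show route table VR-B.inet.0 10.10.0.0/16
```

If the two customers later need dynamic routing between them, replace the next-table and instance-import pair with lt- interfaces and run the protocol across them; route leaking with policies is easy to get subtly wrong as prefixes change.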

QUESTION 126
You have just created a few hundred application firewall rules on an SRX device and applied them to the
appropriate firewall polices. However, you are concerned that the SRX device might become overwhelmed with
the increased processing required to process traffic through the application firewall rules.
Which three actions will help reduce the amount of processing required by the application firewall rules?
(Choose three.)

A. Use stateless firewall filtering to block the unwanted traffic.
B. Implement AppQoS to drop the unwanted traffic.
C. Implement screen options to block the unwanted traffic.
D. Implement IPS to drop the unwanted traffic.
E. Use security policies to block the unwanted traffic.

Answer: A,C,E

Explanation:
IPS and AppDoS are the most powerful, and thus, the least efficient method of dropping traffic on the SRX,
because IPS and AppDoS tend to take up the most processing cycles.
Reference :http://answers.oreilly.com/topic/2036-how-to-protect-your-network-with-security-tools-for-junos/

QUESTION 127
You are asked to implement a point-to-multipoint hub-and-spoke topology in a mixed vendor environment. The hub device is running the Junos OS and the spoke devices are different vendor devices. Regarding this scenario, which statement is correct?

A. The NHTB table must be statically defined.
B. The NHTB table is automatically created during Phase 2.
C. The NHTB table is automatically created during Phase 1.
D. The NHTB table must be imported from each spoke.

Answer: A

Explanation:
The hub uses the next-hop tunnel binding (NHTB) table to map each spoke's st0 address to the IPsec VPN that reaches it. Between Junos devices the entries are exchanged automatically during Phase 2; a spoke from another vendor cannot supply them, so the hub's entries for those spokes are configured statically under the st0 unit (next-hop-tunnel).
Reference: http://www.juniper.net/techpubs/en_US/junos/topics/example/vpn-hub-spoke-nhtb-example-configuring.html
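Worked example, added for this edition and not part of the exam material or Juniper's documentation, for the hub-side questions above (the multipoint st0 unit from QUESTION 88 and the static NHTB entry from this question): the hub's multipoint st0.0, one spoke VPN bound to it with a static next-hop-tunnel entry because that spoke is not a Junos device, and the route to the spoke's LAN via the spoke's st0 address. The st0 addressing follows QUESTION 88; the spoke's public address 198.51.100.11, its LAN 192.168.2.0/24, the pre-shared key and the policy names are assumed.

```junos
interfaces {
    st0 {
        unit 0 {
            /* One logical tunnel interface shared by every spoke. */
            multipoint;
            family inet {
                address 10.10.10.1/24;
                /* Static NHTB entry: spoke-1 does not run Junos and cannot
                   exchange NHTB entries during Phase 2, so the hub is told
                   which VPN reaches 10.10.10.2. Junos spokes need no entry. */
                next-hop-tunnel 10.10.10.2 ipsec-vpn vpn-spoke1;
            }
        }
    }
}
routing-options {
    static {
        /* Spoke-1 LAN (assumed), reached through the spoke's st0 address. */
        route 192.168.2.0/24 next-hop 10.10.10.2;
    }
}
security {
    ike {
        policy ike-pol {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "change-me-before-commit";
        }
        gateway gw-spoke1 {
            ike-policy ike-pol;
            address 198.51.100.11;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec-pol {
            proposal-set standard;
        }
        vpn vpn-spoke1 {
            bind-interface st0.0;
            ike {
                gateway gw-spoke1;
                /* Third-party spokes usually insist on explicit proxy IDs. */
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 192.168.2.0/24;
                    service any;
                }
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
}

/* The NHTB table shows each spoke address, its VPN and whether the entry is
   static or learned; the SA table confirms the tunnel is up. */
user@host> show security ipsec next-hop-tunnels
user@host> show security ipsec security-associations
```

Each additional spoke is another gateway and vpn object bound to the same st0.0; spoke-to-spoke traffic is decrypted on the hub, policy-checked within the vpn zone, and re-encrypted toward the other spoke.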

QUESTION 128
Click the Exhibit button
[edit security]
user@host# show policies
global {
    policy new-policy {
        match {
            source-address any;
            destination-address any;
            application junos-https;
        }
        then {
            permit {
                application-services {
                    application-firewall {
                        rule-set appfw;
                    }
                }
            }
        }
    }
}
[edit security]
user@host# show application-firewall
rule-sets appfw {
    rule 1 {
        match {
            dynamic-application junos:SSL;
        }
        then {
            permit;
        }
    }
    rule 2 {
        match {
            dynamic-application junos:HTTP;
        }
        then {
            reject;
        }
    }
    default-rule {
        permit;
    }
}
Referring to the exhibit, which two statements are correct? (Choose two.)

A. HTTP traffic is permitted.
B. HTTP traffic is dropped.
C. HTTPS traffic is permitted.
D. HTTPS traffic is dropped.

Answer: B,C

QUESTION 129
Click the Exhibit button.
-- Exhibit --
[network diagram with the employee segment, ISP1 and ISP2; image not reproduced]
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You
want to forward all Web traffic to ISP1 and all other traffic to ISP2. While troubleshooting, you change your
filter to forward all traffic to ISP1. However, no traffic is sent to ISP1.
What is causing this behavior?

A. The filter is applied to the wrong interface.
B. The filter should use the next-hop action instead of the routing-instance action.
C. The filter term does not have a required from statement.
D. The filter term does not have the accept statement.

Answer: A
Reference:http://kb.juniper.net/InfoCenter/index?page=content&id=KB24821
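Worked example, added for this edition and not part of the exam material or Juniper's documentation, for the filter-based forwarding questions above (QUESTION 111 and this one): two forwarding instances, the RIB group that gives them the interface routes they need to resolve their next hops, the filter that sends Web traffic to ISP1 and everything else to ISP2, and the filter applied on the ingress (employee-facing) interface, which is the point of this question. Addresses and names are assumed.

```junos
interfaces {
    /* Employee-facing interface: the filter goes here, on ingress. Applying it
       to an ISP-facing interface would act on return traffic, not on the
       employees' outbound packets. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input fbf;
                }
                address 10.0.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 203.0.113.2/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 198.51.100.2/24;
            }
        }
    }
}
routing-instances {
    ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 203.0.113.1;
            }
        }
    }
    ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 198.51.100.1;
            }
        }
    }
}
routing-options {
    /* Copy the direct (interface) routes into both forwarding tables so the
       default routes' next hops resolve there. */
    interface-routes {
        rib-group inet fbf-rg;
    }
    rib-groups {
        fbf-rg {
            import-rib [ inet.0 ISP1.inet.0 ISP2.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter fbf {
            term web {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    count web-to-isp1;
                    /* routing-instance is a terminating action; no accept needed. */
                    routing-instance ISP1;
                }
            }
            term other {
                then {
                    count other-to-isp2;
                    routing-instance ISP2;
                }
            }
        }
    }
}

/* The counters tell you whether packets are reaching the filter at all; the
   tables tell you whether the next hops resolved. */
user@host> show firewall filter fbf
user@host> show route table ISP1.inet.0
user@host> show route table ISP2.inet.0
```

The filter only chooses the table; zone policies and source NAT (typically interface NAT per ISP-facing interface) still apply to the flow in the usual order.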

QUESTION 130
You are performing AppSecure traffic processing to enforce AppFW.
What happens when traffic matching an established security session is newly detected as a different application?

A. The security processing facility of the data plane re-examines the whitelist or blacklist referenced in the
security policy to see if the new application is permitted.
B. The newly detected application will not be permitted and session will be torn down unless a specific match
exists against the exempt rulebase.
C. Zone-based firewall rules will be re-parsed to determine if a rule exists that permits the newly detected
application.
D. The application will not be permitted if doing so would violate the session limit in the screen properties applied to that zone.

Answer: B

QUESTION 131
Referring to the following output, which command would you enter in the CLI to produce this result?
Pic2/1
Ruleset        Application  Client-to-server  Rate(bps)  Server-to-client  Rate(bps)
http-App-QoS   HTTP         ftp-C2S           200        ftp-C2S           200
http-App-QoS   HTTP         ftp-C2S           200        ftp-C2S           200
ftp-App-QoS    FTP          ftp-C2S           100        ftp-C2S           100

A. show class-of-service interface ge-2/1/0
B. show interface flow-statistics ge-2/1/0
C. show security flow statistics
D. show class-of-service applications-traffic-control statistics rate-limiter

Answer: D

Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/reference/command-summary/show-class-of-service-application-traffic-control-statistics-rate-limiter.html

QUESTION 132
The IPsec VPN on your SRX Series device establishes both the Phase 1 and Phase 2 security associations.
Users are able to pass traffic through the VPN. During peak VPN usage times, users complain about decreased
performance. Network connections outside of the VPN are not seriously impacted.
Which two actions will resolve the problem? (Choose two.)

A. Lower the MTU size on the interface to reduce the likelihood of packet fragmentation.
B. Verify that NAT-T is not disabled in the properties of the phase 1 gateway.
C. Lower the MSS setting in the security flow stanza for IPsec VPNs.
D. Verify that the PKI certificate used to establish the VPN is being properly verified using either the CRL or OCSP.

Answer: A,C

QUESTION 133
Click the Exhibit button.
root@host# show system login
user user {
    uid 2000;
    class operator;
    authentication {
        encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA
    }
}
An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down. The administrator is a contractor and has the permissions on the SRX Series device as shown in the exhibit.
Which command set would allow the administrator to troubleshoot the cause for the VPN being down?

A. set security ipsec traceoptions file ipsec
   set security ipsec traceoptions flag security-associations
B. set security ike traceoptions file ike
   set security ike traceoptions flag ike
C. request security pki verify-integrity-status
D. request security ike debug-enable local <ip of the local gateway> remote <ip of the remote gateway>

Answer: C

QUESTION 134
You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster. Which two statements about the deployment are true? (Choose two.)

A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.
B. The remote clients must install client software to establish a tunnel with the corporate network.
C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.
D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.

Answer: B,D

Explanation:
Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf

QUESTION 135
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
You must configure two SRX devices to enable bidirectional communications between the two networks shown
in the exhibit. You have been allocated the 172.16.1.0/24 and 172.16.2.0/24 networks to use for this purpose.
Which configuration will accomplish this task?

A. Use an IPsec VPN to connect the two networks and hide the addresses from the Internet.
B. Using destination NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and translate traffic
destined to 172.16.2.0/24 to Site2's addresses.
C. Using source NAT, translate traffic from Site1's addresses to 172.16.1.0/24, and translate traffic from Site2's
addresses to 172.16.2.0/24.
D. Using static NAT, translate traffic destined to 172.16.1.0/24 to Site1's addresses, and translate traffic
destined to 172.16.2.0/24 to Site2's addresses.

Answer: D

Explanation:
To examine bidirectional communication you need multiple packet filters, one for each direction.
Reference: http://my.safaribooksonline.com/book/networking/junos/9781449381721/security-policy/troubleshooting_security_policy_and_traf

QUESTION 136
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
Referring to the exhibit, which feature allows the hosts in the Trust and DMZ zones to route to either ISP, based
on source address?

A. source NAT
B. static NAT
C. filter-based forwarding
D. source-based routing

Answer: C
Reference: http://www.juniper.net/techpubs/en_US/junos12.2/topics/example/logical-systems-filter-based-forwarding.html

QUESTION 137
You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your
network consists of SRX240s and SRX5600s.
Regarding this scenario, which two statements are true? (Choose two.)

A. You must enable data plane logging on the SRX240 devices to generate security policy logs.
B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.
C. IKE logs are written to the kmd log file by default.
D. IPsec logs are written to the kmd log file by default.

Answer: B,D
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506
http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf

QUESTION 138
Click the Exhibit button.
-- Exhibit --
[edit security]
user@srx# show idp
application-ddos Webserver {
    service http;
    connection-rate-threshold 1000;
    context http-get-url {
        hit-rate-threshold 60000;
        value-hit-rate-threshold 30000;
        time-binding-count 10;
        time-binding-period 25;
    }
}
-- Exhibit --
You are using AppDoS to protect your network against a bot attack, but noticed an approved application has
falsely triggered the configured IDP action of drop. You adjusted your AppDoS configuration as shown in the
exhibit. However, the approved traffic is still dropped.
What are two reasons for this behavior? (Choose two.)

A. The approved traffic results in 50,000 HTTP GET requests per minute.
B. The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.
C. The active IDP policy has not been defined in the security configuration.
D. The IDP action is still in effect due to the timeout configuration.

Answer: A,D
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-protection-overview.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-proctecting-against.html#appddos-proctecting-against

QUESTION 139
You are using the AppDoS feature to control against malicious bot client attacks. The bot clients are using file downloads to attack your server farm. You have configured a context value rate of 10,000 hits in 60 seconds. At which threshold will the bot clients no longer be classified as malicious?

A. 5000 hits in 60 seconds
B. 8000 hits in 60 seconds
C. 7500 hits in 60 seconds
D. 9999 hits in 60 seconds

Answer: B

Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-protection-overview.html

QUESTION 140
At which two times does the IPS rulebase inspect traffic on an SRX device? (Choose two.)

A. When traffic matches the active IDP policy.
B. When traffic first matches an IDP rule with the terminal parameter.
C. When traffic uses the application layer gateway.
D. When traffic is established in the firewall session table.

Answer: A,B
Reference: http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA814&lpg=PA814&dq=what+time+IPS+rulebase+inspects+traffic+on+SRX&source=bl&ots=_eDe_vLNBA&sig=1I4yX_S0OvkQVP-rqL273laMCyE&hl=en&sa=X&ei=nqvzUfn1Is-rrAf71oHYBA&ved=0CC4Q6AEwAQ#v=onepage&q=what%20time%20IPS%20rulebase%20inspects%20traffic%20on%20SRX&f=false

QUESTION 141
Your SRX device is performing NAT to provide an internal resource with a public address. Your DNS server is
on the same network segment as the server. You want your internal hosts to be able to reach the internal
resource using the DNS name of the resource.
How do you accomplish this goal?

A. Implement proxy ARP.
B. Implement NAT-Traversal.
C. Implement NAT hairpinning.
D. Implement persistent NAT.

Answer: A

Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/prxy-arp-nat_srx.html

QUESTION 142
You have implemented a tunnel in your network using DS-Lite. The tunnel is formed between one of the SRX devices in your network and a DS-Lite-compatible CPE device in your customer's network. Which two statements are true about this scenario? (Choose two.)

A. The SRX device will serve as the softwire initiator and the customer CPE device will serve as the softwire concentrator.
B. The SRX device will serve as the softwire concentrator and the customer CPE device will serve as the softwire initiator.
C. The infrastructure network supporting the tunnel will be based on IPv4.
D. The infrastructure network supporting the tunnel will be based on IPv6.

Answer: B,D
Reference: http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ipv6-ds-lite-overview.html

QUESTION 143
Click the Exhibit button.
-- Exhibit --
[edit forwarding-options]
user@srx240# show
packet-capture {
    file filename my-packet-capture;
    maximum-capture-size 1500;
}
-- Exhibit --
Referring to the exhibit, you are attempting to perform a packet capture on an SRX240 to troubleshoot an SSH
issue in your network. However, no information appears in the packet capture file.
Which firewall filter must you apply to the necessary interface to collect data for the packet capture?

A. [edit firewall family inet]
   user@srx240# show filter pkt-capture {
       term pkt-capture-term {
           from {
               protocol tcp;
               port ssh;
           }
           then packet-mode;
       }
       term allow-all {
           then accept;
       }
   }
B. [edit firewall family inet]
   user@srx240# show filter pkt-capture {
       term pkt-capture-term {
           from {
               protocol tcp;
               port ssh;
           }
           then {
               count packet-capture;
           }
       }
       term allow-all {
           then accept;
       }
   }
C. [edit firewall family inet]
   user@srx240# show filter pkt-capture {
       term pkt-capture-term {
           from {
               protocol tcp;
               port ssh;
           }
           then {
               routing-instance packet-capture;
           }
       }
       term allow-all {
           then accept;
       }
   }
D. [edit firewall family inet]
   user@srx240# show filter pkt-capture {
       term pkt-capture-term {
           from {
               protocol tcp;
               port ssh;
           }
           then {
               sample;
               accept;
           }
       }
       term allow-all {
           then accept;
       }
   }

Answer: D

QUESTION 144
Your manager asks you to show which attacks have been detected on your SRX Series device using the IPS
feature.
Which command would you use to accomplish this task?

A. show security idp attack detail
B. show security idp attack table
C. show security idp memory
D. show security idp counters

Answer: B

QUESTION 145
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
Referring to the exhibit, AppTrack is only logging the session closure messages for sessions that last 1 to 3
minutes.
What is causing this behavior?

A. AppTrack is not properly configured under the [edit security application-tracking] hierarchy.
B. AppTrack only generates session update messages.
C. AppTrack only generates session closure messages.
D. AppTrack generates other messages only when the update interval is surpassed.

Answer: D

Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45952.html

QUESTION 146
You have a group IPsec VPN established with a single key server and five client devices.
Regarding this scenario, which statement is correct?

A. There is one unique Phase 1 security association and five unique Phase 2 security associations used for this
group.
B. There is one unique Phase 1 security association and one unique Phase 2 security association used for this
group.
C. There are five unique Phase 1 security associations and five unique Phase 2 security associations used for
this group.
D. There are five unique Phase 1 security associations and one unique Phase 2 security association used for this
group.

Answer: D

Explanation:
Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf

QUESTION 147
You are asked to apply individual upload and download bandwidth limits to YouTube traffic.
Where in the configuration would you create the necessary bandwidth limits?

A. under the [edit security application-firewall] hierarchy
B. under the [edit security policies] hierarchy
C. under the [edit class-of-service] hierarchy
D. under the [edit firewall policer <policer-name>] hierarchy

Answer: D

Explanation:
Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/Need-help-with-bandwidth-uploading-downloading-polcier/td-p/146666

QUESTION 148
Which QoS function is supported in transparent mode?

A. 802.1p
B. DSCP
C. IP precedence
D. MPLS EXP

Answer: A
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch06.html

QUESTION 149
Which two statements about AppQoS are true? (Choose two.)

A. AppQoS remarking supersedes interface remarking.
B. AppQoS supports forwarding class assignment.
C. AppQoS supports rate limiting.
D. AppQoS supports bandwidth reservation.

Answer: B,C

QUESTION 150
You have recently deployed a dynamic VPN. The remote users are complaining that communications with devices on the same subnet as the SRX device are intermittent and often fail. The tunnel is stable and up, and communications with remote devices on different subnets work without any issues. Which configuration setting would resolve this issue?

A. adding local-redirect at the [edit security nat] hierarchy
B. adding local-redirect at the [edit interfaces <interface-name>] hierarchy
C. adding proxy-arp at the [edit security nat] hierarchy
D. adding proxy-arp at the [edit interfaces <interface-name>] hierarchy

Answer: C

Explanation:
Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

QUESTION 151
Which two configuration statements are used to share interface routes between routing instances? (Choose two.)

A. export-rib
B. static rib-group
C. interface-routes rib-group
D. import-rib

Answer: C,D

QUESTION 152
Click the Exhibit button.
-- Exhibit --
CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/5.0
CID-0:RT: ge-0/0/5.0:10.0.0.2/55892->192.168.1.2/80, tcp, flag 2 syn
CID-0:RT: find flow: table 0x5a386c90, hash 50728(0xffff), sa 10.0.0.2, da 192.168.1.2, sp 55892, dp 80, proto 6, tok 7
CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
CID-0:RT: flow_first_create_session
CID-0:RT: flow_first_in_dst_nat: in <ge-0/0/5.0>, out <N/A> dst_adr 192.168.1.2, sp 55892, dp 80
CID-0:RT: chose interface ge-0/0/5.0 as incoming nat if.
CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.2(80)
CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.0.0.2, x_dst_ip 192.168.1.2, in ifp ge-0/0/5.0, out ifp N/A sp 55892, dp 80, ip_proto 6, tos 10
CID-0:RT:Doing DESTINATION addr route-lookup
CID-0:RT: routed (x_dst_ip 192.168.1.2) from LAN (ge-0/0/5.0 in 0) to ge-0/0/1.0, Next-hop: 172.16.32.1
CID-0:RT:flow_first_policy_search: policy search from zone LAN-> zone WAN (0x0,0xda540050,0x50)
CID-0:RT:Policy lkup: vsys 0 zone(7:LAN) -> zone(6:WAN) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
CID-0:RT: 10.0.0.2/55892 -> 192.168.1.2/80 proto 6
CID-0:RT: app 6, timeout 1800s, curr ageout 20s
CID-0:RT: packet dropped, denied by policy
CID-0:RT: denied by policy default-policy-00(2), dropping pkt
CID-0:RT: packet dropped, policy deny.
CID-0:RT: flow find session returns error.
CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
CID-0:RT:jsf sess close notify
CID-0:RT:flow_ipv4_del_flow: sess , in hash 32
-- Exhibit --
A host is not able to communicate with a Web server.
Based on the logs shown in the exhibit, what is the problem?

A. A policy is denying the traffic between these two hosts.
B. A session has not been created for this flow.
C. A NAT policy is translating the address to a private address.
D. The session table is running out of resources.

Answer: A

QUESTION 153
You are asked to design a solution to verify IPsec peer reachability with data path forwarding.
Which feature would meet the design requirements?

A. DPD over Phase 1 SA
B. DPD over Phase 2 SA
C. VPN monitoring over Phase 1 SA
D. VPN monitoring over Phase 2 SA

Answer: D

Explanation:
Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671

QUESTION 154
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
Referring to the exhibit, the application firewall configuration fails to commit. What must you do to allow the
configuration to commit?

A. Each firewall rule set must only have one rule.
B. A firewall rule set cannot mix dynamic applications and dynamic application groups.
C. The action in the rules must be different than the action in the default rule.
D. The action in the default rule must be set to deny.

Answer: C
Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/application-firewall-overview.html

QUESTION 155
Click the Exhibit button.
-- Exhibit --
user@srx> show security flow session
Session ID: 7724, Policy name: default-permit/4, Timeout: 2
  In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3
  Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2
Session ID: 18408, Policy name: default-permit/4, Timeout: 2
  In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
  Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10
-- Exhibit --
A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and a host with the
1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue
on the SRX240 using the output shown in the exhibit.
Regarding this scenario, which two statements are true? (Choose two.)

A. The sessions shown indicate interface-based NAT processing.
B. The sessions shown indicate static NAT processing.
C. ICMP traffic is passing in both directions.
D. ICMP traffic is passing in one direction.

Answer: B,C

QUESTION 156
You want to configure in-band management of an SRX device in transparent mode.
Which command is required to enable this functionality?

A. set interfaces irb unit 1 family inet address
B. set interfaces vlan unit 1 family inet address
C. set interfaces ge-0/0/0 unit 0 family inet address
D. set interfaces ge-0/0/0 unit 0 family bridge address

Answer: A
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23823

QUESTION 157
You are asked to implement an IPsec VPN between your main office and a new remote office. The remote
office receives its IKE gateway address from their ISP dynamically.
Regarding this scenario, which statement is correct?

A. Configure a fully qualified domain name (FQDN) as the IKE identity.
B. Configure the dynamic-host-address option as the IKE identity.
C. Configure the unnumbered option as the IKE identity.
D. Configure a dynamic host configuration name (DHCN) as the IKE identity.

Answer: A

QUESTION 158
You are asked to implement a monitoring feature that periodically verifies that the data plane is working across
your IPsec VPN.Which configuration will accomplish this task?

A. [edit security ike]
   user@srx# show
   policy policy-1 {
       mode main;
       proposal-set standard;
       pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
   }
   gateway my-gateway {
       ike-policy policy-1;
       address 10.10.10.2;
       dead-peer-detection;
       external-interface ge-0/0/1;
   }
B. [edit security ipsec]
   user@srx# show
   policy policy-1 {
       proposal-set standard;
   }
   vpn my-vpn {
       bind-interface st0.0;
       dead-peer-detection;
       ike {
           gateway my-gateway;
           ipsec-policy policy-1;
       }
       establish-tunnels immediately;
   }
C. [edit security ike]
   user@srx# show
   policy policy-1 {
       mode main;
       proposal-set standard;
       pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
   }
   gateway my-gateway {
       ike-policy policy-1;
       address 10.10.10.2;
       vpn-monitor;
       external-interface ge-0/0/1;
   }
D. [edit security ipsec]
   user@srx# show
   policy policy-1 {
       proposal-set standard;
   }
   vpn my-vpn {
       bind-interface st0.0;
       vpn-monitor;
       ike {
           gateway my-gateway;
           ipsec-policy policy-1;
       }
       establish-tunnels immediately;
   }

Answer: D
Reference: https://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/monitoring-and-troubleshooting/index.html?topic-59092.html

QUESTION 159
Which two statements are true about an interconnect logical system on an SRX Series device? (Choose two.)

A. VXLAN is used to switch inter-LSYS traffic.
B. The root and user LSYSs connect to the interconnect LSYS using vt interfaces.
C. VPLS is used to switch inter-LSYS traffic.
D. The root and user LSYSs connect to the interconnect LSYS using lt interfaces.

Answer: C,D

QUESTION 160
Click the Exhibit button.
-- Exhibit --
user@srx240> show route summary
Router ID:

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
              Static:      1 routes,      1 active

customer-A.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
              Static:      1 routes,      1 active

customer-B.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active
               Local:      1 routes,      1 active
                OSPF:      1 routes,      1 active
              Static:      1 routes,      1 active

customer-B.inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
              Direct:      2 routes,      2 active
               Local:      2 routes,      2 active
              Static:      1 routes,      1 active
-- Exhibit --

In the output, how many user-configured routing instances have active routes?

A. 1
B. 2
C. 3
D. 4

Answer: B
Reference: http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/command-summary/show-route-summary.html#jd0e185

QUESTION 161
You are asked to allow access to an external application for an internal host subject to address translation. The
application requires multiple sessions initiated from the internal host and expects all the sessions to originate
from the same source IP address.
Which Junos feature meets this objective?

A. destination NAT with address persistence
B. source NAT with address persistence
C. static NAT with port translation
D. interface-based persistent NAT

Answer: B

QUESTION 162
A security administrator has configured an IPsec tunnel between two SRX devices. The devices are configured with OSPF on the st0 interface and an external interface destined to the IPsec endpoint. The administrator notes that the IPsec tunnel and OSPF adjacency keep going up and down. Which action would resolve this issue?

A. Create a firewall filter on the st0 interface to permit IP protocol 89.
B. Configure the IPsec tunnel to accept multicast traffic.
C. Create a /32 static route to the IPsec endpoint through the external interface.
D. Increase the OSPF metric of the external interface.

Answer: C
Reference: http://packetsneverlie.blogspot.in/2013/03/route-based-ipsec-vpn-with-ospf.html

QUESTION 163
Click the Exhibit button.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:<1.1.1.100/51303->1.1.1.30/3389;6> matched filter MatchTraffic:
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:packet [48] ipid = 5015, @423d7e9e
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x423d7d00
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow process pak fast ifl 72 in_ifp fe-0/0/7.0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: fe-0/0/7.0:1.1.1.100/51303->1.1.1.30/3389, tcp, flag 2 syn
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: find flow: table 0x5258d7b0, hash 17008(0xffff), sa 1.1.1.100, da 1.1.1.30, sp 51303, dp 3389, proto 6, tok 448
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_create_session
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr 1.1.1.30, sp 51303, dp 3389
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_rule_dst_xlate: packet 1.1.1.100->1.1.1.30 nsp2 0.0.0.0->192.168.224.30.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_routing: call flow_route_lookup() src_ip 1.1.1.100, x_dst_ip 192.168.224.30, in ifp fe-0/0/7.0, out ifp N/A sp 51303, dp 3389, ip_proto 6, tos 0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:Doing DESTINATION addr route-lookup
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: routed (x_dst_ip 192.168.224.30) from untrust (fe-0/0/7.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.224.30
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy search from zone untrust-> zone trust
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy has timeout 900
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: app 0, timeout 1800s, curr ageout 20s
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(51303) to 192.168.224.30(3389) returns status 1, rule/pool id 1/2.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: dip id = 2/0, 1.1.1.100/51303->192.168.224.3/48810
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 192.168.224.30, rtt_idx:0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 0, policy 9, app_svc_en 0, flags 0x2. not interested
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 1, policy 9, app_svc_en 0, flags 0x2. not interested
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_service_lookup(): natp(0x51ee4680): app_id, 0(0).
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: service lookup identified service 0.
Referring to the exhibit, which two statements are correct? (Choose two.)

A. The packet being inspected is a UDP packet.
B. The incoming interface is fe-0/0/7.
C. This traffic matches an existing flow.
D. Source NAT is being used.

Answer: B,C

QUESTION 164
Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce
password expiration policies for all VPN users.
Which authentication method meets the requirement?

A. local password database
B. TACACS+
C. RADIUS
D. LDAP

Answer: D

Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17423&actp=RSS

QUESTION 165
You have initiated the download of the IPS signature database on your SRX Series device.
Which command would you use to confirm the download has completed?

A. request security idp security-package install
B. request security idp security-package download
C. request security idp security-package install status
D. request security idp security-package download status

Answer: D

QUESTION 166
You are responding to a proposal request from an enterprise with multiple branch offices. All branch offices connect to a single SRX device at a centralized location. The request requires each office to be segregated on the central SRX device with separate IP networks and security considerations. No single office should be able to starve the CPU from other branch offices on the central SRX device due to the number of flow sessions. However, connectivity between offices must be maintained. Which three features are required to accomplish this goal? (Choose three.)

A. Logical Systems
B. Interconnect Logical System
C. Virtual Tunnel Interface
D. Logical Tunnel Interface
E. Virtual Routing Instance

Answer: A,B,D

Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/logical-systems-interfaces.html
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/logical-systems-config/index.html?topic-57390.html

QUESTION 167
Your company is providing multi-tenant security services on an SRX5800 cluster. You have been asked to
create a new logical system (LSYS) for a customer. The customer must be able to access and manage new
resources within their LSYS.
How do you accomplish this goal?

A. Create the new LSYS, allocate resources, and then create the user administrator role so that the customer can
manage their allocated resources.
B. Create the new LSYS, and then create the user administrator role so that the customer can allocate and manage resources.
C. Create the new LSYS, and then create the master administrator role for the LSYS so that the customer can allocate and manage resources.
D. Create the new LSYS, then request the required resources from the customer, and create the required resources.

Answer: A

Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/logical-system-security-user-lsys-overview-configuring.html

QUESTION 168
Click the Exhibit button.
-- Exhibit --

-- Exhibit --
Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent issues with their
connection.
Referring to the exhibit, what is the problem?

A. The tunnel is down due to a configuration change.
B. The do-not-fragment bit is copied to the tunnel header.
C. The MSS option on the SYN packet is set to 1300.
D. The TCP SYN check option is disabled for tunnel traffic.

Answer: B

QUESTION 169
Click the Exhibit button.
user@host> show interfaces routing-instance all ge* terse
Interface     Admin  Link  Proto  Local             Instance
ge-0/0/0.0    up     up    inet   172.16.12.205/24  default
ge-0/0/1.0    up     up    inet   5.0.0.5/24        A
                           iso
ge-0/0/2.0    up     up    inet   25.0.0.5/24       B
                           iso

user@host> show security flow session
Session ID: 82274, Policy name: default-policy-00/2, Timeout: 1770, Valid
  In: 5.0.0.25/61935 --> 25.0.0.25/23;tcp, If: ge-0/0/1.0, Pkts: 31, Bytes: 1781
  Out: 25.0.0.25/23 --> 5.0.0.25/61935;tcp, If: ge-0/0/2.0, Pkts: 23, Bytes: 1452
Total sessions: 3

user@host> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 04:08:52
                    > to 172.16.12.1 via ge-0/0/0.0
172.16.12.0/24     *[Direct/0] 04:08:52
                    > via ge-0/0/0.0
172.16.12.205/32   *[Local/0] 4w4d 23:04:29
                      Local via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 14:37:35, metric 1
                      MultiRecv

A. inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
   + = Active Route, - = Last Active, * = Both

   5.0.0.0/24         *[Direct/0] 00:05:04
                       > via ge-0/0/1.0
   5.0.0.5/32         *[Local/0] 00:05:04
                         Local via ge-0/0/1.0
   25.0.0.0/24        *[Direct/0] 00:02:37
                       > via ge-0/0/2.0

B. inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
   + = Active Route, - = Last Active, * = Both

   5.0.0.25/32        *[Static/5] 00:02:38
                         to table A.inet.0
   25.0.0.0/24        *[Direct/0] 00:02:37
                       > via ge-0/0/2.0
   25.0.0.5/32        *[Local/0] 00:02:37
                         Local via ge-0/0/2.0
Which statement is true about the outputs shown in the exhibit?
C. The routing instances A and B are connected using an lt interface.
D. Routing instance A's routes are shared with routing instance B.
E. Routing instance B's routes are shared with routing instance A.
F. The routing instances A and B are connected using a vt interface.

Answer: C

QUESTION 170
You must ensure that your Layer 2 traffic is secured on your SRX Series device in transparent mode.

What must be considered when accomplishing this task?

A. Layer 2 interfaces must use the ethernet-switching protocol family.
B. Security policies are not supported when operating in transparent mode.
C. Screens are not supported in your security zones with transparent mode.
D. You must reboot your device after configuring transparent mode.

Answer: D

QUESTION 171
When configuring AutoVPN, which two actions are required for an administrator to establish communication
from the hub site to the spoke sites? (Choose two.)

A. Configure the next hop tunnel binding (NHTB).
B. Configure static routes from the hub to the spoke.
C. Configure a dynamic routing protocol such as BGP, OSPF, or RIP on the tunnel interfaces.
D. Create a multipoint secure tunnel interface on the hub device.

Answer: C,D

QUESTION 172
Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3289542  UP     48d928408940de28  e418fc7702fe483b  Main  172.31.50.1
3289543  UP     eb45940484082b14  428086b100427326  Main  10.10.50.1

[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec security-associations
  Total active tunnels: 2
  ID       Algorithm     SPI       Life:sec/kb  Mon  lsys  Port  Gateway
  <131073  ESP:des/sha1  6d40899b  1360/ unlim  -    root  500   10.10.50.1
  >131073  ESP:des/sha1  5a89400e  1360/ unlim  -    root  500   10.10.50.1
  <131074  ESP:des/sha1  c04046f   1359/ unlim  -    root  500   172.31.50.1
  >131074  ESP:des/sha1  5508946c  1359/ unlim  -    root  500   172.31.50.1

[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address     Interface  State  ID          Pri  Dead
10.40.60.1  st0.0      Init   10.30.50.1  128  35
10.40.60.2  st0.0      Full   10.30.50.1  128  31

[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the
hub device has one neighbor in the Init state and one neighbor in the Full state.
What would you do to resolve this problem?

A. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.
B. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.
C. Configure the st0.0 interface under OSPF as a point-to-point interface.
D. Configure the st0.0 interface under OSPF as an unnumbered interface.


Answer: B

QUESTION 173
HostA (1.1.1.1) is sending TCP traffic to HostB (2.2.2.2). You need to capture the TCP packets locally on the
SRX240. Which configuration would you use to enable this capture?

A. [edit security flow]
   user@srx# show
   traceoptions {
       file dump;
       flag basic-datapath;
   }

B. [edit security]
   user@srx# show
   application-tracking {
       enable;
   }
   flow {
       traceoptions {
           file dump;
           flag basic-datapath;
       }
   }

C. [edit firewall filter capture term one]
   user@srx# show
   from {
       source-address {
           1.1.1.1;
       }
       destination-address {
           2.2.2.2;
       }
       protocol tcp;
   }
   then {
       port-mirror;
       accept;
   }

D. [edit firewall filter capture term one]
   user@srx# show
   from {
       source-address {
           1.1.1.1;
       }
       destination-address {
           2.2.2.2;
       }
       protocol tcp;
   }
   then {
       sample;
       accept;
   }

Answer: D
Reference: http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/

QUESTION 174
What is a secure key management protocol used by IPsec?

A. AH
B. ESP
C. TCP
D. IKE


Answer: D

QUESTION 175
You have configured an IPsec VPN with traffic selectors; however, your IPsec tunnel does not appear to be
working properly.
What are two reasons for the problem? (Choose two.)

A. You have configured a remote address value of 0.0.0.0/0.
B. You are trying to use traffic selectors with policy-based VPNs.
C. You have configured 15 traffic selectors on each SRX Series device.
D. You are trying to use traffic selectors with route-based VPNs.

Answer: A,B
