You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together. What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.
You have implemented a tunnel in your network using DS-Lite. The tunnel is formed between one of the SRX devices in your network and a DS-Lite-compatible CPE device in your customer's network. Which two statements are true about this scenario? (Choose two.)
A. The SRX device will serve as the softwire initiator and the customer CPE device will serve as the softwire concentrator.
B. The SRX device will serve as the softwire concentrator and the customer CPE device will serve as the softwire initiator.
C. The infrastructure network supporting the tunnel will be based on IPv4.
D. The infrastructure network supporting the tunnel will be based on IPv6.
Your SRX device is performing NAT to provide an internal resource with a public address. Your DNS server is on the same network segment as the server. You want your internal hosts to be able to reach the internal resource using the DNS name of the resource. How do you accomplish this goal?
A. Implement proxy ARP.
B. Implement NAT-Traversal.
C. Implement NAT hairpinning.
D. Implement persistent NAT.
You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?
A. You can use SCEP to accomplish this behavior.
B. You can use OCSP to accomplish this behavior.
C. You can use CRL to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.
Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce password expiration policies for all VPN users. Which authentication method meets the requirement?
A. local password database
B. TACACS+
C. RADIUS
D. LDAP
You are asked to implement a monitoring feature that periodically verifies that the data plane is working across your IPsec VPN. Which configuration will accomplish this task?
A. [edit security ike]
user@srx# show
policy policy-1 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
    ike-policy policy-1;
    address 10.10.10.2;
    dead-peer-detection;
    external-interface ge-0/0/1;
}
B. [edit security ipsec]
user@srx# show
policy policy-1 {
    proposal-set standard;
}
vpn my-vpn {
    bind-interface st0.0;
    dead-peer-detection;
    ike {
        gateway my-gateway;
        ipsec-policy policy-1;
    }
    establish-tunnels immediately;
}
C. [edit security ike]
user@srx# show
policy policy-1 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$URiqPFnCBIc5QIcylLXUjH"; ## SECRET-DATA
}
gateway my-gateway {
    ike-policy policy-1;
    address 10.10.10.2;
    vpn-monitor;
    external-interface ge-0/0/1;
}
D. [edit security ipsec]
user@srx# show
policy policy-1 {
    proposal-set standard;
}
vpn my-vpn {
    bind-interface st0.0;
    vpn-monitor;
    ike {
        gateway my-gateway;
        ipsec-policy policy-1;
    }
    establish-tunnels immediately;
}
What are the three types of attack objects used in an IPS engine? (Choose three.)
A. signature
B. chargen
C. compound
D. component
E. anomaly
Somebody has inadvertently configured several security policies with application firewall rule sets on an SRX device. These security policies are now dropping traffic that should be allowed. You must find and remove the application firewall rule sets that are associated with these policies. Which two commands allow you to view these associations? (Choose two.)
A. show security policies
B. show services application-identification application-system-cache
C. show security application-firewall rule-set all
D. show security policies application-firewall
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
    Application-cache: off
    nested-application-cache: on
    cache-unknown-result: on
    cache-entry-timeout: 3600 seconds
You are using the application identification feature on your SRX Series device. The help desk reports that users are complaining about slow Internet connectivity. You issue the command shown in the exhibit.
What must you do to correct the problem?
A. Modify the configuration with the delete services application-identification no-application-system-cache command and commit the change.
B. Modify the configuration with the delete services application-identification no-clear-application-system-cache command and commit the change.
C. Reboot the SRX Series device.
D. Modify the configuration with the delete services application-identification no-application-identification command and commit the change.
user@host> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
3271043  UP     7f42284089404673  95fd8408940438d8  Main  172.31.50.2
user@host> show security ipsec security-associations
Total active tunnels: 0
user@host> show log phase2
Feb 2 14:21:18 host kmd[1088]: IKE negotiation failed with error: TS unacceptable. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
Feb 2 14:21:18 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)
Feb 2 14:21:54 host kmd[1088]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: vpn-1 Gateway: gate-1, Local: 172.31.50.1/500, Remote: 172.31.50.2/500, Local IKE-ID: 172.31.50.1, Remote IKE-ID: 172.31.50.2, VR-ID: 0
Feb 2 14:22:19 host kmd[1088]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: vpn-1, Peer Proposed traffic-selector local-ip: ipv4(2.2.2.2), Peer Proposed traffic-selector remote-ip: ipv4(1.1.1.1)
You have recently configured an IPsec VPN between an SRX Series device and another non-Junos security device. The phase one tunnel is up but the phase two tunnel is not present.
Referring to the exhibit, what is the cause of this problem?
A. preshared key mismatch
B. mode mismatch
C. proposal mismatch
D. proxy-ID mismatch