You want to deploy two vSRX instances in different public cloud providers to provide redundant security services for your network. Layer 2 connectivity between the two vSRX instances is not possible.
What would you configure on the vSRX instances to accomplish this task?
Your customer needs embedded security in an EVPN-VXLAN solution.
What are two benefits of adding an SRX Series device in this scenario? (Choose two.)
A. It enhances tunnel inspection for VXLAN encapsulated traffic with Layer 4-7 security services.
B. It adds extra security with the capabilities of an enterprise grade firewall in the EVPN-VXLAN underlay.
C. It adds extra security with the capabilities of an enterprise grade firewall in the EVPN-VXLAN overlay.
D. It enhances tunnel inspection for VXLAN encapsulated traffic with only Layer 4 security services.
Click the Exhibit button.
You are troubleshooting a new IPsec VPN that is configured between your corporate office and the RemoteSite1 SRX Series device. The VPN is not currently establishing. The RemoteSite1 device is being assigned an IP address on their gateway interface using DHCP.
Referring to the exhibit, which action will solve this problem?
A. On the RemoteSite1 device, change the IKE gateway external interface to st0.0.
B. On both devices, change the IKE version to use version 2 only.
C. On both devices, change the IKE policy proposal set to basic.
D. On both devices, change the IKE policy mode to aggressive.
Click the Exhibit button.
You are asked to ensure that Internet users can access the company’s internal webserver using its FQDN. However, the internal DNS server’s A record only points to the webserver’s private address.
Referring to the exhibit, which two actions are required to complete this task? (Choose two.)
A. Configure destination NAT for both the DNS server and the webserver.
B. Disable the DNS ALG.
C. Configure static NAT for both the DNS server and the webserver.
D. Configure proxy ARP on ge-0/0/3.
In a multinode HA environment, which service must be configured to synchronize between nodes?
A. PKI certificates
B. IDP
C. IPsec VPN
D. advanced policy-based routing
Question 6: Troubleshooting Security Policies and Security Zones
Question 7: Automated Threat Mitigation
Question 8: Advanced Policy-Based Routing (APBR)
Question 9: Multinode High Availability (HA)
Question 10: Automated Threat Mitigation
Question 11: Advanced Network Address Translation (NAT)
Question 12: Advanced IPsec VPNs
Question 13: Logical Systems and Tenant Systems
Question 14: Layer 2 Security
Question 15: Advanced Policy-Based Routing (APBR)
Question 16: Automated Threat Mitigation
Question 17: Multinode High Availability (HA)
Question 18: Advanced Policy-Based Routing (APBR)
Question 19: Advanced Network Address Translation (NAT)
Question 20: Advanced Network Address Translation (NAT)
Question 21: Troubleshooting Security Policies and Security Zones
Question 22: Advanced IPsec VPNs
Question 23: Advanced Network Address Translation (NAT)
Question 24: Layer 2 Security
Question 25: Troubleshooting Security Policies and Security Zones
Click the Exhibit button.
You can use SSH from SRX-1 to R-1 but not telnet. Both telnet and SSH services are enabled on R-1.
Referring to the exhibit, which configuration on SRX-1 is denying the access?
A. The security policy from the junos-host zone to the TRUST zone is denying port 22.
B. The security policy from the TRUST zone to the junos-host zone is denying port 22.
C. The security policy from the junos-host zone to the TRUST zone is denying port 23.
D. The security policy from the TRUST zone to the junos-host zone is denying port 23.
You are deploying threat remediation to endpoints connected through third-party devices.
In this scenario, which three statements are correct? (Choose three.)
A. All third-party switches must support AAA/RADIUS and Dynamic Authorization Extensions to the RADIUS protocol.
B. The connector uses an API to gather endpoint MAC address information from the RADIUS server.
C. All third-party switches in the specified network are automatically mapped and registered with the RADIUS server.
D. The connector queries the RADIUS server for the infected host endpoint details and initiates a change of authorization (CoA) for the infected host.
E. The RADIUS server sends Status-Server messages to update infected host information to the connector.
Click the Exhibit button.
Referring to the exhibit, which statement about TLS 1.2 traffic is correct?
A. TLS 1.2 traffic will be sent to routing instance R2 but not forwarded to the next hop.
B. TLS 1.2 traffic will be sent to routing instance R2 and forwarded to next hop 10.2.0.1.
C. TLS 1.2 traffic will be sent to routing instance R1 and forwarded to next hop 10.1.0.1.
D. TLS 1.2 traffic will be sent to routing instance R1 but not forwarded to the next hop.
Click the Exhibit button.
Referring to the exhibit, which three statements about the multinode HA environment are true? (Choose three.)
A. Session state is synchronized on both nodes.
B. IP monitoring has failed for the services redundancy group.
C. Node 1 will host services redundancy group 1 unless it is unavailable.
D. Node 2 will process transit traffic that it receives for services redundancy group 1.
E. Two services redundancy groups are available.
Click the Exhibit button.
Referring to the exhibit, which three actions do you need to take to isolate the hosts at the switch port level if they become infected with malware? (Choose three.)
A. Deploy Juniper Secure Analytics.
B. Use a third-party connector.
C. Configure AppTrack on the SRX Series device.
D. Enroll the SRX Series device with Juniper ATP Cloud.
E. Deploy Security Director with Policy Enforcer.
You are asked to see if your persistent NAT binding table is exhausted.
Which show command would you use to accomplish this task?
B. show security nat source persistent-nat-table all
C. show security nat source pool all
D. show security nat source summary
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
A. Every VPN packet that the SRX receives from the VPN peer is outside the ESP sequence window.
B. The SRX is sending traffic into the tunnel and out toward the VPN peer.
C. The SRX is not sending any packets to the VPN peer.
D. The SRX is not receiving any packets from the VPN peer.
Click the Exhibit button.
Referring to the exhibit, which two statements about User1 are true? (Choose two.)
A. User1 can add logical units to an interface that a primary administrator has not previously assigned.
B. User1 can view outputs from other user logical systems.
C. User1 is logged in to logical system LSYS-1.
D. User1 has access to the configuration specific to their assigned logical system.
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
A. Hosts in the Local zone can communicate with hosts in the Trust zone with a security policy.
B. Hosts in the Local zone can be enabled for control plane access to the SRX.
C. You can configure security policies for traffic flows between hosts in the Local zone.
D. An IRB interface is required to enable communication between the Trust and the Untrust zones.
Click the Exhibit button.
Referring to the exhibit, you are having problems configuring advanced policy-based routing.
What should you do to solve the problem?
A. Apply a policy to the APBR RIB group to only allow the exact routes you need.
B. Remove the default static route from the main instance configuration.
C. Change the routing instance to a forwarding instance.
D. Change the routing instance to a virtual router instance.
Which two statements are correct about automated threat mitigation with Security Director? (Choose two.)
A. Infected hosts are tracked by their IP address.
B. Infected hosts are tracked by their user identity.
C. Infected hosts are tracked by their chassis serial number.
D. Infected hosts are tracked by their MAC address.
You have deployed two SRX Series devices in an active/passive multinode HA scenario.
In this scenario, which two statements are correct? (Choose two.)
A. Services redundancy group 0 (SRG0) is used for services that have a control plane state.
B. Services redundancy group 1 (SRG1) is used for services that have a control plane state.
C. Services redundancy group 0 (SRG0) is used for services that do not have a control plane state.
D. Services redundancy group 1 (SRG1) is used for services that do not have a control plane state.
Click the Exhibit button.
Referring to the exhibit, a default static route on SRX-1 sends all traffic to ISP-A. You have configured APBR to send all requests for streaming video traffic to ISP-B. However, the return traffic from the streaming video server is coming through ISP-A, and the traffic is being dropped by SRX-1. You can only make changes on SRX-1.
How do you solve this problem?
A. Configure BGP to control the return path of the streaming video traffic.
B. Place both ISP-facing interfaces in the same zone.
C. Change the APBR routing instance from a forwarding instance to a virtual router instance.
D. Enable AppTrack to keep track of the sessions and zones for the streaming video traffic.
Which two statements are true regarding NAT64? (Choose two.)
A. An SRX Series device should be in flow-based forwarding mode for IPv4.
B. An SRX Series device should be in packet-based forwarding mode for IPv4.
C. An SRX Series device should be in packet-based forwarding mode for IPv6.
D. An SRX Series device should be in flow-based forwarding mode for IPv6.
Click the Exhibit button.
Referring to the exhibit, which two statements are correct about the NAT configuration? (Choose two.)
A. The original destination port is used for the source port for the session.
B. Only a specific host can initiate a session to the reflexive address after the initial session.
C. Any external host will be able to initiate a session to the reflexive address.
D. Both the internal and the external host can initiate a session after the initial translation.
Which two statements are true about the procedures the Junos security device uses when handling traffic destined for the device itself? (Choose two.)
A. If the received packet is addressed to the ingress interface, then the device first performs a security policy evaluation for the junos-host zone.
B. If the received packet is addressed to the ingress interface, then the device first examines the host-inbound-traffic configuration for the ingress interface and zone.
C. If the received packet is destined for an interface other than the ingress interface, then the device performs a security policy evaluation based on the ingress and egress zone.
D. If the received packet is destined for an interface other than the ingress interface, then the device performs a security policy evaluation for the junos-host zone.
Which two statements are correct about mixed mode? (Choose two.)
A. IRB interfaces cannot be used to route traffic.
B. Layer 2 and Layer 3 interfaces can use separate security zones.
C. IRB interfaces can be used to route traffic.
D. Layer 2 and Layer 3 interfaces can use the same security zone.
Which role does an SRX Series device play in a DS-Lite deployment?
A. softwire concentrator
B. softwire initiator
C. STUN client
D. STUN server
Which two statements are true when setting up an SRX Series device to operate in mixed mode? (Choose two.)
A. A physical interface can be configured to be both a Layer 2 and a Layer 3 interface at the same time.
B. The SRX must be rebooted after configuring at least one Layer 3 and one Layer 2 interface.
C. Packets from Layer 2 interfaces are switched within the same bridge domain.
D. User logical systems support Layer 2 traffic processing.
Click the Exhibit button.
Which two statements are correct about the output shown in the exhibit? (Choose two.)
A. The data shown requires a traceoptions flag of host-traffic.
B. The data shown requires a traceoptions flag of basic-datapath.
C. The packet is dropped by a configured security policy.
D. The packet is dropped by the default security policy.