jn0-333 Exam - Security, Specialist (JNCIS-SEC)

certleader.com


Free JN0-333 Demo Online for Juniper Certification:

NEW QUESTION 1
Which interface is used exclusively to forward Ethernet-switching traffic between two chassis cluster nodes?

  • A. swfab0
  • B. fxp0
  • C. fab0
  • D. me0

Answer: A

NEW QUESTION 2
Which two statements are true when implementing source NAT on an SRX Series device? (Choose two.)

  • A. Source NAT is applied before the security policy search.
  • B. Source NAT is applied after the route table lookup.
  • C. Source NAT is applied before the route table lookup.
  • D. Source NAT is applied after the security policy search.

Answer: BD

NEW QUESTION 3
Click the Exhibit button.
JN0-333 dumps exhibit
Referring to the exhibit, what will happen if client 172.16.128.50 tries to connect to destination 192.168.150.3 using HTTP?

  • A. The client will be denied by policy p2.
  • B. The client will be permitted by the global policy.
  • C. The client will be permitted by policy p1.
  • D. The client will be denied by policy p3.

Answer: C

NEW QUESTION 4
You want to trigger failover of redundancy group 1, currently running on node 0, and make node 1 the primary node for redundancy group 1.
Which command would be used to accomplish this task?

  • A. user@host# set chassis cluster redundancy-group 1 node 1
  • B. user@host> request chassis cluster failover redundancy-group 1 node 1
  • C. user@host# set chassis cluster redundancy-group 1 preempt
  • D. user@host> request chassis cluster failover reset redundancy-group 1

Answer: B

NEW QUESTION 5
Click the Exhibit button.
JN0-333 dumps exhibit
Users at a remote office are unable to access an FTP server located at the remote corporate data center as expected. The remote FTP server is listening on the non-standard TCP port 2121.
Referring to the exhibit, what is causing the problem?

  • A. The FTP clients must be configured to listen on non-standard client ports for the FTP data channel negotiations to succeed.
  • B. Two custom FTP applications must be defined to allow bidirectional FTP communication through the SRX Series device.
  • C. The custom FTP application definition does not have the FTP ALG enabled.
  • D. A new security policy must be defined between the untrust and trust zones.

Answer: D

NEW QUESTION 6
What are two valid zones available on an SRX Series device? (Choose two.)

  • A. security zones
  • B. policy zones
  • C. transit zones
  • D. functional zones

Answer: AD

NEW QUESTION 7
Click the Exhibit button.
You are trying to create a security policy on your SRX Series device that permits HTTP traffic from your private 172.25.11.0/24 subnet to the Internet. You create a policy named permit-http between the trust and untrust zones that permits HTTP traffic.
When you issue a commit command to apply the configuration changes, the commit fails with the error shown in the exhibit.
Which two actions would correct the error? (Choose two.)
JN0-333 dumps exhibit

  • A. Create a custom application named http at the [edit applications] hierarchy.
  • B. Execute the Junos commit full command to override the error and apply the configuration.
  • C. Modify the security policy to use the built-in junos-http application.
  • D. Issue the rollback 1 command from the top of the configuration hierarchy and attempt the commit again.

Answer: BC

NEW QUESTION 8
You want to protect your SRX Series device from the ping-of-death attack coming from the untrust security zone.
How would you accomplish this task?

  • A. Configure the host-inbound-traffic system-services ping except parameter in the untrust security zone.
  • B. Configure the application tracking parameter in the untrust security zone.
  • C. Configure a from-zone untrust to-zone trust security policy that blocks ICMP traffic.
  • D. Configure the appropriate screen and apply it to the [edit security zone security-zone untrust] hierarchy.

Answer: D

NEW QUESTION 9
You must verify if destination NAT is actively being used by users connecting to an internal server from the Internet.
Which action will accomplish this task on an SRX Series device?

  • A. Examine the destination NAT translations table.
  • B. Examine the installed routes in the packet forwarding engine.
  • C. Examine the NAT translation table.
  • D. Examine the active security flow sessions.

Answer: A

NEW QUESTION 10
Click the Exhibit button.
JN0-333 dumps exhibit
The inside server must communicate with the external DNS server. The internal DNS server address is 10.100.75.75. The external DNS server address is 75.75.76.76. Traffic from the inside server to the DNS server fails.
Referring to the exhibit, what is causing the problem?

  • A. The security policy must match the translated destination address.
  • B. Source and static NAT cannot be configured at the same time.
  • C. The static NAT rule must use the global address book entry name for the DNS server.
  • D. The security policy must match the translated source and translated destination address.

Answer: A

NEW QUESTION 11
Click the Exhibit button.
JN0-333 dumps exhibit
Host A is attempting to connect to Host B using the domain name, which is tied to a public IP address. All attempts to connect to Host B have failed. You have examined the configuration on your SRX340 and determined that a NAT policy is required.
Referring to the exhibit, which two NAT types will allow Host A to connect to Host B? (Choose two.)

  • A. source NAT
  • B. NAT-T
  • C. destination NAT
  • D. static NAT

Answer: CD

NEW QUESTION 12
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
JN0-333 dumps exhibit

  • A. Interface ge-0/0/0 will not accept SSH connections.
  • B. Interfaces ge-0/0/0.0 and ge-0/0/1.0 will allow SSH connections.
  • C. Interface ge-0/0/0.0 will respond to pings.
  • D. Interface ge-0/0/1.0 will respond to pings.

Answer: BD

NEW QUESTION 13
Which process describes the implementation of screen options on an SRX Series device?

  • A. Configured screen options are only applied when traffic does not match a valid route.
  • B. Configured screen options are applied only to the first packet that is processed in a stateful session.
  • C. Configured screen options are applied to all packets that are processed by the stateful session firewall processor.
  • D. Configured screen options are only applied when traffic does not match a valid policy.

Answer: C

NEW QUESTION 14
What are two supported hypervisors for hosting a vSRX? (Choose two.)

  • A. VMware ESXi
  • B. Solaris Zones
  • C. KVM
  • D. Docker

Answer: AC

NEW QUESTION 15
You have recently configured an IPsec tunnel between two SRX Series devices. One of the devices is assigned an IP address using DHCP with an IP address that changes frequently. Initial testing indicates that the IPsec tunnel is not working. Troubleshooting has revealed that Phase 1 negotiations are failing.
Which two actions would solve the problem? (Choose two.)

  • A. Verify that the device with the IP address assigned by DHCP is the traffic initiator.
  • B. Verify that VPN monitoring is enabled.
  • C. Verify that the IKE policy is configured for aggressive mode.
  • D. Verify that PKI is properly configured.

Answer: AC

NEW QUESTION 16
You want to ensure that any certificates used in your IPsec implementation do not expire while in use by your SRX Series devices.
In this scenario, what must be enabled on your devices?

  • A. RSA
  • B. TLS
  • C. SCEP
  • D. CRL

Answer: C

NEW QUESTION 17
Which three Encapsulating Security Payload protocols do the SRX Series devices support with IPsec? (Choose three.)

  • A. DES
  • B. RC6
  • C. TLS
  • D. AES
  • E. 3DES

Answer: ADE

NEW QUESTION 18
Click the Exhibit button.
JN0-333 dumps exhibit
You notice that your SRX Series device is not blocking HTTP traffic as expected. Referring to the exhibit, what should you do to solve the problem?

  • A. Commit the configuration.
  • B. Reboot the SRX Series device.
  • C. Configure the SRX Series device to operate in packet-based mode.
  • D. Move the deny-http policy to the bottom of the policy list.

Answer: B

NEW QUESTION 19
What is the function of redundancy group 0 in a chassis cluster?

  • A. Redundancy group 0 identifies the node controlling the cluster management interface IP addresses.
  • B. The primary node for redundancy group 0 identifies the first member node in a chassis cluster.
  • C. The primary node for redundancy group 0 determines the interface naming for all chassis cluster nodes.
  • D. The node on which redundancy group 0 is primary determines which Routing Engine is active in the cluster.

Answer: D

NEW QUESTION 20
Click the exhibit button.
JN0-333 dumps exhibit
You are configuring security policies with Junos Space Security Director. Referring to the exhibit, which two statements are true? (Choose two.)

  • A. The host device has three rules assigned to it.
  • B. The policy assigned to the host device is published.
  • C. The policy assigned to the host device requires publishing.
  • D. The host device has two rules assigned to it.

Answer: BD

NEW QUESTION 21
Which statement describes the function of screen options?

  • A. Screen options encrypt transit traffic in a tunnel.
  • B. Screen options protect against various attacks on traffic entering a security device.
  • C. Screen options translate a private address to a public address.
  • D. Screen options restrict or permit users individually or in a group.

Answer: B

NEW QUESTION 22
Click the Exhibit button.
JN0-333 dumps exhibit
Which feature is enabled with destination NAT as shown in the exhibit?

  • A. NAT overload
  • B. block allocation
  • C. port translation
  • D. NAT hairpinning

Answer: D
