Free VCE & PDF File for Juniper JN0-633 Real Exam (Full Version!)
Q11. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, the application firewall configuration fails to commit. What must you do to allow the configuration to commit?
A. Each firewall rule set must only have one rule.
B. A firewall rule set cannot mix dynamic applications and dynamic application groups.
C. The action in the rules must be different than the action in the default rule.
D. The action in the default rule must be set to deny.
Answer: C
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/application-firewall-overview.html
Q12. You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?
A. You can use SCEP to accomplish this behavior.
B. You can use OCSP to accomplish this behavior.
C. You can use CRL to accomplish this behavior.
D. You can use SPKI to accomplish this behavior.
Answer: A
Explanation: Reference: Page 9
http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf
Q13. Which problem is introduced by setting the terminal parameter on an IPS rule?
A. The SRX device will stop IDP processing for future sessions.
B. The SRX device might detect more false positives.
C. The SRX device will terminate the session in which the terminal rule detected the attack.
D. The SRX device might miss attacks.
Answer: D
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42464.html
Q14. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not producing the expected results. Part of the configuration is shown in the exhibit. When you run the show route table isp1 command, you do not see the default route listed.
What is causing this behavior?
A. The autonomous system number is incorrect, which is preventing the device from receiving a default route from ISP1.
B. The device is not able to resolve the next-hop.
C. The isp1 routing instance is configured with an incorrect instance-type.
D. The show route table isp1 command does not display the default route unless you add the exact 0.0.0.0/0 option.
Answer: B
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
Q15. An SRX Series device is configured for inline tap mode. What will occur if Drop Packet is selected?
A. The SRX Series device drops a matching packet before it can reach its destination but does not close the connection.
B. The SRX Series device will ignore the action Drop Packet.
C. The SRX Series device closes the connection and sends an RST packet to both the client and the server.
D. The SRX Series device drops a matching packet associated with the connection, preventing traffic for the connection from reaching its destination.
Answer: D
Q16. You are asked to design a solution to verify IPsec peer reachability with data path forwarding.
Which feature would meet the design requirements?
A. DPD over Phase 1 SA
B. DPD over Phase 2 SA
C. VPN monitoring over Phase 1 SA
D. VPN monitoring over Phase 2 SA
Answer: D
Explanation:
Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671
Q17. Click the Exhibit button.
-- Exhibit --
security {
    nat {
        destination {
            pool Web-Server {
                address 10.0.1.5/32;
            }
            rule-set From-Internet {
                from zone Untrust;
                rule To-Web-Server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 172.16.1.7/32;
                    }
                    then {
                        destination-nat pool Web-Server;
                    }
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
-- Exhibit --
You are migrating from one external address block to a different external address block. You want to enable a smooth transition to the new address block. You temporarily want to allow external users to contact the Web server using both the existing external address as well as the new external address 192.168.1.1.
How do you accomplish this goal?
A. Add address 192.168.1.1/32 under [edit security nat destination pool Web-Server].
B. Change the address Web-Server-Ext objects to be address-set objects that include both addresses.
C. Change the destination address under [edit security nat destination rule-set From-Internet rule To-Web-Server match] to include both 172.16.1.7/32 and 192.168.1.2/32.
D. Create a new rule for the new address in the [edit security nat destination rule-set From-Internet] hierarchy.
Answer: D
Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/nat-security-source-and-destination-nat-translation-configuring.html
Q18. Click the Exhibit button.
[edit]
user@host# show interfaces
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}
ge-0/0/10 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}
[edit]
user@host# show bridge-domains
d1 {
    domain-type bridge;
    vlan-id 20;
}
[edit]
user@host# show security flow bridge
[edit]
user@host# show security zones
security-zone 12 {
    host-inbound-traffic {
        system-services {
            any-service;
        }
    }
    interfaces {
        ge-0/0/1.0;
        ge-0/0/10.0;
    }
}
Referring to the exhibit, which statement is true?
A. Packets sent to the SRX Series device are sent to the RE.
B. Packets sent to the SRX Series device are discarded.
C. Only frames that have a VLAN ID of 20 are accepted.
D. Only frames that do not have any VLAN tags are accepted.
Answer: C
Q19. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the topology shown in the exhibit, which two configuration tasks will allow Host A to telnet to the public IP address associated with Server B? (Choose two.)
A. Configure transparent mode to bypass the NAT processing of Server B's public IP address.
B. Configure a stateless filter redirecting local traffic destined to Server B's public IP address.
C. Configure a destination NAT rule that matches local traffic destined to Server B's public IP address.
D. Configure a source NAT rule that matches local traffic destined to Server B's public IP address.
Answer: C,D
Explanation:
In this scenario, the host must be reachable on the Internet by one address but be translated to another address when it initiates connections out to the Internet, so source NAT and destination NAT must be combined.
Reference: http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#destination_nat
Q20. Which two statements are true about an interconnect logical system on an SRX Series device? (Choose two.)
A. VXLAN is used to switch inter-LSYS-traffic.
B. The root and user LSYSs connect to the interconnect LSYS using vt interfaces.
C. VPLS is used to switch inter-LSYS traffic.
D. The root and user LSYSs connect to the interconnect LSYS using lt interfaces.
Answer: C,D