Free VCE & PDF File for Juniper JN0-633 Real Exam (Full Version!)


Q51. You want to create a custom IDP signature for a new HTTP attack on your SRX device. You have the exact string that identifies the attack. Which two additional elements do you need to define your custom signature? (Choose two.)

A. service context

B. protocol number

C. direction

D. source IP address of the attacker

Answer: A,C

Explanation: Reference: http://rtoodtoo.net/2011/09/22/how-to-write-srx-idp-custom-attacksignature/


Q52. At which two times does the IPS rulebase inspect traffic on an SRX device? (Choose two.)

A. When traffic matches the active IDP policy.

B. When traffic first matches an IDP rule with the terminal parameter.

C. When traffic uses the application layer gateway.

D. When traffic is established in the firewall session table.

Answer: A,B

Explanation: Reference: http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA814&lpg=PA814&dq=what+time+IPS+rulebase+inspects+traffic+on+SRX&source=bl&ots=_eDe_vLNBA&sig=1I4yX_S0OvkQVP-rqL273laMCyE&hl=en&sa=X&ei=nqvzUfn1Is-rrAf71oHYBA&ved=0CC4Q6AEwAQ#v=onepage&q=what%20time%20IPS%20rulebase%20inspects%20traffic%20on%20SRX&f=false


Q53. Your SRX device is performing NAT to provide an internal resource with a public address. Your DNS server is on the same network segment as the server. You want your internal hosts to be able to reach the internal resource using the DNS name of the resource.

How do you accomplish this goal?

A. Implement proxy ARP.

B. Implement NAT-Traversal.

C. Implement NAT hairpinning.

D. Implement persistent NAT.

Answer: A

Explanation:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/prxy-arp-nat_srx.html


Q54. A local user complains that they cannot connect to an FTP server on the DMZ network. You investigate and confirm that the security policy allows FTP traffic from the trust zone to the DMZ zone.

What are two reasons for this problem? (Choose two.)

A. The FTP server has no route back to the local network.

B. No route is configured to the DMZ network.

C. No security policy exists for traffic from the DMZ zone to the trust zone.

D. The FTP ALG is disabled.

Answer: A,D


Q55. Your company is using a dynamic VPN configuration on their SRX device. Your manager asks you to enforce password expiration policies for all VPN users.

Which authentication method meets the requirement?

A. local password database

B. TACACS+

C. RADIUS

D. LDAP

Answer: D

Explanation:

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17423&actp=RSS


Q56. You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster. Which two statements about the deployment are true? (Choose two.)

A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.

B. The remote clients must install client software to establish a tunnel with the corporate network.

C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.

D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.

Answer: B,D

Explanation:

Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf


Q57. You recently implemented application firewall rules on an SRX device to act upon encrypted traffic. However, the encrypted traffic is not being correctly identified.

Which two actions will help the SRX device correctly identify the encrypted traffic? (Choose two.)

A. Enable heuristics to detect the encrypted traffic.

B. Disable the application system cache.

C. Use the junos:UNSPECIFIED-ENCRYPTED application signature.

D. Use the junos:SPECIFIED-ENCRYPTED application signature.

Answer: A,C 

Explanation: Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/encrypted-p2p-heuristics-detection.html


Q58. You are asked to implement an IPsec VPN between your main office and a new remote office. The remote office receives its IKE gateway address from their ISP dynamically.

Regarding this scenario, which statement is correct?

A. Configure a fully qualified domain name (FQDN) as the IKE identity.

B. Configure the dynamic-host-address option as the IKE identity.

C. Configure the unnumbered option as the IKE identity.

D. Configure a dynamic host configuration name (DHCN) as the IKE identity.

Answer: A


Q59. Click the Exhibit button.

root@host# show system login
user user {
    uid 2000;
    class operator;
    authentication {
        encrypted-password "$1$4s7ePrk5$9S.MZTwmXTV7sovJZFFsw1"; ## SECRET-DATA
    }
}

An SRX Series device has been configured for multiple certificate-based VPNs. The IPsec security association used for data replication is currently down. The administrator is a contractor and has the permissions on the SRX Series device as shown in the exhibit.

Which command set would allow the administrator to troubleshoot the cause for the VPN being down?

A. set security ipsec traceoptions file ipsec

set security ipsec traceoptions flag security-associations

B. set security ike traceoptions file ike

set security ike traceoptions flag ike

C. request security pki verify-integrity-status

D. request security ike debug-enable local <ip of the local gateway> remote <ip of the remote gateway>

Answer: C


Q60. Click the Exhibit button.

-- Exhibit (image not included) --

Host A cannot resolve the www.target.host.com Web page when using its configured DNS server. As shown in the exhibit, Host A's configured DNS server and the Web server hosting the www.target.host.com Web page are in the same subnet. You have verified bidirectional reachability between Host A and the Web server hosting the Web page.

What would cause this behavior on the SRX device in Company B's network?

A. DNS replication is enabled.

B. DNS doctoring is enabled.

C. DNS replication is disabled.

D. DNS doctoring is disabled.

Answer: D

Explanation: Reference: http://www.trapezenetworks.com/techpubs/en_US/junos12.2/topics/concept/dns-alg-nat-doctoring-overview.html