Juniper Networks Certified Internet Professional (JNCIP-SEC) · Juniper Networks Certified Internet...


Juniper Networks Certified Internet Professional (JNCIP-SEC)

Number: JN0-632
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

http://www.gratisexam.com/

Exam: Juniper Networks JN0-632

Version: 2012-04-17

Questions: 140

Good Luck


Exam A

QUESTION 1
You are concerned about the latency introduced in processing packets through the IPS signature database and want to configure the SRX Series device to minimize latency. You decide to configure inline tap mode.

Which two statements are true? (Choose two.)

A. When packets pass through for firewall inspection, they are not copied to the IPS module.
B. Packets passing through the firewall module are copied to the IPS module for processing as the packets continue through the forwarding process.
C. Traffic that exceeds the processing capacity of the IPS module will be dropped.
D. Traffic that exceeds the processing capacity of the IPS module will be forwarded without being inspected by the IPS module.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Packets passing through the firewall module are copied to the IPS module for processing as the packets continue through the forwarding process.
- Traffic that exceeds the processing capacity of the IPS module will be forwarded without being inspected by the IPS module.

Explanation: Inline Tap mode is supported in 10.2. It will have a positive impact on performance and will only be supported in dedicated mode. The processing will essentially be the same as it is in dedicated inline mode; however, instead of flowd simply placing the packet in the IDPD queue to be processed, it will make a copy of the packet, put that in the queue, and forward on the original packet without waiting for IDPD to perform the inspection. This will mean that the IDP will not be a bottleneck in performance. The one limitation around this feature is that some attacks may be able to pass through the SRX without being blocked, such as single-packet attacks. However, even though the single-packet attacks may not be blocked, most attacks will be blocked, and even in the case that an attack is let through, the SRX can still close down the session and even send TCP resets if it is a TCP protocol and the Close Connection option is set.

QUESTION 2
You create a custom attack signature with the following criteria:

-- HTTP Request
-- Pattern: *\x<404040...40
-- Direction: Client to Server

Which client request would be identified as an attack?

A. FTP GET.,\x404040...40
B. HTTP GET *\404040..40
C. HTPPOST.*\x404040...40
D. HTTP GET *\x4040401.40

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: HTTP GET *\x4040401.40


Explanation: Signature-based attack objects will be the most common form of attack object to configure. This is where you use regular expression matching to define what attack objects should be matched by the detector engine. The provided regular expression matches an HTTP GET request containing *\x4040401..40. Here \x denotes hex-based numbers and . matches any symbol.

Reference: http://www.juniper.net/techpubs/en_US/idp5.1/topics/example/simple/intrusiondetection-prevention-custom-attack-object-compound-signature.html

QUESTION 3
Click the Exhibit button.

In the exhibit, what does the configured screen do?

Exhibit:

A. It blocks TCP connection from a host when more than 1000 successive TCP connections are received.
B. It blocks TCP connections for a host when more than 1000 connections are received within 3600 seconds.
C. It blocks TCP connection attempts from a host when more than 10 connection attempts are made within 1000 microseconds.
D. It blocks TCP connections from the host for 1000 seconds when a host is identified as a TCP scan source.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: It blocks TCP connection attempts from a host when more than 10 connection attempts are made within 1000 microseconds.

Explanation: The command prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the device flags this behavior as a port scan attack, and rejects further packets from the remote source.

Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/portscan.html

QUESTION 4
Click the Exhibit button.

In the exhibit, Customer A and Customer B connect to the same SRX Series device. ISP1 and ISP2 are also directly connected to the SRX device. Customer A's traffic must use ISP1, and Customer B's traffic must use ISP2.

Which configuration will create the required routing tables?

Exhibit:

A. set routing-options rib-groups fbf import-rib [ custA.inet.0 custB.inet.0 ]
B. set routing-options rib-groups fbf export-rib [ custA.inet.0 custB.inet.0 ]
C. set routing-options rib-groups fbf import-rib [ custA.inet.0 custB.inet.0 inet.0 ]
D. set routing-options rib-groups fbf export-rib [ custA.inet.0 custB.inet.0 inet.0 ]

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: set routing-options rib-groups fbf import-rib [ custA.inet.0 custB.inet.0 inet.0 ]

Explanation:

QUESTION 5
You must configure a site-to-site VPN connection between your company and a business partner. The security policy of your organization states that the source of incoming traffic must be authenticated by a neutral party to prevent spoofing of an unauthorized source gateway.

What accomplishes this goal?

A. Use a manual key exchange to encrypt/decrypt traffic.
B. Generate internal Diffie-Hellman public/private key pairs on each VPN device and exchange public keys with the business partner.
C. Use a third-party certificate authority and exchange public keys with the business partner.
D. Use a private X.509 PKI certificate and verify it against a third-party certificate revocation list (CRL).

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: Use a third-party certificate authority and exchange public keys with the business partner.

Explanation:

QUESTION 6
Company A and Company B are using the same IP address space. You are using static NAT to provide dual translation between the two networks.

Which two additional requirements are needed to fully allow end-to-end communication? (Choose two.)

A. route information for each remote device
B. persistent-nat
C. required security policies
D. no-nat-traversal

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- route information for each remote device
- required security policies

Explanation:

Reference: http://www.juniper.fr/techpubs/en_US/junos10.4/topics/example/nat-twice-configuring.html
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

QUESTION 7
Your company is deploying a new WAN that uses transport over a private network infrastructure to provide an any-to-any topology. Your manager is concerned about the confidentiality of data as it crosses the WAN. Scalability of the SRX Series device's ability to perform IKE key exchanges is a key consideration.

Which VPN design satisfies your manager's concerns?

A. a transparent IPSec VPN
B. a hub-and-spoke VPN
C. a point-to-multipoint VPN
D. a group VPN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: a group VPN

Explanation:
Reference: http://juniper.fr/techpubs/software/junos-security/junos-security10.2/junos-securityswconfig-security/topic-45780.html

QUESTION 8
Click the Exhibit button.

Senior management reports that your company's network is being attacked by hackers exploiting a recently announced vulnerability. The attack is not being detected by the IDP on your SRX Series device. You suspect that your attack database is out of date. You check the version of the attack database and discover it is several weeks old. You configured your device to download updates automatically as shown in the exhibit.

What must you do for the automatic update to function properly?

Exhibit:

A. Change the interval to daily by adding set automatic interval 1 to the configuration and commit the change.
B. Enable the automatic updates by adding set automatic enable to the configuration and commit the change.
C. Set the time zone on your device.
D. Change the URL of the update site to use https:// instead of http://.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: Enable the automatic updates by adding set automatic enable to the configuration and commit the change.

Explanation:

QUESTION 9
You obtained a license file from Juniper Networks for the SRX Series Services Gateway IPS feature set. You want to install the license onto the SRX Series device.

Which statement is accurate?

A. The license file is automatically downloaded from the online license server; you need not do anything.
B. Transfer the file to the SRX Series device using FTP or SCP and install the license with the request system license add <filename> command.
C. The license file must be decrypted with the openssl utility before being installed on the SRX Series device.
D. Transfer the file to the SRX firewall using FTP or SCP and install the license with the request system license install-permanent command.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: Transfer the file to the SRX Series device using FTP or SCP and install the license with the request system license add <filename> command.

Explanation:
Reference: http://www.juniper.net/techpubs/en_US/junos11.1/topics/reference/commandsummary/request-system-license-add.html

QUESTION 10
You have been asked to configure a signature to block an attack released by a security vulnerability reporting agency. Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)

A. the source port of the attacker
B. a string or regular expression that occurs within the attack
C. the context where the attack pattern is found within the packet
D. the IPv4 routing header

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- a string or regular expression that occurs within the attack
- the context where the attack pattern is found within the packet

Explanation:
Reference: http://www.juniper.net/techpubs/en_US/nsm2011.1/topics/task/configuration/attacksignature-attack-object-creating-nsm.html

QUESTION 11
In a group VPN the members rekey with the server using the Unicast PUSH method. This rekey mechanism is protected by which secure channel?

A. KEK
B. IPSec SA
C. TEK
D. IKE SA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: IKE SA

Explanation: It's true that the Key Encryption Key (KEK) is used to encrypt rekey messages. But at the same time, GDOI exchanges in Phase 2 must be protected by ISAKMP Phase 1 SAs. And the GDOI groupkey-push exchange is one of the two types of GDOI exchanges: groupkey-pull and groupkey-push.

QUESTION 12
Which two configuration tasks should you use to implement filter-based forwarding? (Choose two.)

A. Create a VRF routing instance.
B. Create a firewall filter with an action of virtual-channel.
C. Create routing options with rib-groups.
D. Create routing options with interface routes.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Create routing options with rib-groups.
- Create routing options with interface routes.

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/routing-configuring-filter-based-forwarding.html

QUESTION 13
Your corporate network consists of a central office and four branch offices. You are responsible for coming up with an effective solution to provide secure connectivity between the sites.

Which solution meets the requirements?

A. Implement firewall filters on each device.
B. Implement an H11 HS-based mesh between all sites.
C. Implement secure routing policies.
D. Implement a hub-and-spoke VPN.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: Implement a hub-and-spoke VPN

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/vpn-hub-spoke-topologies-oneinterface.html

QUESTION 14
Click the Exhibit button.

The client is downloading a file from the FTP server. The FTP control channel is established using a security policy named trust-to-untrust.

Which statement is correct about the output in the exhibit regarding the data channel?

Exhibit:

A. Passive FTP is being used to establish the data channel.
B. The pinhole has been opened by the FTP ALG for return traffic.
C. The session requires a separate security policy for return traffic.
D. The session is using NAT to translate IP addresses.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: The pinhole has been opened by the FTP ALG for return traffic.

Explanation:

QUESTION 15
You want to verify how many security policies will match FTP traffic from source address 1.1.1.1 port 55000 to destination address 2.2.2.2 port 21.

Which operational mode command should you use?

A. show security match-policy from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count
B. test security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count
C. show security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count
D. show security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol udp result-count

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: show security match-policies from-zone trust source-ip 1.1.1.1 source-port 55000 to-zone untrust destination-ip 2.2.2.2 destination-port 21 protocol tcp result-count

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topiccollections/security/software-all/cli-reference/junos-security-cli-reference.pdf

QUESTION 16
Click the Exhibit button.

The exhibit shows an IPSec tunnel configuration. In an effort to increase the security of the tunnel, you must configure the tunnel to negotiate a new tunnel key during IKE phase 2.

How can the configuration be changed to accommodate this requirement?

Exhibit:

A. A new tunnel key is negotiated by default during phase 2; no configuration change is necessary.
B. PFS must be added to the IKE policy pol-ike.
C. PFS must be added to the IPSec policy pol-ipsec.
D. A new tunnel key cannot be negotiated in IKE phase 2 with route-based IPSec VPNs; a policy-based IPSec VPN must be

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: C

Explanation: PFS is a method for deriving Phase 2 keys independent from and unrelated to the preceding keys. Alternatively, the Phase 1 proposal creates the key (the SKEYID_d key) from which all Phase 2 keys are derived. The SKEYID_d key can generate Phase 2 keys with a minimum of CPU processing. Unfortunately, if an unauthorized party gains access to the SKEYID_d key, all your encryption keys are compromised. PFS addresses this security risk by forcing a new DH key exchange to occur for each Phase 2 tunnel. Using PFS is thus more secure, although the rekeying procedure in Phase 2 might take slightly longer with PFS enabled.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html

Page 13: Juniper Networks Certified Internet Professional (JNCIP-SEC) · Juniper Networks Certified Internet Professional (JNCIP-SEC) Number : JN0-632 Passing Score : 800 Time Limit : 120

QUESTION 17
You configured all the required parameters to allow IPv6 address book entries. You successfully committed the configuration. You noticed that IPv4 traffic is still working as expected, but IPv6 traffic is being dropped.

What is the solution to the problem? (Choose two.)

A. IPv4 and IPv6 address book entries will not work together.
B. IPv6 flow-based mode must be enabled.
C. The SRX device must be rebooted.
D. IPv6 policy-based mode must be enabled.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- IPv6 flow-based mode must be enabled.
- The SRX device must be rebooted.

Explanation:
[edit security forwarding-options]
diriger# set family inet6 mode flow-based
[edit security forwarding-options]
diriger# exit
[edit]
diriger# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
[edit]

Reference: http://blog.kramse.org/blojsom/blog/default/IPv6/Juniper-SRX210-Junos-10-2-flow-based-IPv6-forwarding?smm=y
http://blog.kramse.org/blojsom/blog/default/IPv6/JUNOS-software-on-SRX-basic-IPv6-configuration?smm=y

QUESTION 18
Given the session shown below:

user@srx> show security flow session
Session ID: 3729, Policy name: nat-example-security-policy/6, Timeout: 2
  In: 10.1.0.13/52939 --> 207.17.137.229/80;tcp, If: ge-0/0/5.0
  Out: 207.17.137.229/80 --> 172.19.101.42/2132;tcp, If: ge-0/0/0

Which statement is true?

A. The session indicates that destination NAT with no port translation is taking place.
B. The session indicates that no NAT is taking place.
C. The session indicates that source NAT is taking place.
D. The session indicates that destination NAT with port translation is taking place.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: The session indicates that source NAT is taking place.

Explanation: The output of the command shows that the TCP packet with src ip 10.1.0.13 and src tcp port 52939 and dst ip 207.17.137.229 and dst port 80 is entering interface ge-0/0/5.0 and the reverse connection is created for the same session: src ip 172.19.101.42 and src tcp port 2132 and dst ip 207.17.137.229 and dst tcp port 80. So the source ip 10.1.0.13 is translated to 172.19.101.42.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junossecurity-cli-reference/show-security-flow-session.html#jd0e143381

QUESTION 19
What are two implementations of NAT? (Choose two.)

A. source NAT
B. group NAT
C. filter-based NAT
D. destination NAT

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- source NAT
- destination NAT

Explanation:
A - Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.
D - Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).

Reference: http://www.juniper.net/techpubs/en_US/junos10.4/topics/example/nat-security-source-anddestination-nat-translation-configuring.html
http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/network-address-translationoverview.html

QUESTION 20
You are notified that a particular application passing through an SRX3600 is not working properly. A request has been made to provide a packet capture of the application traffic as it egresses the SRX device.

What is required to capture the transit application traffic on the egress interface?

A. Create a firewall filter with the action packet-capture and apply the firewall filter to the egress interface.
B. Create a firewall filter with the action packet-mode and apply the firewall filter to the egress interface.
C. Execute the operational mode command monitor traffic interface and specify the egress interface.
D. Configure the data path-debug capture parameters and start the packet capture from operational mode.
E. Create a firewall filter with action sample and apply the firewall filter to the egress interface.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Answer: Create a firewall filter with action sample and apply the firewall filter to the egress interface.

Explanation: See reference for details.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

Page 15: Juniper Networks Certified Internet Professional (JNCIP-SEC) · Juniper Networks Certified Internet Professional (JNCIP-SEC) Number : JN0-632 Passing Score : 800 Time Limit : 120

QUESTION 21
The SRX Series device is configured for source NAT. The source IP address will be translated to 1.1.1.1. A packet with a source address of 21.21.21.21 and destination address of 31.1.1.1 arrives at the SRX Series device.

Which policy will this packet match?

A. a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of 31.1.1.1
B. a policy in which the match criteria has a source address of 1.1.1.1 and a destination address of 21.21.21.21
C. a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of 1.1.1.1
D. a policy in which the match criteria has a source address of 31.1.1.1 and a destination address of 1.1.1.1

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: a policy in which the match criteria has a source address of 21.21.21.21 and a destination address of 31.1.1.1

Explanation:

QUESTION 22
You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through routing-instance Juniper2, without sharing all the routes between the two instances.

Which static route configuration will accomplish this?

A. set routing-instances Juniper1 routing-options static route 2.2.2.2 next-table Juniper2.inet.0
B. set routing-instances Juniper2 routing-options static route 2.2.2.2 next-table Juniper1.inet.0
C. set routing-options static route 2.2.2.2 next-table Juniper2.inet.0
D. set routing-options static route 2.2.2.2 next-table Juniper1.inet.0

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: set routing-instances Juniper1 routing-options static route 2.2.2.2 next-table Juniper2.inet.0

Explanation:

QUESTION 23
You want to implement a chassis cluster using SRX650s in your network. Your manager has informed you that the nodes participating in the chassis cluster will reside in remote locations.

Which two statements represent valid considerations for this deployment scenario? (Choose two.)

A. The latency between the participating nodes cannot exceed 300 ms.
B. The links supporting the control and fabric links should all be 1 Gbps or higher.
C. The same physical path supporting the control and fabric links should be used.
D. The paths supporting the control and fabric links should use segregated virtual paths.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- The links supporting the control and fabric links should all be 1 Gbps or higher.
- The paths supporting the control and fabric links should use segregated virtual paths.

Explanation: After configuring the SRX650 HA Chassis Cluster, ge-0/0/0 is reserved for FXP0 (out of band), ge-0/0/1 for the Control Link and one more port (mostly used ge-0/0/2) for the Fabric Link. In most SRX Series devices in a chassis cluster, you can configure any pair of Gigabit Ethernet interfaces or any pair of 10-Gigabit interfaces to serve as the fabric between nodes. If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the corresponding switch ports. If both of the fabric links are connected through the same switch, the RTO-and-probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN. Here too, the jumbo frame feature must be enabled on the corresponding switch ports.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabricconfiguring-cli.html

QUESTION 24
Access to a Web server is being severely interrupted after configuring SCREEN parameters. The intention of the IT group was to mitigate SYN flood attacks by dropping connections aggressively if the number of SYN packets to the server exceeded 1000 packets per second.

Which two SCREEN settings will resolve the issue? (Choose two.)

A.

B.

C.

D.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junossecurity-swconfig-security/id-68220.html#id-68220

QUESTION 25
What are two valid chassis cluster implementations? (Choose two.)

A. active/active
B. online/offline
C. active/passive
D. passive/passive

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- active/active
- active/passive

Explanation: There are only two options: active/active and active/passive. See reference.

Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/activeactive-full-mesh-chassis-cluster-scenario.html
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/activepassive-chassis-cluster-scenario.html

QUESTION 26
What describes the NULL scan and how would you effectively mitigate it?

A. A NULL scan attack consists of a series of packets that have source port 0 and various destination ports set. They can be minimized with SCREEN options, such as set security screen ids-option foo tcp-no-null and udp-no-null.
B. A NULL scan attack is an attack targeting port of the remote device's TCP/IP stack. set security idp sensor-configuration flow no-allow-tcp-without-flow.
C. A NULL scan attack uses packets with no flags set and you can minimize it with SCREEN options, set screen ids-option foo tcp tcp-no-flag.
D. A NULL attack is making use of UDP packets that just contain "0" characters in their payload; a stateless firewall filter can help to mitigate this attack.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: A NULL scan attack uses packets with no flags set and you can minimize it with SCREEN options, set screen ids-option foo tcp tcp-no-flag.

Explanation: A normal TCP segment header has at least one control flag set. A TCP segment with no control flags set is an anomalous event. Because different operating systems respond differently to such anomalies, the response (or lack of response) from the targeted device can provide a clue as to the type of OS it is running.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junossecurity-swconfig-security/id-91902.html#id-20336
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-clireference/jd0e96963.html

QUESTION 27
Click the Exhibit button.

In the process of securing your network from network reconnaissance, you notice that a large number of random packets are destined for unused segments on your network.

Referring to the exhibit, how should you secure the borders from these attacks while allowing legitimate traffic to pass through?

Exhibit:

A. Configure SYN fragment protection to prevent these types of packets from entering the network.
B. Configure IP sweep protection to rate-limit the number of allowed packets.
C. Configure TCP sweep protection to rate-limit the number of allowed packets to enter.
D. Configure the teardrop screen to prevent these types of packets from entering your network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: Configure TCP sweep protection to rate-limit the number of allowed packets to enter.

Explanation: In a TCP Sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port in the device is open, which makes the port vulnerable to attack. The TCP Sweep SCREEN option restricts the session establishment between the source IP (the attacker) and the destination IP (the target device) based on the number of attempts made by the attacker within a particular timeframe. The default threshold is 50 packets per second. If the number of attempts exceeds 50, the security device does not establish the connection. You can set the threshold to a value between 1 and 5000 packets per second.

Reference: http://help.juniper.net/help/english/6.2.0/zone_ids_edit_cnt.htm

QUESTION 28
You have been asked to configure a signature to block an attack released by a security vulnerability reporting agency. Which two characteristics of the attack must you understand to configure the attack object? (Choose two.)

A. the source IP address of the attacker
B. the protocol the attack is transported in
C. a string or regular expression that occurs within the attack
D. IPv4 routing header

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- the protocol the attack is transported in
- a string or regular expression that occurs within the attack

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/idp5.1/topics/task/configuration/intrusiondetection-prevention-signature-attack-object-creating-nsm.html

QUESTION 29
In a group VPN topology, you have three members A, B, and C. You want A to communicate with B using a different encryption key from the one it uses to communicate with C.

How do you achieve this?

A. You put A, B, and C in three different groups.
B. You put A, B, and C in the same group, but you define a different match-policy for communication between A and B and for communication between A and C.
C. You define a different SA and a different match-policy for communication between A and B and for communication between A and C.
D. In a group VPN, all members of a group must use the same key to communicate with each other.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:

Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500202-en.pdf

QUESTION 30
What is the primary function of Junos Intrusion Prevention System (IPS)?

A. to protect against scans and attacks
B. to perform firewall filtering
C. to perform NAT translation
D. to provide IPSec tunneling

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: to protect against scans and attacks

Explanation: The IPS feature list includes:
- Stateful Signature Detection: Signatures are applied only to the relevant portions of the network traffic, as determined by the appropriate protocol context, minimizing false positives.
- Protocol Anomaly Detection: Protocol usage is verified against published RFCs to detect any violations or abuse, proactively protecting the network from intrusions and even undiscovered vulnerabilities.
- Traffic Anomaly Detection: Heuristic rules detect unexpected traffic patterns that may suggest reconnaissance or attacks. This proactively prevents reconnaissance activities and blocks distributed denial of service (DDoS) attacks.
- Role-Based Administration: More than 100 different activities can be assigned as unique permissions for different administrators, streamlining business operations by logically separating and enforcing the roles of various administrators.
- Intrusion Prevention System functions conform to business operations: Enable logical separation of devices, policies, reports, and other management activities to group devices based on business practices.

Reference: http://www.juniper.net/as/en/products-services/software/router-services/ips/

QUESTION 31
Click the Exhibit button.

A junior network administrator has configured an inbound destination NAT to an internal server, translating a public IP to an RFC1918 IP address on the internal network. After configuring NAT and the policy to permit this connectivity, the junior administrator is unable to get this to work.

Traffic never gets to the internal server.

Based upon the configuration in the exhibit, what is needed to resolve the problem?

Exhibit:

A. The NAT policy is configured incorrectly.
B. The security policies are out of order.
C. The security policies for the return traffic are written incorrectly.
D. The permit-web-dmz security policy is written incorrectly.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: The permit-web-dmz security policy is written incorrectly.

Explanation: The destination-address in policy permit-web-dmz should be 10.1.1.11/32.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/nat-securitydestination-address-port-translation-configuring.html

QUESTION 32
In a group VPN, a group member can reach the key server 100.0.0.3 using the interface ge-0/0/5. It can reach all other group members using the interface ge-0/0/7. The IP address of ge-0/0/5 is 1.1.1.1 and the IP address of ge-0/0/7 is 2.2.2.1.

Which configuration is correct for this member?

A.

B.

C.

D.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:

The correct answer should have:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junossecurity-swconfig-security/topic-45798.html

QUESTION 33
You are implementing a chassis cluster and adding the cluster to your multicast domain. Which two statements are valid considerations for this implementation scenario? (Choose two.)

A. Multicast sessions are only maintained on the primary node in the cluster and will not be maintained during a failover scenario.
B. Multicast sessions are synchronized on both nodes within the cluster and will be maintained during a failover scenario.
C. The ppe and ppd interfaces are used to enable a cluster to act as a rendezvous point (RP) or first hop router in the multicast domain.
D. The pe and pd interfaces are used to enable a cluster to act as a rendezvous point (RP) or first hop router in the multicast domain.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Multicast sessions are synchronized on both nodes within the cluster and will be maintained during a failover scenario.
- The ppe and ppd interfaces are used to enable a cluster to act as a rendezvous point (RP) or first hop router in the multicast domain.

Explanation: Multicast protocols are supported in chassis clustering for all SRX Series and J Series devices. J Series devices support pd and pe interfaces, and SRX Series devices support ppd and ppe interfaces. If PIM sparse mode is enabled on any router (potentially a PIM sparse-mode source DR) and a Tunnel Services PIC is present on the router, a PIM register encapsulation interface, or pe interface, is automatically created for each RP address. It is used to encapsulate source data packets and send them to the respective RP addresses on the PIM DR as well as the PIM RP. The pe interface receives PIM register messages and encapsulates them by means of the hardware.

Reference: https://www.thenewnetworkishere.com/techpubs/en_US/junos10.3/information-products/topiccollections/release-notes/10.3/topic-47950.html

QUESTION 34
Click the Exhibit button.

In the exhibit, a site-to-site IPSec tunnel between the chassis cluster and the remote SRX240 device will not establish. The chassis cluster and the remote SRX240 device are using their loopback interfaces for IPSec tunnel termination.

What is causing the problem?

Exhibit:

A. Site-to-site IPSec VPNs are not supported on a chassis cluster; a GRE tunnel must be used instead.
B. Loopback interface IPSec tunnel termination is not supported on high-end SRX Series chassis clusters; use the reth0 interface instead.
C. Site-to-site IPSec VPNs between high-end SRX Series chassis clusters and branch SRX devices are not supported. The SRX240 device must be replaced with a high-end SRX device.
D. Loopback interface IPSec tunnel termination within a chassis cluster must have PFS enabled. Configure PFS on both ends of the IPSec tunnel.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: B

Explanation:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-swconfig-security/topic-43738.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB14371


QUESTION 35
In terms of application and protocol recognition, how does the IPS engine inspect the traffic?

A. unidirectional on the incoming interface
B. unidirectional on the outbound interface
C. only traffic from and to well-known ports
D. bidirectionally

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: bidirectionally

Explanation:

Exam B

QUESTION 1
Click the Exhibit button.

In the exhibit, traffic from the client is routed to Server A by default. You have just implemented filter-based forwarding to redirect specific traffic from the client to Server B. Server B will then send that traffic to Server A. After finalizing this implementation, you notice reverse traffic from Server A back to the client is being dropped.

Which statement describes why the reverse traffic is being dropped?

Exhibit:

A. The filter-based forwarding unidirectional-only option has been enabled.
B. The MAC caching configuration option has not been enabled.
C. The Junos OS performs a route lookup on the reverse traffic and drops the traffic due to a zone mismatch.
D. The Junos OS performs a security policy check in the fast path packet flow on traffic matched by a stateless filter.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: The Junos OS performs a route lookup on the reverse traffic and drops the traffic due to a zone mismatch.

Explanation:

Reference: http://juniper.ilkom.unsri.ac.id/stepbystep/Junos%20Security.pdf

QUESTION 2
Your company has installed a new transparent proxy server that it wants all employee traffic to traverse before taking the default route to the Internet. The proxy server is within two DMZ zones from the SRX Series device, which means your SRX device must now have two default routes: one to the proxy DMZ and one to the Internet from the proxy DMZ.

What can you do to get the traffic to flow to the transparent proxy DMZ, and then from the proxy DMZ to the Internet, regardless of the destination or port?

A. Configure two static default floating routes: one from the employee zone to the ingress proxy DMZ and a second from the egress proxy DMZ to the Internet.
B. Configure two separate routing instances: one instance for the employee zone to the ingress proxy DMZ and the second for the egress proxy DMZ to the Internet.
C. Configure security policies that will route all traffic to the ingress proxy DMZ; then traffic will follow the default route to the Internet from the egress proxy DMZ.
D. Configure a rib-group to handle the two default routes between the ingress and egress zones of the new proxy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: Configure two separate routing instances: one instance for the employee zone to the ingress proxy DMZ and the second for the egress proxy DMZ to the Internet.

Explanation:

QUESTION 3
You are configuring a hub-and-spoke VPN topology between an SRX Series device deployed at the hub site and several non-Juniper devices at spoke sites. You have decided to use static routes on the hub device to make the spoke network reachable.

What else must you do to make the remote networks reachable?

A. Use the NHTB protocol to ensure that automatic tunnel bindings are created.
B. Add static next-hop tunnel bindings on the spoke devices for the hub networks.
C. Configure proxy IDs for the remote networks on the hub device.
D. Add static next-hop tunnel bindings on the hub device for the spoke networks.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: Add static next-hop tunnel bindings on the hub device for the spoke networks.

Explanation:

Reference: http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Multipoint_VPN_with_NHTB_12.pdf

QUESTION 4
Click the Exhibit button.

A user complains that they cannot reach a destination host using Telnet. The user expresses concern that the SRX Series device is blocking the connection attempt. You check the security policy log on the SRX device and see the entry shown in the exhibit.

Based on the security policy log entry, which three statements describe why the user is unable to use Telnet to reach the destination host? (Choose three.)

Exhibit:

A. No security policy is configured on the SRX device to match the request.
B. The destination host does not have a valid route for the user's PC.
C. The destination host is not listening on the requested service.
D. Another device between the SRX device and destination host is blocking the request.
E. A trace options flag is set on the SRX device to drop the telnet traffic.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- The destination host does not have a valid route for the user's PC.
- The destination host is not listening on the requested service.
- Another device between the SRX device and destination host is blocking the request.

Explanation: Based on the security policy log entry, the "allow-telnet" security policy is configured on the SRX device, and the SRX device does not receive any packets from the remote Telnet server, because both server-packets and server-bytes are zero. So the possible options are B, C, and D.

Reference: http://www.juniperforum.com/index.php?topic=10131.0
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-securityswconfig-security/junos-security-swconfig-security.pdf

QUESTION 5
You have a problem with an FTP session that will not establish through your SRX240 device. You confirmed that routing and security policies are correct. You want to capture packets to further troubleshoot the problem.

Which two actions are required to do this? (Choose two.)

A. Run the monitor traffic interface | save pcap command.
B. Turn on the packet-capture option in the forwarding-options section of the configuration.
C. Build a firewall filter with a sample action on the interface.
D. Enable traceoptions on the interface.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Turn on the packet-capture option in the forwarding-options section of the configuration.
- Build a firewall filter with a sample action on the interface.

Explanation:

Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/packet-capture-on-Juniper-SRX210/tdp/102454

QUESTION 6
You have been asked to add a dynamic VPN to your SRX650. This dynamic VPN must be able to support five users at the same time.

What are two primary requirements? (Choose two.)

A. You must configure IKE to use main mode.
B. You must configure IKE to use certificates for authentication.
C. You must configure IKE to use aggressive mode.
D. You must configure IKE to use preshared keys for authentication.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- You must configure IKE to use aggressive mode.
- You must configure IKE to use preshared keys for authentication.

Explanation: When a dynamic VPN user negotiates an AutoKey IKE tunnel with a preshared key, aggressive mode must be used. Therefore, you must always use aggressive mode with the dynamic VPN feature.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfigsecurity/ipsec-vpn-overview.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-securityswconfig-security/vpn-dynamic-config-overview.html

QUESTION 7
Click the Exhibit button.

The exhibit shows a configuration for two IPSec tunnels. The tunnel ipsec-vpn-primary is being used as the primary tunnel, and the tunnel ipsec-vpn-backup is being used as the backup tunnel. The remote device is not a Juniper Networks device. When a link failure occurs in the path that supports the primary tunnel, traffic is black holed for many minutes before the backup tunnel is used.

What can you do to reduce the failover time?

Exhibit:

A. Configure BFD over the IPSec tunnel.
B. Configure VPN monitoring on the primary tunnel.
C. Configure DPD on the primary tunnel.
D. Configure DPD on the backup tunnel.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: Configure DPD on the primary tunnel.

Explanation:

Reference: http://www.juniper.net/techpubs/software/junos/junos94/swconfig-services/configuringthe-remote-address-and-backup-remote-address.html

QUESTION 8
Click the Exhibit button.

You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between SRX Series devices. You notice the error in the log shown in the exhibit.

What is a possible cause for this problem?

Exhibit:

A. mismatched proxy IDs
B. mismatched peer IDs
C. mismatched Phase 2 proposals
D. mismatched preshared key

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: mismatched Phase 2 proposals

Explanation: Most likely the Phase 1 pre-shared keys do not match.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101

QUESTION 9
Click the Exhibit button.

In the exhibit, two SRX240 devices form a chassis cluster. Node 0 is primary for RG 1, and interface monitoring is configured to fail primacy over to Node 1 in the event interface ge-5/0/3 goes down. However, when interface ge-5/0/3 goes down, Node 0 retains primacy for RG 1.

Which two statements describe why Node 0 retained primacy for RG 1? (Choose two.)

Exhibit:

A. The ge-5/0/3 interface belongs to Node 1, which is in a secondary state, so no failover is necessary.
B. Node 0 has a priority of 254, but it will not switch unless an additional interface goes down.
C. Node 1 has a priority of 0 and is not eligible to take primacy of RG 1.
D. The ge-5/0/3 interface belongs to Node 1 and the priority was subtracted from Node 1.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- The ge-5/0/3 interface belongs to Node 1, which is in a secondary state, so no failover is necessary.
- Node 1 has a priority of 0 and is not eligible to take primacy of RG 1.

Explanation:

Reference: http://answers.oreilly.com/topic/2040-how-to-initially-troubleshoot-a-junos-chassiscluster/

QUESTION 10
You want to implement an IPS rule base action in which matching traffic is dropped.

A. no-action
B. drop-packet
C. accept
D. notification

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:

Actions specify what you want IDP to do when the monitored traffic matches the attack objects specified in the rules. The following table shows the actions you can specify for IDP rules:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-securityswconfig-security/understand-rule-action-section.html#understand-rule-action-section

QUESTION 11
Which two protocols are supported by Application Layer Gateways (ALGs) on SRX Series devices? (Choose two.)

A. FTP
B. HTTP
C. SIP
D. SNMP

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- FTP
- SIP

Explanation:
- FTP carries port numbers inside the TCP payload. This requires an ALG.
- SIP carries contact information inside the UDP payload. This requires an ALG.

Reference: http://www.juniper.net/techpubs/en_US/nsm2010.4/topics/reference/specifications/securityservice-firewall-alg-protocol-enable-disable-overview.html
http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topiccollections/security/software-all/feature-support-reference/junos-security-feature-support-guide.pdf

QUESTION 12
Click the Exhibit button.

Your company uses a custom-built application that uses RSH. You have configured a new application definition to support it on your SRX Series device as shown in the exhibit, and you applied the application to the relevant security policy. After you commit the configuration, users report that they can no longer interact with remote devices.

What is causing the problem?

Exhibit:

A. The source-port parameter is missing.
B. The inactivity timeout value is too low.
C. The application-protocol parameter is missing.
D. The protocol parameter is incorrect.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: The application-protocol parameter is missing.

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos10.3/topics/usage-guidelines/services-configuringapplication-protocol-properties.html?searchid=1320265916617

QUESTION 13
Which two protection mechanisms are supported on SRX Series Services Gateways? (Choose two.)

A. flow overflow attack protection
B. back door protection
C. Layer 2 protection for ARP spoofing
D. back link protection

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- back door protection
- Layer 2 protection for ARP spoofing

Explanation: The IDP system detects Layer 2 attacks by defining implied rules on the IDP Sensor. By default, the IDP has ARP spoof detection enabled. You can configure an interface to reject G-ARP requests and replies based on your security concerns. Accepting gratuitous ARP requests and replies might make the network vulnerable to ARP spoofing attacks.

The backdoor rulebase protects your network from mechanisms installed on a host computer that facilitate unauthorized access to the system. Attackers who have already compromised a system typically install backdoors (such as Trojans) to make future attacks easier. When attackers send and retrieve information to and from the backdoor program (as when typing commands), they generate interactive traffic that IDP can detect.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB7443&actp=search&viewlocale=en_US&searchid=1248336689499#
http://www.juniper.net/techpubs/software/management/security-manager/nsm2008_2/nsmintrusion-detection-prevention-device-guide.pdf

QUESTION 14
Your new employer has contacted you because the company's Web servers located at the DMZ (dmz zone) are not reachable from the Internet (untrust zone). After examining the configuration from the previous administrator, you determine that the problem must be with the NAT configuration. The servers have the internal IP addresses 172.14.14.9/24 and 172.14.14.10/24.

Which NAT configuration will correct the problem?

A.

B.

C.

D.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/nat-securitydestination-address-port-translation-configuring.html

QUESTION 15
You have a VoIP application that requires external sessions to be initiated into your environment. Your network only has a single public IP address configured on the egress interface.

Which two parameters must be configured for your application to work properly? (Choose two.)

A. port-oversubscription off
B. persistent-nat
C. overflow-pool interface
D. port-overloading off

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- persistent-nat
- port-overloading off

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topiccollections/security/software-all/cli-reference/junos-security-cli-reference.pdf

QUESTION 16
You configure an SRX Series chassis cluster with graceful restart support for the configured routing protocols. When testing your cluster failover in a large, multivendor lab environment, you notice that most of the BGP and OSPF neighbors remain adjacent, whereas a few other neighbors drop the adjacency with your cluster during the cluster failover test. You notice that the OSPF and BGP neighbors that drop the adjacencies are always the same.

Why is this happening?

A. The OSPF/BGP neighbors in question have misconfigured hello/dead interval timers, which causes the connection to flap during the failover.
B. The OSPF/BGP neighbors in question are not running in GR helper mode, which causes the adjacencies to flap.
C. The local SRX cluster devices have misconfigured OSPF/BGP hello/dead interval timers, which cause the connections to flap during the failover.
D. The local SRX cluster devices are not running in GR helper mode, which causes the adjacencies to flap.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: The OSPF/BGP neighbors in question are not running in GR helper mode, which causes the adjacencies to flap.

Explanation: When a router is running graceful restart and the router stops sending and replying to protocol liveness messages (hellos), the adjacencies assume a graceful restart and begin running a timer to monitor the restarting router. During this interval, helper routers do not process an adjacency change for the router that they assume is restarting, but continue active routing with the rest of the network. The helper routers assume that the router can continue stateful forwarding based on the last preserved routing state during the restart. If the router was actually restarting and is back up before the graceful timer period expires in all of the helper routers, the helper routers provide the router with the routing table, topology table, or label table (depending on the protocol), exit the graceful period, and return to normal network routing.

Reference: http://www.juniper.net/techpubs/en_US/junos10.2/topics/concept/high-availabilityfeatures-in-junos-introducing.html

QUESTION 17
Click the Exhibit button.

You are configuring a hub-and-spoke VPN in your company network. Connectivity between the branches and company headquarters is not working.

Referring to the configuration excerpt shown in the exhibit, which statement is correct?

Exhibit:

A. The st0 interface has a wrong interface type.
B. Static routes are missing that point to the remote branch sites.
C. The preshared keys between the branch sites and the headquarters do not match.
D. This VPN type is not supported with policy-based IPSec VPNs.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: This VPN type is not supported with policy-based IPSec VPNs.

Explanation: Policy-based VPNs are primarily used for simple site-to-site VPNs and for remote access VPNs. For hub-and-spoke topologies, route-based VPNs should be used.

QUESTION 18
You want to limit attacks on TCP ports.

Which two scans should you be concerned about? (Choose two.)

A. TCP/IP scan
B. SYN scan
C. SYN/SYN scan
D. FIN/ACK scan

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- SYN scan
- FIN/ACK scan

Explanation: A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to a defined number of different ports at the same destination IP address within a defined interval (5000 microseconds is the default). The purpose of this attack is to scan the available services in the hope that at least one port will respond, thus identifying a service to target. Normally, TCP segments with the FIN flag set also have the ACK flag set (to acknowledge the previous packet received). Because a TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, there is no uniform response to it. One OS might respond by sending a TCP segment with the RST flag set; another might completely ignore it. The victim's response can provide the attacker with a clue as to its OS. (Other purposes for sending a TCP segment with the FIN flag set are to evade detection while performing address and port scans and to evade defenses on guard for a SYN flood by performing a FIN flood instead.)

QUESTION 19
Click the Exhibit button.

You want to verify a security flow on your SRX Series device.

Which statement is true regarding the output shown in the exhibit?

Exhibit:


A. This output indicates interface-based source NAT.
B. The policy nat-security-policy denies traffic from 10.1.0.13 to 207.17.137.229.
C. This output indicates source NAT without port translation.
D. The "out" direction shows traffic egressing out of the firewall towards 207.17.137.229.

Correct Answer: C
Section: (none)

Explanation/Reference:
Answer: This output indicates source NAT without port translation.

Explanation: The client connects to the web server 207.17.137.229. The reverse flow shows that the destination IP is changed from 10.1.0.13 to 172.19.101.42. This indicates that source NAT is in place.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junossecurity-cli-reference/show-security-flow-session.html

QUESTION 20
Two high-end SRX Series devices are configured in a chassis cluster, but interchassis communication is problematic and intermittent. Node 0 has SPCs located in slots 1, 2, 5, and 10 and has IOCs located in slots 3 and A. Node 1 has SPCs located in slots 13, 14, 18, and 22 and has IOCs located in slots 15 and 16.

What is causing the interchassis communication issues?

A. The IOCs must be placed in the first two slots on each node.
B. The SPCs must all be placed in consecutive slots on each node.
C. The IOC slots being used do not align between nodes.
D. The SPC slots being used do not align between nodes.

Correct Answer: D
Section: (none)

Explanation/Reference:
Answer: The SPC slots being used do not align between nodes.

Explanation: Both SRX devices are required to have the same number and location of SPCs and Network Processing Cards (NPCs). This is required because the SPUs talk to their peer SPU in the same FPC and PIC location on the other node.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 543.

QUESTION 21
Click the Exhibit button.

Which two statements are true based on the configuration shown in the exhibit? (Choose two)


Exhibit:

A. All ICMP traffic without the ACK bit set from the untrust zone will be dropped.
B. All ICMP traffic larger than 65 KB from the untrust zone will be dropped.
C. All fragmented IP packets belonging to the same original packet that have differing offset and size values will be dropped.
D. All fragmented IP packets belonging to the same original packet that have matching offset and size values will be dropped.

Correct Answer: BC
Section: (none)

Explanation/Reference:
Answer:
- All ICMP traffic larger than 65 KB from the untrust zone will be dropped.
- All fragmented IP packets belonging to the same original packet that have differing offset and size values will be dropped.

Explanation: A grossly oversized ICMP packet can trigger a range of adverse system reactions such as denial of service (DoS), crashing, freezing, and rebooting. The ping-death screen option protects against a ping of death attack. Teardrop attacks exploit the reassembly of fragmented IP packets. The ip tear-drop screen option enables protection against a Teardrop attack.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junossecurity-swconfig-security/id-12795.html
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfigsecurity/id-58971.html

QUESTION 22
Click the Exhibit button.

In the exhibit, a chassis cluster is deployed in active/active mode. The chassis cluster control and fabric links are connected through 100 Mbps WAN connections. During peak data usage times the chassis cluster becomes disabled even though the rate of new connections through the cluster is relatively low.

What is the problem?

Exhibit:

A. Control and fabric link WAN connections are not supported through a non-Ethernet-based technology. VPLS must be used instead.
B. Control link heartbeats are being lost during peak data usage times. The WAN connection that supports the control link must be upgraded to support greater bandwidth.
C. Fabric link probes are being lost during peak data usage times. The WAN connection that supports the fabric link must be upgraded to support greater bandwidth.
D. Latency across a WAN connection will always exceed the recommended 100 ms limit. The chassis cluster will always enter the disabled state during peak data usage.

Correct Answer: B
Section: (none)

Explanation/Reference:
Answer: Control link heartbeats are being lost during peak data usage times. The WAN connection that supports the control link must be upgraded to support greater bandwidth.

Explanation: If the control link fails, Junos OS disables the secondary node to prevent the possibility of each node becoming primary for all redundancy groups, including redundancy group 0. A control link failure is defined as not receiving heartbeats over the control link while heartbeats are still being received over the fabric link.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/chassis-clustercontrol-link-failure-recovery-understanding.html

QUESTION 23
You are working at a service provider that offers only residential access to DSL subscribers. Your company has decided to make customer traffic subject to further inspection.

When you install a new IPS machine in the network, where should you place it?

A. as close as possible to the server farm that runs the company's Web and DNS servers.
B. between the dual-homed upstream routers and the firewalls.
C. as close to the B-RAS devices as possible.
D. in the middle of the network.

Correct Answer: C
Section: (none)

Explanation/Reference:
Answer: as close to the B-RAS devices as possible.

Explanation: The B-RAS devices concentrate the traffic from the remote DSL subscribers, so the IPS machine should be placed as close to the B-RAS as possible.

QUESTION 24
Click the Exhibit button.

In the exhibit, you are configuring a flow trace of all packets for a TCP session initiated by the client to the server. The server's IP address is translated using static NAT. You want to use flow trace packet filters to limit the traffic viewed in your trace.

Which configuration specifies the correct filters?

Exhibit:


A.

B.

C.

D.

Correct Answer: D
Section: (none)


Explanation/Reference:
Answer:

Explanation: The correct answer matches source IP 1.1.1.100 and destination IP 1.1.1.30 in the request packets, and source IP 192.168.224.30 and destination IP 10.1.1.100 in the replies from the server.

QUESTION 25
You have correctly implemented a SIP Application Layer Gateway (ALG) on your company's SRX Series device to support SIP traffic on the network. However, after committing the configuration, users report that they are having problems making calls. Other traffic is properly flowing through the device, and calls that do not pass through the SRX Series device have no issues.

Which action will help identify the problem?

A. Configure trace options for the SIP Application Layer Gateway (ALG).
B. Configure the security policy to log SIP traffic events.
C. Configure trace options for the security policy.
D. Monitor traffic for the ingress interface, checking for SIP packet corruption.

Correct Answer: A
Section: (none)

Explanation/Reference:
Answer: Configure trace options for the SIP Application Layer Gateway (ALG).

Explanation: Troubleshooting this issue may be done by enabling the following traceoptions (the packet filters restrict the flow trace to SIP signaling on port 5060):

    set security traceoptions file <filename>          (eg. sip-trace-detail)
    set security traceoptions flag all
    set security alg sip traceoptions flag all extensive
    set security flow traceoptions file <filename>
    set security flow traceoptions flag all
    set security flow traceoptions packet-filter 1 source-port 5060
    set security flow traceoptions packet-filter 1 destination-port 5060

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junossecurity-cli-reference/id-83758.html
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21406&actp=search&viewlocale=en_US&searchid=1320325662928#

QUESTION 26
You want to source NAT all traffic initiated from Host A behind an SRX Series device to Server B. The internal transport address must be mapped to the same external transport address. Also, the external Server B must not communicate with the internal Host A using the NAT IP address/port unless the internal Host A has already communicated with the external Server B.


How do you enforce this set of criteria on the SRX Series device?

A. Configure port randomization and pool overloading for source NAT.
B. Configure pool overloading and persistent NAT for source NAT.
C. Turn off port randomization and configure persistent NAT for source NAT.
D. Turn off pool overloading and configure persistent NAT for source NAT.

Correct Answer: D
Section: (none)

Explanation/Reference:
Answer: Turn off pool overloading and configure persistent NAT for source NAT.

Explanation: To keep the same transport address, port address translation (PAT) must be disabled on the source NAT pool using the "port no-translation" option; persistent NAT then ensures the mapping is only usable after the internal host has initiated a session.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296

QUESTION 27
Your company plans to increase the security level for VPNs in its network by using certificates instead of preshared keys. The company wants to introduce its own centrally administered certificate authority from which all device certificates will be derived. You have been asked to automate certificate enrollment, re-enrollment, and revocation.

How can you implement this?

A. Use self-signed certificates on each device and have copies stored centrally.
B. Contract out this problem to VeriSign to deliver a solution.
C. Roll out a certificate automation system that is based on SCEP.
D. Buy certificates that do not need to be renewed from Entrust.

Correct Answer: C
Section: (none)

Explanation/Reference:
Answer: Roll out a certificate automation system that is based on SCEP.

Explanation: With the Simple Certificate Enrollment Protocol (SCEP), you can configure your Juniper Networks device to obtain a certificate authority (CA) certificate online and start the online enrollment for the specified certificate ID. The CA public key verifies certificates from remote peers.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/task/configuration/certificatedigital-online-configuration-enabling.html

QUESTION 28
Your company is bringing a remote office online and is using an IPSec VPN to establish secure communication between the offices. The remote SRX Series device is receiving its IP address dynamically from the service provider.

Which VPN technique can you use on your remote office SRX device?

A. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use main mode.


B. Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use aggressive mode.
C. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use aggressive mode.
D. Configure the dynamic-host-address option as the IKE identity, and configure IKE to use main mode.

Correct Answer: B
Section: (none)

Explanation/Reference:
Answer: Configure a fully qualified domain name (FQDN) as the IKE identity, and configure IKE to use aggressive mode.

Explanation: When using site-to-site VPNs, the most common type of IKE identity is the IP address, assuming that the host has a static IP address. If the host does not have a static IP address, a hostname can be used. Aggressive mode is an alternative to main mode IPsec negotiation and is most common when building VPNs from client workstations to VPN gateways, where the client's IP address is neither known in advance nor fixed.

QUESTION 29
Click the Exhibit button.

The output shown in the exhibit is from an SRX Series device that is the hub in a hub-and-spoke VPN.

Which two statements are true regarding this output? (Choose two.)

Exhibit:

A. NAT traversal is being used.
B. VPN monitoring has been enabled.
C. VPN monitoring has not been enabled.
D. The IKE SA has been successfully established.

Correct Answer: CD
Section: (none)

Explanation/Reference:
Answer:
- VPN monitoring has not been enabled.
- The IKE SA has been successfully established.

Explanation: The output of show security ipsec security-associations does not indicate whether NAT traversal is in use. The value of the Mon column shows that VPN monitoring is disabled. Here are the possible values of the Mon field:

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10090

QUESTION 30
Click the Exhibit button.


Referring to the exhibit, an IPSec tunnel is established between SRXA and SRXB. A GRE tunnel is established between router A and router B. Users in LANA can ping users in LANB; however, large FTP transfers are failing.

What is causing the problem?

Exhibit:

A. The anti-replay service window size needs to be increased to 64.
B. SRXB is running in transport mode.
C. Fragmentation is not allowed on the IPSec tunnel.
D. GRE over IPSec is not supported.

Correct Answer: C
Section: (none)

Explanation/Reference:
Answer: Fragmentation is not allowed on the IPSec tunnel.

Explanation: Fragmentation is not allowed on the IPSec tunnel because the don't fragment (DF) bit is set. Packets whose size equals the standard Ethernet MTU (1500 bytes) therefore exceed the tunnel MTU once the IPSec and GRE headers are added, and are dropped instead of fragmented.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configurationstatement/clear-dont-fragment-bit-edit-service-set.html

QUESTION 31
You are asked to set up a multi-tenant configuration on your SRX Series device. Several remote branch locations are connected to the device. You will connect each remote site to a separate logical interface. You want to implement segmentation between the branch locations using security zones and routing-instances.


Which two statements are true? (Choose two.)

A. Multiple branch locations can be assigned to the same zone but different routing-instances.
B. Multiple branch locations can be assigned to the same routing-instance but different zones.
C. If you use the interfaces all configuration option under a zone, different interfaces in the same zone can be assigned to multiple routing instances.
D. If you use the interfaces all configuration option under a zone, different interfaces must be assigned to the same routing instance.

Correct Answer: BD
Section: (none)

Explanation/Reference:
Answer:
- Multiple branch locations can be assigned to the same routing-instance but different zones.
- If you use the interfaces all configuration option under a zone, different interfaces must be assigned to the same routing instance.

Explanation: If you connect each remote site to a separate logical interface, then multiple branch locations can be assigned to different zones. The SRX differs from an ordinary Junos router: on the SRX, interfaces don't just live in routing instances, they also live in security zones. All interfaces configured within the same security zone must also be configured within the same routing instance (a security zone cannot span more than one routing instance).

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 691.

QUESTION 32
Click the Exhibit button.

You are troubleshooting a new IPSec VPN tunnel that is failing to establish an IKE security association between SRX Series devices. You notice the error in the log shown in the exhibit.

What are two possible causes for this problem? (Choose two.)

Exhibit:

A. no route to 2.2.2.2
B. mismatched peer ID type
C. incorrect peer address
D. missing Phase 1 policy

Correct Answer: BC
Section: (none)

Explanation/Reference:
Answer:
- mismatched peer ID type
- incorrect peer address

Explanation: The message "unable to find phase-1 policy as remote peer:2.2.2.2 is not recognized" means that the responder did not recognize the incoming request as originating from a valid gateway peer. You have to confirm that the following IKE gateway configuration settings are correct on the responder:
- The static IP address specified for the remote gateway is correct.
- The peer ID specified for the remote gateway is correct.
- The outgoing interface is correct.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB10101

QUESTION 33
In planning for your core data center's SRX5800 cluster software upgrade, minimal downtime is requested by your management team.

With a goal to achieve maximum uptime, how should you upgrade the SRX cluster?

A. Preload the software onto the SRX devices and then issue the following command at the same time on both SRX devices: request system software add <package-name> reboot.
B. Use in-service software upgrade using the following command: request system software inservice-upgrade <package-name> reboot.
C. Preload the software onto the SRX devices and then issue the following command at the same time on both SRX devices: request system software add no-validate <package-name> reboot.
D. Use an in-service software upgrade using the following command: request system software inserviceupgrade <package-name> restart.

Correct Answer: B
Section: (none)

Explanation/Reference:
Answer: Use in-service software upgrade using the following command: request system software inservice-upgrade <package-name> reboot.

Explanation: The in-service software upgrade (ISSU) feature allows a chassis cluster pair to be upgraded or downgraded between supported JUNOS versions with a traffic impact similar to that of redundancy group failovers. Before upgrading, you should perform failovers so that all redundancy groups are active on only one device. It is recommended that graceful restart for routing protocols be enabled prior to initiating an ISSU.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junossecurity-cli-reference/request-system-software-in-service-upgrade.html

QUESTION 34
A site-to-site VPN is configured between satellite offices and headquarters using a digital certificate from a neutral party. Once the VPN is up and stable, the certificate issued by the neutral party is revoked. The next-update time is not contained in the CRL.

Which two actions should you take to ensure that the SRX Series device renegotiates the VPN faster? (Choose two.)

A. Configure the SRX Series device with refresh-interval.
B. Wait for the default timer to expire; the device will then renegotiate the VPN tunnel.
C. Specify a URL to retrieve the CRL using HTTP or LDAP.
D. Configure the next-update time in the CRL.

Correct Answer: AC
Section: (none)

Explanation/Reference:
Answer: A,C
- Configure the SRX Series device with refresh-interval.
- Specify a URL to retrieve the CRL using HTTP or LDAP.

Explanation: The refresh interval specifies the frequency (in hours) at which the CRL is updated. The default is the next-update time in the CRL, or 1 week if no next-update time is specified. By default, the location (URL) from which to retrieve the CRL (HTTP or LDAP) is empty, and the device uses the CDP information embedded in the CA certificate. The URL can be set with the following command (example):

    set security pki ca-profile ms-ca revocation-check crl url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl

Reference: http://www.juniper.net/techpubs/en_US/junos11.3/topics/example/pki-example-pki-injunos-configuring.html

QUESTION 35
Click the Exhibit button.

You configured a security policy with an address book entry using a DNS name. Traffic matching the security policy for the DNS name is being dropped.

Referring to the exhibit, what is the cause?

Exhibit:


A. The domain name must be configured as www.juniper.net.
B. The security policy is missing the junos-dns application.
C. The destination address configuration must also include an IP address.
D. The domain name has not been resolved by DNS.

Correct Answer: D
Section: (none)


Explanation/Reference:
Answer: The domain name has not been resolved by DNS.

Explanation: One of the requirements for configuring an address book with dns-name entries is to configure Domain Name System (DNS) services on the device; without them the domain name cannot be resolved.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/zone-address-bookconfiguring-cli.html


Exam C

QUESTION 1
An attacker from IP address 1.1.1.2 is filling your SRX Series device's session table with TCP sessions that have all completed a legitimate three-way handshake.

What will help throttle the attack?

A. syn-flood destination-threshold
B. syn-ack-ack-proxy
C. limit-session destination-ip-based
D. limit-session source-ip-based

Correct Answer: D
Section: (none)

Explanation/Reference:
Answer: D

Explanation: The limit-session source-ip-based screen option limits the number of concurrent sessions the device allows from a single source IP address.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security94/junossecurity-cli-reference/limit-session.html

QUESTION 2
You want to allow users from routing-instance Juniper1 to route to the destination 2.2.2.2, reached through routing-instance Juniper2, without sharing all the routes between the two instances. You have configured policy-statement move_routes with a route-filter to accept the 2.2.2.2 route. You have created rib-group Group1 and applied it under routing-instance Juniper2.

Which rib-group configuration will accomplish this?

A.


B.

C.

D.

Correct Answer: C
Section: (none)

Explanation/Reference:
Answer:

Explanation: We have to import only one route from Juniper2.inet.0 into Juniper1.inet.0, so we must use import-policy move_routes to filter out the other routes during the import. Because the import is into the Juniper1.inet.0 table, we also have to select the option with "import Juniper1.inet.0".

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junossecurity-cli-reference/jd0e34855.html

QUESTION 3
A SYN packet traverses an SRX Series device and a session is created. When the return SYN-ACK packet arrives at the SRX, the original interface on which the SYN packet arrived is down. However, an alternate route exists through another interface in a different zone. no-syn-check is not configured on the device.

What will happen to the return packet?

A. The packet will be dropped.
B. The packet will be dropped with an ICMP message being sent back to the originating device.
C. The packet will match the existing session and will be forwarded to the destination device.
D. A new session will be created and the packet will be forwarded to the destination device.

Correct Answer: A
Section: (none)

Explanation/Reference:
Answer: The packet will be dropped.

Explanation: Because the only alternate route is through an interface in a different zone, the returning SYN-ACK no longer matches the zone pair of the existing session and is dropped.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=search&viewlocale=en_US&searchid=1320415514489#

QUESTION 4
A security analyst at your company wants to make sure packets coming from the Internet accessing your public Web servers are protected from HTTP packets that do not meet standards.

Which attack object will protect your infrastructure from nonstandard packets?

A. signature attack objects
B. compound protocol attack objects
C. protocol anomaly attack objects
D. the HTTP anomaly screen

Correct Answer: C
Section: (none)

Explanation/Reference:
Answer: protocol anomaly attack objects

Explanation: Protocol anomaly attack objects are predefined objects developed by the Juniper Security Team to detect activity that is outside the bounds of a protocol. Typically, the definition of acceptable behavior for a protocol is based on an RFC specification, or on a manufacturer's specification if there is no RFC.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 404.

QUESTION 5
You want to deploy an SRX Series cluster for a distributed data center between two remote locations. The carrier will provide you with dark fiber capable of the following: a 100 km reach, 125 ms propagation delay, and a packet loss of 1 out of 10,000,000 packets. You plan to connect the fiber directly to the SRX Series devices without any switches in between, and you plan to configure the SRX Series devices with a straightforward cluster configuration. One of the NOC engineers expresses doubts that this design will work.

How do you respond?

A. You explain that everything will work as expected.
B. You agree to install switches in between the SRX Series clusters in both sites for increased availability of the network.
C. You agree with the argument that dark fiber is not the best choice and choose a managed SDH/SONET solution, running Ethernet over SDH/SONET.
D. You agree with the NOC engineer that the heartbeat interval timers for the cluster must be adjusted to accommodate the 125 ms delay.

Correct Answer: D
Section: (none)

Explanation/Reference:
Answer: You agree with the NOC engineer that the heartbeat interval timers for the cluster must be adjusted to accommodate the 125 ms delay.

Explanation: JUNOS Software transmits heartbeat signals over the control link at a configured interval. The system uses heartbeat transmissions to determine the "health" of the control link. If the number of missed heartbeats has reached the configured threshold, the system assesses whether a failure condition exists. You specify the heartbeat threshold and heartbeat interval when you configure the chassis cluster. In a chassis cluster configuration on an SRX100, SRX210, SRX240, or SRX650 device, the default values of the heartbeat-threshold and heartbeat-interval options in the [edit chassis cluster] hierarchy are 8 beats and 2000 ms respectively. These values cannot be changed on these devices.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-swconfig-security/topic-43696.html?searchid=1320415514489
http://www.juniper.net/techpubs/en_US/junos10.2/information-products/topic-collections/releasenotes/10.2/topic-45729.html?searchid=1320415514489

QUESTION 6
A site-to-site VPN is configured between the main office and a remote office. An administrator wants to keep track of the VPN tunnel.

Which feature is used to verify that the VPN tunnel is up even if user traffic is not passing through it?

A. Dead peer detection sending ICMP packets
B. VPN monitoring sending ICMP packets
C. VPN monitoring sending UDP packets
D. Dead peer detection sending UDP packets

Correct Answer: B
Section: (none)

Explanation/Reference:
Answer: VPN monitoring sending ICMP packets

Explanation: The command set security ipsec vpn-monitor-options interval 15 threshold 15 monitors the VPN by sending Internet Control Message Protocol (ICMP) echo requests to the peer every 15 seconds, and declares the peer unreachable after 15 consecutive unsuccessful pings.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-cli-reference/id-84923.html?searchid=1320423410978
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-securityswconfig-security/topic-40793.html?searchid=1320423410978

QUESTION 7
You want to add a dynamic VPN to your SRX650. This dynamic VPN must be able to support five users at the same time.

What are two primary requirements? (Choose two.)

A. You must use a policy-based VPN.
B. You must use a route-based VPN.
C. You must install the proper licenses.
D. You must configure local client authentication.

Correct Answer: AC
Section: (none)

Explanation/Reference:
Answer:
- You must use a policy-based VPN.
- You must install the proper licenses.

Explanation: The SRX only supports a Dynamic VPN that uses the embedded client. For that it must be policy-based, because for the client-based VPN the SRX specifically looks for the tunnel policy, so this cannot work as a route-based VPN. Dynamic VPN is a licensed feature. By default, a two-user evaluation license is provided free of cost on the SRX devices, and it does not expire. When more than two users need to connect concurrently, a license is required; these are available as 5, 10, 25, and 50 user licenses.

Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/dialup-vpn-over-route-based-vpn/m-p/90610
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436&actp=search&viewlocale=en_US&searchid=1320423410978#

QUESTION 8
What causes a node in an SRX Series chassis cluster to be in the disabled state?

A. The primary node loses all power.
B. Both the control and fabric links between the two nodes go down at the same time.
C. The number of missed heartbeats reaches the configured threshold.
D. The backup node is configured to go into a disabled state until the active node has a failure.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: The number of missed heartbeats reaches the configured threshold.

Explanation:
Junos OS transmits heartbeat signals over the control link at a configured interval. The system uses heartbeat transmissions to determine the "health" of the control link. If the number of missed heartbeats has reached the configured threshold, the system assesses whether a failure condition exists. For a chassis cluster with one control link, if the control link goes down, all redundancy groups on the secondary node go to the ineligible state and eventually to the disabled state.

Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15421&actp=search&viewlocale=en_US&searchid=1320424816614#
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-securityswconfig-security/topic-43696.html

QUESTION 9
Click the Exhibit button.


Referring to the exhibit, what happens when the source pool is exhausted?

Exhibit:


A. Traffic is forwarded with the translated source as the egress interface.
B. Traffic is dropped.
C. Traffic is forwarded without port translation.
D. Traffic is forwarded without translation.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: Traffic is forwarded with the translated source as the egress interface.

Explanation:
When a given pool is exhausted, it can reference a different overflow pool for additional translations. If the interface keyword is used as the overflow pool, the egress interface's IP address is used for the NAT and PAT translation.

Reference:http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-cli-reference/jd0e81039.html?searchid=1320424816614

QUESTION 10
Click the Exhibit button.

A junior member of the network team has set up a new VPN tunnel using a PKI certificate and is unable to establish the tunnel. After troubleshooting the problem and confirming that the proposals and encryption algorithms match on both sides, they ask you for help.

Referring to the exhibit, what is the cause of this problem?


Exhibit:

A. The authentication method must be changed to pre-shared-keys to make use of the PKI certificate.
B. The proposal set is missing, which will cause the VPN tunnel to not establish.
C. PKI-based VPN tunnels cannot use main mode; aggressive mode must be used.
D. There is no trusted CA configured, which is required for PKI-based tunnels.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: There is no trusted CA configured, which is required for PKI-based tunnels.

Explanation:
The trusted-ca statement specifies the preferred certificate authority (CA) to use when requesting a certificate from the peer. If no value is specified, no certificate request is sent, and a certificate-based tunnel cannot complete IKE authentication.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-cli-reference/jd0e104424.html?searchid=1320424816614

QUESTION 11
You initiated the download of the attack database. The system indicates that it will run asynchronously and returns you to a command prompt in the CLI. You want to know if the download has completed.

Which command do you run to confirm this?

A. request security idp security-package install status
B. request system software idp security-package download status
C. request security idp security-package download status
D. request security idp security-package install

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:


Answer: C

Explanation:
The "request security idp security-package download status" command is used to verify the download status.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 434.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15806&actp=search&viewlocale=en_US&searchid=1320424816614#

QUESTION 12
Click the Exhibit button.

In the exhibit, Node 0 had primacy of RG 1 until interface ge-0/0/1 failed. Upon restoration of interface ge-0/0/1, Node 1 retained primacy for RG 1.

What will allow Node 0 to regain primacy of RG 1?

Exhibit:

A. Add the preempt parameter.
B. Add the acquire parameter.
C. Increase the gratuitous ARP threshold.
D. Decrease the hold-down interval.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: Add the preempt parameter.

Explanation:
The preempt statement enables chassis cluster node preemption within a redundancy group. When preempt is added to a redundancy group configuration, the node with the higher priority in the group can initiate a failover to become primary once it is healthy again. By default, preemption is disabled, so the node that took over keeps the redundancy group until it fails.

Reference:http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-clireference/jd0e11037.html?searchid=1320424816614

QUESTION 13
You have been asked to implement a hub-and-spoke IPsec VPN in a multi-vendor environment where the spoke devices are not always Junos devices.


Which statement is correct?

A. The next-hop tunnel bindings are not needed for a non-Junos spoke device.
B. The next-hop tunnel bindings are created automatically for all spoke devices.
C. You must manually configure the next-hop tunnel bindings for all non-Junos spoke devices.
D. You must manually configure the next-hop tunnel bindings for all spoke devices.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: C

Explanation:
The hub device uses the IP address of the remote peer's st0 interface as the next hop. You can enter the static route manually, or you can allow a dynamic routing protocol such as OSPF to install the route referencing the peer's st0 interface IP address as the next hop in the route table. The same IP address must also be entered as the next hop, along with the appropriate IPsec VPN name, in the NHTB table; in this way the route and NHTB tables are linked. For the NHTB table there are two options: enter the next hop manually, or allow the J Series or SRX Series device to obtain it automatically from the remote peer during Phase 2 negotiation using the NOTIFY_NS_NHTB_INFORM message. The automatic method only works when both peers are J Series or SRX Series devices running Junos OS, so non-Junos spokes need manual NHTB entries.

Reference:http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Multipoint_VPN_with_NHTB_12.pdf

QUESTION 14
You have a VoIP application that requires external sessions to be initiated into your environment. The internal host has previously sent a packet to the external VoIP application's reflexive transport address.

Which parameter would be enabled for this solution?

A. persistent-nat all-remote-host
B. persistent-nat target-host-port
C. persistent-nat target-host
D. persistent-nat any-remote-host

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: persistent-nat target-host-port

Explanation:
You can configure three persistent NAT types on the SRX device. With all three types, all requests from a specific internal IP address and port are mapped to the same reflexive transport address; the types differ only in which external hosts are allowed to send traffic back to that address.

Reference:http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST

QUESTION 15
An IPsec tunnel has just gone down in your network and you have been asked to troubleshoot and resolve the issue.


Which three reasons might be the cause of this issue? (Choose three.)

A. network connectivity issues
B. encapsulation mismatches
C. identical preshared keys
D. MTU mismatch on tunnel endpoints
E. authentication mismatches

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:
Answer:
- network connectivity issues
- encapsulation mismatches
- authentication mismatches

Explanation:
Loss of connectivity between the peers, an encapsulation mismatch, or an authentication mismatch (pre-shared key or certificate) prevents the IKE and IPsec security associations from being rebuilt. Identical pre-shared keys are a requirement rather than a fault, and an MTU mismatch degrades traffic through the tunnel but does not bring the tunnel itself down.

Reference:http://kb.juniper.net/InfoCenter/index?page=content&id=KB21899&actp=search&viewlocale=en_US&searchid=1320424816614#

QUESTION 16
Bandwidth utilization has significantly increased recently on the SRX3600 connecting your company to the Internet. You have decided to enable the Application Tracking feature on the device to provide visibility into the volume of the different applications passing through.

Where in the configuration is Application Tracking applied?

A. interfaces
B. zone
C. routing instances
D. globally

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: zone

Explanation:
Application tracking is enabled per security zone, with the application-tracking statement under the [edit security zones security-zone <zone-name>] hierarchy.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junossecurity-swconfig-security/topic-45953.html?searchid=1320424816614

QUESTION 17
You have been asked to troubleshoot a VoIP connectivity problem that occurs every time the IPsec VPN tunnel drops. The SRX Series device has a default route to the Internet and receives a more specific route for the VoIP server over the IPsec tunnel using OSPF. Every time the tunnel drops, when the tunnel re-establishes, the NOC must manually clear the sessions on the SRX device for these VoIP sessions to work again.


What can you do to resolve this problem?

A. Configure the route change timeout value under the flow options.
B. Configure OSPF to advertise the default route to the SRX device.
C. Write security policies bidirectionally so either side can initiate traffic.
D. Configure the IPsec tunnels to establish tunnels immediately.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: Configure the route change timeout value under the flow options.

Explanation:
Sessions that were built with route information that has since changed (here, sessions pinned to the default route while the tunnel was down) must be deleted promptly. Junos provides a flow option for this:
set security flow route-change-timeout <seconds>
This sets a timeout for sessions affected by a route change, so they age out after the configured interval instead of waiting for their normal session timeout. Because this interval is shorter than the original timeout, the stale sessions are cleared before the normal timeout would expire and new sessions follow the route learned over the re-established tunnel.

Reference:http://kb.juniper.net/InfoCenter/index?page=content&id=KB13637&actp=search&viewlocale=en_US&searchid=1320424816614#

QUESTION 18
You need to establish a new point-to-point IPsec VPN to a recently acquired remote site. The remote site is currently using the same network space with many overlapping IP addresses. You have been asked to implement an interim solution until there is time to migrate the remote site to a different network space.

Which solution accomplishes this task?

A. Implement source NAT on the remote gateway device.
B. Implement destination NAT on the local gateway device.
C. Implement static NAT on the local gateway device.
D. Implement static NAT on both gateway devices.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: Implement static NAT on both gateway devices.

Explanation:
Because both networks use the same internal IP addressing, it is not possible to simply build a tunnel between the two sites. However, if the tunnel endpoints on both sides are Juniper services routers, it is possible to configure a tunnel between these sites with an advanced configuration using NAT. It is important to understand the basic routing dilemma. If a host is attached to a network, say 10.0.0.0/24, and the device on the remote end is attached to a network using the same IP subnet, it is not possible to build a tunnel and route traffic to the other device without some sort of address translation, because all packets are routed based on the destination IP address. Before routing occurs, a determination is made as to whether the destination IP is on the same (local) network or not. If the destination IP is on the same network, say 10.0.0.10, the destination device is found using Address Resolution Protocol (ARP). If the destination IP resides on a different network, the packet is sent to the next-hop router based on the device's routing table. Because both the local and remote networks share the same IP addressing scheme, the packets are handled locally and never routed to the VPN tunnel. To work around this, static NAT is performed on the source IP and destination IP of all traffic destined for the remote network at the other end of the tunnel. For this reason a route-based approach to IPsec VPNs makes sense, because it creates a "virtual" network interface on each services router by way of a secure tunnel (st0) interface, into which the translated remote network is routed. Note that both the source and destination addresses are translated as the packet traverses the VPN tunnel to the end host, so the services routers at each end of the tunnel must reach each other using a newly created IP network.

Reference:http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/JSRX_VPN_with_Overlapping_Subnetsv2_0.pdf

QUESTION 19
Click the Exhibit button.

Host A and Server B must each be able to initiate traffic to each other. Server B does not have a route to the 1.1.1.0/24 network; it can send traffic only to IP addresses in the 2.1.1.0/24 network.

Which NAT type will you configure to achieve this communication using the SRX Series device?

Exhibit:

A. Configure a source NAT that maps 1.1.1.1 to 2.1.1.100.
B. Configure a destination NAT that maps 2.1.1.100 to 1.1.1.1.
C. Configure a static NAT that maps 1.1.1.1 to 2.1.1.100.
D. Configure a static NAT that maps 1.1.1.1 to 2.1.1.200.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: Configure a static NAT that maps 1.1.1.1 to 2.1.1.100.

Explanation:
Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction (2.1.1.100 to 1.1.1.1 for IP packets going from Server B to Host A) and source IP address translation in the reverse direction (1.1.1.1 to 2.1.1.100 for packets going from Host A to Server B). From the NAT device's point of view, the original destination address is the virtual host IP address while the mapped-to address is the real host IP address. Static NAT allows connections to be originated from either side of the network, which is why source NAT alone (A) or destination NAT alone (B) does not satisfy the requirement; translation is limited to one-to-one or between blocks of addresses of the same size. For each private address a public address must be allocated, and no address pools are necessary.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-swconfig-security/topic-42805.html

QUESTION 20
You notice an unusual increase in activity in your network. You investigate by reviewing logs and analyzing traffic flows. In your analysis, you identify a remote host that is sending traffic to your network with random TCP flags set, including URG, PSH, ACK and FIN.

What is the attacker doing with these packets?

A. The attacker is attempting a TCP random flag attack.
B. The attacker is attempting a TCP overflow attack.
C. The attacker is running an XMAS tree scan.
D. The attacker is running an idle scan.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: The attacker is running an XMAS tree scan.

Explanation:
The Xmas tree scan sends a TCP segment to a remote device with the URG, PSH and FIN flags set. It is called an Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001, or 0x29), much like the lights of a Christmas tree. No legitimate TCP stack emits this combination, so the scanner uses the target's response (a RST from a closed port, silence from an open or filtered one) to map ports.

Reference:http://en.wikipedia.org/wiki/Christmas_tree_packet

QUESTION 21
Your company is bringing a remote office online and will use VPN connectivity for access to resources between offices. The remote SRX Series device has an IP address, which it obtained dynamically from a service provider.

Which VPN technique can be used on your remote office SRX Series device?

A. Configure the head office to allow promiscuous VPN connections and disable the use of IKE peer identities.
B. Use the main-mode IKE exchange method in combination with a transport-mode tunnel.
C. Use a certificate authority for IKE Phase 2 authentication.
D. Use a fully qualified domain name (FQDN) as the IKE identity and configure IKE to use aggressive mode.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: Use a fully qualified domain name (FQDN) as the IKE identity and configure IKE to use aggressive mode.

Explanation:
For site-to-site VPNs the most common IKE identity is the IP address, which assumes the peer has a static IP address. If the peer does not have a static IP address, a hostname or FQDN can be used as the IKE identity instead. A dynamic IP address also requires aggressive mode, because the responder must learn the peer's identity in the first exchange to select the correct pre-shared key; the cost is that the IKE identities are sent unprotected.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 261.

QUESTION 22
You have a branch location connected to a virtual-router type of routing-instance. To provide Internet access, one requirement is to provide connectivity to an interface and its direct route, which belongs to the default inet.0 routing-instance.

Which statement is true?

A. The scenario is not possible; the interfaces must both be in the same routing-instance.
B. You must configure a non-forwarding routing-instance.
C. You must configure interface-routes with a share rib-group.
D. You must configure a policy in the forwarding-options configuration hierarchy.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: You must configure interface-routes with a share rib-group.

Explanation:
The interface (direct) routes from the inet.0 table must be imported into the routing instance's table. This is done with a rib-group applied to interface routes under routing-options interface-routes rib-group, so that the direct route appears in both inet.0 and the virtual router's inet.0 table.

Reference: http://www.juniper.net/techpubs/en_US/junos10.3/topics/reference/configurationstatement/rib-group-edit-routing-options.html?searchid=1320424816614

QUESTION 23
Click the Exhibit button.

The client is downloading a file from the FTP server. The FTP control channel is established using a securitypolicy named trust-to-untrust.

Referring to the exhibit, which two statements are correct from the output showing the data channel? (Choose two.)

Exhibit:


A. Active FTP is being used to establish the data channel.
B. The client is using passive FTP to establish the data channel.
C. The FTP ALG has opened a pinhole for the return traffic.
D. The FTP ALG is not being used in the security policy.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- The client is using passive FTP to establish the data channel.
- The FTP ALG is not being used in the security policy.

Explanation:
The client is using passive FTP to establish the data channel (active FTP would have the server open the data connection from port 20, in the reverse direction). No pinhole is needed for return traffic because both sessions, control and data, are initiated by the client.

Reference: http://slacksite.com/other/ftp.html
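The control-channel negotiation that decides which side opens the data connection, as an added example that is not part of the original exam dump or of any Juniper code. It parses the two FTP messages an ALG has to understand, the client's PORT command (active FTP) and the server's 227 reply (passive FTP), and derives the data channel's endpoints, which side initiates it, and whether that direction runs against the control channel's direction. The client and server addresses and the two control-channel lines are constructed sample values; the needs_pinhole flag models direction only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample endpoints: an inside client and an outside FTP server.
CLIENT_IP = "10.1.1.10"
SERVER_IP = "203.0.113.5"

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str                 # "active" or "passive"
    initiator: str            # "server" or "client"
    src_ip: str
    src_port: Optional[int]   # 20 for active FTP; ephemeral (None here) for passive
    dst_ip: str
    dst_port: int
    needs_pinhole: bool       # data channel runs against the control channel's direction


def parse_hostport(text):
    """Decode the six-number address tuple; the port is p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_channel_for(line, client_ip=CLIENT_IP, server_ip=SERVER_IP,
                     control_from_client=True):
    """Derive the data channel from one control-channel line.

    line is either the client's 'PORT ...' command (active FTP) or the
    server's '227 Entering Passive Mode (...)' reply (passive FTP).
    control_from_client=True means the control channel was opened in the
    policy's direction (trust-to-untrust in the exam's exhibit).
    """
    upper = line.strip().upper()
    if upper.startswith("PORT "):
        ip, port = parse_hostport(line)
        # Active: the server connects from port 20 back to the address the client gave.
        return DataChannel("active", "server", server_ip, 20, ip, port,
                           needs_pinhole=control_from_client)
    if upper.startswith("227 "):
        ip, port = parse_hostport(line)
        # Passive: the client opens a second connection to the address the server gave.
        return DataChannel("passive", "client", client_ip, None, ip, port,
                           needs_pinhole=not control_from_client)
    raise ValueError("not a PORT command or a 227 reply: %r" % line)


# Constructed control-channel lines, one per mode.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)."
SAMPLE_PORT_CMD = "PORT 10,1,1,10,4,1"

if __name__ == "__main__":
    for sample in (SAMPLE_PASV_REPLY, SAMPLE_PORT_CMD):
        print(sample, "->", data_channel_for(sample))
```

With passive FTP the client initiates both connections, which is why the exhibit's data channel runs in the same direction as the trust-to-untrust control channel. One caveat for the policy: if it matches only the control port (the junos-ftp application) rather than any, the FTP ALG still has to permit the passive data connection even though it flows in the same direction.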

QUESTION 24
You have configured your SRX Series device with two route-based VPNs for the same destination network. Remote SRX Series device A's route has a preference of 5 and remote SRX Series device B has a preference of 10. Users complain they cannot reach the networks through the VPN tunnel. You verify the VPN's status and discover that the IKE Phase 1 and Phase 2 security associations are active, but the remote networks are not reachable.

Which SRX VPN feature would you use to cause the route-based VPN with preference 10 to be used?


A. Configure the dead peer detection feature.
B. Configure the vpn-monitor feature.
C. Configure the establish-tunnels-immediately option.
D. Configure the IPsec security association lifetime to a lower value.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: Configure the vpn-monitor feature.

Explanation:
One issue with DPD is that it does not prove the underlying VPN is passing traffic, only that the peer is up and responding to IKE. VPN monitoring is not an IPsec standard feature, but it uses ICMP to determine whether the tunnel itself is usable. VPN monitoring lets the SRX send ICMP traffic through the tunnel either to the peer gateway or to another destination on the far side (such as a server), with a configurable source IP address for the probes. If the probes fail, the VPN is considered down and the st0 route toward it is withdrawn, so the preference-10 route through device B takes over.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 269.

QUESTION 25
Click the Exhibit button.

You created the IPS policy displayed in the exhibit and find that the policy is not being used to inspect traffic.

What must you do to activate the policy?

Exhibit:


A. You must import and activate the IPS signature database to the SRX Series device.
B. You must run the set security idp active-policy base-policy command and commit the configuration.
C. You must run the set security idp activate base-policy command and commit the configuration.
D. You must use the commit activate-ips command to recompile the IPS rule base.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: You must run the set security idp active-policy base-policy command and commit the configuration.

Explanation:
Defining an IDP policy does not make it active; only one policy can be active at a time, and it must be selected with set security idp active-policy base-policy and committed before any traffic is inspected against it.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junossecurity-swconfig-security/topic-42460.html?searchid=1320438879836

QUESTION 26
In the sequence of IPS inspection steps, protocol anomaly detection is performed after which step?

A. after fragments are reassembled.
B. after packets in sessions are tracked.
C. after applications and decode protocols are identified.
D. after packet signatures are checked.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: after applications and decode protocols are identified.

Explanation:
Protocol anomaly detection compares the decoded protocol against its specification, so it can only run once the application has been identified and the protocol decoder selected.

Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junossecurity-swconfig-security/topic-42473.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-securityswconfig-security/topic-42478.html?searchid=1320438879836

QUESTION 27
You have configured persistent NAT in your NAT rule base. You create a security policy in the direction of external to internal.

Which persistent NAT parameter should you configure?

A. all-remote-host
B. target-host
C. any-remote-host
D. target-host-port

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- target-host
- any-remote-host

Explanation:
The following types of persistent NAT can be configured on the Juniper Networks device:
• Any remote host: All requests from a specific internal IP address and port are mapped to the same reflexive transport address. Any external host can send a packet to the internal host by sending the packet to the reflexive transport address.
• Target host: All requests from a specific internal IP address and port are mapped to the same reflexive transport address. An external host can send a packet to an internal host by sending the packet to the reflexive transport address. The internal host must have previously sent a packet to the external host's IP address.

Reference:http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topiccollections/security/software-all/security/junos-security-swconfig-security.pdf
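A small model of the three persistent NAT types, serving both QUESTION 14 above and this one; it is an added example, not Juniper code and not part of the original page. It keeps one binding per internal (address, port), records the external hosts that binding has contacted, and answers whether an inbound packet to the reflexive transport address is accepted under any-remote-host, target-host or target-host-port. The public address 203.0.113.1 and the starting port 40000 are assumed values.

```python
from dataclasses import dataclass, field


@dataclass
class Binding:
    """One persistent-NAT binding: internal (ip, port) -> reflexive (ip, port)."""
    internal: tuple
    reflexive: tuple
    peers: set = field(default_factory=set)   # (ip, port) of external hosts contacted


class PersistentNat:
    """Models the inbound-acceptance rule of the three persistent NAT types."""

    MODES = ("any-remote-host", "target-host", "target-host-port")

    def __init__(self, mode, public_ip="203.0.113.1", first_port=40000):
        # public_ip and first_port are assumed values for this example.
        if mode not in self.MODES:
            raise ValueError("unknown persistent-nat type: %s" % mode)
        self.mode = mode
        self.public_ip = public_ip
        self._next_port = first_port
        self._by_internal = {}
        self._by_reflexive = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host sends a packet; allocate or reuse its reflexive address.

        All three types map the same internal (ip, port) to the same reflexive
        transport address for every destination, which is what lets a VoIP peer
        reuse the address it learned from signalling.
        """
        key = (src_ip, src_port)
        binding = self._by_internal.get(key)
        if binding is None:
            binding = Binding(key, (self.public_ip, self._next_port))
            self._next_port += 1
            self._by_internal[key] = binding
            self._by_reflexive[binding.reflexive] = binding
        binding.peers.add((dst_ip, dst_port))
        return binding.reflexive

    def inbound_allowed(self, src_ip, src_port, dst_ip, dst_port):
        """External host sends to a reflexive address; accept per the NAT type."""
        binding = self._by_reflexive.get((dst_ip, dst_port))
        if binding is None:
            return False                      # no binding to translate to
        if self.mode == "any-remote-host":
            return True                       # anyone may use the binding
        if self.mode == "target-host":
            return any(ip == src_ip for ip, _ in binding.peers)
        return (src_ip, src_port) in binding.peers   # target-host-port

    def internal_for(self, dst_ip, dst_port):
        """Translate an accepted inbound destination back to the internal host."""
        return self._by_reflexive[(dst_ip, dst_port)].internal


if __name__ == "__main__":
    # Constructed scenario: inside SIP phone registers with an outside proxy,
    # then three different inbound packets arrive at the reflexive address.
    for mode in PersistentNat.MODES:
        nat = PersistentNat(mode)
        refl = nat.outbound("10.1.1.10", 5060, "198.51.100.7", 5060)
        print(mode, refl,
              nat.inbound_allowed("198.51.100.7", 5060, *refl),   # same host and port
              nat.inbound_allowed("198.51.100.7", 6000, *refl),   # same host, other port
              nat.inbound_allowed("192.0.2.9", 5060, *refl))      # unrelated host
```

The external-to-internal security policy in this question only matters for the types that let an external host open the conversation after the binding exists; target-host-port additionally requires the external host's port to match the one the internal host contacted, which is why it is the tightest fit for QUESTION 14.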

QUESTION 28
You have implemented a chassis cluster that spans a Layer 2 network between two office campuses. You are using dual fabric links. Some of the RTOs are getting lost.


What are two reasons why this happens? (Choose two.)

A. The switches interconnecting the fabric links do not support jumbo frames.
B. The switches are not configured with the proper VLAN tags used by RTO traffic.
C. The Layer 2 network contains 10 Gigabit links.
D. There is a 500 millisecond latency between the SRX Series devices.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Answer: AD
- The switches interconnecting the fabric links do not support jumbo frames.
- There is a 500 millisecond latency between the SRX Series devices.

Explanation:
If you are connecting each of the fabric links through a switch, you must enable the jumbo frame feature on the corresponding switch ports, because RTOs are carried in frames larger than the standard Ethernet MTU and are dropped otherwise. If both fabric links are connected through the same switch, the RTO-and-probes pair must be in one virtual LAN (VLAN) and the data pair must be in another VLAN; here too, jumbo frames must be enabled on the corresponding switch ports. Fabric probes and RTO synchronization also assume LAN-like latency, so a 500 millisecond round trip between the campuses causes RTOs to be lost.

Reference:http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/chassis-cluster-fabricconfiguring-cli.html

QUESTION 29
Your company recently acquired another company. During a site visit and network audit, you recognize that the acquired company's private network address space overlaps with yours. You will eventually merge the networks, but for the moment, you must make communication between the networks work over the Internet as a first step toward the migration.

What should you do to meet the requirements?

A. Use source NAT to deliver the necessary translations between private and public networks.
B. Implement a static NAT at one site.
C. Implement double NAT on both sites' public network-facing routers.
D. Migrate to multicast.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: Implement double NAT on both sites' public network-facing routers.

Explanation:
Double NAT occurs when both the source IP address and the destination IP address leave the translating system changed. Double NAT is commonly used for merging two networks with overlapping address space. This has become an increasingly common scenario as more organizations have moved to RFC 1918 private address space for their internal addressing in an effort to overcome public IPv4 address exhaustion. When these organizations merge, they are left with overlapping RFC 1918 addressing. In these cases, double NAT must be used until systems can be readdressed.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 243.
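The double NAT for overlapping subnets from QUESTION 18 and the one-to-one static mapping from QUESTION 19, traced in code as an added example that is neither Juniper's implementation nor part of the original page. Both sites use 10.0.0.0/24; gateway A presents its hosts to the tunnel as 172.16.1.0/24 and gateway B as 172.16.2.0/24 (both assumed values). Each gateway applies one static NAT rule in both directions: source translation for traffic entering the tunnel and destination translation for traffic leaving it, so either side can originate connections.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNatGateway:
    """One-to-one static NAT between a real subnet and a same-size virtual subnet."""

    def __init__(self, name, real_net, virtual_net):
        self.name = name
        self.real = ipaddress.ip_network(real_net)
        self.virtual = ipaddress.ip_network(virtual_net)
        if self.real.prefixlen != self.virtual.prefixlen:
            raise ValueError("static NAT needs address blocks of the same size")

    def _shift(self, addr, from_net, to_net):
        """Map addr from one block to the same host offset in the other block."""
        a = ipaddress.ip_address(addr)
        if a not in from_net:
            return addr                       # not ours: leave untouched
        offset = int(a) - int(from_net.network_address)
        return str(to_net.network_address + offset)

    def to_tunnel(self, pkt):
        """Outbound: translate the real source to its virtual address."""
        return Packet(self._shift(pkt.src, self.real, self.virtual), pkt.dst)

    def from_tunnel(self, pkt):
        """Inbound: translate the virtual destination back to the real host."""
        return Packet(pkt.src, self._shift(pkt.dst, self.virtual, self.real))


def trace(pkt, sender_gw, receiver_gw):
    """Walk a packet host -> sender gateway -> tunnel -> receiver gateway -> host."""
    on_tunnel = sender_gw.to_tunnel(pkt)
    delivered = receiver_gw.from_tunnel(on_tunnel)
    return on_tunnel, delivered


# Constructed topology: two sites that both number their LAN 10.0.0.0/24.
GW_A = StaticNatGateway("A", "10.0.0.0/24", "172.16.1.0/24")
GW_B = StaticNatGateway("B", "10.0.0.0/24", "172.16.2.0/24")

if __name__ == "__main__":
    # Host A (10.0.0.10) reaches host B by its virtual address 172.16.2.20.
    request = Packet("10.0.0.10", "172.16.2.20")
    print("request :", request, "->", *trace(request, GW_A, GW_B))
    reply = Packet("10.0.0.20", "172.16.1.10")
    print("reply   :", reply, "->", *trace(reply, GW_B, GW_A))
```

Host A must address the remote host by its virtual address (172.16.2.20), and gateway A must route 172.16.2.0/24 into its st0 interface; that routing requirement is why the route-based VPN is needed, since a packet addressed to 10.0.0.20 would be handled locally and never reach the tunnel.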


QUESTION 30
What is a NULL scan attack and how can you minimize its effects?

A. A NULL scan attack consists of a series of packets that have source port 0 and various destination ports set. This attack can be minimized using set security screen ids-option my-screen tcp-no-null and udp-no-null.

B. A NULL scan attack is an attack targeting port 0 of the remote device's TCP/IP stack. This attack can be minimized using set security idp sensor-configuration flow no-allow-tcp without-flow.

C. A NULL scan attack uses TCP packets with no flags set. This attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.

D. A NULL attack makes use of UDP packets that contain only null characters in their payload. This attack can be minimized using a stateless firewall filter.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: A NULL scan attack uses TCP packets with no flags set. This attack can be minimized using set screen ids-option my-screen tcp tcp-no-flag.

Explanation:
A NULL scan is a series of TCP packets that contain a sequence number of 0 and no flags set. In a production environment there is never a legitimate TCP packet without any flag set. Because a NULL scan carries no flags, it can sometimes pass firewalls and edge routers that filter only on particular flags. On the SRX the attack is stopped with the tcp-no-flag screen option, whose full hierarchy is set security screen ids-option my-screen tcp tcp-no-flag; the screen takes effect once it is bound to the ingress zone with set security zones security-zone <zone-name> screen my-screen.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-cli-reference/jd0e98530.html?searchid=1320438879836
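The flag-byte checks behind the XMAS scan in QUESTION 20 and the NULL scan here, as an added example rather than Junos code or the page's own. triggered_screens() models three Junos TCP screens, tcp-no-flag from this question plus syn-fin and fin-no-ack, which go beyond what the page lists; scan_type() names the NULL and XMAS patterns; scan_sources() runs the classifier over a constructed list of (source, destination port, flags) samples, the kind of data a flow log yields, to find hosts probing many ports with malformed flags. The sample addresses and ports are constructed.

```python
# TCP flag bits (the low six bits of the flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Junos TCP screen checks modelled here (assumption: only tcp-no-flag appears
# on the page; syn-fin and fin-no-ack are the neighbouring ids-option names).
SCREENS = {
    "tcp-no-flag": lambda f: f == 0,                         # NULL scan packet
    "syn-fin":     lambda f: bool(f & SYN and f & FIN),      # never legitimate
    "fin-no-ack":  lambda f: bool(f & FIN and not f & ACK),  # FIN without ACK
}


def triggered_screens(flags):
    """Names of the screens a packet with this flags byte would trigger."""
    f = flags & 0x3F
    return [name for name, check in SCREENS.items() if check(f)]


def scan_type(flags):
    """Classify the two flag patterns scanners alternate between, else None."""
    f = flags & 0x3F
    if f == 0:
        return "NULL"
    if f == URG | PSH | FIN:          # 0x29 == 0b00101001, the "lit" tree
        return "XMAS"
    return None


def scan_sources(packets, min_ports=5):
    """Sources that hit at least min_ports distinct ports with NULL/XMAS packets.

    packets: iterable of (src_ip, dst_port, flags) tuples.
    Returns sorted (src_ip, scan_type, port_count) tuples.
    """
    ports_by_source = {}
    for src, dport, flags in packets:
        kind = scan_type(flags)
        if kind is not None:
            ports_by_source.setdefault((src, kind), set()).add(dport)
    return sorted((src, kind, len(ports))
                  for (src, kind), ports in ports_by_source.items()
                  if len(ports) >= min_ports)


# Constructed sample traffic: one scanner alternating XMAS and NULL probes
# across many ports, one normal client doing an ordinary handshake and close.
SAMPLE_PACKETS = (
    [("198.51.100.9", p, URG | PSH | FIN) for p in (21, 22, 23, 25, 80, 443)]
    + [("198.51.100.9", p, 0) for p in (135, 139, 445, 3389, 8080)]
    + [("192.0.2.4", 80, SYN), ("192.0.2.4", 80, ACK | PSH), ("192.0.2.4", 80, FIN | ACK)]
)

if __name__ == "__main__":
    for src, kind, count in scan_sources(SAMPLE_PACKETS):
        print("%s: %s scan across %d ports" % (src, kind, count))
    print("screens hit by an XMAS packet:", triggered_screens(URG | PSH | FIN))
```

Note that an XMAS packet has no screen of its own on the SRX: it is caught by fin-no-ack, while the NULL packet is caught by tcp-no-flag. A scanner that alternates between the two patterns therefore needs both screens enabled on the zone to be blocked consistently.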

QUESTION 31
Click the Exhibit button.

You have been asked to configure a virtual-router routing-instance for a group of internal users. To grant the internal users Internet access, you create a static route for all unknown traffic to be routed to the main instance inet.0 table, as shown in the exhibit.

What is required for the return traffic from the Internet to be allowed back through the SRX?

Exhibit:

A. You must configure a rib-group to move routes from the Juniper routing-instance route table into the inet.0 table for the return traffic to be routed back through.
B. The return traffic uses fast path processing to bypass routing in the inet.0 routing table.
C. You must configure a group to move routes from the inet.0 table into the Juniper routing-instance route table for the return traffic to be routed back through.
D. The return traffic uses first packet processing to bypass routing in the inet.0 routing table.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Answer: AB
- You must configure a rib-group to move routes from the Juniper routing-instance route table into the inet.0 table for the return traffic to be routed back through.
- The return traffic uses fast path processing to bypass routing in the inet.0 routing table.

Explanation:Without exporting routes from routing-instance Juniper to inet.0 the traffic from internet to the networks inrouting-instance Juniper is dropped. When a packet enters the SRX, the flow daemon (flowd) performs asession lookup. It does this to see whether the packet is already part of an existing session. If the packet is partof an existing session, it takes what is referred to as the fast path . If it is not found to be part of an existingsession, it goes down the slow path . The fast path has fewer steps involved in checking the packet, and as aresult, it is much faster at processing the packet.

Reference:http://www.juniper.net/techpubs/en_US/junos11.3/topics/reference/configuration-statement/ribgroups-edit-routing-options.html
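A configuration that satisfies answer A, added here as an illustration; it is not the exhibit's configuration. The instance name Juniper follows the question, while the interface ge-0/0/1 and the prefix 10.10.0.0/24 are assumed.

```junos
# Routing instance for the internal users (instance name from the question;
# interface and addressing are assumed for this example)
set routing-instances Juniper instance-type virtual-router
set routing-instances Juniper interface ge-0/0/1.0
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.1/24

# Outbound: unknown destinations are handed to the main instance's table
set routing-instances Juniper routing-options static route 0.0.0.0/0 next-table inet.0

# Return path: leak the instance's interface (direct) routes into inet.0.
# The first import-rib entry is the primary table; the remaining entries are
# the tables that receive copies of its routes.
set routing-options rib-groups Juniper-to-inet0 import-rib [ Juniper.inet.0 inet.0 ]
set routing-instances Juniper routing-options interface-routes rib-group inet Juniper-to-inet0

# Verify (operational mode): 10.10.0.0/24 must now appear in inet.0 as a
# direct route via ge-0/0/1.0; if it does not, the first inbound packet of a
# new connection fails its route lookup in first-path processing
show route table inet.0 10.10.0.0/24
```

Only direct routes are leaked here; if the instance also learns prefixes from a routing protocol or static routes behind the users' LAN, add the corresponding rib-group statement under that protocol or under static so those prefixes reach inet.0 as well.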

QUESTION 32
Your company provides a managed network service for its customers. Two of your customers have merged and want to have the same configurations and firewalls. However, they must use their legacy Internet connections. As a result, you need 172.27.0.0/24 to go to ISP A and 172.25.0.0/24 to go to ISP B.

Which filter-based forwarding configuration will work for these two customers?

A.

B.

C.

D.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:
Option D is selected because it forwards traffic sourced from 172.27.0.0/24 to routing-instance ISP-A and traffic sourced from 172.25.0.0/24 to routing-instance ISP-B.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=search&viewlocale=en_US&searchid=1320488885905#

QUESTION 33
Which two make up the context of an IPS attack signature? (Choose two.)

A. service binding
B. application
C. scope
D. application subset

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- application
- application subset

Explanation:
To aid in the accuracy and performance of IPS inspection, the SRX uses a concept called contexts to match an attack in the specific place where it occurs in the application protocol (for example, within an HTTP URL rather than anywhere in the stream). This ensures that performance is optimized by not searching for attacks where they would not occur, and it limits false positives.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 405

QUESTION 34
Which component can you use to find an attack for traffic that uses a nonstandard service?

A. last packet
B. ToS markings
C. first packet
D. last data packet

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: first packet

Explanation:
Juniper Networks provides predefined application signatures that detect Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) applications running on nonstandard ports. Identifying these applications allows Intrusion Detection and Prevention (IDP) to apply the appropriate attack objects to applications running on nonstandard ports. The application signatures identify an application by matching patterns in the first packet of a session.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junossecurity-swconfig-security/topic-42381.html?searchid=1320488885905

QUESTION 35
Click the Exhibit button.

You are asked to help troubleshoot new connectivity to a server on your network. The system administrator is receiving user requests and confirms that the responses are being sent out. However, the user never sees the response packet and suspects the firewall is dropping them. You configure a basic data path trace option and confirm you see the return data, but it is being dropped.

Referring to the exhibit, why is the traffic being dropped?

Exhibit:

A. The server is changing the ports, causing the session to be treated as a new session, and it is being dropped.
B. The sessions are stale and must be cleared manually.
C. The traffic is failing a route lookup.
D. The traffic is routing asymmetrically.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: The traffic is routing asymmetrically.

Explanation:
The SRX is a stateful device: a reply packet is matched against the existing session and is expected to arrive on an interface in the zone through which the session's forward path left the device. Asymmetrically routed return traffic passes the zone-based firewall only if the interface it arrives on is in the same zone as the session's original egress interface; if it arrives through a different zone, the flow module drops it.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21983&actp=search&viewlocale=en_US&searchid=1320415514489#

Exam D

QUESTION 1
You loaded the attack database on your SRX device, but it must be installed.

Which command statement installs the attack database?

A. request system security-package add /var/tmp/idp.tar.tgz
B. request security idp security-package install
C. request security idp security-package install package
D. request security idp security-package install database

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: request security idp security-package install

Explanation:
The command request security idp security-package install installs the downloaded signature database (and the updated detector engine, when the package contains one) onto the control plane and the data plane.

Reference:http://kb.juniper.net/InfoCenter/index?page=content&id=KB15806&actp=search&viewlocale=en_US&searchid=1320424816614
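The full update sequence around that command, added here as an illustration rather than taken from the exam; it assumes the device already has the update server and, where required, a proxy configured under [edit security idp security-package].

```junos
# Operational-mode sequence (added example, not from the exam)

# 1. Fetch the latest security package (attack database and detector engine)
#    from the update server configured under [edit security idp security-package].
#    The download runs in the background; poll until the status reports completion.
request security idp security-package download
request security idp security-package download status

# 2. Install what was downloaded onto the control plane and the data plane.
#    This is the step Question 1 asks about and is also asynchronous.
request security idp security-package install
request security idp security-package install status

# 3. Confirm the attack database and detector versions now in use.
show security idp security-package-version

# Optional: the predefined policy templates are a separate download
request security idp security-package download policy-templates
request security idp security-package install policy-templates
```

Install status must be checked before relying on the new database: a download that completed but was never installed leaves the previous signature set active on the data plane.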

QUESTION 2
A user residing in the trust zone of the SRX Series device cannot access a Web page hosted on a server in the DMZ zone. You verify that an active security policy exists on the SRX device that allows the user's PC to access the Web server with the application HTTP. However, you do not see the security policy access counter increment, nor do you see any information in the log file associated with the security policy.

What is causing the problem?

A. A security policy exists further down the list that is denying the user access to Web server traffic.
B. No route exists on the SRX device to the destination server.
C. A firewall filter is applied to the egress interface.
D. The policy rematch option is disabled for the session configuration.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: No route exists on the SRX device to the destination server.

Explanation:
In first-path processing the route lookup, which also determines the destination zone, happens before the policy lookup. Without a route to the Web server in the DMZ zone the packet is dropped at the route lookup, so no policy is ever evaluated, the policy counter does not increment and no policy log entry is written.

QUESTION 3
You have configured persistent NAT with the default inactivity timeout. All of the sessions of a persistent NAT binding have expired.

How long will the binding remain in the SRX Series device's memory?

A. 30 seconds
B. 120 seconds
C. 300 seconds
D. 360 seconds

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: 300 seconds

Explanation:
The inactivity-timeout option defines how long a persistent NAT binding remains in the persistent NAT table after the last session using it has expired. The value is specified in seconds, from a minimum of one minute (60) to a maximum of two hours (7200). The default is five minutes (300 seconds).

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 224.
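A persistent NAT rule showing where the timeout is set, added here as an illustration and not taken from the exam. The zones trust and untrust, the internal prefix 10.1.1.0/24 and the pool address 203.0.113.10 are assumed.

```junos
# Persistent NAT example (added; pool, zones and prefixes are assumed)
set security nat source pool pnat-pool address 203.0.113.10/32

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule pnat match source-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule pnat then source-nat pool pnat-pool

# any-remote-host: any external host may send to the bound external address:port.
# This is the most permissive mode; target-host or target-host-port only admits
# hosts (or host:port pairs) the internal host has already sent to.
set security nat source rule-set trust-to-untrust rule pnat then source-nat pool persistent-nat permit any-remote-host

# Keep the binding for 10 minutes after its last session ends instead of the
# 300-second default (range 60 to 7200 seconds)
set security nat source rule-set trust-to-untrust rule pnat then source-nat pool persistent-nat inactivity-timeout 600

# Cap the number of concurrent sessions that may share one binding
set security nat source rule-set trust-to-untrust rule pnat then source-nat pool persistent-nat max-session-number 30

# Operational mode: current bindings, their mode and remaining lifetime
show security nat source persistent-nat-table all
```

A longer timeout keeps the external address:port reachable for inbound traffic after the application goes quiet, which is what peer-to-peer and VoIP clients need, but with any-remote-host it also lengthens the window in which any Internet host can reach that internal port, so pick the tightest permit mode the application tolerates.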

QUESTION 4
Click the Exhibit button.

Referring to the exhibit, which type of NAT is implemented?

Exhibit:

A. persistent NAT
B. double NAT
C. destination NAT
D. source NAT

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: double NAT

Explanation:
Double NAT occurs when both the source IP address and the destination IP address leave the translating system changed. Double NAT is commonly used for merging two networks with overlapping address space.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 243.

QUESTION 5
You are configuring a hub-and-spoke VPN topology between an SRX Series device deployed at the hub site and several devices at spoke sites. You have configured all the settings to establish the tunnel, but the IPsec SA has not yet been established. All configured proposals and policies match on both sides.

Which three actions can you perform to establish the IPsec SA between the hub and spoke sites? (Choose three.)

A. Enable VPN monitoring
B. Initiate traffic from the spoke site to the hub site
C. Configure the tunnel to establish immediately
D. Configure dead peer detection
E. Initiate traffic from the hub site to the spoke site

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Initiate traffic from the spoke site to the hub site
- Configure the tunnel to establish immediately
- Initiate traffic from the hub site to the spoke site

Explanation:
The VPN can be established immediately when the configuration is applied (and subsequently whenever the SA expires), or it can be established on-traffic, when user data traffic is routed into the tunnel from either end. By default, VPNs are established on-traffic. VPN monitoring and dead peer detection check the liveness of a tunnel that already exists; neither of them triggers the initial negotiation.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 296

QUESTION 6
Your company has decided to enable IPv6 in its corporate network. All core network elements are already enabled. You have completed the configuration of the SRX Series cluster. All tests are running well and no issues have been found. The IT department decides to increase the MTU on the access switches and the workstations to 9000; everything else will continue using the standard settings.

Which statement is correct about how the SRX chassis cluster will handle all these packets?

A. It drops all IPv4 and IPv6 packets.
B. It fragments all IPv4 packets as well as the IPv6 packets; no issues are expected.
C. It fragments all IPv4 packets without the DF bit set and drops all IPv6 packets, sending an ICMP message back to the sender.
D. This configuration will not work unless you run the SRX Series device in Layer 2 mode only.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: It fragments all IPv4 packets without the DF bit set and drops all IPv6 packets, sending an ICMP message back to the sender.

Explanation:
For IPv4, if a node within the path between a source node and a destination node receives a packet that is larger than the MTU of the next hop, it can fragment the packet and transmit the resulting smaller packets (unless the DF bit is set, in which case it drops the packet and returns an ICMP Fragmentation Needed message). For IPv6, only the source node (the node that sent the packet) can fragment a packet, and it does so to accommodate a path MTU size-adjustment requirement. Nodes along the path of a packet cannot fragment the packet to transmit it; they drop it and return an ICMPv6 Packet Too Big message so the sender can lower its path MTU.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junossecurity-swconfig-security/topic-45354.html?searchid=1320499651998

QUESTION 7
You have set up a chassis cluster in an active-active state. While monitoring the fabric link during a failover scenario, you noticed the utilization is higher than expected.

What are two possible causes of the higher utilization? (Choose two.)

A. An upstream link failure has resulted in Internet-bound traffic ingressing the primary node and egressing the secondary node.
B. The failover from the primary node to the secondary node has resulted in increased heartbeat and RTO traffic.
C. A LAN interface failure has resulted in Internet-bound traffic ingressing the secondary node and egressing the primary node.
D. The failover from the primary node to the secondary node has resulted in a graceful restart scenario in which all traffic must use the fabric link.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- An upstream link failure has resulted in Internet-bound traffic ingressing the primary node and egressing the secondary node.
- A LAN interface failure has resulted in Internet-bound traffic ingressing the secondary node and egressing the primary node.

Explanation:
The control plane software operates in active/backup mode. When configured as a chassis cluster, the two nodes back up each other, with one node acting as the primary device and the other as the secondary device, ensuring stateful failover of processes and services in the event of system or hardware failure. If the primary device fails, the secondary device takes over processing of traffic.
The data plane software operates in active/active mode. In a chassis cluster, session information is updated as traffic traverses either device, and this information is transmitted between the nodes over the fabric link to guarantee that established sessions are not dropped when a failover occurs. In active/active mode, it is possible for traffic to ingress the cluster on one node and egress from the other node; such traffic is carried between the nodes across the fabric link, which is why a link failure on one side (LAN or upstream) that forces ingress on one node and egress on the other raises fabric link utilization.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-swconfig-security/junos-security-swconfig-security.pdf p. 779

QUESTION 8
Your network engineering department has decided another SRX cluster is needed for additional capacity and DMZ segments. After installing the new cluster on the same VLANs, network segment customers are reporting intermittent loss of service. Upon investigating the problem, you have confirmed that there are no IP address conflicts.

What is causing the problem?

A. The two SRX clusters are competing for primary RE1 status and the traffic keeps failing over between the two clusters.
B. The two SRX clusters have been configured with matching cluster IDs and as a result have conflicting MAC addresses.
C. The two SRX clusters are flooding the network with gratuitous ARPs and overloading the directly connected switches.
D. The two SRX clusters are competing for primary RE0 status and traffic keeps failing over between the two clusters.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer: The two SRX clusters have been configured with matching cluster IDs and as a result have conflicting MAC addresses.

Explanation:
The cluster ID is used when determining the Media Access Control (MAC) addresses for the redundant Ethernet (reth) interfaces. Two clusters with the same cluster ID that share a VLAN therefore generate the same virtual MAC for the same reth index, and the switches' MAC tables flap between the two clusters. Every cluster on a shared Layer 2 segment must use a unique cluster ID.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 545.
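A minimal two-node cluster bring-up showing where the cluster ID, the fabric link of Question 7 and the reth interfaces of Question 8 are configured, added here as an illustration and not taken from the exam. Interface names follow an SRX240-style pair (node 1's ports are renumbered to ge-5/0/x); priorities, weights and addresses are assumed.

```junos
# Chassis cluster bring-up (added example; interface numbering, priorities,
# weights and addresses are assumed)

# Operational mode, once per node. The cluster-id is encoded into the virtual
# MAC of every reth interface, so a second cluster on the same VLANs must get
# a different cluster-id (for example 2) or its reth MACs collide with these.
set chassis cluster cluster-id 1 node 0 reboot
set chassis cluster cluster-id 1 node 1 reboot

# Configuration mode (committed on the primary node, synchronised to both)
set chassis cluster reth-count 2
# RG0 = control plane (routing engine); RG1 = data plane for the reth pair
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
# Fail RG1 over when the LAN-facing member on the active node goes down
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/1 weight 255

# Fabric link: carries RTOs (session synchronisation) and any data traffic
# that ingresses one node and egresses the other (Question 7)
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

# One reth per LAN, with one physical member on each node
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-5/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.1.1.1/24

# Verification (operational mode): node primacy per redundancy group, reth
# member state, and fabric/control link counters
show chassis cluster status
show chassis cluster interfaces
show chassis cluster statistics
```

Where two clusters must coexist on the same segment, the check is simple: show chassis cluster status on each must report different cluster IDs, and the reth MACs shown by show interfaces reth0 must differ between the clusters.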

QUESTION 9
When fragmented traffic is processed by the IPS engine, two steps are performed. First, the IPS engine identifies IP fragments.

What is the second step?

A. detecting fragment chains.
B. checking fragments for overlaps, duplicates, or fragmented packets of the wrong length.
C. reassembling packets and serializing them in the correct order for further inspection.
D. checking a TCP packet's length and TTL.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: reassembling packets and serializing them in the correct order for further inspection.

Explanation:
Signature matching works on the reassembled datagram, not on individual fragments, so the fragments of an IP packet must be reassembled and serialized in the correct order before further processing; otherwise an attacker could split an attack pattern across fragment boundaries to evade detection.

QUESTION 10
Click the Exhibit button.

Referring to the exhibit, Company A and Company B are using the same IP address space.

Which NAT configuration allows device A and device B to communicate?

Exhibit:

A.

B.

C.

D.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:
To handle this situation double NAT is required. First you create two one-to-one mappings for translation of destination IPs:
10.1.1.0/24 to 172.31.1.0/24 for packets that go from Company B to Company A, and
10.1.1.0/24 to 172.31.2.0/24 for packets that go from Company A to Company B.
Then on each router you create a destination address translation for packets coming from the untrusted zone.
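The mappings above expressed as static NAT on both edge devices, added here as an illustration; it is not the exhibit's configuration. Both companies use 10.1.1.0/24 internally and the translated prefixes 172.31.1.0/24 (A) and 172.31.2.0/24 (B) follow the explanation; zone names, the inter-site next hops 192.0.2.1/192.0.2.2 and the security policies permitting the traffic in both directions are assumed.

```junos
# Double NAT with overlapping 10.1.1.0/24 on both sides (added example; zones,
# next hops and the permitting security policies are assumed)

# ---- Company A SRX ----
# Packets from B arrive addressed to 172.31.1.x and are rewritten to 10.1.1.x.
# Static NAT is bidirectional: replies, and any traffic A's hosts originate,
# leave with the source 10.1.1.x rewritten to 172.31.1.x automatically.
set security nat static rule-set from-B from zone untrust
set security nat static rule-set from-B rule A-hosts match destination-address 172.31.1.0/24
set security nat static rule-set from-B rule A-hosts then static-nat prefix 10.1.1.0/24
# A's hosts reach B's hosts by B's translated prefix
set routing-options static route 172.31.2.0/24 next-hop 192.0.2.2
# Static NAT is applied before the policy lookup, so inbound policies on A
# match the real (translated) destination 10.1.1.0/24, not 172.31.1.0/24

# ---- Company B SRX (mirror image) ----
set security nat static rule-set from-A from zone untrust
set security nat static rule-set from-A rule B-hosts match destination-address 172.31.2.0/24
set security nat static rule-set from-A rule B-hosts then static-nat prefix 10.1.1.0/24
set routing-options static route 172.31.1.0/24 next-hop 192.0.2.1

# Result for device A (10.1.1.10) talking to device B (10.1.1.20):
#   A sends      10.1.1.10   -> 172.31.2.20
#   A's SRX      172.31.1.10 -> 172.31.2.20   (source rewritten)
#   B's SRX      172.31.1.10 -> 10.1.1.20     (destination rewritten)
# Both addresses change in transit, which is the double NAT of Question 4.

# Verification (operational mode)
show security nat static rule all
show security flow session destination-prefix 10.1.1.20
```

Because every host is addressed by a name-independent translated prefix, internal DNS on each side must hand out the other company's 172.31.x.0/24 addresses rather than the real 10.1.1.0/24 ones, or the translation is never reached.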

QUESTION 11
You administer an SRX5600 to which several customer networks are attached. Each customer network terminates in a virtual routing-instance. You have been asked to direct traffic sourced from a specific prefix in one routing-instance to another routing-instance. The affected traffic enters the SRX5600 on one physical interface.

Which method can accomplish this objective?

A. Use a stateless firewall on the interface to forward traffic to the other routing-instance.
B. Use a routing policy on the interface to forward traffic to the other routing-instance.
C. Use a security policy on the zone to forward traffic to the other routing-instance.
D. Use a forwarding rule on the interface to forward traffic to the other routing-instance.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: Use a stateless firewall on the interface to forward traffic to the other routing-instance.

Explanation:
This is filter-based forwarding: a stateless firewall filter applied as an input filter on the ingress interface matches the source prefix and uses the routing-instance action to hand the matched packets to the other instance's routing table; the filter's final term accepts everything else so that it follows the normal lookup.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 694
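A filter-based forwarding configuration serving both Question 32 (two customer prefixes to two ISPs) and Question 11 (one prefix into another instance), added here as an illustration; it is not one of the exam's exhibit options. Prefixes and instance names follow Question 32, while the ingress interface ge-0/0/0 and the ISP next hops are assumed.

```junos
# Filter-based forwarding (added example; ingress interface and ISP next hops
# are assumed, prefixes and instance names follow Question 32)

# 1. Classify by source prefix and hand each class to its own routing table.
#    A filter ends with an implicit discard, so the last term must accept
#    everything that should follow the normal inet.0 lookup.
set firewall family inet filter FBF term to-ISP-A from source-address 172.27.0.0/24
set firewall family inet filter FBF term to-ISP-A then routing-instance ISP-A
set firewall family inet filter FBF term to-ISP-B from source-address 172.25.0.0/24
set firewall family inet filter FBF term to-ISP-B then routing-instance ISP-B
set firewall family inet filter FBF term default then accept

# 2. Apply it as an input filter on the customer-facing interface
set interfaces ge-0/0/0 unit 0 family inet filter input FBF

# 3. One forwarding instance per ISP with its own default route
set routing-instances ISP-A instance-type forwarding
set routing-instances ISP-A routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-instances ISP-B instance-type forwarding
set routing-instances ISP-B routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# 4. A forwarding instance owns no interfaces, so leak the direct routes from
#    inet.0 into both tables or the ISP next hops cannot be resolved
set routing-options rib-groups fbf-group import-rib [ inet.0 ISP-A.inet.0 ISP-B.inet.0 ]
set routing-options interface-routes rib-group inet fbf-group

# Verify (operational mode): each table must hold the default route and the
# direct route towards its ISP
show route table ISP-A.inet.0
show route table ISP-B.inet.0

# Question 11 is the same mechanism with the target being an existing
# virtual-router instance: the routing-instance action names that instance,
# and steps 3 and 4 are unnecessary because it already holds its own routes
```

The filter is stateless and only steers the first packet's route lookup; the session the flow module then creates records the chosen egress, so return traffic is handled by the session and not by the filter.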

QUESTION 12
You created a new application named custom-ftp for FTP traffic, but you do not want the FTP ALG to be used. You have other applications using the FTP ALG, and you want to make sure those applications are not affected.

What is the correct syntax to disable the FTP ALG in the application custom-ftp?

A. set applications custom-ftp application-protocol ignore ftp
B. set applications application custom-ftp application-protocol ftp none
C. set applications application custom-ftp application-protocol ignore
D. set applications application custom-ftp ignore ftp

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: set applications application custom-ftp application-protocol ignore

Explanation:
"set applications application custom-ftp application-protocol ignore" disables ALG processing for sessions matched by this application object only. The global alternative, set security alg ftp disable, would also turn the ALG off for the predefined junos-ftp application and for every other policy that relies on it.

Reference: http://jsrx.juniperwiki.com/index.php?title=JNCIE-SEC
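The custom application in context, with one policy bypassing the ALG and another still using it, added here as an illustration and not taken from the exam. The zones trust and dmz and the server address 10.2.2.25 are assumed.

```junos
# Custom FTP application without the ALG (added example; zones and the
# server address are assumed)
set applications application custom-ftp protocol tcp
set applications application custom-ftp destination-port 21
# "ignore" tells the flow module not to hand matching sessions to any ALG, so
# the FTP data channel is not opened dynamically. Use it only where that is
# acceptable: a passive-mode client whose data ports a separate policy permits,
# or a non-FTP service that happens to listen on port 21.
set applications application custom-ftp application-protocol ignore

set security zones security-zone dmz address-book address ftp-server 10.2.2.25/32

# Policy for the one server that must bypass the ALG (ordered first) ...
set security policies from-zone trust to-zone dmz policy ftp-no-alg match source-address any
set security policies from-zone trust to-zone dmz policy ftp-no-alg match destination-address ftp-server
set security policies from-zone trust to-zone dmz policy ftp-no-alg match application custom-ftp
set security policies from-zone trust to-zone dmz policy ftp-no-alg then permit

# ... while everything else keeps using junos-ftp, which still invokes the ALG
set security policies from-zone trust to-zone dmz policy ftp-alg match source-address any
set security policies from-zone trust to-zone dmz policy ftp-alg match destination-address any
set security policies from-zone trust to-zone dmz policy ftp-alg match application junos-ftp
set security policies from-zone trust to-zone dmz policy ftp-alg then permit

# Verification (operational mode): the FTP ALG stays globally enabled, and
# sessions to ftp-server show no ALG-created pinholes
show security alg status
show security flow session destination-prefix 10.2.2.25
```

Policy order matters here: because both policies match port 21 to the same server, the ALG-free policy must precede the general one or it is never hit.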

QUESTION 13
You are troubleshooting a problem with a chassis cluster, and you issue the show log jsrpd command.

What information would be helpful in the generated output? (Choose two.)

A. The output displays fabric link status information, including details such as jitter and when a link goes up and down.
B. The output displays node-to-node tunneling status information, including details such as tunnel negotiations and endpoint discovery information.
C. The output displays authentication error conditions for reth interfaces, including details used for link aggregation negotiations and member interface status.
D. The output displays redundancy group status information, including details such as node primacy or redundancy group failover reasons.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- The output displays fabric link status information, including details such as jitter and when a link goes up and down.
- The output displays redundancy group status information, including details such as node primacy or redundancy group failover reasons.

Explanation:
jsrpd (the Junos Stateful Redundancy Protocol daemon) owns the cluster state machine. The fabric (data) link uses jsrpd heartbeat messages to validate that the path is up and actively working, and jsrpd detects changes in chassis cluster redundancy mode, so its log records link transitions and the reason for every redundancy group failover.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topiccollections/syslog-messages/syslog-messages.pdf

QUESTION 14
You are having problems with SYN flood attacks against your network. You administered the TCP syn-flood options on your SRX device to block these attacks, but internal hosts are still seeing floods that fall just under the threshold you have set for blocking SYN floods. You cannot set the threshold any lower without impacting legitimate traffic.

What are two SYN flood protection commands that you can use to resolve the problem? (Choose two.)

A. set security flow syn-flood-protection-mode syn-proxy
B. disable security flow syn-flood-protection-mode syn-flood
C. set security flow syn-flood-protection-mode [syn-proxy syn-cookie]
D. set security flow syn-flood-protection-mode syn-cookie

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Answer: A,D
- set security flow syn-flood-protection-mode syn-proxy
- set security flow syn-flood-protection-mode syn-cookie

Explanation:
When syn-proxy is configured, SYN packets below the attack threshold are allowed through. Once the attack threshold is met, the SRX proxies the connection, sending a SYN/ACK back to the source, and only opens the connection to the server if the client completes the handshake. This distinguishes a legitimate request from a drone flooding SYN requests. With the source- and destination-based SYN flood thresholds, SYN packets are not proxied but simply dropped: anything above the configured threshold is discarded. This is a dangerous setting, and you must be cautious when designing these thresholds.
SYN cookie protection is a stateless SYN proxy that you can use to defend against SYN floods from spoofed source IP addresses; it encodes the connection state in the SYN/ACK sequence number instead of keeping a half-open entry per SYN. A SYN cookie doesn't add much value if the source IP addresses are legitimate and reply to the SYN/ACK packet.

Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB3268
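A SYN flood screen with the device-wide protection mode, added here as an illustration and not taken from the exam. The zone untrust and all thresholds are assumed and must be tuned to the real traffic profile.

```junos
# SYN flood screen plus protection mode (added example; zone and thresholds
# are assumed)
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 500
# Above 1000 SYN/s towards one destination the protection mode below engages
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1000
# Per-source and per-destination limits: SYNs beyond these are dropped, not
# proxied, so keep them well above the legitimate peak
set security screen ids-option untrust-screen tcp syn-flood source-threshold 100
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2000
# Seconds a half-open connection is kept before it is dropped
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security zones security-zone untrust screen untrust-screen

# Device-wide choice of what happens above attack-threshold. syn-proxy (the
# default) keeps a half-open entry per SYN until the client's ACK arrives;
# syn-cookie handles spoofed-source floods without consuming that state.
set security flow syn-flood-protection-mode syn-cookie

# Verification (operational mode): per-zone counters for each screen, and the
# effective screen settings
show security screen statistics zone untrust
show security screen ids-option untrust-screen
```

The screen thresholds decide when protection starts; the protection mode decides what it costs. If the floods that slip under the threshold are from spoofed sources, syn-cookie lets the threshold stay where legitimate traffic needs it while removing the state exhaustion the flood was aiming at.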

QUESTION 15
You have been asked to secure your network from as many network reconnaissance activities as possible.

Which three screens would be helpful in blocking these types of activities? (Choose three.)

A.

B.

C.

D.

E.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:
Packets carrying the source-route option create load on the CPU and may create a security risk, since the sender dictates the path the packet takes. A TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, causing various responses from the recipient depending on the OS. Blocking packets with the FIN flag and without the ACK flag helps prevent OS probes. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and the source IP address.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/statement-hierarchy/securityscreen.html

QUESTION 16
Your company is in the process of deploying a VPN network to connect its sites. Traffic will predominantly access resources at the central site. However, on occasion, traffic must be transported from one spoke site to another.

Which two methods will provide the desired connectivity? (Choose two.)

A. a hub-and-spoke IPsec VPN using a multipoint secure tunnel interface on the hub device
B. a hub-and-spoke IPsec VPN using a multipoint secure tunnel interface on all devices
C. a hub-and-spoke IPsec VPN using a separate secure tunnel unit for each spoke device
D. a hub-and-spoke IPsec VPN using a separate multipoint secure tunnel on each spoke device

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- a hub-and-spoke IPsec VPN using a multipoint secure tunnel interface on the hub device
- a hub-and-spoke IPsec VPN using a separate secure tunnel unit for each spoke device

Explanation:
Route-based VPNs offer two different types of architectures: point-to-point and point-to-multipoint. Point-to-point VPNs map a single VPN to a single logical interface unit, so the SRX connects directly to a single peer VPN gateway on the interface; spoke-to-spoke traffic is then routed on the hub from one st0 unit to another. Point-to-multipoint VPNs allow the device to connect to multiple peer gateways on a single logical interface; spoke-to-spoke traffic then enters and leaves the hub through the same multipoint st0 unit, which requires an intra-zone policy on the hub for the zone that unit belongs to.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 266.

QUESTION 17
You recently added NAT in your environment and now users are complaining about not being able to access the Internet.

Which two parameters would you configure to verify that NAT is working correctly? (Choose two.)

A. security trace-options flag flow basic
B. security flow trace-options flag packet-drops
C. security nat trace-options flag all
D. security nat source/destination trace-options flag all

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- security flow trace-options flag packet-drops
- security nat trace-options flag all

Explanation:
The NAT traceoptions hierarchy configures the trace file and flags for verification purposes. J Series and SRX Series devices have two main components: the Routing Engine (RE) and the Packet Forwarding Engine (PFE). The PFE is divided into the ukernel portion and the real-time portion. For verification, you can turn on flags individually to debug NAT functionality on the RE, the ukernel PFE, or the real-time PFE. The trace data is written to /var/log/security-trace by default.
Example:
set security nat traceoptions flag all
set security nat traceoptions flag source-nat-pfe
set security nat traceoptions flag source-nat-re
set security nat traceoptions flag source-nat-rt

Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junossecurity-swconfig-security/topic-42831.html?searchid=1320517464784
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15758&actp=search&viewlocale=en_US&searchid=1320517464784#Verification
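A data-path trace that covers the NAT check here as well as the "basic data path trace" of Question 35 and the missing-route case of Exam D Question 2, added as an illustration and not taken from the exam. The client 10.1.1.5, the server 198.51.100.80 and the file names are assumed.

```junos
# Flow and NAT tracing for one client/server pair (added example; addresses
# and file names are assumed)

# Narrow the trace with a packet filter first: basic-datapath on a busy device
# without one fills the file with unrelated flows almost immediately
set security flow traceoptions file flow-trace size 1m files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions packet-filter pf1 source-prefix 10.1.1.5/32
set security flow traceoptions packet-filter pf1 destination-prefix 198.51.100.80/32
set security flow traceoptions packet-filter pf1 destination-port 80
# Trace the reverse direction as well, or the return packet of Question 35
# never appears in the file
set security flow traceoptions packet-filter pf2 source-prefix 198.51.100.80/32
set security flow traceoptions packet-filter pf2 destination-prefix 10.1.1.5/32

# NAT-specific trace of rule and pool matching on the real-time PFE
set security nat traceoptions file nat-trace size 1m files 3
set security nat traceoptions flag source-nat-rt

# Operational mode: confirm the rule and pool are actually being hit, then
# read the traces. A session that exists with translated addresses means NAT
# worked and the fault is downstream; a first packet that never creates a
# session failed in first-path processing (route lookup, zone, policy or NAT)
show security nat source rule all
show security nat source pool all
show security flow session source-prefix 10.1.1.5
show log flow-trace
show log nat-trace

# Remove the trace when done; it costs data-plane cycles
delete security flow traceoptions
delete security nat traceoptions
```

Reading order in the flow trace follows first-path processing: route lookup, destination zone, policy, then NAT. The first of those steps that reports a failure for the client's packet is the cause, which is how the route-lookup drop of Question 2 is told apart from a NAT rule that simply never matched.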

QUESTION 18
Click the Exhibit button.

Compare the two outputs shown in the exhibit.

Which two statements are correct about VPN monitoring? (Choose two.)

Exhibit:

A. In the output, "DOWN" means that VPN monitoring is disabled
B. In the output, "DOWN" means that the VPN monitoring feature has detected a failure
C. In the output, "-" means that the VPN monitoring feature is not enabled
D. In the output, "-" means that the VPN monitoring feature has detected a failure

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- In the output, "DOWN" means that the VPN monitoring feature has detected a failure
- In the output, "-" means that the VPN monitoring feature is not enabled

Explanation:
The monitoring column of show security ipsec security-associations (Mon in the summary view, VPN Monitoring in the detail view) reflects VPN monitoring. If VPN monitoring is enabled for the SA, it shows Up or Down according to whether the monitor's ICMP probes through the tunnel are being answered. A hyphen (-) means VPN monitoring is not enabled for this SA, so nothing about the tunnel's health can be inferred from that column.

Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-esswcmdref/show-security-ipsec-security-associations.html
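A route-based VPN that ties together the establishment options of Exam D Question 5 and the monitoring state of Question 18, added here as an illustration and not taken from the exam or the exhibit. The peer 198.51.100.2, the remote LAN 10.20.0.0/24, the pre-shared key and the tunnel addressing are assumed; proposals and policies are assumed to match on both ends.

```junos
# Route-based VPN with immediate establishment and VPN monitoring (added
# example; peer, key, addresses and proposals are assumed)

set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha1
set security ike proposal ike-prop encryption-algorithm aes-128-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
# Placeholder key for the example; Junos stores it encrypted on commit
set security ike policy ike-pol pre-shared-key ascii-text "ExamplePSK"
set security ike gateway spoke1-gw ike-policy ike-pol
set security ike gateway spoke1-gw address 198.51.100.2
set security ike gateway spoke1-gw external-interface ge-0/0/0.0
# Dead peer detection tears down a dead tunnel; it does not bring one up
set security ike gateway spoke1-gw dead-peer-detection interval 10
set security ike gateway spoke1-gw dead-peer-detection threshold 3

set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn hub-to-spoke1 bind-interface st0.0
set security ipsec vpn hub-to-spoke1 ike gateway spoke1-gw
set security ipsec vpn hub-to-spoke1 ike ipsec-policy ipsec-pol
# Question 5: negotiate at commit time (and on every SA expiry) instead of
# waiting for the first routed packet, which is the on-traffic default
set security ipsec vpn hub-to-spoke1 establish-tunnels immediately
# Question 18: with vpn-monitor on, the Mon column shows Up/Down; without it
# the column shows "-" and says nothing about tunnel health. "optimized"
# sends probes only while no other traffic is flowing through the tunnel.
set security ipsec vpn hub-to-spoke1 vpn-monitor optimized
set security ipsec vpn hub-to-spoke1 vpn-monitor destination-ip 10.20.0.1

set interfaces st0 unit 0 family inet address 10.10.10.1/30
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.20.0.0/24 next-hop st0.0

# Operational mode
show security ike security-associations
show security ipsec security-associations
show security ipsec security-associations detail
```

With establish-tunnels immediately the Phase 1 and Phase 2 SAs should appear shortly after commit without any user traffic; if they do not, the problem is in the proposals, the key or reachability of the peer, not in the absence of interesting traffic.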

QUESTION 19
Click the Exhibit button.

Referring to the exhibit, which parameter can be applied under the destination-address hierarchy?

Exhibit:

A. utm-policy
B. idp-filter
C. drop-translated
D. uac-policy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: uac-policy

Explanation:
With uac-policy enabled, Junos security policies enforce rules for transit traffic, defining what traffic can pass through the Juniper Networks device. The policies control traffic that enters from one zone (from-zone) and exits another (to-zone).

Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17476&cat=SRX_SERIES&actp=LIST
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-securityswconfig-security/uac-config-enabling-uac.html

QUESTION 20
Which statement accurately describes an idle scan?

A. A scanning method where "stealth" packets (packets without any flags set) are sent from an attacker to a remote target host through IDS systems.
B. A scanning method that scans all idle TCP connections on a remote target host to hijack them, so that you can take advantage of an authenticated data connection.
C. A scanning method where long idle periods exist between the scanning packets sent so IDS systems do not sense the scan attack.
D. A scanning method where a "zombie" host is used by an attacker to exploit a predictable IP fragmentation ID sequence and to discover open ports on the target host.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: A scanning method where a "zombie" host is used by an attacker to exploit a predictable IP fragmentation ID sequence and to discover open ports on the target host.

Explanation:
The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer, called a "zombie", that is not transmitting or receiving information, and observing the behavior of the zombie system: the attacker probes the zombie's IP ID before and after sending a SYN to the target with the zombie's source address. An IP ID that advanced by two reveals that the target replied SYN/ACK to the zombie (open port, the zombie answered with a RST), while an increment of one means the target sent a RST or nothing at all (closed or filtered). The target only ever sees packets from the zombie.

Reference:
http://nmap.org/book/idlescan.html
http://en.wikipedia.org/wiki/Idle_scan

QUESTION 21You must protect your network against Layer 4 scans.

Which two actions help you achieve this objective? (Choose two)

A. Configure an IPS rule to use the predefined attack group SCAN.B. Configure screens capable of blocking port scans.C. Configure an IPS rule to use the predefined attack group SCAN and enable the DP option in a security

policyD. Enable TCP/UDP monitoring to discover scan sources and block them.

Correct Answer: BCSection: (none)Explanation

Explanation/Reference:Answer:- Configure screens capable of blocking port scans.- Configure an IPS rule to use the predefined attack group SCAN and enable the DP option in a security policy

Explanation:
B. Example: set security screen ids-option untrusted-internet tcp port-scan threshold 1000000
C. Juniper provides predefined attack objects (both protocol anomaly and signatures) individually and in predefined groups to customers who have active licenses. The predefined attack objects cannot be edited for the most part; however, you can use these as a basis for creating custom attack objects.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 405.

QUESTION 22
You have been asked to design and deploy a VPN-based backup network for your enterprise. Your network is currently configured across a single OSPF Area 0. All the VPN termination points in your network will be Juniper Networks SRX Series devices.

How must you configure your devices so that static routing can be avoided?

A. OSPF will not provide the needed functionality. The group VPN feature is required to create the next-hop tunnel binding and arrange key management across routing domains.

B. Configure VPN tunnels between the SRX Series devices and enable OSPF Area 0 on the st.0 interfaces. You can use the next-hop tunnel binding (NHTB) protocol for next hops to the tunnels.

C. Configure VPN tunnels between the SRX Series devices and enable OSPF Area 0 on the st.0 interfaces. You must configure next-hop tunnel binding for the remote peers mapping next hops to VPN names.

D. Because OSPF will not provide the required next-hop VPN binding alone, dynamic VPN must be used to discover the next-hop tunnel binding automatically.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer:

Explanation:
Point-to-multipoint VPNs allow you to bind multiple VPNs to a single interface on the hub. For this to work properly, the SRX must know not only which VPN to send the traffic into on the st0 interface to which it is bound, but also which next-hop will be used for routing that traffic on the interface. To accomplish this, the SRX uses a mechanism called a Next-Hop Tunnel Binding (NHTB) table on the interface to map all of this information. On the SRX, if you are going to another SRX or ScreenOS device and you are using static routing, the SRX can automatically exchange the next-hop tunnel information with the peer as part of the optional vendor attribute exchanges in Phase 2 (also known as auto NHTB). If you are using a dynamic routing protocol (such as RIP, OSPF, or BGP), you will not need to make a manual mapping entry because the SRX can build the table automatically from the routing updates, matching the next-hop to the tunnel it came out of.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 268.

QUESTION 23
Click the Exhibit button.

Referring to the exhibit, which two statements are true? (Choose two)

Exhibit:

A. The VPN is set up using a preshared key.
B. The VPN is set up using certificates.
C. The VPN is set with NAT traversal.
D. The VPN is set without NAT traversal.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Answer:
- The VPN is set up using a preshared key.
- The VPN is set with NAT traversal.

Explanation:
"Authentication-method: Pre-shared-keys" indicates that a pre-shared key is used for authentication. Certificates and preshared keys are mutually exclusive options. The VPN is set with NAT traversal, as NAT-T uses UDP port 4500 (by default) rather than the standard UDP port 500.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 270.

QUESTION 24
For RG 1, Node 0 has priority 200; Node 1 has priority 100. Preempt has been configured. Node 0 has been rebooted; therefore, Node 1 is primary for RG 1.

What happens when Node 0 comes back up?

A. Node 0 is still secondary for RG 1 because preempt is configured.
B. All redundancy groups failover to Node 0.

C. Node 0 becomes primary for RG 1.
D. Node 0 will preempt Node 1 from becoming primary for RG 1.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer: Node 0 becomes primary for RG 1.

Explanation:
Each node is given a priority within a redundancy group. The higher-priority device is given mastership over the redundancy group. This depends on a few options, and one of them, by default, is that a node with a higher priority will not preempt the device with the lower priority. The result is that if a lower-priority node were to have ownership of a redundancy group and then a node with the higher priority were to come online, it would not give ownership to the higher-priority device. To enable this, the preempt option would need to be enabled, and the device with the higher priority would take ownership of the redundancy group when it was healthy to do so.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 572.

QUESTION 25
Click the Exhibit button.

Which statement is true regarding the session displayed in the exhibit?

Exhibit:

A. The session must be a transit session.
B. The session must be a local session.
C. The session traverses more than one routing-instance.

D. The session traverses only one routing-instance.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer: The session traverses only one routing-instance.

Explanation:
The session tokens match (0x20a) for the In and Out parts. This indicates that the session traverses only one routing-instance.

QUESTION 26
Click the Exhibit button.

The NHTB configuration excerpt shown in the exhibit is applied on an SRX Series device that is a hub in a hub-and-spoke VPN.

Which statement is true about this configuration?

Exhibit:

A. The spoke devices can be any IPSec VPN gateway.
B. The spoke devices must be SRX Series devices.
C. The spoke devices must support NHTB protocol.
D. The spoke devices require multipoint configured on the st0 interface.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: The spoke devices can be any IPSec VPN gateway.

Explanation:
As long as NHTB is configured on the hub, the remote spoke device is not required to be a Juniper device. NHTB must be supported by the hub only, and only on the hub is the st0 interface configured as multipoint.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 267.

QUESTION 27
Click the Exhibit button.

In the exhibit, which two commands should you use to ping 10.1.1.100 from the SRX Series device's command line? (Choose two)

Exhibit:

A. ping 10.1.1.100
B. ping source 10.1.1.1 10.1.1.100
C. ping routing-instance vr1 10.1.1.100
D. ping interface ge-0/0/1.0 10.1.1.100

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- ping routing-instance vr1 10.1.1.100
- ping interface ge-0/0/1.0 10.1.1.100

Explanation:
Since 10.1.1.100 belongs to routing-instance vr1, there are two ways to ping this host: name the routing instance explicitly (ping routing-instance vr1 10.1.1.100) or source the ping from an interface that belongs to that routing instance (ping interface ge-0/0/1.0 10.1.1.100).

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/task/operational/security-pingcommand-using.html

QUESTION 28
Your company has VPNs that connect to other companies. The company wants to use certificates with a recognized third-party certificate authority.

Which two steps are required to use certificates with a certificate authority? (Choose two)

A. Configure a CRL.
B. Configure RSA signatures for the IKE authentication method.
C. Configure DSA signatures for the IKE authentication method.
D. Generate a certificate request for the SRX device.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Configure RSA signatures for the IKE authentication method.
- Generate a certificate request for the SRX device.

Explanation:
To use certificates with a certificate authority, you have to set the IKE authentication method in the phase 1 proposal by setting the "rsa-signatures" attribute. The rsa-signatures attribute signifies certificate-based authentication using RSA keys. Before you can use certificate-based authentication, you have to generate a certificate request for each participating SRX device. You can do so by issuing the command: request security pki generate-certificate-request

Reference: http://jsrx.juniperwiki.com/index.php?title=JNCIE-SEC#Certificates

QUESTION 29
Your company wants to deploy IPv6. The deployment on core routers has been completed. You now must enable your firewalls with the new protocol, but you must configure the SRX Series device so that it does not yet examine IPv6 packets.

How do you accomplish this?

A. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, enhance the security policies so that IPv6 packets are ignored; enhance the used routing protocols with IPv6 capabilities.

B. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, and enhance the used routing protocols with IPv6 capabilities.

C. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, enhance the used routing protocols with IPv6 capabilities; configure the security forwarding options so that IPv6 traffic is not transported in the stateful forwarding mode.

D. Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, and enhance the security protocols with IPv6 capabilities as well as to switch on "Inet6 routing" in the configuration's routing-options stanza.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Configure IPv6 addresses on all Layer 3 interfaces, including the reth interfaces, enhance the used routing protocols with IPv6 capabilities; configure the security forwarding options so that IPv6 traffic is not transported in the stateful forwarding mode.

Explanation:
By default, the SRX runs with flow-based forwarding, which drops IPv6 packets. To allow IPv6 packets to be forwarded by the SRX, a forwarding-options command must be configured. The following forwarding-options command is required:
set security forwarding-options family inet6 mode packet-based

Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16040&actp=search&viewlocale=en_US&searchid=1320572266620#
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-securityswconfig-interfaces-and-routing/logical-properties-section.html#ipv6-enable-section
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-adminguide/config-selective-stateless-chap.html#config-selective-stateless-chap

QUESTION 30
You have a VoIP application that requires external sessions to be initiated into your environment. The internal host has not sent an initial packet to the external host's reflexive transport address.

Which NAT parameter will accomplish this task?

A. target-host
B. address-persistent
C. target-host-port
D. any-remote-host

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Answer:
- any-remote-host

Explanation:
When persistent NAT is used with the any-remote-host option, all requests from a specific internal IP address and port are mapped to the same reflexive transport address, and any external host can send a packet to the internal host by sending the packet to the reflexive transport address.

Reference:
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topiccollections/security/software-all/security/index.html?topic-42825.html#jd0e125921
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21296&cat=JUNOS&actp=LIST
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topiccollections/security/software-all/security/index.html?topic-42826.html

QUESTION 31
You want to implement a VPN on your SRX device that will use certificates to authenticate with the peer gateway. You plan to allow certificates from any certificate authority.

Which two configuration commands are required? (Choose two.)

A. Set security ipsec proposal rsa-prop1 authentication-method rsa-signatures.
B. Set security ike policy ike-poll certificate local-certificate my-cert.
C. Set security ike proposal rsa-prop1 authentication-method rsa-signatures.
D. Set security ike policy ike-poll certificate trusted-ca use-all.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Set security ike proposal rsa-prop1 authentication-method rsa-signatures.
- Set security ike policy ike-poll certificate trusted-ca use-all.

Explanation:
Set security ike proposal rsa-prop1 authentication-method rsa-signatures enables certificate-based authentication in IKE phase 1.
Set security ike policy ike-poll certificate trusted-ca use-all enables the use of all configured certificate authorities.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/information-products/topiccollections/security/software-all/cli-reference/junos-security-cli-reference.pdf

QUESTION 32
A security alert has been issued for an application running on your network that exploits a buffer overflow to compromise the application. The security alert specifies that client-to-server communication will contain the string "*~\hack-man?\" or the string "\back\*?/hat".

Which type of IPS custom signature is required to block the traffic?

A. A signature attack object for each of the specified strings.
B. A compound attack object.
C. A protocol anomaly attack object.
D. A regular expression matching the identified strings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer:
- A signature attack object for each of the specified strings.

Explanation:
Signature-based attack objects will be the most common form of attack object to configure. This is where you use regular expression matching to define what attack objects should be matched by the detector engine.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 430.

QUESTION 33
Click the Exhibit button.

Given the exhibit, which type of NAT is implemented?

Exhibit:

A. one-to-many with port translation
B. many-to-many with port translation
C. many-to-many without port translation
D. many-to-one with port translation

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer:
- many-to-many with port translation

Explanation:
The NAT implemented in the exhibit is many-to-many with port translation. It translates the source IP of up to 255 hosts from the matching 10.1.1.0/24 network to a pool of 11 IPs from 200.0.0.30 to 200.0.0.40. Because the first number (255) is greater than the second one (11), PAT may be needed for the translation.

Reference: O'Reilly. Junos Security. Rob Cameron, Brad Woodberg, Patricio Giecco, Tim Eberhard, James Quinn, August 2010, p. 209.

QUESTION 34
After implementing a chassis cluster for active/active clustering, you have identified a congestion issue with traffic traversing the data link between the two nodes.

Which solution should you implement?

A. Increase the throughput ratio for the active/active clustering configuration.
B. Use a link with a higher bandwidth capacity for the data link.
C. Offload the excess traffic to a dedicated reth group.

D. Implement dual data links to load balance data traffic.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Answer:
- Use a link with a higher bandwidth capacity for the data link.

Explanation:
You have to upgrade the fabric link to support a higher bandwidth. Connecting two fabric links between the nodes provides redundancy. Having two fabric links helps avoid a possible single point of failure but does not provide load balancing of data traffic.

Reference: http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/chassis-cluster-dualfabric-links-understanding.html

QUESTION 35
In which order are the stages of an attack?

A. reconnaissance, host probes, evasion, host access
B. host probes, host access, evasion, reconnaissance
C. evasion, reconnaissance, host probes, host access
D. reconnaissance, host access, evasion, host probes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Answer: -

Explanation:
An attacker usually precedes an attack by performing reconnaissance on the target. Before launching an exploit, attackers might try to probe the targeted host to learn its operating system (OS). Whether gathering information or launching an attack, it is generally expected that the attacker avoids detection. Although some IP address and port scans are blatant and easily detectable, more wily attackers use a variety of means to conceal their activity. Techniques such as using FIN scans instead of SYN scans—which attackers know most firewalls and intrusion detection programs detect—indicate an evolution of reconnaissance and exploit techniques for evading detection and successfully accomplishing their tasks.

Reference:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junossecurity-swconfig-security/id-93100.html
http://www.juniper.net/techpubs/en_US/junos11.2/topics/concept/attack-detection-preventionoverview.html
http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfigsecurity/understanding-operating-system-probes.html
