JN0-533 Online Practice Questions and Answers

You are troubleshooting telnet traffic destined to IP address 10.10.10.1. You decide to run debug and want to set the flow filter. Which command will show only the telnet traffic going to the 10.10.10.1 address?

A. ssg5-serial-> set ffilter dst-ip 10.10.10.1 ssg5-serial-> set ffilter dst-port 23

B. ssg5-serial-> set ffilter dst-ip 10.10.10.1 dst-port 23

C. ssg5-serial-> set ffilter dst-port 23

D. ssg5-serial-> set ffilter dst-ip 10.10.10.1

Your ScreenOS device is configured with multiple NAT types. What is the order of precedence in this situation?

A. interface-based NAT -> VIP -> MIP -> policy-based NAT

B. VIP -> MIP -> policy-based NAT -> interface-based NAT

C. MIP -> VIP -> interface-based NAT -> policy-based NAT

D. MIP -> VIP -> policy-based NAT -> interface-based NAT

You want to centralize the logging for all your ScreenOS devices and you must be able to synchronize the log. Which two actions would you perform to accomplish this? (Choose two.)

A. Enable logging to the console.

B. Enable logging to syslog.

C. Enable NTP and set to UTC/GMT time.

D. Enable logging to the USB.

A host in the untrust zone sends 1000 SYN packets in a single second to a host in your trust zone destined for port 80. Referring to the exhibit, which statement describes the behavior of the ScreenOS device?

ssg5-> get conf | include syn set zone untrust screen syn-flood attack-threshold 625 set zone untrust screen syn-flood alarm-threshold 250 set zone untrust screen syn-flood timeout 20 set zone untrust screen syn-flood queue-size 1000 set zone untrust screen syn-flood set flow syn-proxy syn-cookie

A. It will maintain this state for all 1000 connection attempts.

B. It will begin to drop the SYN packets.

C. It will block further connection attempts from this host for 20 seconds.

D. It will reply with SYN-ACK packets.

Which action does a ScreenOS device perform first when processing a packet?

A. It checks for an existing session.

B. It checks for attacks in the payload.

C. It performs a route lookup.

D. It performs a policy lookup.

Which two statements are true about the default route configuration based on the output shown in the exhibit? (Choose two.)

A. A default route is configured in the trust-vr with a next-hop IP address of 1.1.1.1.

B. A default route is configured in the trust-vr with a next hop of ethernet3/1.

C. A default route is configured in the trust-vr with a next hop of the untrust-vr.

D. A default route is configured in the untrust-vr with a next-hop IP address of 1.1.1.1.

You need to add a DIP pool to the interface shown in the exhibit. The DIP pool has been assigned the IP addresses 20.20.20.1 through 20.20.20.10. Which command would you use to accomplish this task?

ssg5(M)-> get conf | incl ethernet1/2 set interface "ethernet1/2" zone "Untrust" set interface ethernet1/2 ip 10.0.0.1/24 set interface ethernet1/2 route set interface "ethernet1/2" description "Internet Connection 1" set interface ethernet1/2 ip manageable set interface ethernet1/2 manage ping

A. set interface ethernet1/2 ext ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

B. set interface ethernet1/2 ext ip 10.0.0.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

C. set interface ethernet1/2 dip 1 20.20.20.1 20.20.20.10

D. set interface ethernet1/2 secondary ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

HostA is in the Trust zone and has an IP address of. ServerA is a Web server in the DMZ zone and has an IP address of. Which three configuration statements are required to allow traffic from HostA to communicate with ServerA? (Choose three.)

A. ssg5-> set address Trust HostA /32

B. ssg5-> set policy from DMZ to Trust ANY ANY ANY permit

C. ssg5-> set address DMZ ServerA /32

D. ssg5-> set policy from Trust to DMZ HostA ServerA HTTP permit

E. ssg5-> set address Trust HostA /32

Which two statements are true about redundant interfaces on a ScreenOS device? (Choose two.)

A. With two interfaces in a redundant interface, only one link is primary at any given time.

B. On high-end models with multi-ASIC cards, redundant Ethernet ports must be in the same ASIC group.

C. With two interfaces in a redundant interface, both links pass traffic at the same time.

D. On high-end models with multi-ASIC cards, redundant Ethernet ports can be used on different ASIC groups.

You have entered the following BGP configuration:

set vrouter trust-vr bgp 65530 set vrouter trust-vr bgp enable set vrouter trust-vr protocol bgp neighbor 1.1.1.250 remote-as 65500 set vrouter trust-vr protocol bgp neighbor 1.2.3.250 remote-as 65280

BGP is not working.

What two elements are missing from your configuration? (Choose two.)

A. You have not enabled the BGP peers.

B. You have not enabled EBGP multihop.

C. You have not placed the peers in a BGP peer group.

D. You have not enabled BGP on the interfaces connecting to the peers.