You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together. What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.
You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster. Which two statements about the deployment are true? (Choose two.)
A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.
B. The remote clients must install client software to establish a tunnel with the corporate network.
C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.
D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.
You are asked to design a solution to verify IPsec peer reachability with data path forwarding. Which feature would meet the design requirements?
A. DPD over Phase 1 SA
B. DPD over Phase 2 SA
C. VPN monitoring over Phase 1 SA
D. VPN monitoring over Phase 2 SA
Which three match condition objects are required when creating IPS rules? (Choose three.)
A. attack objects
B. address objects
C. terminal objects
D. IP action objects
E. zone objects
You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s. Regarding this scenario, which two statements are true? (Choose two.)
A. You must enable data plane logging on the SRX240 devices to generate security policy logs.
B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.
C. IKE logs are written to the kmd log file by default.
D. IPsec logs are written to the kmd log file by default.
Click the Exhibit button.
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not producing the expected results. Part of the configuration is shown in the exhibit. When you run the show route table isp1 command, you do not see the default route listed.
What is causing this behavior?
Exhibit:
A. The autonomous system number is incorrect, which is preventing the device from receiving a default route from ISP1.
B. The device is not able to resolve the next-hop.
C. The isp1 routing instance is configured with an incorrect instance-type.
D. The show route table isp1 command does not display the default route unless you add the exact 0.0.0.0/0 option.
Click the Exhibit button.
Host A cannot resolve the www.target.host.com Web page when using its configured DNS server. As shown in the exhibit, Host A's configured DNS server and the Web server hosting the www.target.host.com Web page are in the same subnet. You have verified bidirectional reachability between Host A and the Web server hosting the Web page.
What would cause this behavior on the SRX device in Company B's network?
Exhibit:
A. DNS replication is enabled.
B. DNS doctoring is enabled.
C. DNS replication is disabled.
D. DNS doctoring is disabled.
Click the Exhibit button.
Referring to the exhibit, a pair of SRX3600s is in an active/passive chassis cluster configured for transparent mode. Which type of traffic would traverse the secondary SRX3600 (node 1)?
Exhibit:
A. all traffic including non-IP traffic
B. any IP traffic
C. only TCP and UDP traffic
D. only BPDU traffic
Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use
Address resolution is ON. Use
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability). Other reverse lookup failures will not be reported.
Use
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:17.322751 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.328895 In arp who-has 172.168.3.254 tell 172.168.3.1
19:24:18.332956 In arp who-has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
Exhibit:
A. The server is in the wrong VLAN.
B. The server has been misconfigured with the wrong IP address.
C. The firewall has been misconfigured with the incorrect routing-instance.
D. The firewall has a filter enabled to block traffic from the server.
Click the Exhibit button.
user@key-server> show security group-vpn server ike security-associations
Index   State   Initiator cookie    Responder cookie    Mode   Remote Address
97      UP      bb224408940cc5d     435b9404284083c2    Main   192.168.11.1
98      UP      242c840089404d15    ab19284089408ba8    Main   192.168.11.2
user@key-server> show security group-vpn server ipsec security-associations
Group: group-1, Group Id: 1
Total IPsec SAs: 1
IPsec SA      Algorithm        SPI        Lifetime
group-1-sa    ESP:3des/sha1    1343991c   2736
Group: group-2, Group Id: 2
Total IPsec SAs: 1
IPsec SA      Algorithm        SPI        Lifetime
group-2-sa    ESP:3des/sha1    13be9e9    2741
Group: group-3, Group Id: 3
Total IPsec SAs: 1
IPsec SA      Algorithm        SPI        Lifetime
group-3-sa    ESP:3des/sha1    20709057   2741
Group: group-4, Group Id: 4
Total IPsec SAs: 1
IPsec SA      Algorithm        SPI        Lifetime
group-4-sa    ESP:3des/sha1    5111c2e1   2741
Which statement is correct regarding the outputs shown in the exhibit?
A. Two established peers are in the group VPNs.
B. One established peer is in the group VPNs.
C. No established peer is in the group VPNs.
D. Four established peers are in the group VPNs.