Exhibit.
Referring to the exhibit, which two statements are true? (Choose two.)
Exhibit
Referring to the exhibit, which three protocols will be allowed on the ge-0/0/5.0 interface? (Choose three.)
Answer : B, D, E
The exhibit shows the output of the 'show interfaces ge-0/0/5.0 extensive' command on an SRX Series device. The output includes a 'Security' section that shows the zone the logical interface belongs to and the host-inbound traffic (system services and protocols) allowed on it. On ge-0/0/5.0 the allowed protocols are:
OSPF
DHCP
NTP
Note that neither BGP (which IBGP rides on) nor IKE (which IPsec needs) appears in the allowed host-inbound traffic list, so IBGP and IPsec are not allowed on ge-0/0/5.0. Host-inbound traffic is configured under the security zone, either zone-wide or per interface within the zone, so this list reflects that configuration rather than the interface itself.
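The check above can be automated against saved CLI output. The following Python is an added example, not code from the original page or from Juniper: it parses the 'Security' section of 'show interfaces extensive' output and reports which of the exam's option names are allowed. The sample output is constructed to match the scenario (field names follow the real SRX format, but the lines are not a captured exhibit), and the mapping from option names such as IBGP and IPsec to the Junos keywords 'bgp' and 'ike' is an assumption made for this example.

```python
"""Parse the Security section of Junos 'show interfaces <ifl> extensive' output.

Added example, not from the original page or from Juniper. SAMPLE_OUTPUT is
constructed to match the scenario (OSPF, DHCP and NTP allowed on ge-0/0/5.0);
the field names follow the real SRX output format, but the exact lines are an
assumption, not a captured exhibit.
"""
import re

SAMPLE_OUTPUT = """\
  Logical interface ge-0/0/5.0 (Index 71) (SNMP ifIndex 520) (Generation 135)
    Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
    Security: Zone: trust
    Allowed host-inbound traffic : dhcp ntp ospf ping ssh
    Protocol inet, MTU: 1500
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.0.5/24, Local: 10.0.5.1, Broadcast: 10.0.5.255
"""

# Map the names used in the exam options to the keywords Junos prints.
# IBGP rides on the 'bgp' protocol; IPsec negotiation needs the 'ike' system
# service. This mapping is an assumption made for the example.
OPTION_KEYWORDS = {
    "IBGP": {"bgp"},
    "OSPF": {"ospf"},
    "IPsec": {"ike"},
    "DHCP": {"dhcp"},
    "NTP": {"ntp"},
}

IFL_RE = re.compile(r"^\s*Logical interface (\S+) ")
ZONE_RE = re.compile(r"^\s*Security: Zone: (\S+)")
HIT_RE = re.compile(r"^\s*Allowed host-inbound traffic\s*:\s*(.*)$")


def parse_security_sections(output):
    """Return {ifl_name: {"zone": str, "allowed": set}} for each logical interface."""
    result = {}
    current = None
    for line in output.splitlines():
        m = IFL_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"zone": None, "allowed": set()}
            continue
        if current is None:
            continue
        m = ZONE_RE.match(line)
        if m:
            result[current]["zone"] = m.group(1)
            continue
        m = HIT_RE.match(line)
        if m:
            result[current]["allowed"] = set(m.group(1).split())
    return result


def allowed_options(output, ifl, options=OPTION_KEYWORDS):
    """Return the sorted option names whose Junos keyword is allowed on ifl."""
    sec = parse_security_sections(output).get(ifl)
    if sec is None:
        raise KeyError(f"no Security section found for {ifl}")
    return sorted(name for name, kws in options.items() if kws & sec["allowed"])


if __name__ == "__main__":
    print(parse_security_sections(SAMPLE_OUTPUT))
    print(allowed_options(SAMPLE_OUTPUT, "ge-0/0/5.0"))
```

Run against real output, the function raises KeyError when the interface has no Security section, which on an SRX means the logical interface is not assigned to a zone and therefore accepts no host-inbound traffic at all.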
You want to enroll an SRX Series device with Juniper ATP Appliance. There is a firewall device in the path between the devices. In this scenario, which port should be opened in the firewall device?
Answer : B
Port 443 is the port used for the encrypted communication between the SRX Series device and the Juniper ATP Appliance. To enroll an SRX Series device with Juniper ATP Appliance, any firewall in the path between the two devices must therefore allow TCP port 443. Port 443 is the default port for HTTPS, and the enrollment and subsequent device-to-appliance communication are carried over that encrypted channel, which is why this port must be opened.
Exhibit
You are trying to configure an IPsec tunnel between SRX Series devices in the corporate office and branch1. You have committed the configuration shown in the exhibit, but the IPsec tunnel is not establishing.
In this scenario, what would solve this problem?
Answer : C
Exhibit
Referring to the exhibit, an internal host is sending traffic to an Internet host using the 203.0.113.1 reflexive address with source port 54311.
Which statement is correct in this situation?
Answer : B
According to the Juniper documentation, a reflexive transport address is the public IP address and port (here 203.0.113.1 and port 54311) that source NAT assigns to an internal host. The binding is created when the internal host initiates traffic to the external host, and it is removed when the binding times out. The binding is bidirectional: the external host can send traffic back to the internal host using the same public IP address and port that the internal host used to reach it. However, an arbitrary external host cannot initiate a new session to the internal host through that address and port; only a host the internal host has already communicated with can. Therefore, only the Internet host that the internal host originally communicated with can initiate traffic to reach the internal host using the 203.0.113.1 address, a random source port, and destination port 54311. This matches the behavior of Junos persistent NAT in target-host mode, which admits any source port from the original target host but rejects other hosts (target-host-port would additionally require the original port, and any-remote-host would admit any host). The inbound session must still be permitted by a security policy. Reference: [Configuring Reflexive NAT]
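The three filtering behaviors can be made concrete with a small model. The following Python is an added example, not code from the original page or from Juniper; it models a persistent NAT binding table and shows which inbound packets each Junos persistent NAT mode (any-remote-host, target-host, target-host-port) accepts. The reflexive transport address 203.0.113.1:54311 is from the scenario; the internal host, the Internet host and the ports used are assumptions.

```python
"""Model of how a Junos persistent NAT binding filters inbound sessions.

Added example, not from the original page or from Juniper. The reflexive
transport address 203.0.113.1:54311 is from the scenario; the internal
address 192.168.1.10 and the Internet host 198.51.100.7 are assumptions.
"""

ANY_REMOTE_HOST = "any-remote-host"
TARGET_HOST = "target-host"
TARGET_HOST_PORT = "target-host-port"
MODES = (ANY_REMOTE_HOST, TARGET_HOST, TARGET_HOST_PORT)


class PersistentNat:
    """A binding table keyed by the reflexive (public ip, port) pair."""

    def __init__(self, mode):
        if mode not in MODES:
            raise ValueError(f"unknown persistent NAT mode: {mode}")
        self.mode = mode
        self.bindings = {}  # reflexive (ip, port) -> {"internal": ..., "targets": set()}

    def outbound(self, internal, reflexive, remote):
        """The internal host initiates traffic: create or refresh the binding and
        record the remote (ip, port) it talked to."""
        binding = self.bindings.setdefault(reflexive, {"internal": internal, "targets": set()})
        binding["targets"].add(remote)

    def inbound(self, remote, reflexive_dst):
        """Return the internal endpoint if a packet from remote to the reflexive
        address is accepted under this mode, otherwise None."""
        binding = self.bindings.get(reflexive_dst)
        if binding is None:
            return None  # no binding for that public ip:port, drop
        if self.mode == ANY_REMOTE_HOST:
            return binding["internal"]
        if self.mode == TARGET_HOST:
            # Same host, any source port.
            if any(remote[0] == target[0] for target in binding["targets"]):
                return binding["internal"]
            return None
        # target-host-port: same host and same port as the original session.
        return binding["internal"] if remote in binding["targets"] else None


def scenario(mode):
    """Replay the exam scenario under the given mode and report which inbound
    attempts are accepted."""
    nat = PersistentNat(mode)
    internal = ("192.168.1.10", 3000)
    reflexive = ("203.0.113.1", 54311)
    original_remote = ("198.51.100.7", 443)
    nat.outbound(internal, reflexive, original_remote)
    return {
        "same_host_same_port": nat.inbound(original_remote, reflexive) is not None,
        "same_host_random_port": nat.inbound(("198.51.100.7", 40001), reflexive) is not None,
        "other_host": nat.inbound(("198.51.100.99", 443), reflexive) is not None,
        "wrong_dst_port": nat.inbound(original_remote, ("203.0.113.1", 54312)) is not None,
    }


if __name__ == "__main__":
    for mode in MODES:
        print(mode, scenario(mode))
```

Under target-host, the model accepts the original Internet host from any source port to 203.0.113.1:54311 and rejects both other hosts and other destination ports, which is the behavior the explanation describes. On a real SRX the accepted packet still has to match a security policy from the untrust zone before a session is created.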
You are requested to enroll an SRX Series device with Juniper ATP Cloud.
Which statement is correct in this scenario?
Answer : D
Juniper ATP Cloud is a cloud-based service that provides advanced threat prevention and detection for SRX Series devices. To enroll an SRX Series device with Juniper ATP Cloud, you need to have a valid license and authorization code, and you need to run a Junos OS op script on the device. The op script performs the following tasks:
Downloads and installs certificate authority (CA) licenses onto your SRX Series device.
Creates local certificates and enrolls them with the cloud server.
Performs basic Juniper ATP Cloud configuration on the SRX Series device.
Establishes a secure connection to the cloud server.
You can run the op script either by copying the CLI command from the Juniper ATP Cloud Web Portal and running it on the device, or by using the enroll command on the device. The op script is the only way to enroll an SRX Series device with Juniper ATP Cloud; you cannot enroll the device manually or by any other method.
The other statements in the question are incorrect for the following reasons:
If a device is already enrolled in a realm and you enroll it in a new realm, none of the device data or configuration information is propagated to the new realm. This includes history, infected hosts feeds, logging, API tokens, and administrator accounts. You can view and change the realm association of a device from the Realm Management page in the Juniper ATP Cloud Web Portal.
Interacting with the Juniper ATP Cloud Web Portal is not the only way to enroll an SRX Series device. You can also use the enroll command on the device, which performs all the necessary enrollment steps without requiring you to access the Web Portal.
When the license expires, the SRX Series device is not disenrolled from Juniper ATP Cloud without a grace period. The device enters a grace period of 30 days, during which it can still send files to the cloud for inspection and receive threat intelligence feeds. After the grace period, the device is disenrolled and stops communicating with the cloud.
Reference: [Enroll an SRX Series Firewall using Juniper ATP Cloud Web Portal]
You want to configure a threat prevention policy.
Which three profiles are configurable in this scenario? (Choose three.)
Answer : C, D, E
The three profiles that are configurable in a threat prevention policy are infected host profile, C&C profile, and malware profile. A threat prevention policy is a feature of Juniper ATP Cloud that provides protection and monitoring for selected threat profiles, including command and control servers, infected hosts, and malware. Using feeds from Juniper ATP Cloud and optional custom feeds that you configure, ingress and egress traffic is monitored for suspicious content and behavior. Based on a threat score, detected threats are evaluated and action may be taken once a verdict is reached. You can create a threat prevention policy by selecting one or more of the following profiles:
Infected host profile: This profile detects and blocks traffic from hosts that are infected with malware or compromised by attackers. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
C&C profile: This profile detects and blocks traffic to or from command and control servers that are used by attackers to control malware or botnets. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable Geo IP filtering to block traffic from or to specific countries or regions.
Malware profile: This profile detects and blocks traffic that contains malware or malicious content. You can configure the threat score thresholds and the actions for different levels of severity. You can also enable protocol-specific settings for HTTP and SMTP traffic, such as file type filtering, file size filtering, and file name filtering.
The other two profiles, device profile and SSL proxy profile, are not configurable in a threat prevention policy. A device profile is a feature of Policy Enforcer that defines the device type, the device group, and the device settings for the SRX Series devices that are enrolled with Juniper ATP Cloud. An SSL proxy profile is a feature of SRX Series devices that enables SSL proxy to decrypt and inspect SSL/TLS traffic for threats and policy violations.