Juniper JN0-636 JNCIP-SEC Exam Practice Test Instant Access

Question 1

Exhibit

Which two statements are correct about the output shown in the exhibit. (Choose two.)

AThe source address is translated.

BThe packet is an SSH packet

CThe packet matches a user-configured policy

DThe destination address is translated.

Answer : A, B

The source address is translated because the traceoptions output shows that the source IP address 192.168.5.2 is translated to 192.168.100.1 and the source port 0 is translated to 14777. The traceoptions output also shows the flag flow_first_src_xlate, which indicates that this is the first time that source NAT is applied to this session.

The packet is an SSH packet because the traceoptions output shows that the application protocol is tcp/22, which is the default port for SSH. The traceoptions output also shows the flag flow_tcp_syn, which indicates that this is the first packet of a TCP connection.

traceoptions (Security NAT) | Junos OS | Juniper Networks

[SRX] How to interpret Flow TraceOptions output for NAT troubleshooting

Question 2

What are two valid modes for the Juniper ATP Appliance? (Choose two.)

Aflow collector

Bevent collector

Call-in-one

Dcore

Answer : C, D

The two valid modes for the Juniper ATP Appliance are all-in-one and core. The all-in-one mode is a single appliance that performs both the collector and the core functions. The collector function collects traffic from the network and sends it to the core function for analysis and detection. The core function performs the threat detection, mitigation, and analytics. The all-in-one mode is suitable for small to medium-sized networks that do not require high scalability or performance. The core mode is a dedicated appliance that performs only the core function. The core mode is used in conjunction with one or more collector appliances that collect traffic from the network and send it to the core appliance for analysis and detection. The core mode is suitable for large-scale networks that require high scalability and performance.Reference: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-appliance-overview.html

Question 3

You have designed the firewall filter shown in the exhibit to limit SSH control traffic to yours SRX Series device without affecting other traffic.

Which two statement are true in this scenario? (Choose two.)

AThe filter should be applied as an output filter on the loopback interface.

BApplying the filter will achieve the desired result.

CApplying the filter will not achieve the desired result.

DThe filter should be applied as an input filter on the loopback interface.

Answer : C, D

https://www.juniper.net/documentation//en_US/junos/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

Question 4

You have noticed a high number of TCP-based attacks directed toward your primary edge device. You are asked to

configure the IDP feature on your SRX Series device to block this attack.

Which two IDP attack objects would you configure to solve this problem? (Choose two.)

ANetwork

BSignature

CProtocol anomaly

Dhost

Answer : B, C

Question 5

You are asked to determine if the 203.0.113.5 IP address has been added to the third-party security feed, DS hield, from Juniper Seclnte1. You have an SRX Series device that is using Seclnte1 feeds from Juniper ATP Cloud

Which command will return this information?

Ashow security dynamic---address category---name CC | match 203.0.113.5

Bshow security dynamic---address category---name Infected---Hosts | match 203.0.113.5

Cshow security dynamic-address category-name IP Filter I match 203.0.113.5

Dshow Security dynamic-address category-name JWAS | match 203.0.113.5

Answer : A

The command 'show security dynamic-address category-name DS hield' will show the IP addresses that are part of the DS hield category. By filtering the output of this command with the 'match 203.0.113.5' command, you can determine if the IP address 203.0.113.5 is part of the DS hield feed. This command will check the feeds that are configured on SRX Series device and are associated to juniper ATP Cloud.

Question 6

Your IPsec VPN configuration uses two CoS forwarding classes to separate voice and data traffic. How many IKE security associations are required between the IPsec peers in this scenario?

Answer : A

An IKE security association (SA) is a set of parameters that define how the Internet Key Exchange (IKE) protocol will authenticate and establish the secure channel between the IPsec VPN peers. When you configure an IPsec VPN, one IKE SA is created between the peers, regardless of how many CoS forwarding classes are used to separate the traffic. The SA will be used to negotiate the IPsec SA parameters, such as encryption algorithms and keys.

In this scenario, only 1 IKE security association is required between the IPsec peers, no matter how many CoS forwarding classes are used to separate the voice and data traffic.

Question 7

Which two statements are correct regarding tenant systems on SRX Series devices? (Choose two.)

AA maximum of 32 tenant systems can be configured on a physical SRX device.

BAll tenant systems share a single routing protocol process.

CEach tenant system runs its own instance of the routing protocol process

DA maximum of 500 tenant systems can be configured on a physical SRX device.

Answer : C, D

The following statements are true regarding tenant systems on SRX Series devices:

Each tenant system runs its own instance of the routing protocol process. Each tenant system is isolated, and it has its own routing table, interfaces, and security policies.

A maximum of 500 tenant systems can be configured on a physical SRX device. This allows for a high degree of flexibility and scalability, as each tenant system can be configured with its own set of features and security policies.

A maximum of 32 tenant systems can be configured on a physical SRX device and All tenant systems share a single routing protocol process are not correct statements

Juniper JN0-636 Juniper Security, Professional JNCIP-SEC Exam Practice Test