Halloween Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

You configured a chassis cluster for high availability on an SRX Series device and enrolled this HA cluster with the Juniper ATP Cloud. Which two statements are correct in this scenario? (Choose two.)

A.

You must use different license keys on both cluster nodes.

B.

When enrolling your devices, you only need to enroll one node.

C.

You must set up your HA cluster after enrolling your devices with Juniper ATP Cloud

D.

You must use the same license key on both cluster nodes.

Full Access
Question # 5

Exhibit

You are validating bidirectional traffic flows through your IPsec tunnel. The 4546 session represents traffic being sourced from the remote end of the IPsec tunnel. The 4547 session represents traffic that is sourced from the local network destined to the remote network.

Which statement is correct regarding the output shown in the exhibit?

A.

The remote gateway address for the IPsec tunnel is 10.20.20.2

B.

The session information indicates that the IPsec tunnel has not been established

C.

The local gateway address for the IPsec tunnel is 10.20.20.2

D.

NAT is being used to change the source address of outgoing packets

Full Access
Question # 6

What are two valid modes for the Juniper ATP Appliance? (Choose two.)

A.

flow collector

B.

event collector

C.

all-in-one

D.

core

Full Access
Question # 7

Exhibit

The show network-access aaa radius-servers command has been issued to solve authentication issues.

Referring to the exhibit, to which two authentication servers will the SRX Series device continue to send requests? (Choose TWO)

A.

200l:DB8:0:f101;:2

B.

192.168.30.191

C.

192.168.30.190

D.

192.168.30.188

Full Access
Question # 8

You want to enforce I DP policies on HTTP traffic.

In this scenario, which two actions must be performed on your SRX Series device? (Choose two )

A.

Choose an attacks type in the predefined-attacks-group HTTP-All.

B.

Disable screen options on the Untrust zone.

C.

Specify an action of None.

D.

Match on application junos-http.

Full Access
Question # 9

You are asked to share threat intelligence from your environment with third party tools so that those

tools can be identify and block lateral threat propagation from compromised hosts.

Which two steps accomplish this goal? (Choose Two)

A.

Configure application tokens in the SRX Series firewalls to limit who has access

B.

Enable Juniper ATP Cloud to share threat intelligence

C.

Configure application tokens in the Juniper ATP Cloud to limit who has access

D.

Enable SRX Series firewalls to share Threat intelligence with third party tool.

Full Access
Question # 10

Exhibit

Referring to the exhibit, which two statements are true about the CAK status for the CAK named "FFFP"? (Choose two.)

A.

CAK is not used for encryption and decryption of the MACsec session.

B.

SAK is successfully generated using this key.

C.

CAK is used for encryption and decryption of the MACsec session.

D.

SAK is not generated using this key.

Full Access
Question # 11

Regarding IPsec CoS-based VPNs, what is the number of IPsec SAs associated with a peer based upon?

A.

The number of traffic selectors configured for the VPN.

B.

The number of CoS queues configured for the VPN.

C.

The number of classifiers configured for the VPN.

D.

The number of forwarding classes configured for the VPN.

Full Access
Question # 12

You are asked to control access to network resources based on the identity of an authenticated device

Which three steps will accomplish this goal on the SRX Series firewalls? (Choose three )

A.

Configure an end-user-profile that characterizes a device or set of devices

B.

Reference the end-user-profile in the security zone

C.

Reference the end-user-profile in the security policy.

D.

Apply the end-user-profile at the interface connecting the devices

E.

Configure the authentication source to be used to authenticate the device

Full Access
Question # 13

Exhibit

You are asked to establish an IBGP peering between the SRX Series device and the router, but the session is not being established. In the security flow trace on the SRX device, packet drops are observed as shown in the exhibit.

What is the correct action to solve the problem on the SRX device?

A.

Create a firewall filter to accept the BGP traffic

B.

Configure destination NAT for BGP traffic.

C.

Add BGP to the Allowed host-inbound-traffic for the interface

D.

Modify the security policy to allow the BGP traffic.

Full Access
Question # 14

Which two features would be used for DNS doctoring on an SRX Series firewall? (Choose two.)

A.

The DNS ALG must be enabled.

B.

static NAT

C.

The DNS ALG must be disabled.

D.

source NAT

Full Access
Question # 15

The monitor traffic interface command is being used to capture the packets destined to and the from the SRX Series device.

In this scenario, which two statements related to the feature are true? (Choose two.)

A.

This feature does not capture transit traffic.

B.

This feature captures ICMP traffic to and from the SRX Series device.

C.

This feature is supported on high-end SRX Series devices only.

D.

This feature is supported on both branch and high-end SRX Series devices.

Full Access
Question # 16

You are asked to provide single sign-on (SSO) to Juniper ATP Cloud. Which two steps accomplish this goal? (Choose two.)

A.

Configure Microsoft Azure as the service provider (SP).

B.

Configure Microsoft Azure as the identity provider (IdP).

C.

Configure Juniper ATP Cloud as the service provider (SP).

D.

Configure Juniper ATP Cloud as the identity provider (IdP).

Full Access
Question # 17

In an effort to reduce client-server latency transparent mode was enabled an SRX series device.

Which two types of traffic will be permitted in this scenario? (Choose Two )

A.

ARP

B.

Layer 2 non-IP multicast

C.

BGP

D.

IPsec

Full Access
Question # 18

You are asked to configure a security policy on the SRX Series device. After committing the policy, you receive the “Policy is out of sync between RE and PFE .” error.

Which command would be used to solve the problem?

A.

request security polices resync

B.

request service-deployment

C.

request security polices check

D.

restart security-intelligence

Full Access
Question # 19

Exhibit

Referring to the exhibit, which three statements are true? (Choose three.)

A.

The packet's destination is to an interface on the SRX Series device.

B.

The packet's destination is to a server in the DMZ zone.

C.

The packet originated within the Trust zone.

D.

The packet is dropped before making an SSH connection.

E.

The packet is allowed to make an SSH connection.

Full Access
Question # 20

In Juniper ATP Cloud, what are two different actions available in a threat prevention policy to deal with an infected host? (Choose two.)

A.

Send a custom message

B.

Close the connection.

C.

Drop the connection silently.

D.

Quarantine the host.

Full Access
Question # 21

Which two security intelligence feed types are supported?

A.

infected host feed

B.

Command and Control feed

C.

custom feeds

D.

malicious URL feed

Full Access
Question # 22

You want to enroll an SRX Series device with Juniper ATP Appliance. There is a firewall device in the path between the devices. In this scenario, which port should be opened in the firewall device?

A.

8080

B.

443

C.

80

D.

22

Full Access
Question # 23

You are deploying a virtualization solution with the security devices in your network Each SRX Series device must support at least 100 virtualized instances and each virtualized instance must have its own discrete administrative domain.

In this scenario, which solution would you choose?

A.

VRF instances

B.

virtual router instances

C.

logical systems

D.

tenant systems

Full Access
Question # 24

Exhibit.

Referring to the exhibit, a spoke member of an ADVPN is not functioning correctly.

Which two commands will solve this problem? (Choose two.)

A.

[edit interfaces]

user@srx# delete st0.0 multipoint

B.

[edit security ike gateway advpn-gateway]

user@srx# delete advpn partner

C.

[edit security ike gateway advpn-gateway]

user@srx# set version v1-only

D.

[edit security ike gateway advpn-gateway]

user@srx# set advpn suggester disable

Full Access
Question # 25

Exhibit

Which statement is true about the output shown in the exhibit?

A.

The SRX Series device is configured with default security forwarding options.

B.

The SRX Series device is configured with packet-based IPv6 forwarding options.

C.

The SRX Series device is configured with flow-based IPv6 forwarding options.

D.

The SRX Series device is configured to disable IPv6 packet forwarding.

Full Access
Question # 26

you configured a security policy permitting traffic from the trust zone to the untrust zone but your

traffic not hitting the policy.

In this scenario, which cli command allows you to troubleshoot traffic problem using the match criteria?

A.

show security policy-report

B.

show security application-tracking counters

C.

show security match-policies

D.

request security policies check

Full Access
Question # 27

which two statements about the configuration shown in the exhibit are correct ?

Exhibit:

A.

The remote IKE gateway IP address is 203.0.113.100.

B.

The local peer is assigned a dynamic IP address.

C.

The local IKE gateway IP address is 203.0.113.100.

D.

The remote peer is assigned a dynamic IP address.

Full Access
Question # 28

you are connecting two remote sites to your corporate headquarters site. You must ensure that traffic

passes corporate headquarter.

In this scenario, which VPN should be used?

A.

full mesh IPsec VPNs with tunnels between all sites

B.

a full mesh Layer 3 VPN with the BGP route reflector behind the corporate firewall device

C.

a Layer 3 VPN with the corporate firewall acting as the hub device

D.

hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device

Full Access
Question # 29

Exhibit

Referring to the exhibit, which two statements are true? (Choose two.)

A.

The data that traverses the ge-0/070 interface is secured by a secure association key.

B.

The data that traverses the ge-070/0 interface can be intercepted and read by anyone.

C.

The data that traverses the ge-070/0 interface cannot be intercepted and read by anyone.

D.

The data that traverses the ge-O/0/0 interface is secured by a connectivity association key.

Full Access
Question # 30

All interfaces involved in transparent mode are configured with which protocol family?

A.

mpls

B.

bridge

C.

inet

D.

ethernet — switching

Full Access
Question # 31

Which two log format types are supported by the JATP appliance? (Choose two.)

A.

YAML

B.

XML

C.

CSV

D.

YANG

Full Access
Question # 32

Exhibit:

Referring to the exhibit, the operator user is unable to save configuration files to a usb stick the is

plugged into SRX. What should you do to solve this problem?

A.

Add the floppy permission flag to the operations class

B.

Add the system-control permission flag to the operation class

C.

Add the interface-control permission flag to the operation class

D.

Add the system permission flag to the operation class

Full Access