Ucertify is a distinguished supplier of Juniper JN0-633 exam questions and answers. You will get a substantial score, which guarantees your accomplishment and certification. We promise a 100% money-back refund if you do not pass the first time. The Juniper exam practice tests are revised and upgraded by our experienced authorities in accordance with the real Juniper JN0-633 exam. Hurry up to get the Juniper JN0-633 training materials and make full preparation for the Juniper certification.
2021 Mar JN0-633 torrent
Q11. Click the Exhibit button.
-- Exhibit --
[edit security]
user@srx# show idp
…
application-ddos Webserver {
    service http;
    connection-rate-threshold 1000;
    context http-get-url {
        hit-rate-threshold 60000;
        value-hit-rate-threshold 30000;
        time-binding-count 10;
        time-binding-period 25;
    }
}
-- Exhibit --
You are using AppDoS to protect your network against a bot attack, but noticed an approved application has falsely triggered the configured IDP action of drop. You adjusted your AppDoS configuration as shown in the exhibit. However, the approved traffic is still dropped.
What are two reasons for this behavior? (Choose two.)
A. The approved traffic results in 50,000 HTTP GET requests per minute.
B. The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.
C. The active IDP policy has not been defined in the security configuration.
D. The IDP action is still in effect due to the timeout configuration.
Answer: A,D
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-protection-overview.html
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/appddos-proctecting-against.html#appddos-proctecting-against
Q12. Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3289542 UP 48d928408940de28 e418fc7702fe483b Main 172.31.50.1
3289543 UP eb45940484082b14 428086b100427326 Main 10.10.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:des/sha1 6d40899b 1360/ unlim - root 500 10.10.50.1
>131073 ESP:des/sha1 5a89400e 1360/ unlim - root 500 10.10.50.1
<131074 ESP:des/sha1 c04046f 1359/ unlim - root 500 172.31.50.1
>131074 ESP:des/sha1 5508946c 1359/ unlim - root 500 172.31.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address Interface State ID Pri Dead
10.40.60.1 st0.0 Init 10.30.50.1 128 35
10.40.60.2 st0.0 Full 10.30.50.1 128 31
[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the hub device has one neighbor in the Init state and one neighbor in the Full state.
What would you do to resolve this problem?
A. Configure the st0.0 interface under OSPF as a nonbroadcast multiple access interface.
B. Configure the st0.0 interface under OSPF as a point-to-multipoint interface.
C. Configure the st0.0 interface under OSPF as a point-to-point interface.
D. Configure the st0.0 interface under OSPF as an unnumbered interface.
Answer: B
Q13. You are using destination NAT to translate the address of your HTTPS server to a private address on your SRX Series device. You have decided to implement IDP SSL decryption. Upon enabling the decryption, you notice sessions are not decrypted.
Which action resolves the problem?
A. Replace the server SSL certificate to use the public address.
B. Reboot the SRX Series device.
C. Increase the SSL session-id-cache-timeout value to any value greater than 5000 seconds.
D. Enable the IDP sensor-configuration detector to detect address translation.
Answer: D
Q14. You are troubleshooting an IPsec session and see the following IPsec security associations:
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
< 192.168.224.1 500 ESP:aes-256/sha1 d6393645 26/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec235 26/ unlim - 0
< 192.168.224.1 500 ESP:aes-256/sha1 f9a2db9a 3011/ unlim - 0
> 192.168.224.1 500 ESP:aes-256/sha1 153ec236 3011/ unlim - 0
What are two reasons for this behavior? (Choose two.)
A. Both peers are trying to establish IKE Phase 1 but are not successful.
B. Both peers have established SAs with one another, resulting in two IPsec tunnels.
C. The lifetime of the Phase 2 negotiation is close to expiration.
D. Both peers have establish-tunnels immediately configured.
Answer: C,D
Explanation: Reference: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/show-security-ipsec-security-associations.html
Q15. Click the Exhibit button.
-- Exhibit --
-- Exhibit --
In the network shown in the exhibit, you want to forward traffic from the employees to ISP1 and ISP2. You want to forward all Web traffic to ISP1 and all other traffic to ISP2. However, your configuration is not producing the expected results. Part of the configuration is shown in the exhibit. When you run the show route table isp1 command, you do not see the default route listed.
What is causing this behavior?
A. The autonomous system number is incorrect, which is preventing the device from receiving a default route from ISP1.
B. The device is not able to resolve the next-hop.
C. The isp1 routing instance is configured with an incorrect instance-type.
D. The show route table isp1 command does not display the default route unless you add the exact 0.0.0.0/0 option.
Answer: B
Explanation: Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223
Q16. Click the Exhibit button.
user@host> show bgp summary logical-system LSYS1
Groups: 11 Peers: 10 Down peers: 1
Table Tot. Paths Act Paths Suppressed History Damp State Pending
inet.0 141 129 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.168.64.12 65008 11153 11459 0 26 3d 3:10:43 9/10/10/0 0/0/0/0
192.168.72.12 65009 11171 11457 0 26 3d 3:10:39 11/12/12/0 0/0/0/0
192.168.80.12 65010 9480 9729 0 27 3d 3:10:42 11/12/12/0 0/0/0/0
192.168.88.12 65011 11171 11457 0 25 3d 3:10:31 12/13/13/0 0/0/0/0
192.168.96.12 65012 9479 9729 0 26 3d 3:10:34 12/13/13/0 0/0/0/0
192.168.10.12 65013 111689 11460 0 27 3d 3:10:46 9/10/10/0 0/0/0/0
192.168.11.12 65014 111688 11458 0 25 3d 3:10:42 9/10/10/0 0/0/0/0
192.168.12.12 65015 111687 11457 0 25 3d 3:10:38 9/10/10/0 0/0/0/0
192.68.11.12 650168 9478 9729 0 25 3d 3:10:42 9/10/10/0 0/0/0/0
192.168.13.12 65017 111687 11457 0 27 3d 3:10:30 9/10/10/0 0/0/0/0
192.168.16.12 65017 111687 11457 0 27 1w3d2h Connect
user@host> show interfaces ge-0/0/7.0 extensive
Logical interface ge-0/0/7.0 (Index 76) (SNMP ifIndex 548) (Generation 141)
...
Security: Zone: log
Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
Flow Statistics:
Flow Input statistics:
    Self packets: 0
    ICMP packets: 0
    VPN packets: 0
    Multicast packets: 0
    Bytes permitted by policy: 0
    Connections established: 0
Flow Output statistics:
    Multicast packets: 0
    Bytes permitted by policy: 0
Flow error statistics (Packets dropped due to):
    Address spoofing: 0
    Authentication failed: 0
    Incoming NAT errors: 0
    Invalid zone received packet: 0
    Multiple user authentications: 0
    Multiple incoming NAT: 0
    No parent for a gate: 0
    No one interested in self packets: 0
    No minor session: 0
    No more sessions: 589723
    No NAT gate: 0
    No route present: 0
    No SA for incoming SPI: 0
    No tunnel found: 0
    No session for a gate: 0
    No zone or NULL zone binding 0
    Policy denied: 0
    Security association not active: 0
    TCP sequence number out of window: 0
    Syn-attack protection: 0
    User authentication errors: 0
Protocol inet, MTU: 1500, Generation: 1685, Route table: 0
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.5.123/24, Local: 10.5.123.3, Broadcast: 10.5.123.255, Generation: 156
Protocol multiservice, MTU: Unlimited, Generation: 1686, Route table: 0
    Policer: Input: default_arp_policer
...
An SRX Series device has been configured with a logical system LSYS1. One of the BGP peers is down.
Referring to the exhibit, which statement explains this problem?
A. The LSYS license only allows up to ten BGP peerings.
B. The maximum number of allowed flows is set too low.
C. The allocated memory is not sufficient for this LSYS.
D. The minimum number of flows is set too high.
Answer: B
Q17. You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together.
What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
C. Send SNMP traps with bandwidth usage to a central SNMP server.
D. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.
Answer: A,D
Explanation: AppTrack is used for visibility into application usage and bandwidth.
Reference: http://www.juniper.net/us/en/local/pdf/datasheets/1000327-en.pdf
Q18. Click the Exhibit button.
user@host> show interfaces routing-instance all ge* terse
Interface Admin Link Proto Local Instance
ge-0/0/0.0 up up inet 172.16.12.205/24 default
ge-0/0/1.0 up up inet 5.0.0.5/24
                 iso A
ge-0/0/2.0 up up inet 25.0.0.5/24
                 iso B
user@host> show security flow session
Session ID: 82274, Policy name: default-policy-00/2, Timeout: 1770, Valid
In: 5.0.0.25/61935 --> 25.0.0.25/23;tcp, If: ge-0/0/1.0, Pkts: 31, Bytes: 1781
Out: 25.0.0.25/23 --> 5.0.0.25/61935;tcp, If: ge-0/0/2.0, Pkts: 23, Bytes: 1452
Total sessions: 3
user@host> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 04:08:52
    > to 172.16.12.1 via ge-0/0/0.0
172.16.12.0/24 *[Direct/0] 04:08:52
    via ge-0/0/0.0
172.16.12.205/32 *[Local/0] 4w4d 23:04:29
    Local via ge-0/0/0.0
224.0.0.5/32 *[OSPF/10] 14:37:35, metric 1
    MultiRecv
A.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.0.0.0/24 5 *[Direct/0] 00:05:04
    > via ge-0/0/1.0
5.0.0.5/32 *[Local/0] 00:05:04
    Local via ge-0/0/1.0
25.0.0.0/24 *[Direct/0] 00:02:37
    > via ge-0/0/2.0
B.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.0.0.25/32 *[Static/5] 00:02:38
    to table A.inet.0
25.0.0.0/24 *[Direct/0] 00:02:37
    > via ge-0/0/2.0
25.0.0.5/32 *[Local/0] 00:02:37
    Local via ge-0/0/2.0
Which statement is true about the outputs shown in the exhibit?
C. The routing instances A and B are connected using an lt interface.
D. Routing instance A’s routes are shared with routing instance B.
E. Routing instance B’s routes are shared with routing instance A.
F. The routing instances A and B are connected using a vt interface.
Answer: C
Q19. Click the Exhibit button.
-- Exhibit --
[edit security idp]
user@srx# show | no-more
idp-policy basic {
    rulebase-ips {
        rule 1 {
            match {
                from-zone untrust;
                source-address any;
                to-zone trust;
                destination-address any;
                application default;
                attacks {
                    custom-attacks data-inject;
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
active-policy basic;
custom-attack data-inject {
    recommended-action close;
    severity critical;
    attack-type {
        signature {
            context mssql-query;
            pattern "SELECT * FROM accounts";
            direction client-to-server;
        }
    }
}
-- Exhibit --
You have configured the custom attack signature shown in the exhibit. This configuration is valid, but you want to improve the efficiency and performance of your IDP.
Which two commands should you use? (Choose two.)
A. set custom attack data-inject recommended-action drop
B. set custom-attack data-inject attack-type signature protocol-binding tcp
C. set idp-policy basic rulebase-ips rule 1 match destination-address webserver
D. set idp-policy basic rulebase-ips rule 1 match application any
Answer: B,C
Q20. Click the Exhibit button.
-- Exhibit --
user@srx> show security flow session
Session ID: 7724, Policy name: default-permit/4, Timeout: 2
In: 1.1.70.6/17 --> 100.0.0.1/2326;icmp, If: ge-0/0/3
Out: 10.1.10.5/2326 --> 1.1.70.6/17;icmp, If: ge-0/0/2
Session ID: 18408, Policy name: default-permit/4, Timeout: 2
In: 10.1.10.5/64513 --> 1.1.70.6/512;icmp, If: ge-0/0/2.0
Out: 1.1.70.6/512 --> 100.0.0.1/64513;icmp, If: ge-0/0/3.10
-- Exhibit --
A user has reported a traffic drop issue between a host with the 10.1.10.5 internal IP address and a host with the 1.1.70.6 IP address. The traffic transits an SRX240 acting as a NAT translator. You are investigating the issue on the SRX240 using the output shown in the exhibit.
Regarding this scenario, which two statements are true? (Choose two.)
A. The sessions shown indicate interface-based NAT processing.
B. The sessions shown indicate static NAT processing.
C. ICMP traffic is passing in both directions.
D. ICMP traffic is passing in one direction.
Answer: B,C