Free VCE & PDF File for Juniper JN0-633 Real Exam (Full Version!)
Q31. Click the Exhibit button.
user@host# run show security flow session
Session ID: 28, Policy name: allow/5, Timeout: 2, Valid
In: 172.168.1.2/24800 --> 66.168.100.100/8001; tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 64
Out: 10.168.100.1/8001 --> 172.168.1.2/24800; tcp, If: ge-0/0/6.0, Pkts: 1, Bytes: 40
Your customer is unable to reach your HTTP server that is connected to the ge-0/0/6 interface. The HTTP server has an address of 10.168.100.1 on port 80 internally, but is accessed publicly using interface ge-0/0/3 with the address 66.168.100.100 on port 8001.
Referring to the exhibit, what is causing this problem?
A. The traffic is originated with incorrect IP address from the customer.
B. The traffic is translated with the incorrect IP address for the HTTP server.
C. The traffic is translated with the incorrect port number for the HTTP server.
D. The traffic is originated with the incorrect port number from the customer.
Answer: C
Q32. You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX240s and SRX5600s.
Regarding this scenario, which two statements are true? (Choose two.)
A. You must enable data plane logging on the SRX240 devices to generate security policy logs.
B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.
C. IKE logs are written to the kmd log file by default.
D. IPsec logs are written to the kmd log file by default.
Answer: B,D
Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506
http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf
Q33. Click the Exhibit button.
[edit]
user@host# run show log debug
Feb 3 22:04:32 22:04:31.983991:CID-0:RT:ge-0/0/1.0:5.0.0.25/59028->25.0.0.25/23, tcp, flag 18
Feb 3 22:04:32 22:04:31.983997:CID-0:RT: find flow: table 0x582738c0, hash 53561(0xffff), sa 5.0.0.25, da 5.0.0.25, sp 59028, dp 23, proto 6, tok 20489
Feb 3 22:04:32 22:04:31.984004:CID-0:RT:Found: session id 0x14f98. sess tok 20489
Feb 3 22:04:32 22:04:31.984005:CID-0:RT: flow got session.
Feb 3 22:04:32 22:04:31.984006:CID-0:RT: flow session id 85912
Feb 3 22:04:32 22:04:31.984009:CID-0:RT: vector bits 0x2 vector 0x53a949e8
Feb 3 22:04:32 22:04:31.984012:CID-0:RT: tcp sec check.
Feb 3 22:04:32 22:04:31.984015:CID-0:RT:mbuf 0x4a82cd80, exit nh 0xa0010
Which two statements are true regarding the output shown in the exhibit? (Choose two.)
A. The outgoing interface is ge-0/0/1.0.
B. The packet is subject to fast-path packet processing.
C. The packet is part of the first-packet path processing.
D. TCP sequence checking is enabled.
Answer: C,D
Q34. You want to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, without the internal resource having previously sent packets to the external hosts. Which configuration setting will accomplish this goal?
A. persistent-nat permit target-host
B. persistent-nat permit any-remote-host
C. persistent-nat permit target-host-port
D. address-persistent
Answer: B
Explanation:
Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/understand-persistent-nat-section.html
Q35. Click the Exhibit button.
{primary:node0}[edit security idp idp-policy test-ips-policy]
user@host# show
rulebase-ips {
    rule r1 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
        terminal;
    }
    rule r2 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r3 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "TELNET - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r4 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
    }
}
A user with IP address 172.30.1.100 initiates an FTP session to a host with IP address 10.100.1.50 through an SRX Series device and is subject to the IPS policy shown in the exhibit.
If the user tries to execute the cd ~root command, which statement is correct?
A. The FTP command will be denied with the offending packet dropped and the session will be closed by the SRX device.
B. The FTP command will be denied with the offending packet dropped and the rest of the FTP session will be inspected by the IPS policy.
C. The FTP command will be allowed to execute and the rest of the FTP session will be ignored by the IPS policy.
D. The FTP command will be allowed to execute but any other attacks executed during the session will be inspected.
Answer: D
Q36. For an SRX chassis cluster in transparent mode, which action occurs to signal a high availability failover to neighboring switches?
A. the SRX chassis cluster generates Spanning Tree messages
B. the SRX chassis cluster generates gratuitous ARPs
C. the SRX chassis cluster flaps the former active interfaces
D. the SRX chassis cluster uses IP address monitoring
Answer: C
Reference: http://books.google.co.in/books?id=2HSLsTJIgEQC&pg=PA246&lpg=PA246&dq=the+SRX+chassis+cluster+flaps+the+former+active+interfaces&source=bl&ots=_eDe_vRMyw&sig=x-Px98kZEi4hZvGflcoybABdMRQ&hl=en&sa=X&ei=iMLzUcDSLcfRrQeQw4CYCA&ved=0CEAQ6AEwBA#v=onepage&q=flap&f=false
Q37. Which two statements about AppQoS are true? (Choose two.)
A. AppQoS remarking supersedes interface remarking.
B. AppQoS supports forwarding class assignment.
C. AppQoS supports rate limiting.
D. AppQoS supports bandwidth reservation.
Answer: B,C
Q38. Click the Exhibit button.
user@host# run show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 00:05:06
                    > to 172.16.1.1 via ge-0/0/1.0
172.16.1.0/24      *[Direct/0] 00:05:06
                    > via ge-0/0/1.0
172.16.1.3/32      *[Local/0] 00:05:07
                      Local via ge-0/0/1.0
192.168.200.2/32   *[Local/0] 00:05:07
                      Reject
vr-a.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.1/24     *[Direct/0] 00:01:05
                    > via ge-0/0/2.0
192.168.1.2/32     *[Local/0] 00:01:05
                      Local via ge-0/0/2.0
vr-b.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.1/24     *[Direct/0] 00:01:05
                    > via ge-0/0/3.0
192.168.1.2/32     *[Local/0] 00:01:05
                      Local via ge-0/0/3.0
User 1 will access Server 1 using IP address 10.2.1.1. You need to ensure that return traffic is able to reach User 1 from Server 1.
Referring to the exhibit, which two configurations allow this communication? (Choose two.)
A. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone [ untrust ];
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                }
            }
        }
    }
}
B. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone [ junos-host untrust ];
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                    routing-instance vr-b;
                }
            }
        }
    }
}
C. [edit security nat static]
user@host# show
rule-set server-nat {
    from zone untrust;
    rule 1 {
        match {
            destination-address 10.2.1.1/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.1.2/32;
                    routing-instance vr-a;
                }
            }
        }
    }
}
D. [edit security nat static]
user@host# show
rule-set in {
    from zone untrust;
    to zone cust-a;
    rule overload {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Answer: B
Q39. You are asked to deploy a group VPN between various sites associated with your company. The gateway devices at the remote locations are SRX240 devices.
Which two statements about the new deployment are true? (Choose two.)
A. The networks at the various sites must use NAT.
B. The participating endpoints in the group VPN can belong to a chassis cluster.
C. The networks at the various sites cannot use NAT.
D. The participating endpoints in the group VPN cannot be part of a chassis cluster.
Answer: C,D
Explanation:
Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide_v1.2.pdf
Q40. Your company has added a connection to a new ISP and you have been asked to send specific traffic to the new ISP. You have decided to implement filter-based forwarding. You have configured new routing instances with type forwarding. You must direct traffic into each instance. Which step would accomplish this goal?
A. Add a firewall filter to the ingress interface that specifies the intended routing instance as the action.
B. Create a routing policy to direct the traffic to the required forwarding instances.
C. Configure the ingress and egress interfaces in each forwarding instance.
D. Create a static default route for each ISP in inet.0, each pointing to a different forwarding instance.
Answer: A
Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223