jn0-333 Exam Questions - Online Test
Free demo questions for the Juniper jn0-333 Security, Specialist (JNCIS-SEC) exam below:
NEW QUESTION 1
Click the Exhibit button.
You notice that your SRX Series device is not blocking HTTP traffic as expected. Referring to the exhibit, what should you do to solve the problem?
- A. Commit the configuration.
- B. Reboot the SRX Series device.
- C. Configure the SRX Series device to operate in packet-based mode.
- D. Move the deny-http policy to the bottom of the policy list.
Answer: B
NEW QUESTION 2
Click the Exhibit button.
Which two statements describe the output shown in the exhibit? (Choose two.)
- A. Node 0 is controlling traffic for redundancy group 1.
- B. Node 1 is controlling traffic for redundancy group 1.
- C. Redundancy group 1 experienced an operational failure.
- D. Redundancy group 1 was administratively failed over.
Answer: BD
NEW QUESTION 3
A link from the branch SRX Series device chassis cluster to the Internet requires more bandwidth. In this scenario, which command would you issue to begin provisioning a second link?
- A. set chassis cluster reth-count 2
- B. set interfaces fab0 fabric-options member-interfaces ge-0/0/1
- C. set interfaces ge-0/0/1 gigether-options redundant-parent reth1
- D. set chassis cluster redundancy-group 1 node 1 priority 1
Answer: B
NEW QUESTION 4
What is the function of redundancy group 0 in a chassis cluster?
- A. Redundancy group 0 identifies the node controlling the cluster management interface IP addresses.
- B. The primary node for redundancy group 0 identifies the first member node in a chassis cluster.
- C. The primary node for redundancy group 0 determines the interface naming for all chassis cluster nodes.
- D. The node on which redundancy group 0 is primary determines which Routing Engine is active in the cluster.
Answer: D
NEW QUESTION 5
Click the Exhibit button.
Referring to the exhibit, which statement is true?
- A. Packets entering the interface are being dropped because of a stateless filter.
- B. Packets entering the interface matching an ALG are getting dropped.
- C. TCP packets entering the interface are failing the TCP sequence check.
- D. Packets entering the interface are getting dropped because the interface is not bound to a zone.
Answer: D
NEW QUESTION 6
What is the maximum number of redundancy groups that would be used on a chassis cluster?
- A. The maximum number of redundancy groups in use is equal to the number of configured physical interfaces.
- B. The maximum number of redundancy groups in use is equal to one more than the number of configured physical interfaces.
- C. The maximum number of redundancy groups in use is equal to the number of configured logical interfaces.
- D. The maximum number of redundancy groups in use is equal to one more than the number of configured logical interfaces.
Answer: C
NEW QUESTION 7
What are three characteristics of session-based forwarding, compared to packet-based forwarding, on an SRX Series device? (Choose three.)
- A. Session-based forwarding uses stateful packet processing.
- B. Session-based forwarding requires less memory.
- C. Session-based forwarding performs faster processing of existing sessions.
- D. Session-based forwarding uses stateless packet processing.
- E. Session-based forwarding uses six tuples of information.
Answer: ACE
NEW QUESTION 8
You have configured source NAT with port address translation. You also need to guarantee that the same IP address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.
Which NAT parameter would meet this requirement?
- A. port block-allocation
- B. port range twin-port
- C. address-persistent
- D. address-pooling paired
Answer: D
NEW QUESTION 9
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
- A. Interface ge-0/0/0 will not accept SSH connections.
- B. Interfaces ge-0/0/0.0 and ge-0/0/1.0 will allow SSH connections.
- C. Interface ge-0/0/0.0 will respond to pings.
- D. Interface ge-0/0/1.0 will respond to pings.
Answer: BD
NEW QUESTION 10
You need to configure an IPsec tunnel between a remote site and a hub site. The SRX Series device at the remote site receives a dynamic IP address on the external interface that you will use for IPsec.
Which feature would you need to configure in this scenario?
- A. NAT-T
- B. crypto suite B
- C. aggressive mode
- D. IKEv2
Answer: C
NEW QUESTION 11
Which statement describes the function of NAT?
- A. NAT encrypts transit traffic in a tunnel.
- B. NAT detects various attacks on traffic entering a security device.
- C. NAT translates a public address to a private address.
- D. NAT restricts or permits users individually or in a group.
Answer: C
NEW QUESTION 12
Click the Exhibit button.
You are configuring an OSPF session between two SRX Series devices. The session will not come up. Referring to the exhibit, which configuration change will solve this problem?
- A. Configure a loopback interface and add it to the trust zone.
- B. Configure the host-inbound-traffic protocols ospf parameter in the trust security zone.
- C. Configure the application junos-ospf parameter in the allow-trusted-traffic security policy.
- D. Configure the host-inbound-traffic system-services any-service parameter in the trust security zone.
Answer: A
NEW QUESTION 13
You are asked to change when your SRX high availability failover occurs. One network interface is considered more important than others in the high availability configuration. You want to prioritize failover based on the state of that interface.
Which configuration would accomplish this task?
- A. Create a VRRP group configuration that lists the reth’s IP address as the VIP while using each physical interface that makes up the reth definition of each SRX HA pair.
- B. Configure IP monitoring of the important interface’s IP address and adjust the heartbeat interval and heartbeat threshold to the shortest settings.
- C. Create a separate redundancy group to isolate the important interface; set the priority of the new redundancy group to 255.
- D. Configure interface monitor inside the redundancy group that contains the important physical interface; adjust the weight associated with the monitored interface to 255.
Answer: D
NEW QUESTION 14
Which SRX5400 component is responsible for performing first pass security policy inspection?
- A. Routing Engine
- B. Switch Control Board
- C. Services Processing Unit
- D. Modular Port Concentrator
Answer: C
NEW QUESTION 15
Click the Exhibit button.
Which statement would explain why the IP-monitoring feature is functioning incorrectly?
- A. The global weight value is too large for the configured global threshold.
- B. The secondary IP address should be on a different subnet than the reth IP address.
- C. The secondary IP address is the same as the reth IP address.
- D. The monitored IP address is not on the same subnet as the reth IP address.
Answer: C
NEW QUESTION 16
You have recently configured an IPsec tunnel between two SRX Series devices. One of the devices is assigned an IP address using DHCP with an IP address that changes frequently. Initial testing indicates that the IPsec tunnel is not working. Troubleshooting has revealed that Phase 1 negotiations are failing.
Which two actions would solve the problem? (Choose two.)
- A. Verify that the device with the IP address assigned by DHCP is the traffic initiator.
- B. Verify that VPN monitoring is enabled.
- C. Verify that the IKE policy is configured for aggressive mode.
- D. Verify that PKI is properly configured.
Answer: AC
NEW QUESTION 17
Clients at a remote office are accessing a website that is against your company Internet policy. You change the action of the security policy that controls HTTP access from permit to deny on the remote office SRX Series device. After committing the policy change, you notice that new users cannot access the website but users that have existing sessions on the device still have access. You want to block all user sessions immediately.
Which change would you make on the SRX Series device to accomplish this task?
- A. Add the set security flow tcp-session rst-invalidate-session option to the configuration and commit the change.
- B. Add the set security policies policy-rematch parameter to the configuration and commit the change.
- C. Add the security flow tcp-session strict-syn-check option to the configuration and commit the change.
- D. Issue the commit full command from the top of the configuration hierarchy.
Answer: B
NEW QUESTION 18
After an SRX Series device processes the first packet of a session, how are subsequent packets for the same session processed?
- A. They are processed using fast-path processing.
- B. They are forwarded to the control plane for deep packet inspection.
- C. All packets are processed in the same manner.
- D. They are queued on the outbound interface until a matching security policy is found.
Answer: A
NEW QUESTION 19
Which type of VPN provides a secure method of transporting encrypted IP traffic?
- A. IPsec
- B. Layer 3 VPN
- C. VPLS
- D. Layer 2 VPN
Answer: A
NEW QUESTION 20
Click the Exhibit button.
You are trying to create a security policy on your SRX Series device that permits HTTP traffic from your private 172.25.11.0/24 subnet to the Internet. You create a policy named permit-http between the trust and untrust zones that permits HTTP traffic.
When you issue a commit command to apply the configuration changes, the commit fails with the error shown in the exhibit.
Which two actions would correct the error? (Choose two.)
- A. Create a custom application named http at the [edit applications] hierarchy.
- B. Execute the Junos commit full command to override the error and apply the configuration.
- C. Modify the security policy to use the built-in junos-http application.
- D. Issue the rollback 1 command from the top of the configuration hierarchy and attempt the commit again.
Answer: BC
NEW QUESTION 21
Which UDP port is used in IPsec tunneling when NAT-T is in use?
Answer: B
NEW QUESTION 22
Which two modes are supported during the Phase 1 IKE negotiations used to establish an IPsec tunnel? (Choose two.)
- A. transport mode
- B. aggressive mode
- C. main mode
- D. tunnel mode
Answer: BC
NEW QUESTION 23
Which two statements are true about global security policies? (Choose two.)
- A. Global security policies are evaluated before regular security policies.
- B. Global security policies can be configured to match addresses across multiple zones.
- C. Global security policies can match traffic regardless of security zones.
- D. Global security policies do not support IPv6 traffic.
Answer: BC
NEW QUESTION 24
What are two supported hypervisors for hosting a vSRX? (Choose two.)
- A. VMware ESXi
- B. Solaris Zones
- C. KVM
- D. Docker
Answer: AC