What are two supported hypervisors for hosting a vSRX? (Choose two.)
- A . VMware ESXi
- B . Solaris Zones
- C . KVM
- D . Docker
You are asked to change when your SRX high availability failover occurs. One network interface is considered more important than others in the high availability configuration. You want to prioritize failover based on the state of that interface.
Which configuration would accomplish this task?
- A . Create a VRRP group configuration that lists the reth’s IP address as the VIP while using each physical interface that make up the reth definition of each SRX HA pair.
- B . Configure IP monitoring of the important interface’s IP address and adjust the heartbeat interval and heartbeat threshold to the shortest settings.
- C . Create a separate redundancy group to isolate the important interface; set the priority of the new redundancy group to 255.
- D . Configure interface monitor inside the redundancy group that contains the important physical interface; adjust the weight associated with the monitored interface to 255.
Which three Encapsulating Security Payload protocols do the SRX Series devices support with IPsec? (Choose three.)
- A . DES
- B . RC6
- C . TLS
- D . AES
- E . 3DES
What are three characteristics of session-based forwarding, compared to packet-based forwarding, on an SRX Series device? (Choose three.)
- A . Session-based forwarding uses stateful packet processing.
- B . Session-based forwarding requires less memory.
- C . Session-based forwarding performs faster processing of existing session.
- D . Session-based forwarding uses stateless packet processing,
- E . Session-based forwarding uses six tuples of information.
You have configured source NAT with port address translation. You also need to guarantee that the same IP address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.
Which NAT parameter would meet this requirement?
- A . port block-allocation
- B . port range twin-port
- C . address-persistent
- D . address-pooling paired
You have configured source NAT with port address translation. You also need to guarantee that the same IP address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.
Which NAT parameter would meet this requirement?
- A . port block-allocation
- B . port range twin-port
- C . address-persistent
- D . address-pooling paired
168.150.111 using HTTP?
- A . The client will be denied by policy p2.
- B . The client will be denied by policy p1.
- C . The client will be permitted by policy p2.
- D . The client will be permitted by policy p1.
Click the Exhibit button.
Which feature is enabled with destination NAT as shown in the exhibit?
- A . NAT overload
- B . block allocation
- C . port translation
- D . NAT hairpinning
Which two statements about security policy actions are true? (Choose two.)
- A . The log action implies an accept action.
- B . The log action requires an additional terminating action.
- C . The count action implies an accept action.
- D . The count action requires an additional terminating action.
Which two statements are true about global security policies? (Choose two.)
- A . Global security policies are evaluated before regular security policies.
- B . Global security policies can be configured to match addresses across multiple zones.
- C . Global security policies can match traffic regardless of security zones.
- D . Global security policies do not support IPv6 traffic.
Which statement is true about functional zones?
- A . Functional zones are a collection of regulated transit network segments.
- B . Functional zones provide a means of distinguishing groups of hosts and their resources from one another.
- C . Functional zones are used for management.
- D . Functional zones are the building blocks for security policies.
You have recently configured an IPsec tunnel between two SRX Series devices. One of the devices is assigned an IP address using DHCP with an IP address that changes frequently. Initial testing indicates that the IPsec tunnel is not working. Troubleshooting has revealed that Phase 1 negotiations are failing.
Which two actions would solve the problem? (Choose two.)
- A . Verify that the device with the IP address assigned by DHCP is the traffic initiator.
- B . Verify that VPN monitoring is enabled.
- C . Verify that the IKE policy is configured for aggressive mode.
- D . Verify that PKI is properly configured.
Click the Exhibit button.
Which statement would explain why the IP-monitoring feature is functioning incorrectly?
- A . The global weight value is too large for the configured global threshold.
- B . The secondary IP address should be on a different subnet than the reth IP address.
- C . The secondary IP address is the same as the reth IP address.
- D . The monitored IP address is not on the same subnet as the reth IP address.
Click the Exhibit button.
You have configured NAT on your network so that Host A can communicate with Server B. You want to ensure that Host C can initiate communication with Host A using Host A’s reflexive address.
Referring to the exhibit, which parameter should you configure on the SRX Series device to satisfy this requirement?
- A . Configure persistent NAT with the target-hostparameter.
- B . Configure persistent NAT with the target-host-portparameter.
- C . Configure persistent NAT with the any-remote-hostparameter.
- D . Configure persistent NAT with the port-overloadingparameter.
Which feature is used when you want to permit traffic on an SRX Series device only at specific times?
- A . scheduler
- B . pass-through authentication
- C . ALGs
- D . counters
Which two modes are supported during the Phase 1 IKE negotiations used to establish an IPsec tunnel? (Choose two.)
- A . transport mode
- B . aggressive mode
- C . main mode
- D . tunnel mode
Which statement describes the function of NAT?
- A . NAT encrypts transit traffic in a tunnel.
- B . NAT detects various attacks on traffic entering a security device.
- C . NAT translates a public address to a private address.
- D . NAT restricts or permits users individually or in a group.
Click the Exhibit button.
You are monitoring traffic, on your SRX300 that was configured using the factory default security parameters. You notice that the SRX300 is not blocking traffic between Host A and Host B as expected.
Referring to the exhibit, what is causing this issue?
- A . Host B was not assigned to the Untrust zone.
- B . You have not created address book entries for Host A and Host B.
- C . The default policy has not been committed.
- D . The default policy permits intrazone traffic within the Trust zone.
What is the function of redundancy group 0 in a chassis cluster?
- A . Redundancy group 0 identifies the node controlling the cluster management interface IP addresses.
- B . The primary node for redundancy group 0 identifies the first member node in a chassis cluster.
- C . The primary node for redundancy group 0 determines the interface naming for all chassis cluster nodes.
- D . The node on which redundancy group 0 is primary determines which Routing Engine is active in the cluster.
Which statement describes the function of screen options?
- A . Screen options encrypt transit traffic in a tunnel.
- B . Screen options protect against various attacks on traffic entering a security device.
- C . Screen options translate a private address to a public address.
- D . Screen options restrict or permit users individually or in a group.
You want to protect your SRX Series device from the ping-of-death attack coming from the untrust security zone.
How would you accomplish this task?
- A . Configure the host-inbound-traffic system-services ping except parameter in the untrust security zone.
- B . Configure the application tracking parameter in the untrust security zone.
- C . Configure a from-zone untrust to-zone trust security policy that blocks ICMP traffic.
- D . Configure the appropriate screen and apply it to the [edit security zone security-zone untrust] hierarchy.
After an SRX Series device processes the first packet of a session, how are subsequent packets for the same session processed?
- A . They are processed using fast-path processing.
- B . They are forwarded to the control plane for deep packet inspection.
- C . All packets are processed in the same manner.
- D . They are queued on the outbound interface until a matching security policy is found.
You must verify if destination NAT is actively being used by users connecting to an internal server from the Internet.
Which action will accomplish this task on an SRX Series device?
- A . Examine the destination NAT translations table.
- B . Examine the installed routes in the packet forwarding engine.
- C . Examine the NAT translation table.
- D . Examine the active security flow sessions.
Which interface is used exclusively to forward Ethernet-switching traffic between two chassis cluster nodes?
- A . swfab0
- B . fxp0
- C . fab0
- D . me0
Which three statements describes traditional firewalls? (Choose three.)
- A . A traditional firewall performs stateless packet processing.
- B . A traditional firewall offers encapsulation, authentication, and encryption.
- C . A traditional firewall performs stateful packet processing.
- D . A traditional firewall forwards all traffic by default.
- E . A traditional firewall performs NAT and PAT.
Which SRX5400 component is responsible for performing first pass security policy inspection?
- A . Routing Engine
- B . Switch Control Board
- C . Services Processing Unit
- D . Modular Port Concentrator
Which SRX5400 component is responsible for performing first pass security policy inspection?
- A . Routing Engine
- B . Switch Control Board
- C . Services Processing Unit
- D . Modular Port Concentrator
100.75.75. The external DNS server address is 75.75.76.76. Traffic from the inside server to the DNS server fails.
Referring to the exhibit, what is causing the problem?
- A . The security policy must match the translated destination address.
- B . Source and static NAT cannot be configured at the same time.
- C . The static NAT rule must use the global address book entry name for the DNS server.
- D . The security policy must match the translated source and translated destination address.
Click the Exhibit button.
Users at a remote office are unable to access an FTP server located at the remote corporate data center as expected. The remote FTP server is listening on the non-standard TCP port 2121.
Referring to the exhibit, what is causing the problem?
- A . The FTP clients must be configured to listen on non-standard client ports for the FTP data channel negotiations to succeed.
- B . Two custom FTP applications must be defined to allow bidirectional FTP communication through the SRX Series device.
- C . The custom FTP application definition does not have the FTP ALG enabled.
- D . A new security policy must be defined between the untrust and trust zones.
You want to trigger failover of redundancy group 1 currently running on node 0 and make node 1 the primary node the redundancy group 1.
Which command would be used accomplish this task?
- A . user@host# set chassis cluster redundancy-group 1 node 1
- B . user@host> request chassis cluster failover redundancy-group 1 node 1
- C . user@host# set chassis cluster redundancy-group 1 preempt
- D . user@host> request chassis cluster failover reset redundancy-group 1
You need to configure an IPsec tunnel between a remote site and a hub site. The SRX Series device at the remote site receives a dynamic IP address on the external interface that you will use for IPsec.
Which feature would you need to configure in this scenario?
- A . NAT-T
- B . crypto suite B
- C . aggressive mode
- D . IKEv2
Which statement is true about high availability (HA) chassis clusters for the SRX Series device?
- A . Cluster nodes require an upgrade to HA compliant Routing Engines.
- B . Cluster nodes must be connected through a Layer 2 switch.
- C . There can be active/passive or active/active clusters.
- D . HA clusters must use NAT to prevent overlapping subnets between the nodes.