Juniper Certified Security Professional JNCIP-SEC Practice Questions

How does secure wire mode differ from transparent mode?
- In secure wire mode, security policy cannot be used to secure intra-VLAN traffic.
- In secure wire mode, no switching lookup takes place to forward traffic.
- In secure wire mode, traffic can be modified using source NAT.
- In secure wire mode, IRB interfaces can be configured to route inter-VLAN traffic.

You are trying to get an SSH honeypot set up on a Juniper ATP appliance collector. The collector is running on hardware with two physical interfaces and two physical CPU cores. The honeypot feature is not working. What would be a cause of this problem?
- The collector must have at least four physical cores.
- The collector must have at least three physical interfaces.
- The collector must have at least four physical interfaces.
- The collector must have at least six physical cores.

A user is unable to reach a necessary resource. You discover the path through the SRX Series device includes several security features. The traffic is not being evaluated by any security policy. In this scenario, which two components within the flow module would affect the traffic? (Choose two.)
- Services ALG
- Source NAT
- Destination NAT
- Route lookup

Your SRX Series device does not see the SYN packet.
- The device will forward the subsequent packets and the session will not be established.
- The device will drop the subsequent packets and the session will be established.
- The device will forward the subsequent packets and the session will be established.
- The device will drop the subsequent packets and the session will not be established.

You have set up Security Director with Policy Enforcer and have configured 12 third-party feeds and a Sky ATP feed. You are also injecting 16 feeds using the available open API. You want to add another compatible feed using the open API, but Policy Enforcer is not receiving the new feed. What is the problem in this scenario?
- You cannot add more than 16 feeds through the available open API.
- You must wait 48 hours for the feed to update.
- You have reached the maximum limit of 29 total feeds.
- You cannot add more than 16 feeds with the available open API.

An administrator wants to implement persistent NAT for an internal resource so that external hosts are able to initiate communications to the resource, with the internal resource having previously sent packets to the external host. Which configuration setting is used to accomplish this goal?
- Persistent-nat permit target-host-port
- Persistent-nat permit target-host
- Address-persistent
- Persistent-nat permit any-remote-host

Why would you use the port-overload-factor 1?
- to enable the port-overloading
- to disable the port-overloading
- to map port with 1:1 ratio for port-overloading
- to set the maximum port-overloading capability

Which Junos security feature is used for signature-based attack prevention?
- RADIUS
- AppQoS
- IPS
- PIM

Which two statements are true about ADVPN members? (Choose two.)
- ADVPN members can use IKEv1.
- ADVPN members are authenticated using pre-shared keys.
- ADVPN members can use IKEv2.
- ADVPN members are authenticated using certificates.

You have noticed a high number of TCP-based attacks directed toward your primary edge device. You are asked to configure the IDP feature on your SRX Series device to block this attack. Which two IDP attack objects would you configure to solve this problem? (Choose two.)
- Network
- Signature
- Protocol anomaly
- host

Which two log format types are supported by the JATP appliance? (Choose two.)
- YAML
- XML
- CSV
- YANG

You are asked to set up notifications if one of your collector traffic feeds drops below 100 kbps. Which two configuration parameters must be set to accomplish this task? (Choose two.)
- Set a traffic SNMP trap on the JATP appliance.
- Set a logging notification on the JATP appliance.
- Set a traffic system alert on the JATP appliance.
- Set a general triggered notification on the JATP appliance.

You have a remote access VPN where the remote users are using the NCP client. The remote users can access the internal corporate resources as intended; however, traffic that is destined to all other internet sites is going through the remote access VPN. You want to ensure that only traffic that is destined to the internal corporate resources uses the remote access VPN. Which two actions should you take to accomplish this task? (Choose two.)
- Configure split tunneling on the NCP profile on the remote client.
- Configure the necessary traffic selectors within the VPN configuration on the SRX Series device.
- Enable the split tunneling feature within the VPN configuration on the SRX Series device.
- Enable IKEv2 within the VPN configuration on the SRX Series device.

Your organization has multiple Active Directory domains to control user access. You must ensure that security policies are passing traffic based upon the user’s access rights. What would you use to assist your SRX Series devices to accomplish this task?
- JIMS
- Junos Space
- JSA
- JATP Appliance

Malware that is detonated by the JATP sandbox must be able to communicate with the internet without being able to harm your local network resources. Which statement is correct in this scenario?
- The exhaust interface must be connected to the Internet zone.
- The monitoring interface must be connected to the Internet zone.
- The honeypot interface must be connected to the Internet zone.
- The management interface must be connected to the Internet zone.

You are asked to secure your network against TOR network traffic. Which two Juniper products would accomplish this task? (Choose two.)
- Juniper Sky ATP
- Contrail Insights
- Juniper ATP Appliance
- Contrail Edge

You are asked to configure an IPsec VPN between two SRX Series devices that allows for processing of CoS on the intermediate routers. What will satisfy this requirement?
- OpenVPN
- Remote Access VPN
- Policy-based VPN
- Route-based VPN

You opened a support ticket with JTAC for your Juniper ATP appliance. JTAC asks you to set up access to the device using the reverse SSH connection. Which three settings must be configured to satisfy this request? (Choose three.)
- Enable JTAC remote access.
- Create a temporary root account.
- Enable a JATP support account.
- Create a temporary admin account.
- Enable remote support.

Which interface family is required for Layer 2 transparent mode on SRX Series devices?
- LLDP
- Ethernet switching
- inet
- VPLS

The monitor traffic interface command is being used to capture the packets destined to and from the SRX Series device. In this scenario, which two statements related to the feature are true? (Choose two.)
- This feature does not capture transit traffic.
- This feature captures ICMP traffic to and from the SRX Series device.
- This feature is supported on high-end SRX Series devices only.
- This feature is supported on both branch and high-end SRX Series devices.

You are asked to configure an SRX Series device to bypass all security features for IP traffic from the engineering department. Which firewall filter will accomplish this task?
- user@srx# show firewall filter eng-filter
  term 1 {
      from {
          source-prefix-list {
              eng-subnet;
          }
      }
      then accept;
  }
  term 2 {
      then accept;
  }
- user@srx# show firewall filter eng-filter
  term 1 {
      from {
          source-prefix-list {
              eng-subnet;
          }
          destination-prefix-list {
              hr-subnet;
          }
      }
      then accept;
  }
  term 2 {
      then packet-mode;
  }
- user@srx# show firewall filter eng-filter
  term 1 {
      from {
          source-prefix-list {
              hr-subnet;
          }
          destination-prefix-list {
              eng-subnet;
          }
      }
      then accept;
  }
  term 2 {
      then packet-mode;
  }
- user@srx# show firewall filter eng-filter
  term 1 {
      from {
          source-prefix-list {
              eng-subnet;
          }
      }
      then packet-mode;
  }
  term 2 {
      then accept;
  }

In a Juniper ATP Appliance, what would be a reason for the mitigation rule to be in the failed-remove state?
- The Juniper ATP appliance was not able to communicate with the SRX Series device.
- The Juniper ATP appliance was not able to obtain the config lock.
- The Juniper ATP appliance received a commit error message from the SRX Series device.
- The Juniper ATP appliance received an unknown error message from the SRX Series device.

You are asked to configure a new SRX Series CPE device at a remote office. The device must participate in forwarding MPLS and IPsec traffic. Which two statements are true regarding this implementation? (Choose two.)
- A firewall filter must be configured to enable packet mode forwarding.
- The SRX Series device can process both MPLS and IPsec with default traffic handling.
- Host inbound traffic must not be processed by the flow module.
- Host inbound traffic must be processed by the flow module.

You are configuring transparent mode on an SRX Series device. You must permit IP-based traffic only, and BPDUs must be restricted to the VLANs from which they originate. Which configuration accomplishes these objectives?
- bridge { block-non-ip-all; bypass-non-ip-unicast; no-packet-flooding; }
- bridge { block-non-ip-all; bypass-non-ip-unicast; bpdu-vlan-flooding; }
- bridge { bypass-non-ip-unicast; bpdu-vlan-flooding; }
- bridge { block-non-ip-all; bpdu-vlan-flooding; }

You have a webserver and a DNS server residing in the same internal DMZ subnet. The public static NAT addresses for the servers are in the same subnet as the SRX Series device's internet-facing interface. You implement DNS doctoring to ensure remote users can access the webserver. Which two statements are true in this scenario? (Choose two.)
- The DNS doctoring ALG is not enabled by default.
- The Proxy ARP feature must be configured.
- The DNS doctoring ALG is enabled by default.
- The DNS CNAME record is translated.

You are not able to activate the SSH honeypot on the all-in-one Juniper ATP appliance. What would be a cause of this problem?
- The collector must have a minimum of five interfaces.
- The collector must have a minimum of four interfaces.

You must implement an IPsec VPN on an SRX Series device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. In this scenario, which statement is correct?
- You can use CRL to accomplish this behavior.
- You can use OCSP to accomplish this behavior.

You are asked to merge the corporate network with the network from a recently acquired company. Both networks use the same private IPv4 address space (172.25.126.0/24). An SRX Series device serves as the gateway for each network. Which solution allows you to merge the two networks without modifying the current address assignments?
- Persistent NAT
- NAT64
- Source NAT
- Double NAT

You are asked to configure a security policy on the SRX Series device. After committing the policy, you receive the “Policy is out of sync between RE and PFE.” error. Which command would be used to solve the problem?
- request security policies resync
- request service-deployment
- request security policies check
- restart security-intelligence

In which two ways are tenant systems different from logical systems? (Choose two.)
- Tenant systems have higher scalability than logical systems.
- Tenant systems have fewer routing features than logical systems.

You are connecting two remote sites to your corporate headquarters site; you must ensure that all traffic is secured and only uses a single Phase 2 SA for both sites. In this scenario, which VPN should be used?
- An IPsec group VPN with the corporate firewall acting as the hub device.
- Full mesh IPsec VPNs with tunnels between all sites.
- A hub-and-spoke IPsec VPN with the corporate firewall acting as the hub device.
- A full mesh Layer 3 VPN with the corporate firewall acting as the hub device.

Which three types of peer devices are supported for CoS-based IPsec VPN?
- High-end SRX Series device
- cSRX
- vSRX
- Branch-end SRX Series device

Which three roles or protocols are required when configuring an ADVPN? (Choose three.)
- BGP
- OSPF
- shortcut suggester
- shortcut partner
- IKEv1

What are two important functions of the Juniper Networks ATP appliance solution? (Choose two.)
- Statistics
- Analysis
- Detection
- Filtration

You have configured three logical tunnel interfaces in a tenant system on the SRX Series devices…. In this scenario, what would cause this problem?
- The SRX1500 device requires a tunnel PIC to allow for logical tunnel interfaces.
- There is no VPLS switch on the tenant system containing a peer lt-0/0/0.
- The SRX1500 device does not support more than two logical interfaces.
- There is no GRE tunnel between the tenant system and master system.

Which two modes are supported by Juniper Sky ATP? (Choose two.)
- tap mode
- private mode
- global mode
- secure wire mode

You must troubleshoot ongoing problems with IPsec tunnels and security policy processing. Your network consists of SRX340s and SRX5600s. In this scenario, which two statements are true? (Choose two.)
- You must enable data plane logging on the SRX5600 devices to generate security policy logs.
- IPsec logs are written to the kmd log file by default.
- IKE logs are written to the messages log file by default.
- You must enable data plane logging on the SRX340 devices to generate security policy logs.

Which feature of Sky ATP is deployed with Policy Enforcer?
- Zero-day threat mitigation
- Software image snapshot support
- Device inventory management
- Service redundancy daemon configuration support

You correctly configured a security policy to deny certain traffic, but logs reveal that traffic is still allowed. Which specific traceoption flag will help you troubleshoot this problem?
- rules
- routing-packet
- lookup
- configuration

You configured a security policy permitting traffic from the trust zone to the DMZ zone, inserted the new policy at the top of the list, and successfully committed it to the SRX Series device. Upon monitoring, you notice that the hit count does not increase on the newly configured policy. In this scenario, which two commands would help you to identify the problem? (Choose two.)
- user@srx> show security match-policies from-zone trust to-zone DMZ source-ip 192.168.10.100/32 destination-ip 10.10.10.80/32 protocol tcp source-port 5806 destination-port 443 result-count 10
- user@srx> show security zones trust detail
- user@srx> show security match-policies from-zone trust to-zone DMZ source-ip 192.168.10.100/32 destination-ip 10.10.10.80/32 protocol tcp source-port 5806 destination-port 443
- user@srx> show security shadow-policies from zone trust to zone DMZ

Your company has purchased a competitor and now must connect the new network to the existing one. The competitor's gateway device is receiving its ISP address using DHCP. Communication between the two sites must be secured; however, obtaining a static public IP address for the new site gateway is not an option at this time. The company has several requirements for this solution. A site-to-site IPsec VPN must be used to secure traffic between the two sites. The IKE identity on the new site gateway device must use the hostname option; and Internet traffic from each site should exit through its local internet connection. The configuration shown in the exhibit has been applied to the new site's SRX, but the secure tunnel is not working. In this scenario, what configuration change is needed for the tunnel to come up?
- Change the IKE policy mode to aggressive.
- Remove the quotes around the hostname.
- Apply a static address to ge-0/0/2.
- Bind interface st0 to the gateway.

You are asked to implement the session cache feature on an SRX5400. In this scenario, what information does a session cache entry record? (Choose two.)
- To which SPU the traffic of the session should be forwarded
- To which NPU the traffic of the session should be forwarded
- The type of processing to do for egress traffic
- The type of processing to do for ingress traffic

Which two VPN features are supported with CoS-based IPsec VPNs? (Choose two.)
- IKEv2
- Dead peer detection
- IKEv1
- VPN monitoring

You have configured static NAT for a webserver in your DMZ. Both internal and external users can reach the webserver using the IP address. However, only internal users can reach the webserver using the DNS name; when external users attempt to reach it using the DNS name, an error message is received. Which action would solve this problem?
- Disable web filtering
- Use DNS doctoring
- Modify the security policy
- Use destination NAT instead of static NAT

You have downloaded and initiated the installation of the application package for the JATP appliance on an SRX1500. You must confirm that the installation of the application package has completed successfully. In this scenario, which command would you use to accomplish this task?
- Show services application-identification version
- Show services application-identification application detail
- Show services application-identification application version
- Show services application-identification status