Your manager asks you to show which attacks have been detected on your SRX Series device using the IPS feature.
Which command would you use to accomplish this task?
A. show security idp attack detail
B. show security idp attack table
C. show security idp memory
D. show security idp counters
Correct answer: B
Question 2:
Click the Exhibit button.
[edit]
user@host# run show log debug
Feb3 22:04:31 22:04:31.824294:CID-0:RT:flow_first_policy_search: policy search from zone host-> zone attacker (Ox0,0xe4089404,0x17)
Feb3 22:04:31 22:04:31.824297:CID-0:RT:Policy lkup: vsys 0 zone(9:host) -> zone(10:attacker) scope: 0
Feb3 22:04:31 22:04:31.824770:CID-0:RT:5.0.0.25/59028 -> 25.0.0.25/23 proto 6
Feb3 22:04:31 22:04:31.824778:CID-0:RT:Policy lkup: vsys 0 zone(5:Umkmowm) -> zone(5:Umkmowm) scope: 0
Feb3 22:04:31 22:04:31.824780:CID-0:RT:5.0.0.25/59028 -> 25.0.0.25/23 proto 6
Feb3 22:04:31 22:04:31.824783:CID-0:RT: app 10, timeout 1800s, curr ageout 20s
Feb3 22:04:31 22:04:31.824785:CID-0:RT: permitted by policy default-policy-00(2)
Feb3 22:04:31 22:04:31.824787:CID-0:RT: packet passed, Permitted by policy.
Feb3 22:04:31 22:04:31.824790:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed; False
Feb3 22:04:31 22:04:31.824834:CID-0:RT:flow_first_src_xlate: incoming src port is: 38118
Which two statements are true regarding the output shown in the exhibit? (Choose two.)
A. The log shows the reverse flow of the session.
B. The log is showing the first path packet flow.
C. The user has configured a security policy to allow the packet.
D. The packet does not match any user-configured security policies.
Correct answer: B
Question 3:
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, the session close log was generated by the application firewall rule set HTTP.
Why did the session close?
A. The host with the IP address of 192.168.1.123 received a TCP segment with the FIN flag set from the host with the IP address of 65.197.244.218.
B. The SRX device was unable to determine the user and role in the allotted time, which caused the session to close.
C. The application identification engine was unable to determine which application was in use, which caused the SRX device to close the session.
D. The host with the IP address of 192.168.1.123 sent a TCP segment with the FIN flag set to the host with the IP address of 65.197.244.218.
Correct answer: D
Question 4:
You want to implement a hub-and-spoke VPN topology using a single logical interface on the hub. Which st0 interface configuration is correct for the hub device?
A. [edit interfaces]
user@srx# show
st0 {
    unit 0 {
        point-to-point;
        family inet {
            address 10.10.10.1/24;
        }
    }
}
B. [edit interfaces]
user@srx# show
st0 {
    multipoint
    unit 0 {
        family inet {
            address 10.10.10.1/24;
        }
    }
}
C. [edit interfaces]
user@srx# show
st0 {
    unit 0 {
        family inet {
            address 10.10.10.1/24;
        }
    }
}
D. [edit interfaces]
user@srx# show
st0 {
    unit 0 {
        multipoint;
        family inet {
            address 10.10.10.1/24;
        }
    }
}
Correct answer: D
Question 5:
Click the Exhibit button.
-- Exhibit --
security {
    nat {
        destination {
            pool Web-Server {
                address 10.0.1.5/32;
            }
            rule-set From-Internet {
                from zone Untrust;
                rule To-Web-Server {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 172.16.1.7/32;
                    }
                    then {
                        destination-nat pool Web-Server;
                    }
                }
            }
        }
    }
    zones {
        security-zone Untrust {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            address-book {
                address Web-Server-External 172.16.1.7/32;
                address Web-Server-Internal 10.0.1.5/32;
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
-- Exhibit --
You are migrating from one external address block to a different external address block. You want to enable a smooth transition to the new address block. You temporarily want to allow external users to contact the Web server using both the existing external address as well as the new external address 192.168.1.1.
How do you accomplish this goal?
A. Add address 192.168.1.1/32 under [edit security nat destination pool Web-Server].
B. Create a new rule for the new address in the [edit security nat destination rule-set From-Internet] hierarchy.
C. Change the address Web-Server-Ext objects to be address-set objects that include both addresses.
D. Change the destination address under [edit security nat destination rule-set From-Internet rule To-Web-Server match] to include both 172.16.1.7/32 and 192.168.1.2/32.
Correct answer: B
Question 6:
What are two network scanning methods? (Choose two.)
A. ping of death
B. SYN flood
C. ping sweep
D. UDP scan
Correct answer: C, D
Question 7:
A local user complains that they cannot connect to an FTP server on the DMZ network. You investigate and confirm that the security policy allows FTP traffic from the trust zone to the DMZ zone.
What are two reasons for this problem? (Choose two.)
A. No security policy exists for traffic from the DMZ zone to the trust zone.
B. The FTP server has no route back to the local network.
C. No route is configured to the DMZ network.
D. The FTP ALG is disabled.
Correct answer: B, D
Question 8:
Click the Exhibit button.
-- Exhibit --
-- Exhibit --
Referring to the exhibit, AppTrack is only logging the session closure messages for sessions that last 1 to 3 minutes.
What is causing this behavior?
A. AppTrack only generates session closure messages.
B. AppTrack only generates session update messages.
C. AppTrack is not properly configured under the [edit security application-tracking] hierarchy.
D. AppTrack generates other messages only when the update interval is surpassed.
Correct answer: D
Question 9:
You are asked to ensure traffic from your executive staff does not use the same ISP connection as your other traffic.
Which three actions are required to accomplish this task? (Choose three)
A. Assign the outgoing interface to the no-forwarding instance.
B. Create a routing instance and define the type as forwarding.
C. Create a RIB group to share routes between the main instance and the routing instance.
D. Create a firewall filter to match this traffic and send this traffic to the routing instance.
E. Create a routing instance and define the type as no-forwarding.
Correct answer: B, C, D