質問 1:
Which configuration statement would allow the SRX Series device to match a signature only on the first match, and not subsequent signature matches in a connection?
A. user@host# set security idp idp-policy test rulebase-ips rule 1 then action ignore-connection
B. user@host# set security idp idp-policy test rulebase-ips rule 1 then action drop-
connection
C. user@host# set security idp idp-policy test rulebase-ips rule 1 then action no-action
D. user@host# set security idp idp-policy test rulebase-ips rule 1 then action recommended
正解:A
質問 2:
Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability). Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lockups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1 19.24:17.322751 In arp who has 172.168.3.254 tell 172.168.3.1 19.24:18.328895 In arp who-has 172.168.3.254 tell
172.168.3.1
19.24:18.332956 In arn who has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
A. The server is in the wrong VLAN.
B. The firewall has a filter enabled to blocktrafficfrom the server.
C. The firewall has been misconfigured with the incorrect routing-instance.
D. The server has been misconfigured with the wrong IP address.
正解:C
質問 3:
You are asked to change the configuration of your company's SRX device so that you can block nested traffic from certain Web sites, but the main pages of these Web sites must remain available to users.Which two methods will accomplish this goal? (Choose two.)
A. Implement a firewall filter for Web traffic.
B. Configure an application firewall rule set.
C. Use an IDP policy to inspect the Web traffic.
D. Enable the HTTP ALG.
正解:A,B
解説: (Pass4Test メンバーにのみ表示されます)
質問 4:
An external host is attacking your network. The host sends an HTTP request to a Web server, but does not include the version of HTTP in the request.
Which type of attack is being performed?
A. signature-based attack
B. anomaly
C. application identification
D. fingerprinting
正解:B
解説: (Pass4Test メンバーにのみ表示されます)
質問 5:
Which two statements are true about an interconnect logical system on an SRX Series device? (Choose two.)
A. VXLAN is used to switch inter-LSYS-traffic.
B. VPLS is used to switch inter-LSYS traffic.
C. The root and user LSYSs connect to the interconnect LSYS usingvtinterfaces.
D. The root and user LSYSs connect to the interconnect LSYS usingltinterfaces.
正解:B,D
質問 6:
-- Exhibit -[edit] user@srx# run show route
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:09:08 > to 172.18.1.1 via ge-0/0/3.0 10.210.14.128/27 *[Direct/0] 8w6d 15:43:09 > via ge-0/0/0.0 10.210.14.135/32 *[Local/0] 11w0d 06:43:04 Local via ge-0/0/0.0 172.18.1.0/30 *[Direct/0] 8w6d 15:43:01 > via ge-0/0/3.0 172.18.1.2/32 *[Local/0] 11w0d 06:43:03 Local via ge-0/0/3.0 172.19.1.0/24 *[Direct/0] 03:46:56 > via ge-0/0/1.0 172.19.1.1/32 *[Local/0] 03:46:56 Local via ge-0/0/1.0 172.20.105.0/24 *[Direct/0] 03:46:56 > via ge-0/0/4.105 172.20.105.1/32 *[Local/0] 03:46:56 Local via ge-0/0/4.105 192.168.30.1/32 *[Direct/0] 4d 03:44:41 > via lo0.0
fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:00:11 > to 172.19.1.2 via ge-0/0/1.0 172.19.1.0/24 *[Direct/0] 00:00:11 > via ge-0/0/1.0
[edit]
user@srx# show routing-instances
fbf {
routing-options {
static {
route 0.0.0.0/0 next-hop 172.19.1.2;
}
}
}
[edit]
user@srx# show routing-options
interface-routes {
rib-group inet fbf-int;
}
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
fbf-int {
import-rib [ inet.0 fbf.inet.0 ];
import-policy fbf-pol;
}
}
[edit]
user@srx# show policy-options policy-statement fbf-pol
term 1 {
from interface ge-0/0/1.0;
to rib fbf.inet.0;
then accept;
}
term 2 {
then reject;
}
-- Exhibit -
Referring to the exhibit, you notice that filter-based forwarding is not working.
What is the reason for this behavior?
A. The default static routes are configured incorrectly.
B. The routing policy is configured incorrectly.
C. The routing instance is configured incorrectly.
D. The RIB group is configured incorrectly.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 7:
You are asked to implement a Dynamic IPsec VPN on your new SRX240. You are required to facilitate up to 5 simultaneous users.
Which two statements must be considered when accomplishing the task?
A. Your devices must be in a chassis cluster.
B. You must use main mode for your IKE phase 1 policy.
C. You must acquire at least three additional licenses.
D. You must be a policy-based VPN.
正解:C,D
質問 8:
Given the following session output:
Session ID., Policy namE.default-policy-00/2, StatE.Active, Timeout: 1794, Valid
In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, IF.reth0.0, Pkts: 4, Bytes: 574
Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, IF.reth1.0, Pkts: 3, Bytes:
Which statement is correct about the security flow session output?
A. NAT64 is used.
B. This session is about to expire.
C. The IPv4 Web server runs services on TCP port 24770.
D. Proxy NDP is used for this session.
正解:A
解説: (Pass4Test メンバーにのみ表示されます)
質問 9:
You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together.What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.
C. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
D. Send SNMP traps with bandwidth usage to a central SNMP server.
正解:A,B
解説: (Pass4Test メンバーにのみ表示されます)
Which configuration statement would allow the SRX Series device to match a signature only on the first match, and not subsequent signature matches in a connection?
A. user@host# set security idp idp-policy test rulebase-ips rule 1 then action ignore-connection
B. user@host# set security idp idp-policy test rulebase-ips rule 1 then action drop-
connection
C. user@host# set security idp idp-policy test rulebase-ips rule 1 then action no-action
D. user@host# set security idp idp-policy test rulebase-ips rule 1 then action recommended
正解:A
質問 2:
Click the Exhibit button.
user@host> monitor traffic interface ge-0/0/3
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/3, capture size 96 bytes
Reverse lookup for 172.168.3.254 failed (check DNS reachability). Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lockups on IP addresses.
19:24:16.320907 In arp who-has 172.168.3.254 tell 172.168.3.1 19.24:17.322751 In arp who has 172.168.3.254 tell 172.168.3.1 19.24:18.328895 In arp who-has 172.168.3.254 tell
172.168.3.1
19.24:18.332956 In arn who has 172.168.3.254 tell 172.168.3.1
A new server has been set up in your environment. The administrator suspects that the firewall is blocking the traffic from the new server. Previously existing servers in the VLAN are working correctly. After reviewing the logs, you do not see any traffic for the new server.
Referring to the exhibit, what is the cause of the problem?
A. The server is in the wrong VLAN.
B. The firewall has a filter enabled to blocktrafficfrom the server.
C. The firewall has been misconfigured with the incorrect routing-instance.
D. The server has been misconfigured with the wrong IP address.
正解:C
質問 3:
You are asked to change the configuration of your company's SRX device so that you can block nested traffic from certain Web sites, but the main pages of these Web sites must remain available to users.Which two methods will accomplish this goal? (Choose two.)
A. Implement a firewall filter for Web traffic.
B. Configure an application firewall rule set.
C. Use an IDP policy to inspect the Web traffic.
D. Enable the HTTP ALG.
正解:A,B
解説: (Pass4Test メンバーにのみ表示されます)
質問 4:
An external host is attacking your network. The host sends an HTTP request to a Web server, but does not include the version of HTTP in the request.
Which type of attack is being performed?
A. signature-based attack
B. anomaly
C. application identification
D. fingerprinting
正解:B
解説: (Pass4Test メンバーにのみ表示されます)
質問 5:
Which two statements are true about an interconnect logical system on an SRX Series device? (Choose two.)
A. VXLAN is used to switch inter-LSYS-traffic.
B. VPLS is used to switch inter-LSYS traffic.
C. The root and user LSYSs connect to the interconnect LSYS usingvtinterfaces.
D. The root and user LSYSs connect to the interconnect LSYS usingltinterfaces.
正解:B,D
質問 6:
-- Exhibit -[edit] user@srx# run show route
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:09:08 > to 172.18.1.1 via ge-0/0/3.0 10.210.14.128/27 *[Direct/0] 8w6d 15:43:09 > via ge-0/0/0.0 10.210.14.135/32 *[Local/0] 11w0d 06:43:04 Local via ge-0/0/0.0 172.18.1.0/30 *[Direct/0] 8w6d 15:43:01 > via ge-0/0/3.0 172.18.1.2/32 *[Local/0] 11w0d 06:43:03 Local via ge-0/0/3.0 172.19.1.0/24 *[Direct/0] 03:46:56 > via ge-0/0/1.0 172.19.1.1/32 *[Local/0] 03:46:56 Local via ge-0/0/1.0 172.20.105.0/24 *[Direct/0] 03:46:56 > via ge-0/0/4.105 172.20.105.1/32 *[Local/0] 03:46:56 Local via ge-0/0/4.105 192.168.30.1/32 *[Direct/0] 4d 03:44:41 > via lo0.0
fbf.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:00:11 > to 172.19.1.2 via ge-0/0/1.0 172.19.1.0/24 *[Direct/0] 00:00:11 > via ge-0/0/1.0
[edit]
user@srx# show routing-instances
fbf {
routing-options {
static {
route 0.0.0.0/0 next-hop 172.19.1.2;
}
}
}
[edit]
user@srx# show routing-options
interface-routes {
rib-group inet fbf-int;
}
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
fbf-int {
import-rib [ inet.0 fbf.inet.0 ];
import-policy fbf-pol;
}
}
[edit]
user@srx# show policy-options policy-statement fbf-pol
term 1 {
from interface ge-0/0/1.0;
to rib fbf.inet.0;
then accept;
}
term 2 {
then reject;
}
-- Exhibit -
Referring to the exhibit, you notice that filter-based forwarding is not working.
What is the reason for this behavior?
A. The default static routes are configured incorrectly.
B. The routing policy is configured incorrectly.
C. The routing instance is configured incorrectly.
D. The RIB group is configured incorrectly.
正解:C
解説: (Pass4Test メンバーにのみ表示されます)
質問 7:
You are asked to implement a Dynamic IPsec VPN on your new SRX240. You are required to facilitate up to 5 simultaneous users.
Which two statements must be considered when accomplishing the task?
A. Your devices must be in a chassis cluster.
B. You must use main mode for your IKE phase 1 policy.
C. You must acquire at least three additional licenses.
D. You must be a policy-based VPN.
正解:C,D
質問 8:
Given the following session output:
Session ID., Policy namE.default-policy-00/2, StatE.Active, Timeout: 1794, Valid
In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::aafe/80;tcp, IF.reth0.0, Pkts: 4, Bytes: 574
Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, IF.reth1.0, Pkts: 3, Bytes:
Which statement is correct about the security flow session output?
A. NAT64 is used.
B. This session is about to expire.
C. The IPv4 Web server runs services on TCP port 24770.
D. Proxy NDP is used for this session.
正解:A
解説: (Pass4Test メンバーにのみ表示されます)
質問 9:
You are asked to establish a baseline for your company's network traffic to determine the bandwidth usage per application. You want to undertake this task on the central SRX device that connects all segments together.What are two ways to accomplish this goal? (Choose two.)
A. Configure a mirror port on the SRX device to capture all traffic on a data collection server for further investigation.
B. Enable AppTrack on the SRX device and configure a remote syslog server to receive AppTrack messages.
C. Use interface packet counters for all permitted and denied traffic and calculate the values using Junos scripts.
D. Send SNMP traps with bandwidth usage to a central SNMP server.
正解:A,B
解説: (Pass4Test メンバーにのみ表示されます)
0 お客様のコメント