-- Exhibit --
user@host> show configuration
...
security {
    nat {
        destination {
            pool server {
                address 10.100.100.1/32 port 5555;
            }
            rule-set rule1 {
                from zone UNTRUST;
                rule 1 {
                    match {
                        destination-address 192.168.100.1/32;
                        destination-port 5000;
                    }
                    then {
                        destination-nat pool server;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/1.0 {
                address {
                    192.168.100.1/32;
                }
            }
        }
    }
    policies {
        from-zone UNTRUST to-zone TRUST {
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ping tcp-5000 ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone TRUST {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone UNTRUST {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
}
applications {
    application tcp-5000 {
        protocol tcp;
        destination-port 5000;
    }
}
-- Exhibit --
Your customer is attempting to reach a new server that should be accessible publicly using 192.168.100.100 on TCP port 5000, and internally using 10.100.100.1 on TCP port 5555. You notice no sessions form when the customer attempts to access the server.
Referring to the exhibit, what will resolve this problem?
A. The NAT pool server must use port 5000.
B. There must be a TRUST-to-UNTRUST security policy to allow return traffic.
C. The UNTRUST-to-TRUST security policy must allow port 5555.
D. The NAT rule set rule1 must match on port 5555.
Correct answer: C
Question 2:
Two SRX Series devices are having problems establishing an IPsec VPN session. One of the devices has a firewall filter applied to its gateway interface that rejects UDP traffic.
What would resolve the problem?
A. Disable the IKE Phase 1 part of the session establishment.
B. Edit the firewall filter to allow UDP port 500.
C. Disable the IKE Phase 2 part of the session establishment.
D. Change the configuration so that session establishment uses TCP.
Correct answer: A
Question 3:
When attempting to delete IDP policies and configurations from an SRX Series device, a user enters these configuration commands:
delete security idp
commit
However, after the commit has completed, the configuration is still present under the [edit security idp] hierarchy.
What should the user do to permanently remove the configuration?
A. Delete the IDP templates commit script from the [edit system scripts commit] hierarchy, delete the [edit security idp] hierarchy, and then commit the change.
B. Delete the /var/db/scripts/commit/templates.xsl file and reboot the device.
C. Stop the idpd process using the set system processes idp-policy disable configuration command, commit the change, delete the [edit security idp] hierarchy, and then commit that change.
D. Delete the [edit security idp] hierarchy, commit the change, and immediately reboot the device.
Correct answer: A
Question 4:
Your SRX Series device has the following configuration:
user@host> show security policies
...
Policy: my-policy, State: enabled, Index: 5, Sequence number: 1
Source addresses: any Destination addresses: any
Applications: snmp
Action: reject
From zone: trust, To zone: untrust
...
When traffic matches my-policy, you want the device to silently drop the traffic; however, you notice that the device is replying with ICMP unreachable messages instead.
What is causing this behavior?
A. the trust zone
B. the untrust zone
C. the snmp application
D. the reject action
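Correct answer: A
Satou -
I kept looking at it even during my regular train rides. Thanks to that, I passed the exam. Convenient and easy to understand! For an office worker like me, it's the best. Thank you, Pass4Test.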