
1 You have configured a log collector VM and Security Director. System logging is enabled on a branch SRX Series device, but security logs do not appear in the monitor charts.
How would you solve this problem?

A. Configure a security policy to forward logs to the collector.
B. Configure application identification on the SRX Series device.
C. Configure security logging on the SRX Series device.
D. Configure J-Flow on the SRX Series device.

jaruch8412
4 months, 2 weeks ago
I would choose A as the correct answer.
upvoted 1 times

jaruch8412
4 months, 2 weeks ago
There is nothing like "security logging" on an SRX device.
upvoted 1 times

MuadDib
3 months, 2 weeks ago
Actually, you can configure security logging on the SRX device. It's under syslog. So the answer should be C.

2 What is the correct application mapping sequence when a user goes to Facebook for the first time through an SRX Series device?

A. first packet > process packet > check application system cache > classify application > process packet > match and identify application
B. first packet > check application system cache > process packet > classify application > match and identify application
C. first packet > check application system cache > classify application > process packet > match and identify application
D. first packet > process packet > check application system cache > classify application > match and identify application

jaruch8412
4 months, 2 weeks ago
The answer should be B.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-application-identification-overview.html#mapping-sequence

3 After using Security Director to add a new firewall policy rule on an SRX Series device, you notice that the hit count on the policy is not increasing. Upon further investigation, you find that the devices listed in the new rule are able to communicate as expected. Your firewall policy consists of hundreds of rules.
Using only Security Director, how do you find the rule that is allowing the communication to occur in this scenario?

A. Generate a Top Firewall Rules report.
B. Generate a Policy Analysis report.
C. Generate a Top Source IPs report.
D. Generate a Top Firewall Events report.

jaruch8412
4 months, 2 weeks ago
It should be answer B: Generate Policy Analysis report. "Select the anomaly type that you want to include in the report: Shadowed—Select this option to identify any shadowed rules. A rule is shadowed when all the packets of a previous rule match with the current rule. By selecting this option, the shadowed rules are not evaluated. Redundant—Select this option to identify redundant or duplicate rules. A redundant rule performs the same action on the same packets as another rule. The security policy is not affected by removing the redundant rules." https://www.juniper.net/documentation/en_US/junos-space16.1/topics/task/configuration/junos-space-policy-analysis-report-definition-creating.html
upvoted 1 times

MuadDib
3 months, 2 weeks ago
It is D, since the events show almost everything needed for this. They are under different tabs, but it is answer D.

4 Your network includes SRX Series devices at the headquarters location. The SRX Series devices at this location are part of a high availability chassis cluster and are configured for IPS. There has been a node failover.
In this scenario, which statement is true?

A. Existing sessions continue to be processed by IPS because of table synchronization.
B. Existing sessions are no longer processed by IPS and become firewall sessions.
C. Existing sessions continue to be processed by IPS as long as GRES is configured.
D. Existing sessions are dropped and must be reestablished so IPS processing can occur.

jaruch8412
4 months, 2 weeks ago
Answer B is correct. "No inspection is performed on sessions that fail over or fail back. Only new sessions after a failover are inspected by IPS, and older sessions become firewall sessions." https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-migration-introduction.html#jd0e182

5 You are scanning files that are being transferred from the Internet to hosts on your internal network with Sky ATP. However, you notice that files that are 1 GB in size are not being scanned by Sky ATP.
In this scenario, which two statements are true? (Choose two.)

A. The Sky ATP failback option is set to permit.
B. The Sky ATP engine or the SRX Series device is too busy.
C. The 1 GB file size is larger than the scan size limit for Sky ATP.
D. The Sky ATP policy on the SRX Series device is misconfigured.

jaruch8412
4 months, 2 weeks ago
I would say the correct answers are A and C. "You can also define the maximum file size requirement per each category to send to the cloud. If a file falls outside of the maximum file size limit, use the Sky ATP policy fallback option to either allow or deny the file to be downloaded. For more information, see Sky Advanced Threat Prevention Policy Overview." https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/reference/general/sky-atp-profile-overview.html

6 Referring to the configuration shown in the exhibit, which statement explains why traffic matching the IDP signature DNS:OVERFLOW:TOO-LONG-TCP-MSG is not being stopped by the SRX Series device?

A. The security policy dmz-pol1 has an action of permit.
B. The IDP policy idp-pol1 is not configured as active.
C. The IDP rule r2 has an ip-action value of notify.
D. The IDP rule r1 has an action of ignore-connection.

Maw
7 months, 1 week ago
I think answer D makes more sense for this question.

7 Click the Exhibit button.

Which statement explains the current state value of the command output shown in the exhibit?

A. A valid response was received from a domain PC probe, and the user is a valid domain user programmed in the PFE.
B. An invalid response was received from a domain PC probe, and the user is an invalid domain user.
C. A probe event generated an entry in the authentication table, but no probe response has been received from the domain PC.
D. The user-to-address mapping was successfully read from the domain controller event logs, and an entry was added to the authentication table which currently

jaruch8412
4 months, 2 weeks ago
Answer D is correct. "Initial—Specifies that IP address-to-user mapping information was obtained by reading domain controller event logs and an entry was added to the authentication table. Entries in this state are changed to valid when the table is pushed from the Routing Engine to the Packet Forwarding Engine." https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-intergrated-user-firewall-overview.html#jd0e478

8 Using the Policy Controller API, which configuration would post Sky ATP with PE mode to the Policy Enforcer controller configuration?

A. "configs": { "sdsn": false "cloudonly": true }
B. "configs": { "sdsn": false "cloud": false }
C. "configs": { "sdsn": true "cloudonly": false }
D. "configs": { "sdsn": false "cloud": true }

jaruch8412
4 months, 2 weeks ago
https://www.juniper.net/documentation/en_US/release-independent/policy-enforcer/topics/concept/policy-controler-config.html

9 Referring to the exhibit, you have expanded the disk storage size in ESXi for your log collector from 500 GB to 600 GB. However, your log collector's disk size has not changed.
Given the scenario, which two statements are true? (Choose two.)

A. You must run a script from the console to expand the disk size.
B. The ESXi storage parameter is not associated with the Elasticsearch disk size parameter.
C. You must reboot the log collector for storage settings to be updated.
D. You must re-run the log collector setup script to update the storage settings.

jaruch8412
4 months, 2 weeks ago
https://www.juniper.net/documentation/en_US/junos-space16.1/topics/task/operational/junos-space-size-vm-disk-log-collector-expanding.html

10 Which two parameters are required to match in an IDP rule for the terminal option to take effect? (Choose two.)

A. attacks custom-attacks
B. attacks predefined-attacks
C. application
D. source-address

jaruch8412
4 months, 2 weeks ago
I would choose answers C and D.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-policy-rules-and-rulebases.html#id-understanding-idp-terminal-rules
upvoted 1 times

MuadDib
3 months, 3 weeks ago
Since A and B are the exempt conditions, C and D should be indeed correct.
upvoted 1 times

MuadDib
3 months, 2 weeks ago
The rule states it has to match source, destination, zone and application. It does not have to match attacks, so definitely C and D.

11 Your network includes SRX Series devices at the headquarters location. The SRX Series devices at this location are part of a high availability chassis cluster and are configured for IPS. There has been a node failover.
In this scenario, which two statements are true? (Choose two.)

A. The IP action table is synchronized between the chassis cluster nodes.
B. Cached SSL session ID information for existing sessions is not synchronized between nodes.
C. The IP action table is not synchronized between the chassis cluster nodes.
D. Cached SSL session ID information for existing sessions is synchronized between nodes.

jaruch8412
4 months, 2 weeks ago
The correct answer should be B and C.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-migration-introduction.html#jd0e182

12 While reviewing the Log and Reporting portion of Security Director, you find that multiple objects reference the same address. You want to use a standardized name for all of the objects.
In this scenario, how would you create a standardized object name without searching the entire policy?

A. Remove the duplicate objects.
B. Merge the duplicate objects.
C. Rename the duplicate objects.
D. Replace the duplicate objects.

jaruch8412
4 months, 2 weeks ago
https://www.juniper.net/documentation/en_US/junos-space18.1/topics/task/operational/junos-space-objects-policies-duplicate-showing.html

13 Click the Exhibit button.

Referring to the exhibit, how many AppTrack logs will be generated for an HTTP session lasting 12 minutes?

A. 4
B. 2
C. 1
D. 3

darknight
5 months ago
3 is correct. Refer to: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-application-tracking.html "The default interval between messages is 5 minutes. If a session starts and ends within this update interval, AppTrack generates one message at session close. However, if the session is long-lived, an update message is sent every 5 minutes. The session-update-interval minutes is configurable as shown in this step"
upvoted 2 times

MYN
4 months, 1 week ago
Agreed
upvoted 1 times

MYN
4 months, 1 week ago
When did you take the exam? Mine is this week, hope questions are updated here.
upvoted 1 times

MuadDib
3 months, 3 weeks ago
Actually, 4 is the correct answer. Check the line with the first update. That is at minute 1. So there will be an update at minutes 1, 6, 11 and close of session at the 12-minute mark.

14 Your network includes SRX Series devices at the headquarters location. The SRX Series devices at this location are part of a high availability chassis cluster and are expected to support several UTM features.
Which two statements related to this environment are true? (Choose two.)

A. UTM features can be configured on either of the nodes within the cluster.
B. The chassis cluster must be configured for active/active mode.
C. UTM features must be configured on the primary node within the cluster.
D. The chassis cluster must be configured for active/backup mode.

jaruch8412
4 months, 2 weeks ago
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-configuring-utm-for-chassis-cluster.html

15 You are implementing user authentication on your network using an SRX Series device and want to ensure that there are redundant forms of authentication for users to access the network. You have configured the device with the integrated user firewall and user role firewall features. You are testing failover methods using the default priority values.
In this scenario, which two statements are true? (Choose two.)

A. If the user fails local authentication, then the Junos OS will attempt to authenticate the user with a user role firewall.
B. If the user fails user role firewall authentication, then the Junos OS will attempt to authenticate the user with an integrated user firewall.
C. If the user fails integrated user firewall authentication, then the Junos OS will attempt to authenticate with a user role firewall.
D. If the user fails local authentication, then the Junos OS will attempt to authenticate the user with an integrated user firewall.

16 Click the Exhibit button.

Referring to the exhibit, the host has been automatically blocked from communicating on the network because a malicious file was downloaded. You cleaned the infected host and changed the investigation status to Resolved Fixed.
What does Sky ATP do if the host then attempts to download a malicious file that would result in a threat score of 10?

A. Sky ATP does not log the connection attempt and an SRX Series device does not allow the host to communicate on the network.
B. Sky ATP logs the connection attempt and an SRX Series device does not allow the host to communicate on the network.
C. Sky ATP logs the connection attempt and an SRX Series device allows the host to communicate on the network.
D. Sky ATP does not log the connection attempt and an SRX Series device allows the host to communicate on the network.

jaruch8412
4 months, 2 weeks ago
In my opinion the correct answer is B.
https://www.juniper.net/documentation/en_US/junos-space18.3/policy-enforcer/topics/concept/junos-space-policy-enforcer-sky-atp-host-detail.html
upvoted 1 times

MuadDib
3 months, 3 weeks ago
I would go with the current answer, C, since after you resolve it, the level goes back to 0 and the next one will be allowed through.
upvoted 1 times

Chucky
3 months, 3 weeks ago
I cannot find a good source to confirm this answer. There's no such information on Juniper web documentation.
upvoted 1 times

MuadDib
3 months, 2 weeks ago
The Juniper SRX web documentation isn't clear on this, but it does say that the host level will go back to 0, because of the Resolve fixed status. Therefore it should allow it through. The only other feasible option is the one put forward by jaruch. But that answer can also not be confirmed so far.

17 Your network includes SRX Series devices at all headquarter, data center, and branch locations. The headquarter and data center locations use high-end SRX Series devices, and the branch locations use branch SRX Series devices. You are asked to deploy IPS on the SRX Series devices using one of the available IPS deployment modes.
In this scenario, which two statements are true? (Choose two.)

A. Inline tap mode provides enforcement.
B. Inline tap mode can be used at all locations.
C. Integrated mode can be used at all locations.
D. Integrated mode provides enforcement.

jaruch8412
4 months, 2 weeks ago
https://kb.juniper.net/InfoCenter/index?page=content&id=KB27717&cat=INTRUSION_DETECTION&actp=LIST
