System logging is enabled on a branch SRX Series device, but security logs do not appear in the monitor charts.
How would you solve this problem?
2 What is the correct application mapping sequence when a user goes to Facebook for the
first time through an SRX Series device?
A. first packet > process packet > check application system cache > classify application >
process packet > match and identify application
B. first packet > check application system cache > process packet > classify application >
match and identify application
C. first packet > check application system cache > classify application > process packet >
match and identify application
D. first packet > process packet > check application system cache > classify application >
match and identify application
jaruch8412
4 months, 2 weeks ago
The answer should be B.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-application-identification-overview.html#mapping-sequence
3 After using Security Director to add a new firewall policy rule on an SRX Series device,
you notice that the hit count on the policy is not increasing. Upon further investigation, you find
that the devices listed in the new rule are able to communicate as expected. Your firewall policy
consists of hundreds of rules.
Using only Security Director, how do you find the rule that is allowing the communication to
occur in this scenario?
4 Your network includes SRX Series devices at the headquarters location. The SRX Series
devices at this location are part of a high availability chassis cluster and are configured for IPS.
There has been a node failover.
In this scenario, which statement is true?
6 Referring to the configuration shown in the exhibit, which statement explains why
traffic matching the IDP signature DNS:OVERFLOW:TOO-LONG-TCP-MSG is not being
stopped by the SRX Series device?
Which statement explains the current state value of the command output shown in the exhibit?
A. A valid response was received from a domain PC probe, and the user is a valid domain
user programmed in the PFE.
B. An invalid response was received from a domain PC probe, and the user is an invalid
domain user.
C. A probe event generated an entry in the authentication table, but no probe response has
been received from the domain PC.
D. The user-to-address mapping was successfully read from the domain controller event
logs, and an entry was added to the authentication table which currently
jaruch8412
4 months, 2 weeks ago
Answer D is correct. "Initial—Specifies that IP address-to-user mapping information was
obtained by reading domain controller event logs and an entry was added to the
authentication table. Entries in this state are changed to valid when the table is pushed
from the Routing Engine to the Packet Forwarding Engine. "
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-user-auth-intergrated-user-firewall-overview.html#jd0e478
8 Using the Policy Controller API, which configuration would post Sky ATP with PE
mode to the Policy Enforcer controller configuration?
9 Referring to the exhibit, you have expanded the disk storage size in ESXi for your log
collector from 500 GB to 600 GB. However, your log collector's disk size has not changed.
Given the scenario, which two statements are true? (Choose two.)
A. You must run a script from the console to expand the disk size.
B. The ESXi storage parameter is not associated with the Elasticsearch disk size
parameter.
C. You must reboot the log collector for storage settings to be updated.
D. You must re-run the log collector setup script to update the storage settings.
jaruch8412
4 months, 2 weeks ago
https://www.juniper.net/documentation/en_US/junos-space16.1/topics/task/operational/junos-space-size-vm-disk-log-collector-expanding.html
10 Which two parameters are required to match in an IDP rule for the terminal option to
take effect? (Choose two.)
A. attacks custom-attacks
B. attacks predefined-attacks
C. application
D. source-address
jaruch8412
4 months, 2 weeks ago
I would choose answers C and D.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-idp-policy-rules-and-rulebases.html#id-understanding-idp-terminal-rules
upvoted 1 times
MuadDib
3 months, 3 weeks ago
Since A and B are the exempt conditions, C and D should be indeed correct.
upvoted 1 times
MuadDib
3 months, 2 weeks ago
The rule states it has to match source, destination, zone and application. It does not have
to match attacks, so definitely C and D.
11 Your network includes SRX Series devices at the headquarters location. The SRX Series
devices at this location are part of a high availability chassis cluster and are configured for IPS.
There has been a node failover.
In this scenario, which two statements are true? (Choose two.)
Referring to the exhibit, how many AppTrack logs will be generated for an HTTP session lasting
12 minutes?
A. 4
B. 2
C. 1
D. 3
darknight
5 months ago
3 is correct. Refer to: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-application-tracking.html
"The default interval between messages is 5 minutes. If a session starts and ends within this update interval, AppTrack generates one message at session close. However, if the session is long-lived, an update message is sent every 5 minutes. The session-update-interval minutes is configurable as shown in this step"
upvoted 2 times
MYN
4 months, 1 week ago
Agreed
upvoted 1 times
MYN
4 months, 1 week ago
When did you take the exam? Mine is this week, hope questions are updated here.
upvoted 1 times
MuadDib
3 months, 3 weeks ago
Actually, 4 is the correct answer. Check the line with the first update. That is at minute 1.
So there will be an update at minutes 1, 6, 11 and close of session at 12 minute-mark.
14 Your network includes SRX Series devices at the headquarters location. The SRX Series
devices at this location are part of a high availability chassis cluster and are expected to support
several UTM features.
Which two statements related to this environment are true? (Choose two.)
A. UTM features can be configured on either of the nodes within the cluster.
B. The chassis cluster must be configured for active/active mode.
C. UTM features must be configured on the primary node within the cluster.
D. The chassis cluster must be configured for active/backup mode.
jaruch8412
4 months, 2 weeks ago
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-configuring-utm-for-chassis-cluster.html
15 You are implementing user authentication on your network using an SRX Series device
and want to ensure that there are redundant forms of authentication for users to access the
network. You have configured the device with the integrated user firewall and user role firewall
features. You are testing failover methods using the default priority values.
In this scenario, which two statements are true? (Choose two.)
A. If the user fails local authentication, then the Junos OS will attempt to authenticate the
user with a user role firewall.
B. If the user fails user role firewall authentication, then the Junos OS will attempt to
authenticate the user with an integrated user firewall.
C. If the user fails integrated user firewall authentication, then the Junos OS will
attempt to authenticate with a user role firewall.
D. If the user fails local authentication, then the Junos OS will attempt to
authenticate the user with an integrated user firewall.
Referring to the exhibit, the host has been automatically blocked from communicating on the
network because a malicious file was downloaded. You cleaned the infected host and changed
the investigation status to Resolved Fixed.
What does Sky ATP do if the host then attempts to download a malicious file that would result in
a threat score of 10?
A. Sky ATP does not log the connection attempt and an SRX Series device does not
allow the host to communicate on the network.
B. Sky ATP logs the connection attempt and an SRX Series device does not allow the
host to communicate on the network.
C. Sky ATP logs the connection attempt and an SRX Series device allows the host to
communicate on the network.
D. Sky ATP does not log the connection attempt and an SRX Series device allows the
host to communicate on the network.
jaruch8412
4 months, 2 weeks ago
In my opinion the correct answer is B
https://www.juniper.net/documentation/en_US/junos-space18.3/policy-enforcer/topics/concept/junos-space-policy-enforcer-sky-atp-host-detail.html
upvoted 1 times
MuadDib
3 months, 3 weeks ago
I would go with the current answer, C, since after you resolve it, the level goes back to 0
and the next one will be allowed through.
upvoted 1 times
Chucky
3 months, 3 weeks ago
I cannot find a good source to confirm this answer. There's no such information on
Juniper web documentation.
upvoted 1 times
MuadDib
3 months, 2 weeks ago
The Juniper SRX web documentation isn't clear on this, but it does say that the host level
will go back to 0 because of the Resolved Fixed status. Therefore it should allow it
through. The only other feasible option is the one put forward by jaruch. But that answer
can also not be confirmed so far.
17 Your network includes SRX Series devices at all headquarter, data center, and branch
locations. The headquarter and data center locations use high-end SRX
Series devices, and the branch locations use branch SRX Series devices. You are asked to deploy
IPS on the SRX Series devices using one of the available IPS deployment modes.
In this scenario, which two statements are true? (Choose two.)