Download - Juniper JN0-332 v6
-
8/22/2019 Juniper JN0-332 v6
1/103
Juniper JN0-332
Juniper Networks Certified Internet Specialist, SEC
(JNCIS-SEC)
Version: 6.0
QUESTION NO: 1
Which configuration keyword ensures that all in-progress sessions are re-evaluated upon
committing a security policy change?
A. policy-rematch
B. policy-evaluate
C. rematch-policy
D. evaluate-policy
Answer: A
Explanation:
QUESTION NO: 2
Click the Exhibit button.
You need to alter the security policy shown in the exhibit to send matching traffic to an IPsec VPN
tunnel. Which command causes traffic to be sent through an IPsec VPN named remote-vpn?
A. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel remote-vpn
B. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn
C. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit ipsec-vpn remote-vpn
D. [edit security policies from-zone trust to-zone untrust]
user@host# set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D
Explanation:
Juniper JN0-332 Exam
"Pass Any Exam. Any Time." - www.actualtests.com 2
QUESTION NO: 3
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by AH?
(Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,C,E
Explanation:
QUESTION NO: 4
You must configure a SCREEN option that would protect your router from a session table
flood. Which configuration meets this requirement?
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
icmp {
ip-sweep threshold 5000;
flood threshold 2000;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
tcp {
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
udp {
flood threshold 5000;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
limit-session {
source-ip-based 1200;
destination-ip-based 1200;
}
}
Answer: D
Explanation:
QUESTION NO: 5
Which type of Web filtering by default builds a cache of server actions associated with each URL it
has checked?
A. Websense Redirect Web filtering
B. integrated Web filtering
C. local Web filtering
D. enhanced Web filtering
Answer: B
Explanation:
QUESTION NO: 6
Which security or functional zone name has special significance to the Junos OS?
A. self
B. trust
C. untrust
D. junos-global
Answer: D
Explanation:
QUESTION NO: 7
Which command do you use to display the status of an antivirus database update?
A. show security utm anti-virus status
B. show security anti-virus database status
C. show security utm anti-virus database
D. show security utm anti-virus update
Answer: A
Explanation:
QUESTION NO: 8
Which statement contains the correct parameters for a route-based IPsec VPN?
A. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
interface ge-0/0/1.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}
B. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
interface st0.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}
C. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
bind-interface ge-0/0/1.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}
D. [edit security ipsec]
user@host# show
proposal ike1-proposal {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3200;
}
policy ipsec1-policy {
perfect-forward-secrecy {
keys group2;
}
proposals ike1-proposal;
}
vpn VpnTunnel {
bind-interface st0.0;
ike {
gateway ike1-gateway;
ipsec-policy ipsec1-policy;
}
establish-tunnels immediately;
}
Answer: D
Explanation:
QUESTION NO: 9
Which zone is system-defined?
A. security
B. functional
C. junos-global
D. management
Answer: C
Explanation:
QUESTION NO: 10
You want to allow your device to establish OSPF adjacencies with a neighboring device connected
to interface ge-0/0/3.0. Interface ge-0/0/3.0 is a member of the HR zone. Under which configuration
hierarchy must you permit OSPF traffic?
A. [edit security policies from-zone HR to-zone HR]
B. [edit security zones functional-zone management protocols]
C. [edit security zones protocol-zone HR host-inbound-traffic]
D. [edit security zones security-zone HR host-inbound-traffic protocols]
Answer: D
Explanation:
QUESTION NO: 11
Which three statements are true regarding IDP? (Choose three.)
A. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
B. IDP inspects traffic up to the Application Layer.
C. IDP searches the data stream for specific attack patterns.
D. IDP inspects traffic up to the Presentation Layer.
E. IDP can drop packets, close sessions, prevent future sessions, and log attacks for review by
network administrators when an attack is detected.
Answer: B,C,E
Explanation:
QUESTION NO: 12
Click the Exhibit button.
Your IKE SAs are up, but the IPsec SAs are not up. Referring to the exhibit, what is the problem?
A. One or more of the phase 2 proposals such as authentication algorithm, encryption algorithm
do not match.
B. The tunnel interface is down.
C. The proxy IDs do not match.
D. The IKE proposals do not match the IPsec proposals.
Answer: C
Explanation:
QUESTION NO: 13
Which two statements regarding symmetric key encryption are true? (Choose two.)
A. The same key is used for encryption and decryption.
B. It is commonly used to create digital certificate signatures.
C. It uses two keys: one for encryption and a different key for decryption.
D. An attacker can decrypt data if the attacker captures the key used for encryption.
Answer: A,D
Explanation:
QUESTION NO: 14
Regarding content filtering, what are two pattern lists that can be configured in the Junos OS?
(Choose two.)
A. protocol list
B. MIME
C. block list
D. extension
Answer: B,D
Explanation:
QUESTION NO: 15
Which two statements are true about hierarchical architecture? (Choose two.)
A. You can assign a logical interface to multiple zones.
B. You cannot assign a logical interface to multiple zones.
C. You can assign a logical interface to multiple routing instances.
D. You cannot assign a logical interface to multiple routing instances.
Answer: B,D
Explanation:
QUESTION NO: 16
Which two statements regarding external authentication servers for firewall user authentication are
true? (Choose two.)
A. Up to three external authentication server types can be used simultaneously.
B. Only one external authentication server type can be used simultaneously.
C. If the local password database is not configured in the authentication order, and the configured
authentication server is unreachable, authentication is bypassed.
D. If the local password database is not configured in the authentication order, and the configured
authentication server rejects the authentication request, authentication is rejected.
Answer: B,D
Explanation:
QUESTION NO: 17
Click the Exhibit button.
In the exhibit, a new policy named DenyTelnet was created. You notice that Telnet traffic is still
allowed.
Which statement will allow you to rearrange the policies for the DenyTelnet policy to be evaluated
before your Allow policy?
A. insert security policies from-zone A to-zone B policy DenyTelnet before policy Allow
B. set security policies from-zone B to-zone A policy DenyTelnet before policy Allow
C. insert security policies from-zone A to-zone B policy DenyTelnet after policy Allow
D. set security policies from-zone B to-zone A policy Allow after policy DenyTelnet
Answer: A
Explanation:
QUESTION NO: 18
Which UTM feature requires a license to function?
A. integrated Web filtering
B. local Web filtering
C. redirect Web filtering
D. content filtering
Answer: A
Explanation:
QUESTION NO: 19
Click the Exhibit button.
System services SSH, Telnet, FTP, and HTTP are enabled on the SRX Series device.
Referring to the configuration shown in the exhibit, which two statements are true? (Choose two.)
A. A user can use SSH to interface ge-0/0/0.0 and ge-0/0/1.0.
B. A user can use FTP to interface ge-0/0/0.0 and ge-0/0/1.0.
C. A user can use SSH to interface ge-0/0/0.0.
D. A user can use SSH to interface ge-0/0/1.0.
Answer: B,C
Explanation:
QUESTION NO: 20
A user wants to establish an HTTP session to a server behind an SRX device but is being pointed
to a Web page on the SRX device for additional authentication. Which type of user authentication is
configured?
A. pass-through with Web redirect
B. WebAuth with HTTP redirect
C. WebAuth
D. pass-through
Answer: A
Explanation:
QUESTION NO: 21
Which two UTM features require a license to be activated? (Choose two.)
A. antispam
B. antivirus (full AV)
C. content filtering
D. Web-filtering redirect
Answer: A,B
Explanation:
QUESTION NO: 22
Which two statements in a source NAT configuration are true regarding addresses, rule-sets, or
rules that overlap? (Choose two.)
A. Addresses used for NAT pools should never overlap.
B. If more than one rule-set matches traffic, the rule-set with the most specific context takes
precedence.
C. If traffic matches two rules within the same rule-set, both rules listed in the configuration are
applied.
D. Dynamic source NAT rules take precedence over static source NAT rules.
Answer: A,B
Explanation:
QUESTION NO: 23
A network administrator has configured source NAT, translating to an address that is on a locally
connected subnet. The administrator sees the translation working, but traffic does not appear to
come back. What is causing the problem?
A. The host needs to open the telnet port.
B. The host needs a route for the translated address.
C. The administrator must use a proxy-arp policy for the translated address.
D. The administrator must use a security policy, which will allow communication between the
zones.
Answer: C
Explanation:
QUESTION NO: 24
Which statement describes an ALG?
A. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
deny the traffic.
B. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to permit the traffic to pass.
C. An ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic
policies to deny the traffic.
D. An ALG intercepts and analyzes all traffic, allocates resources, and defines dynamic policies to
permit the traffic to pass.
Answer: B
Explanation:
QUESTION NO: 25
Which three components can be leveraged when defining a local whitelist or blacklist for antispam
on a branch SRX Series device? (Choose three.)
A. spam assassin filtering score
B. sender country
C. sender IP address
D. sender domain
E. sender e-mail address
Answer: C,D,E
Explanation:
QUESTION NO: 26
What is the correct syntax for applying node-specific parameters to each node in a chassis
cluster?
A. set apply-groups node$
B. set apply-groups (node)
C. set apply-groups $(node)
D. set apply-groups (node)all
Answer: C
Explanation:
QUESTION NO: 27
Which statement describes a security zone?
A. A security zone can contain one or more interfaces.
B. A security zone can contain interfaces in multiple routing instances.
C. A security zone must contain two or more interfaces.
D. A security zone must contain bridge groups.
Answer: D
Explanation:
QUESTION NO: 28
A system administrator detects thousands of open idle connections from the same source. Which
problem can arise from this type of attack?
A. It enables an attacker to perform an IP sweep of devices.
B. It enables a hacker to know which operating system the system is running.
C. It can overflow the session table to its limit, which can result in rejection of legitimate traffic.
D. It creates a ping of death and can cause the entire network to be infected with a virus.
Answer: C
Explanation:
QUESTION NO: 29
Under which Junos hierarchy level are security policies configured?
A. [edit security]
B. [edit protocols]
C. [edit firewall]
D. [edit policy-options]
Answer: B
Explanation:
QUESTION NO: 30
You must configure a SCREEN option that would protect your device from a session table flood.
Which configuration meets this requirement?
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
icmp {
ip-sweep threshold 5000;
flood threshold 2000;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
tcp {
syn-flood {
attack-threshold 2000;
destination-threshold 2000;
}
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
udp {
flood threshold 5000;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
limit-session {
source-ip-based 1200;
destination-ip-based 1200;
}
}
Answer: D
Explanation:
QUESTION NO: 31
Which three methods of source NAT does the Junos OS support? (Choose three.)
A. interface-based source NAT
B. source NAT with address shifting
C. source NAT using static source pool
D. interface-based source NAT without PAT
E. source NAT with address shifting and PAT
Answer: A,B,C
Explanation:
QUESTION NO: 32
Which three firewall user authentication objects can be referenced in a security policy? (Choose
three.)
A. access profile
B. client group
C. client
D. default profile
E. external
Answer: A,B,C
Explanation:
QUESTION NO: 33
What is the default session timeout for TCP sessions?
A. 1 minute
B. 15 minutes
C. 30 minutes
D. 90 minutes
Answer: C
Explanation:
QUESTION NO: 34
Which three advanced permit actions within security policies are valid? (Choose three.)
A. Mark permitted traffic for firewall user authentication.
B. Mark permitted traffic for SCREEN options.
C. Associate permitted traffic with an IPsec tunnel.
D. Associate permitted traffic with a NAT rule.
E. Mark permitted traffic for IDP processing.
Answer: A,C,E
Explanation:
QUESTION NO: 35
Which statement is true regarding the Junos OS for security platforms?
A. SRX Series devices can store sessions in a session table.
B. SRX Series devices accept all traffic by default.
C. SRX Series devices must operate only in packet-based mode.
D. SRX Series devices must operate only in flow-based mode.
Answer: C
Explanation:
QUESTION NO: 36
Click the Exhibit button.
Which type of NAT is being used in the exhibit?
A. no NAT
B. destination NAT
C. source NAT
D. port address translation (PAT)
Answer: C
Explanation:
QUESTION NO: 37
At which two levels of the Junos CLI hierarchy is the host-inbound-traffic command configured?
(Choose two.)
A. [edit security idp]
B. [edit security zones security-zone trust interfaces ge-0/0/0.0]
C. [edit security zones security-zone trust]
D. [edit security screen]
Answer: B,C
Explanation:
QUESTION NO: 38
Which two parameters are configured in IPsec policy? (Choose two.)
A. mode
B. IKE gateway
C. security proposal
D. Perfect Forward Secrecy
Answer: C,D
Explanation:
QUESTION NO: 39
The SRX device receives a packet and determines that it does not match an existing session. After
SCREEN options are evaluated, what is evaluated next?
A. source NAT
B. destination NAT
C. route lookup
D. zone lookup
Answer: B
Explanation:
QUESTION NO: 40
Which zone type can be specified in a policy?
A. security
B. functional
C. user
D. system
Answer: A
Explanation:
QUESTION NO: 41
Which two statements about Junos software packet handling are correct? (Choose two.)
A. The Junos OS applies service ALGs only for the first packet of a flow.
B. The Junos OS uses fast-path processing only for the first packet of a flow.
C. The Junos OS performs policy lookup only for the first packet of a flow.
D. The Junos OS applies SCREEN options for both first and consecutive packets of a flow.
Answer: C,D
Explanation:
QUESTION NO: 42
Which Web-filtering technology can be used at the same time as integrated Web filtering on a
single branch SRX Series device?
A. Websense redirect Web filtering
B. local Web filtering (blacklist or whitelist)
C. firewall user authentication
D. ICAP
Answer: B
Explanation:
QUESTION NO: 43
In a chassis cluster with two SRX 5800 devices, the interface ge-13/0/0 belongs to which device?
A. This interface is a system-created interface.
B. This interface belongs to node 0 of the cluster.
C. This interface belongs to node 1 of the cluster.
D. This interface will not exist because SRX 5800 devices have only 12 slots.
Answer: C
Explanation:
QUESTION NO: 44
An IPsec tunnel is established on an SRX Series Gateway on an interface whose IP address was
obtained using DHCP. Which two statements are true? (Choose two.)
A. Only main mode can be used for IKE negotiation.
B. A local-identity must be defined.
C. It must be the initiator for IKE.
D. A remote-identity must be defined.
Answer: B,C
Explanation:
QUESTION NO: 45
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options are deployed at the ingress and egress sides of a packet flow.
B. Although SCREEN options are very useful, their use can result in more session creation.
C. SCREEN options offer protection against various attacks at the ingress zone of a packet flow.
D. SCREEN options examine traffic prior to policy processing, thereby resulting in fewer resources
used for malicious packet processing.
Answer: C,D
Explanation:
QUESTION NO: 46
Click the Exhibit button.
In the exhibit, you decided to change my Hosts addresses. What will happen to the new sessions
matching the policy and in-progress sessions that had already matched the policy?
A. New sessions will be evaluated. In-progress sessions will be re-evaluated.
B. New sessions will be evaluated. All in-progress sessions will continue.
C. New sessions will be evaluated. All in-progress sessions will be dropped.
D. New sessions will halt until all in-progress sessions are re-evaluated. In-progress sessions will
be re-evaluated and possibly dropped.
Answer: A
Explanation:
QUESTION NO: 47
When using UTM features in an HA cluster, which statement is true for installing the licenses on
the cluster members?
A. One UTM cluster license will activate UTM features on both members.
B. Each device will need a UTM license generated for its serial number.
C. Each device will need a UTM license generated for the cluster, but licenses can be applied to
either member.
D. HA clustering automatically comes with UTM licensing, no additional actions are needed.
Answer: B
Explanation:
QUESTION NO: 48
Which statement is true regarding NAT?
A. NAT is not supported on SRX Series devices.
B. NAT requires special hardware on SRX Series devices.
C. NAT is processed in the control plane.
D. NAT is processed in the data plane.
Answer: D
Explanation:
QUESTION NO: 49
Which two functions of the Junos OS are handled by the data plane? (Choose two.)
A. NAT
B. OSPF
C. SNMP
D. SCREEN options
Answer: A,D
Explanation:
QUESTION NO: 50
After applying the policy-rematch statement under the security policies stanza, what would happen
to an existing flow if the policy source address or the destination address is changed and
committed?
A. The Junos OS drops any flow that does not match the source address or destination address.
B. All traffic is dropped.
C. All existing sessions continue.
D. The Junos OS does a policy re-evaluation.
Answer: D
Explanation:
QUESTION NO: 51
Which statement is correct about HTTP trickling?
A. It prevents the HTTP client or server from timing-out during an antivirus update.
B. It prevents the HTTP client or server from timing-out during antivirus scanning.
C. It is an attack.
D. It is used to bypass antivirus scanners.
Answer: B
Explanation:
QUESTION NO: 52
For which network anomaly does Junos provide a SCREEN?
A. a telnet to port 80
B. a TCP packet with the SYN and ACK flags set
C. an SNMP getnext request
D. an ICMP packet larger than 1024 bytes
Answer: D
Explanation:
QUESTION NO: 53
What is the proper sequence of evaluation for the SurfControl integrated Web filter solution?
A. whitelists, blacklists, SurfControl categories
B. blacklists, whitelists, SurfControl categories
C. SurfControl categories, whitelists, blacklists
D. SurfControl categories, blacklists, whitelists
Answer: B
Explanation:
QUESTION NO: 54
A network administrator is using source NAT for traffic from source network 10.0.0.0/8. The
administrator must also disable NAT for any traffic destined to the 202.2.10.0/24 network. Which
configuration would accomplish this task?
A. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
match {
source-address 202.2.10.0/24;
}
then {
source-nat {
pool {
A;
}
}
}
}
rule B {
match {
destination-address 10.0.0.0/8;
}
then {
source-nat {
off;
}
}
}
B. [edit security nat source]
user@host# show rule-set test
from zone trust;
to zone untrust;
rule 1 {
match {
destination-address 202.2.10.0/24;
}
then {
source-nat {
off;
}
}
}
rule 2 {
match {
source-address 10.0.0.0/8;
}
then {
source-nat {
pool {
A;
}
}
}
}
C. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
match {
source-address 10.0.0.0/8;
}
then {
source-nat {
pool {
A;
}
}
}
}
rule B {
match {
destination-address 202.2.10.0/24;
}
then {
source-nat {
off;
}
}
}
D. [edit security nat source rule-set test]
user@host# show
from zone trust;
to zone untrust;
rule A {
match {
source-address 10.0.0.0/8;
}
then {
source-nat {
pool {
A;
}
}
}
}
Answer: B
Explanation:
QUESTION NO: 55
The Junos OS blocks an HTTP request due to the category of the URL. Which form of Web
filtering is being used?
A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering
Answer: B
Explanation:
QUESTION NO: 56
Which two statements are true with regard to policy ordering? (Choose two.)
A. The last policy is the default policy, which allows all traffic.
B. The order of policies is not important.
C. New policies are placed at the end of the policy list.
D. The insert command can be used to change the order.
Answer: C,D
Explanation:
QUESTION NO: 57
Regarding fast path processing, when does the system perform the policy check?
A. The policy is determined after the SCREEN options check.
B. The policy is determined only during the first packet path, not during fast path.
C. The policy is determined after the zone check.
D. The policy is determined after the SYN TCP flag.
Answer: B
Explanation:
QUESTION NO: 58
Which URL database do branch SRX Series devices use when leveraging local Web filtering?
A. The SRX Series device will download the database from an online repository to locally inspect
HTTP traffic for Web filtering.
B. The SRX Series device will use an offline database to locally inspect HTTP traffic for Web
filtering.
C. The SRX Series device will redirect local HTTP traffic to an external Websense server for Web
filtering.
D. The SRX Series administrator will define the URLs and their associated action in the local
database to inspect the HTTP traffic for Web filtering.
Answer: D
Explanation:
QUESTION NO: 59
How do you apply UTM enforcement to security policies on the branch SRX series?
A. UTM profiles are applied on a security policy by policy basis.
B. UTM profiles are applied at the global policy level.
C. Individual UTM features like anti-spam or anti-virus are applied directly on a security policy by
policy basis.
D. Individual UTM features like anti-spam or anti-virus are applied directly at the global policy
level.
Answer: A
Explanation:
QUESTION NO: 60
What are two rule base types within an IPS policy on an SRX Series device? (Choose two.)
A. rulebase-ips
B. rulebase-ignore
C. rulebase-idp
D. rulebase-exempt
Answer: A,D
Explanation:
QUESTION NO: 61
Which configuration shows a pool-based source NAT without PAT?
A. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}
}
}
B. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
port no-translation;
}
}
}
C. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
port no-translation;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}
}
}
D. [edit security nat source]
user@host# show
pool A {
address {
207.17.137.1/32 to 207.17.137.254/32;
}
overflow-pool interface;
}
rule-set 1A {
from zone trust;
to zone untrust;
rule 1 {
match {
source-address 10.1.10.0/24;
}
then {
source-nat pool A;
}
}
}
Answer: C
Explanation:
QUESTION NO: 62
Which two statements are true regarding IDP? (Choose two.)
A. IDP can be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
B. IDP cannot be used in conjunction with other Junos security features such as SCREEN options,
zones, and security policy.
C. IDP inspects traffic up to the Presentation Layer.
D. IDP inspects traffic up to the Application Layer.
Answer: A,D
Explanation:
QUESTION NO: 63
What is the purpose of a chassis cluster?
A. Chassis clusters are used to aggregate routes.
B. Chassis clusters are used to create aggregate interfaces.
C. Chassis clusters are used to group two chassis into one logical chassis.
D. Chassis clusters are used to group all interfaces into one cluster interface.
Answer: A
Explanation:
QUESTION NO: 64
Which three statements are true when working with high-availability clusters? (Choose three.)
A. The valid cluster-id range is between 0 and 255.
B. Junos OS security devices can belong to more than one cluster if cluster virtualization is
enabled.
C. If the cluster-id value is set to 0 on a Junos security device, the device will not participate in the
cluster.
D. A reboot is required if the cluster-id or node value is changed.
E. Junos OS security devices can belong to one cluster only.
Answer: C,D,E
Explanation:
QUESTION NO: 65
A network administrator wants to permit Telnet traffic initiated from the address book entry
the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
However, the administrator does not want the server to be able to initiate any type of traffic from
the TRUST zone to the UNTRUST zone. Which configuration statement would correctly
accomplish this task?
A. from-zone UNTRUST to-zone TRUST {
policy DenyServer {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone TRUST to-zone UNTRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}
B. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}
C. from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-ftp;
}
then {
permit;
}
}
}
D. from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}
Answer: B
Explanation:
QUESTION NO: 66
Which command do you use to manually remove antivirus patterns?
A. request security utm anti-virus juniper-express-engine pattern-delete
B. request security utm anti-virus juniper-express-engine pattern-reload
C. request security utm anti-virus juniper-express-engine pattern-remove
D. delete security utm anti-virus juniper-express-engine antivirus-pattern
Answer: A
Explanation:
QUESTION NO: 67
Which three parameters are configured in the IKE policy? (Choose three.)
A. mode
B. preshared key
C. external interface
D. security proposals
E. dead peer detection settings
Answer: A,B,D
Explanation:
QUESTION NO: 68
Which two statements are true about the relationship between static NAT and proxy ARP?
(Choose two.)
A. It is necessary to forward ARP requests to remote hosts.
B. It is necessary when translated traffic belongs to the same subnet as the ingress interface.
C. It is not automatic and you must configure it.
D. It is enabled by default and you do not need to configure it.
Answer: B,C
Explanation:
QUESTION NO: 69
Which CLI command do you use to block MIME content at the [edit security utm feature-profile]
hierarchy?
A. set content-filtering profile permit-command block-mime
B. set content-filtering profile block-mime
C. set content-filtering block-content-type block-mime
D. set content-filtering notifications block-mime
Answer: B
Explanation:
QUESTION NO: 70
If both nodes in a chassis cluster initialize at different times, which configuration example will allow
you to ensure that the node with the higher priority will become primary for your RGs other than
RG0?
A. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
preempt;
}
B. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
monitoring;
}
C. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
control-link-recovery;
}
D. [edit chassis cluster]
user@host# show
redundancy-group 1 {
node 0 priority 200;
node 1 priority 150;
strict-priority;
}
Answer: A
Explanation:
QUESTION NO: 71
By default, how is traffic evaluated when the antivirus database update is in progress?
A. Traffic is scanned against the old database.
B. Traffic is scanned against the existing portion of the currently downloaded database.
C. All traffic that requires antivirus inspection is dropped and a log message generated displaying
the traffic endpoints.
D. All traffic that requires antivirus inspection is forwarded with no antivirus inspection and a log
message generated displaying the traffic endpoints.
Answer: D
Explanation:
QUESTION NO: 72
Which statement is true regarding IPsec VPNs?
A. There are five phases of IKE negotiation.
B. There are two phases of IKE negotiation.
C. IPsec VPN tunnels are not supported on SRX Series devices.
D. IPsec VPNs require a tunnel PIC in SRX Series devices.
Answer: C
Explanation:
QUESTION NO: 73
Which command would you use to enable chassis cluster on an SRX device, setting the cluster ID
to 1 and node to 0?
A. user@host# set chassis cluster cluster-id 1 node 0 reboot
B. user@host> set chassis cluster id 1 node 0 reboot
C. user@host> set chassis cluster cluster-id 1 node 0 reboot
D. user@host# set chassis cluster id 1 node 0 reboot
Answer: C
Explanation:
QUESTION NO: 74
Which three are necessary for antispam to function properly on a branch SRX Series device?
(Choose three.)
A. an antispam license
B. DNS servers configured on the SRX Series device
C. SMTP services on SRX
D. a UTM profile with an antispam configuration in the appropriate security policy
E. antivirus (full or express)
Answer: A,B,D
Explanation:
QUESTION NO: 75
How many IDP policies can be active at one time on an SRX Series device by means of the set
security idp active-policy configuration statement?
A. 1
B. 2
C. 4
D. 8
Answer: A
Explanation:
QUESTION NO: 76
Which two statements regarding firewall user authentication client groups are true? (Choose two.)
A. A client group is a list of clients associated with a group.
B. A client group is a list of groups associated with a client.
C. Client groups are referenced in security policy in the same manner in which individual clients
are referenced.
D. Client groups are used to simplify configuration by enabling firewall user authentication without
security policy.
Answer: B,C
Explanation:
QUESTION NO: 77
Your task is to provision the Junos security platform to permit transit packets from the Private zone
to the External zone by using an IPsec VPN and log information at the time of session close.
Which configuration meets this requirement?
A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-init;
}
}
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
count {
session-close;
}
}
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
}
}
log {
session-close;
}
}
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn VPN;
log;
count session-close;
}
}
}
}
Answer: C
Explanation:
QUESTION NO: 78
A user wants to establish an FTP session to a server behind an SRX device but must authenticate
to a Web page on the SRX device for additional authentication. Which type of user authentication
is configured?
A. pass-through
B. WebAuth
C. WebAuth with Web redirect
D. pass-through with Web redirect
Answer: B
Explanation:
QUESTION NO: 79
What is the functionality of redundant interfaces (reth) in a chassis cluster?
A. reth interfaces are used only for VRRP.
B. reth interfaces are the same as physical interfaces.
C. reth interfaces are pseudo-interfaces that are considered the parent interface for two physical
interfaces.
D. Each cluster member has a reth interface that can be used to share session state information
with the other cluster members.
Answer: C
Explanation:
QUESTION NO: 80
A network administrator receives complaints from the engineering group that an application on one
server is not working properly. After further investigation, the administrator determines that source
NAT translation is using a different source address after a random number of flows. Which two
actions can the administrator take to force the server to use one address? (Choose two.)
A. Use the custom application feature.
B. Configure static NAT for the host.
C. Use port address translation (PAT).
D. Use the address-persistent option.
Answer: B,D
Explanation:
QUESTION NO: 81
What is the default session timeout for UDP sessions?
A. 30 seconds
B. 1 minute
C. 5 minutes
D. 30 minutes
Answer: B
Explanation:
QUESTION NO: 82
Which two statements about the Diffie-Hellman (DH) key exchange process are correct? (Choose
two.)
A. In the DH key exchange process, the session key is never passed across the network.
B. In the DH key exchange process, the public and private keys are mathematically related using
the DH algorithm.
C. In the DH key exchange process, the session key is passed across the network to the peer for
confirmation.
D. In the DH key exchange process, the public and private keys are not mathematically related,
ensuring higher security.
Answer: A,B
Explanation:
QUESTION NO: 83
You are required to configure a SCREEN option that enables IP source route option detection.
Which two configurations meet this requirement? (Choose two.)
A. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
loose-source-route-option;
strict-source-route-option;
}
}
B. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
source-route-option;
}
}
C. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
record-route-option;
security-option;
}
}
D. [edit security screen]
user@host# show
ids-option protectFromFlood {
ip {
strict-source-route-option;
record-route-option;
}
}
Answer: A,B
Explanation:
QUESTION NO: 84
What are three configuration objects used to build Junos IDP rules? (Choose three.)
A. zone objects
B. policy objects
C. attack objects
D. alert and notify objects
E. network and address objects
Answer: A,C,E
Explanation:
QUESTION NO: 85
Click the Exhibit button.
Assume the default-policy has not been configured. Given the configuration shown in the exhibit,
which two statements about traffic from host_a in the HR zone to host_b in the trust zone are true?
(Choose two.)
A. DNS traffic is denied.
B. HTTP traffic is denied.
C. FTP traffic is permitted.
D. SMTP traffic is permitted.
Answer: A,C
Explanation:
QUESTION NO: 86
When an SRX series device receives an ESP packet, what happens?
A. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, it will immediately decrypt the packet.
B. If the destination IP address in the outer IP header of ESP does not match the IP address of the
ingress interface, it will discard the packet.
C. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match, it will decrypt the packet.
D. If the destination address of the outer IP header of the ESP packet matches the IP address of
the ingress interface, based on SPI match and route lookup of inner header, it will decrypt the
packet.
Answer: C
Explanation:
QUESTION NO: 87
Click the Exhibit button.
[A] establishes an IPsec tunnel with [B]. The NAT device translates the IP address 1.1.1.1 to
2.1.1.1. On which port is the IKE SA established?
A. TCP 500
B. UDP 500
C. TCP 4500
D. UDP 4500
Answer: D
Explanation:
QUESTION NO: 88
Click the Exhibit button.
What are two valid reasons for the output shown in the exhibit? (Choose two.)
A. The local Web-filtering daemon is not enabled or is not running.
B. The integrated Web-filtering policy server is not reachable.
C. No DNS is configured on the SRX Series device.
D. No security policy is configured to use Web filtering.
Answer: B,C
Explanation:
QUESTION NO: 89
What is the maximum number of layers of decompression that juniper-express-engine (express
AV) can decompress for the HTTP protocol?
A. 0
B. 1
C. 4
D. 8
Answer: B
Explanation:
QUESTION NO: 90
Which three features are part of the branch SRX series UTM suite? (Choose three.)
A. antispam
B. antivirus
C. IPS
D. application firewalling
E. Web filtering
Answer: A,B,E
Explanation:
QUESTION NO: 91
What are two TCP flag settings that are considered suspicious? (Choose two.)
A. Do-Not-Fragment flag is set.
B. Both SYN and FIN flags are set.
C. Both ACK and PSH flags are set.
D. FIN flag is set and ACK flag is not set.
Answer: B,D
Explanation:
QUESTION NO: 92
The Junos OS blocks an HTTP request due to a Websense server response. Which form of Web
filtering is being used?
A. redirect Web filtering
B. integrated Web filtering
C. categorized Web filtering
D. local Web filtering
Answer: A
Explanation:
QUESTION NO: 93
Which two statements are true regarding redundancy groups? (Choose two.)
A. When priority settings are equal and the members participating in a cluster are initialized at the
same time, the primary role for redundancy group 0 is assigned to node 0.
B. The preempt option determines the primary and secondary roles for redundancy group 0 during
a failure and recovery scenario.
C. Redundancy group 0 manages the control plane failover between the nodes of a cluster.
D. The primary role can be shared for redundancy group 0 when the active-active option is
enabled.
Answer: A,C
Explanation:
QUESTION NO: 94
What are two components of the Junos software architecture? (Choose two.)
A. Linux kernel
B. routing protocol daemon
C. session-based forwarding module
D. separate routing and security planes
Answer: B,C
Explanation:
QUESTION NO: 95
Which IDP policy action closes the connection and sends an RST packet to both the client and the
server?
A. close-connection
B. terminate-connection
C. close-client-and-server
D. terminate-session
Answer: C
Explanation:
QUESTION NO: 96
Which statement describes the UTM licensing model?
A. Install the license key and all UTM features will be enabled for the life of the product.
B. Install one license key per feature and the license key will be enabled for the life of the product.
C. Install one UTM license key, which will activate all UTM features; the license will need to be
renewed when it expires.
D. Install one UTM license key per UTM feature; the licenses will need to be renewed when they
expire.
Answer: D
Explanation:
QUESTION NO: 97
You have configured a UTM profile called Block-Spam, which has the appropriate antispam
configuration to block undesired spam e-mails. Which configuration would protect an SMTP server in the dmz zone from spam originating in the untrust zone?
A. set security policies from-zone dmz to-zone untrust policy anti-spam then permit application-services utm-policy Block-Spam
B. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services utm-policy Block-Spam
C. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services anti-spam-policy Block-Spam
D. set security policies from-zone untrust to-zone dmz policy anti-spam then permit application-services Block-Spam
Answer: B
Explanation:
QUESTION NO: 98
Which two statements about the use of SCREEN options are correct? (Choose two.)
A. SCREEN options offer protection against various attacks.
B. SCREEN options are deployed prior to route and policy processing in first path packet
processing.
C. SCREEN options are deployed at the ingress and egress sides of a packet flow.
D. When you deploy SCREEN options, you must take special care to protect OSPF.
Answer: A,B
Explanation:
QUESTION NO: 99
Click the Exhibit button.
Given the configuration shown in the exhibit, which protocol(s) are allowed to communicate with
the device on ge-0/0/0.0?
A. RIP
B. OSPF
C. BGP and RIP
D. RIP and PIM
Answer: A
Explanation:
QUESTION NO: 100
Which two statements about static NAT are true? (Choose two.)
A. Static NAT can only be used with destination NAT.
B. Static NAT rules take precedence over overlapping dynamic NAT rules.
C. NAT rules take precedence over overlapping static NAT rules.
D. A reverse mapping is automatically created.
Answer: B,D
Explanation:
QUESTION NO: 101
Which three situations will trigger an e-mail to be flagged as spam if a branch SRX Series device
has been properly configured with antispam inspection enabled for the appropriate security policy?
(Choose three.)
A. The server sending the e-mail to the SRX Series device is a known open SMTP relay.
B. The server sending the e-mail to the SRX Series device is running unknown SMTP server
software.
C. The server sending the e-mail to the SRX Series device is on an IP address range that is
known to be dynamically assigned.
D. The e-mail that the server is sending to the SRX Series device has a virus in its attachment.
E. The server sending the e-mail to the SRX Series device is a known spammer IP address.
Answer: A,C,E
Explanation:
QUESTION NO: 102
Which statement is true regarding a session key in the Diffie-Hellman key-exchange process?
A. A session key value is exchanged across the network.
B. A session key never passes across the network.
C. A session key is used as the key for asymmetric data encryption.
D. A session key is used as the key for symmetric data encryption.
Answer: B
Explanation:
QUESTION NO: 103
Which zone type will allow transit-traffic?
A. system
B. security
C. default
D. functional
Answer: B
Explanation:
QUESTION NO: 104
Which two statements are true for a security policy? (Choose two.)
A. It controls inter-zone traffic.
B. It controls intra-zone traffic.
C. It is named with a system-defined name.
D. It controls traffic destined to the device's ingress interface.
Answer: A,B
Explanation:
QUESTION NO: 105
Which CLI command provides a summary of what the content-filtering engine has blocked?
A. show security utm content-filtering statistics
B. show security flow session
C. show security flow statistics
D. show security utm content-filtering summary
Answer: A
Explanation:
QUESTION NO: 106
Click the Exhibit button.
You are the responder for an IPsec tunnel and you see the error messages shown in the exhibit.
What is the problem?
A. One or more of the phase 1 proposals such as authentication algorithm, encryption algorithm,
or pre-shared key does not match.
B. There is no route for 2.2.2.2.
C. There is no IKE definition in the configuration for peer 2.2.2.2.
D. system services ike is not enabled on the interface with IP 1.1.1.2.
Answer: C
Explanation:
QUESTION NO: 107
Which URL will match the URL pattern www.news.com/asia?
A. www.news.com
B. www.news.com/asia/japan
C. www-1.news.com/asia
D. www.news.asia.com
Answer: B
Explanation:
QUESTION NO: 108
Click the Exhibit button.
In the exhibit, what is the function of the configuration statements?
A. This section is where you define all chassis clustering configuration.
B. This configuration is required for members of a chassis cluster to talk to each other.
C. You can apply this configuration in the chassis cluster to make configuration easier.
D. This section is where unique node configuration is applied.
Answer: D
Explanation:
QUESTION NO: 109
A network administrator repeatedly receives support calls about network issues. After investigating
the issues, the administrator finds that the source NAT pool is running out of addresses. To be
notified that the pool is close to exhaustion, what should the administrator configure?
A. Use the pool-utilization-alarm raise-threshold under the security nat source stanza.
B. Use a trap-group with a category of services under the SNMP stanza.
C. Use an external script that will run a show command on the SRX Series device to see when the
pool is close to exhaustion.
D. Configure a syslog message to trigger a notification when the pool is close to exhaustion.
Answer: A
Explanation:
QUESTION NO: 110
Which two statements are true when describing the capabilities of integrated Web filtering on
branch SRX Series devices? (Choose two.)
A. Integrated Web filtering can enforce UTM policies on traffic encrypted in SSL.
B. Integrated Web filtering can detect client-side exploits that attack the user's Web browser.
C. Integrated Web filtering can permit or deny access to specific categories of sites.
D. Different integrated Web-filtering policies can be applied on a firewall rule-by-rule basis to allow
different policies to be enforced for different users.
Answer: C,D
Explanation:
QUESTION NO: 111
Which statement is true when express AV detects a virus in a TCP session?
A. TCP RST is sent and a session is restarted.
B. TCP connection is closed gracefully and the data content is dropped.
C. TCP traffic is allowed and an SNMP trap is sent.
D. AV scanning is restarted.
Answer: B
Explanation:
QUESTION NO: 112
Click the Exhibit button.
Which command is needed to change this policy to a tunnel policy for a policy-based VPN?
A. set policy tunnel-traffic then tunnel remote-vpn
B. set policy tunnel-traffic then permit tunnel remote-vpn
C. set policy tunnel-traffic then tunnel ipsec-vpn remote-vpn permit
D. set policy tunnel-traffic then permit tunnel ipsec-vpn remote-vpn
Answer: D
Explanation:
QUESTION NO: 113
Which two statements describe the difference between Junos software for security platforms and a traditional router? (Choose two.)
A. Junos software for security platforms supports NAT and PAT; a traditional router does not
support NAT or PAT.
B. Junos software for security platforms does not forward traffic by default; a traditional router
forwards traffic by default.
C. Junos software for security platforms uses session-based forwarding; a traditional router uses
packet-based forwarding.
D. Junos software for security platforms performs route lookup for every packet; a traditional router
performs route lookup only for the first packet.
Answer: B,C
Explanation:
QUESTION NO: 114
Using a policy with the policy-rematch flag enabled, what happens to the existing and new
sessions when you change the policy action from permit to deny?
A. The new sessions matching the policy are denied. The existing sessions are dropped.
B. The new sessions matching the policy are denied. The existing sessions, not being allowed to
carry any traffic, simply time out.
C. The new sessions matching the policy might be allowed through if they match another policy.
The existing sessions are dropped.
D. The new sessions matching the policy are denied. The existing sessions continue until they are
completed or their timeout is reached.
Answer: A
Explanation:
QUESTION NO: 115
Which two content-filtering features does FTP support? (Choose two.)
A. block extension list
B. block MIME type
C. protocol command list
D. notifications-options
Answer: A,C
Explanation:
QUESTION NO: 116
Which statement is true about a NAT rule action of off?
A. The NAT action of off is only supported for destination NAT rule-sets.
B. The NAT action of off is only supported for source NAT rule-sets.
C. The NAT action of off is useful for detailed control of NAT.
D. The NAT action of off is useful for disabling NAT when a pool is exhausted.
Answer: C
Explanation:
QUESTION NO: 117
You want to create an out-of-band management zone and assign the ge-0/0/0.0 interface to that
zone. From the [edit] hierarchy, which command do you use to configure this assignment?
A. set security zones management interfaces ge-0/0/0.0
B. set zones functional-zone management interfaces ge-0/0/0.0
C. set security zones functional-zone management interfaces ge-0/0/0.0
D. set security zones functional-zone out-of-band interfaces ge-0/0/0.0
Answer: C
Explanation:
QUESTION NO: 118
Host A opens a Telnet connection to Host B. Host A then opens another Telnet connection to Host
B. These connections are the only communication between Host A and Host B. The security policy
configuration permits both connections. How many sessions exist between Host A and Host B?
A. 1
B. 2
C. 3
D. 4
Answer: B
Explanation:
QUESTION NO: 119
Click the Exhibit button.
A network administrator receives complaints that the application voicecube is timing out after
being idle for 30 minutes. Referring to the exhibit, what is a resolution?
A. [edit]
user@host# set applications application voicecube inactivity-timeout never
B. [edit]
user@host# set applications application voicecube inactivity-timeout 2
C. [edit]
user@host# set applications application voicecube destination-port 5060
D. [edit]
user@host# set security policies from-zone trust to-zone trust policy intrazone then timeout never
Answer: A
Explanation:
QUESTION NO: 120
Which parameters are valid SCREEN options for combating operating system probes?
A. syn-fin, syn-flood, and tcp-no-frag
B. syn-fin, port-scan, and tcp-no-flag
C. syn-fin, fin-no-ack, and tcp-no-frag
D. syn-fin, syn-ack-ack-proxy, and tcp-no-frag
Answer: C
Explanation:
QUESTION NO: 121
You have configured your chassis cluster to include redundancy group 1. Node 0 is configured to
be the primary node for this redundancy group. You need to verify that the redundancy group
failover is successful. Which command do you use to manually test the failover?
A. request chassis cluster manual failover group 1 node 1
B. request cluster failover redundancy-group 1 node 1
C. request chassis cluster manual failover redundancy-group 1 node 1
D. request chassis cluster failover redundancy-group 1 node 1
Answer: D
Explanation:
QUESTION NO: 122
The Junos OS blocks an HTTP request due to its inclusion on the url-blacklist. Which form of Web
filtering on the branch SRX device is fully executed within the device itself?
A. redirect Web filtering
B. integrated Web filtering
C. blacklist Web filtering
D. local Web filtering
Answer: D
Explanation:
QUESTION NO: 123
In the Junos OS, which statement is true?
A. vlan.0 belongs to the untrust zone.
B. You must configure Web authentication to allow inbound traffic in the untrust zone.
C. The zone name untrust has no special meaning.
D. The untrust zone is not configurable.
Answer: C
Explanation:
QUESTION NO: 124
Which statement is true about the SurfControl integrated Web filter solution?
A. The SurfControl server in the cloud provides the SRX device with the category of the URL as
well as the reputation of the URL.
B. The SurfControl server in the cloud provides the SRX device with only the category of the URL.
C. The SurfControl server in the cloud provides the SRX device with only the reputation of the
URL.
D. The SurfControl server in the cloud provides the SRX device with a decision to permit or deny
the URL.
Answer: B
Explanation:
QUESTION NO: 125
Click the Exhibit button.
Referring to the exhibit, you are not able to telnet to 192.168.10.1 from client PC
192.168.10.10. What is causing the problem?
A. Telnet is not being permitted by self policy.
B. Telnet is not being permitted by security policy.
C. Telnet is not allowed because it is not considered secure.
D. Telnet is not enabled as a host-inbound service on the zone.
Answer: D
Explanation:
QUESTION NO: 126
Which two statements are true regarding firewall user authentication? (Choose two.)
A. When configured for pass-through firewall user authentication, the user must first open a
connection to the Junos security platform before connecting to a remote network resource.
B. When configured for Web firewall user authentication only, the user must first open a
connection to the Junos security platform before connecting to a remote network resource.
C. If a Junos security device is configured for pass-through firewall user authentication, new
sessions are automatically intercepted to perform authentication.
D. If a Junos security device is configured for Web firewall user authentication, new sessions are
automatically intercepted to perform authentication.
Answer: B,C
Explanation:
QUESTION NO: 127
You want to create a security policy allowing traffic from any host in the Trust zone to
hostb.example.com (172.19.1.1) in the Untrust zone. How do you create this policy?
A. Specify the IP address (172.19.1.1/32) as the destination address in the policy.
B. Specify the DNS entry (hostb.example.com) as the destination address in the policy.
C. Create an address book entry in the Trust zone for the 172.19.1.1/32 prefix and reference this
entry in the policy.
D. Create an address book entry in the Untrust zone for the 172.19.1.1/32 prefix and reference
this entry in the policy.
Answer: D
Explanation:
QUESTION NO: 128
Which three types of content filtering are supported only for HTTP? (Choose three.)
A. block Flash
B. block Java applets
C. block ActiveX
D. block EXE files
E. block MIME type
Answer: B,C,D
Explanation:
QUESTION NO: 129
Which three represent IDP policy match conditions? (Choose three.)
A. protocol
B. source-address
C. port
D. application
E. attacks
Answer: B,D,E
Explanation:
QUESTION NO: 130
Which two statements are true regarding the system-default security policy [edit security policies
default-policy]? (Choose two.)
A. Traffic is permitted from the trust zone to the untrust zone.
B. Intrazone traffic in the trust zone is permitted.
C. All traffic through the device is denied.
D. The policy is matched only when no other matching policies are found.
Answer: C,D
Explanation:
QUESTION NO: 131
Which configuration shows the correct application of a security policy scheduler?
A. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}
scheduler-name now;
}
}
}
B. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}
}
}
scheduler-name now;
}
C. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
scheduler-name now;
}
}
}
}
D. [edit security policies from-zone Private to-zone External]
user@host# show
policy allowTransit {
match {
source-address PrivateHosts;
destination-address ExtServers;
application ExtApps;
scheduler-name now;
}
then {
permit {
tunnel {
ipsec-vpn myTunnel;
}
}
}
scheduler-name now;
}
Answer: B
Explanation:
QUESTION NO: 132
Which three functions are provided by the Junos OS for security platforms? (Choose three.)
A. VPN establishment
B. stateful ARP lookups
C. Dynamic ARP inspection
D. Network Address Translation
E. inspection of packets at higher levels (Layer 4 and above)
Answer: A,D,E
Explanation:
QUESTION NO: 133
Which three options represent IDP policy match conditions? (Choose three.)
A. service
B. to-zone
C. attacks
D. port
E. destination-address
Answer: B,C,E
Explanation:
QUESTION NO: 134
Which three security concerns can be addressed by a tunnel mode IPsec VPN secured by ESP?
(Choose three.)
A. data integrity
B. data confidentiality
C. data authentication
D. outer IP header confidentiality
E. outer IP header authentication
Answer: A,B,C
Explanation:
QUESTION NO: 135
Which two statements apply to policy scheduling? (Choose two.)
A. An individual policy can have only one scheduler applied.
B. You must manually configure system-time updates.
C. Multiple policies can use the same scheduler.
D. Policies that do not have schedulers are not active.
Answer: A,C
Explanation:
QUESTION NO: 136
Which three actions can a branch SRX Series device perform on a spam e-mail message?
(Choose three.)
A. It can drop the connection at the IP address level.
B. It can block the e-mail based upon the sender ID.
C. It can allow the e-mail and bypass all UTM inspection.
D. It can allow the e-mail to be forwarded, but change the intended recipient to a new e-mail
address.
E. It can allow the e-mail to be forwarded to the destination, but tag it with a custom value in the
subject line.
Answer: A,B,E
Explanation:
QUESTION NO: 137
What are three different integrated UTM components available on the branch SRX Series
devices? (Choose three.)
A. antivirus (full AV, express AV)
B. antivirus (desktop AV)
C. Web filtering
D. antispam
E. firewall user authentication
Answer: A,C,D
Explanation:
QUESTION NO: 138
You want to test a configured screen value prior to deploying. Which statement will allow you to
accomplish this?
A. [edit security screen]
user@host# show
ids-option untrust-screen {
alarm-test-only;
}
B. [edit security screen]
user@host# show
ids-option untrust-screen {
alarm-without-drop;
}
C. [edit security screen]
user@host# show
ids-option untrust-screen {
alarm-no-drop;
}
D. [edit security screen]
user@host# show
ids-option untrust-screen {
test-without-drop;
}
Answer: B
Explanation:
QUESTION NO: 139
Which three contexts can be used as matching conditions in a source NAT configuration? (Choose
three.)
A. routing-instance
B. zone
C. interface
D. policy
E. rule-set
Answer: A,B,C
Explanation:
QUESTION NO: 140
Which command shows the event and traceoptions file for chassis clusters?
A. show log chassisd
B. show log clusterd
C. show log jsrpd
D. show log messages
Answer: C
Explanation:
QUESTION NO: 141
Which encryption type is used to secure user data in an IPsec tunnel?
A. symmetric key encryption
B. asymmetric key encryption
C. RSA
D. digital certificates
Answer: A
Explanation:
QUESTION NO: 142
Interface ge-0/0/2.0 of your device is attached to the Internet and is configured with an IP address
and network mask of 71.33.252.17/24. A Web server with IP address 10.20.20.1 is running an
HTTP service on TCP port 8080. The Web server is attached to the ge-0/0/0.0 interface of your
device. You must use NAT to make the Web server reachable from the Internet using port
translation. Which type of NAT must you configure?
A. source NAT with address shifting
B. pool-based source NAT
C. static destination NAT
D. pool-based destination NAT
Answer: D
Explanation:
QUESTION NO: 143
Which two types of attacks are considered to be denial of service? (Choose two.)
A. zombie agents
B. SYN flood
C. IP packet fragments
D. WinNuke
Answer: B,D
Explanation:
QUESTION NO: 144
Which antivirus solution integrated on branch SRX Series devices do you use to ensure maximum
virus coverage for network traffic?
A. express AV
B. full AV
C. desktop AV
D. ICAP
Answer: B
Explanation:
QUESTION NO: 145
Which two statements are true about the Websense redirect Web filter solution? (Choose two.)
A. The Websense redirect Web filter solution does not require a license on the SRX device.
B. The Websense server provides the SRX device with a category for the URL and the SRX
device then matches the category with its configured policies and decides to permit or deny the
URL.
C. The Websense server provides the SRX device with a decision as to whether the SRX device
permits or denies the URL.
D. When the Websense server does not know the category of the URL, it sends a request back to
the SRX device to validate against the integrated SurfControl server in the cloud.
Answer: A,C
Explanation:
QUESTION NO: 146
Click the Exhibit button.
Referring to the exhibit, which statement contains the correct gateway parameters?
A. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
policy ike-policy1;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
B. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
ike-policy ike-policy1;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
C. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
policy ike1-policy;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
D. [edit security ike]
user@host# show
gateway ike-phase1-gateway {
ike-policy ike1-policy;
address 10.10.10.1;
dead-peer-detection {
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
Answer: B
Explanation:
QUESTION NO: 147
Antispam can be leveraged with which two features on a branch SRX Series device to provide
maximum protection from malicious e-mail content? (Choose two.)
A. integrated Web filtering
B. full AV
C. IPS
D. local Web filtering
Answer: B,C
Explanation:
QUESTION NO: 148
Content filtering enables traffic to be permitted or blocked based on inspection of which three
types of content? (Choose three.)
A. MIME pattern
B. file extension
C. IP spoofing
D. POP3
E. protocol command
Answer: A,B,E
Explanation:
QUESTION NO: 149
What are three valid Juniper Networks IPS attack object types? (Choose three.)
A. signature
B. anomaly
C. trojan
D. virus
E. chain
Answer: A,B,E
Explanation:
QUESTION NO: 150
Which two statements are true about AH? (Choose two.)
A. AH provides data integrity.
B. AH is identified by IP protocol 50.
C. AH is identified by IP protocol 51.
D. AH cannot work in conjunction with ESP.
Answer: A,C
Explanation:
QUESTION NO: 151
Click the Exhibit button.
Referring to the exhibit, what is the correct proxy-id?
A. local 1.1.1.0/24, remote 2.1.1.0/24
B. local 2.1.1.0/24, remote 1.1.1.0/24
C. local 12.1.1.0/24, remote 11.1.1.0/24
D. local 11.1.1.0/24, remote 12.1.1.0/24
Answer: D
Explanation:
QUESTION NO: 152
On which component is the control plane implemented?
A. IOC
B. PIM
C. RE
D. SPC
Answer: C
Explanation:
QUESTION NO: 153
Which two packet attributes contribute to the identification of a session? (Choose two.)
A. destination port
B. TTL
C. IP options
D. protocol number
Answer: A,D
Explanation:
QUESTION NO: 154
Which interface is used for RTO synchronization and forwarding traffic between the devices in a
cluster?
A. the st interface
B. the reth interface
C. the fxp1 and fxp0 interfaces
D. the fab0 and fab1 interfaces
Answer: D
Explanation:
QUESTION NO: 155
Click the Exhibit button.
In the configuration shown in the exhibit, you decided to eliminate the junos-ftp application from
the match condition of the policy My Traffic. What will happen to the existing FTP and BGP
sessions?
A. The existing FTP and BGP sessions will continue.
B. The existing FTP and BGP sessions will be re-evaluated and only FTP sessions will be
dropped.
C. The existing FTP and BGP sessions will be re-evaluated and all sessions will be dropped.
D. The existing FTP sessions will continue and only the existing BGP sessions will be dropped.
Answer: B
Explanation:
QUESTION NO: 156
Click the Exhibit button.
Given the configuration shown in the exhibit, which configuration object would be used to
associate both Nancy and Walter with firewall user authentication within a security policy?
A. ftp-group
B. ftp-users
C. firewall-user
D. nancy and walter
Answer: A
Explanation:
QUESTION NO: 157
Which two statements are true about pool-based source NAT? (Choose two.)
A. PAT is not supported.
B. PAT is enabled by default.
C. It supports the address-persistent configuration option.
D. It supports the junos-global configuration option.
Answer: B,C
Explanation:
QUESTION NO: 158
What is the maximum number of layers of compression that kaspersky-lab-engine (full AV) can
decompress for the HTTP protocol?
A. 1
B. 4
C. 8
D. 16
Answer: B
Explanation:
QUESTION NO: 159
The same Web site is visited for the second time using a branch SRX Series Services Gateway
configured with SurfControl integrated Web filtering. Which statement is true?
A. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl
server provides the SRX with a category of the URL.
B. The SRX device sends the URL to the SurfControl server in the cloud and the SurfControl
server asks the SRX device to permit the URL as it has been previously visited.
C. The SRX device looks at its local cache to find the category of the URL.
D. The SRX device does not perform any Web filtering operation as the Web site has already
been visited.
Answer: C
Explanation:
QUESTION NO: 160
To