What must be enabled on an SRX Series device for the reporting engine to create reports?

A. packet capture

B. security logging

C. system logging

D. SNMP

You want to block executable files (*.exe) from being downloaded onto your network.
Which UTM feature would you use in this scenario?

A. IPS

B. Web filtering

C. content filtering

D. antivirus

Click the Exhibit button.

Referring to the exhibit, a user is placed in which hierarchy when the exit command is run?

A. [edit security policies from-zone trust to-zone dmz]user@vSRX-1#

B. [edit]user@vSRX-1#

C. [edit security policies]user@vSRX-1#

D. user@vSRX-1>

Which two statements are correct about IKE security associations? (Choose two.)

A. IKE security associations are established during IKE Phase 1 negotiations.

B. IKE security associations are unidirectional.

C. IKE security associations are established during IKE Phase 2 negotiations.

D. IKE security associations are bidirectional.

Which statement about global NAT address persistence is correct?

A. The same IP address from a source NAT pool will be assigned for all sessions from a given host.

B. The same IP address from a source NAT pool is not guaranteed to be assigned for all sessions from a given host.

C. The same IP address from a destination NAT pool will be assigned for all sessions for a given host.

D. The same IP address from a destination NAT pool is not guaranteed to be assigned for all sessions for a given host.

Which statement is correct about Junos security policies?

A. Security policies enforce rules that should be applied to traffic transiting an SRX Series device.

B. Security policies determine which users are allowed to access an SRX Series device.

C. Security policies control the flow of internal traffic within an SRX Series device.

D. Security policies identify groups of users that have access to different features on an SRX Series device.

Click the Exhibit button.

When creating a site-to-site VPN using the J-Web screen shown in the exhibit, which statement is correct?

A. The remote gateway is configured automatically based on the local gateway settings.

B. RIP, OSPF, and BGP are supported under Routing mode.

C. The authentication method is pre-shared key or certificate based.

D. Privately routable IP addresses are required.

Click the Exhibit button.

Which two statements are correct referring to the output shown in the exhibit? (Choose two.)

A. FTP and ping access for the Trus-DMZ-Access policy is permitted.

B. The SSH access for the Trust-DMZ-Block policy is permitted.

C. FTP and ping access for the Trust-DMZ-Access policy is denied.

D. The SSH access for the Trust-DMZ-Block policy is denied.

You are installing a new SRX Series device and you are only provided one IP address from your ISP.
In this scenario, which NAT solution would you implement?

A. pool-based NAT with PAT

B. pool-based NAT with address shifting

C. interface-based source NAT

D. pool-based NAT without PAT

Which two non-configurable zones exist by default on an SRX Series device? (Choose two.)

A. Junos-host

B. functional

C. null

D. management

Which two services does Juniper Connected Security provide? (Choose two.)

A. protection against zero-day threats

B. IPsec VPNs

C. Layer 2 VPN tunnels

D. inline malware blocking

In J-Web, the management and loopback address configuration option allows you to configure which area?

A. the IP address of the primary Gigabit Ethernet port

B. the IP address of the Network Time Protocol server

C. the CIDR address

D. the IP address of the device management port

What is the number of concurrent Secure Connect user licenses that an SRX Series device has by default?

A. 3

B. 4

C. 2

D. 5

The UTM features are performed during which process of the SRX Series device’s packet flow?

A. security policies

B. services

C. zones

D. screens

Which two statements are correct about IPsec security associations? (Choose two.)

A. IPsec security associations are bidirectional.

B. IPsec security associations are unidirectional.

C. IPsec security associations are established during IKE Phase 1 negotiations.

D. IPsec security associations are established during IKE Phase 2 negotiations.

Which statement is correct about unified security policies on an SRX Series device?

A. A zone-based policy is always evaluated first.

B. The most restrictive policy is applied regardless of the policy level.

C. A global policy is always evaluated first.

D. The first policy rule is applied regardless of the policy level.

Screens on an SRX Series device protect against which two types of threats? (Choose two.)

A. IP spoofing

B. ICMP flooding

C. zero-day outbreaks

D. malicious e-mail attachments

Which two statements about user-defined security zones are correct? (Choose two.)

A. Users cannot share security zones between routing instances.

B. Users can configure multiple security zones.

C. Users can share security zones between routing instances.

D. User-defined security zones do not apply to transit traffic.

Which statement about NAT is correct?

A. Destination NAT takes precedence over static NAT.

B. Source NAT is processed before security policy lookup.

C. Static NAT is processed after forwarding lookup.

D. Static NAT takes precedence over destination NAT.

You have an FTP server and a webserver on the inside of your network that you want to make available to users outside of the network. You are allocated a single public IP address.
In this scenario, which two NAT elements should you configure? (Choose two.)

A. destination NAT

B. NAT pool

C. source NAT

D. static NAT

Which two statements are correct about functional zones? (Choose two.)

A. Functional zones must have a user-defined name.

B. Functional zone cannot be referenced in security policies or pass transit traffic.

C. Multiple types of functional zones can be defined by the user.

D. Functional zones are used for out-of-band device management.

When transit traffic matches a security policy, which three actions are available? (Choose three.)

A. Allow

B. Discard

C. Deny

D. Reject

E. Permit

Which statement is correct about global security policies on SRX Series devices?

A. The to-zone any command configures a global policy.

B. The from-zone any command configures a global policy.

C. Global policies are always evaluated first.

D. Global policies can include zone context.

Click the Exhibit button.

Referring to the exhibit, which three statements about the ge-0/0/1 interface are correct? (Choose three.)

A. The interface has not been placed in a zone.

B. The interface is located on Slot1.

C. IPv4 and IPv6 have been configured.

D. The physical and logical units are up.

E. Logical unit0 has been configured.

When configuring antispam, where do you apply any local lists that are configured?

A. custom objects

B. advanced security policy

C. antispam feature-profile

D. antispam UTM policy

You are configuring an SRX Series device. You have a set of servers inside your private network that need one-to-one mappings to public IP addresses.
Which NAT configuration is appropriate in this scenario?

A. source NAT with PAT

B. destination NAT

C. NAT-T

D. static NAT

Click the Exhibit button.

You are asked to allow only ping and SSH access to the security policies shown in the exhibit.
Which statement will accomplish this task?

A. Rename policy Rule-2 to policy Rule-0.

B. Insert policy Rule-2 before policy Rule-1.

C. Replace application any with application [junos-ping junos-ssh] in policy Rule-1.

D. Rename policy Rule-1 to policy Rule-3.

What is the order of the first path packet processing when a packet enters a device?

A. security policies –> screens –> zones

B. screens –> security policies –> zones

C. screens –> zones –> security policies

D. security policies –> zones –> screens

What does the number “2” indicate in interface ge-0/1/2?

A. the physical interface card (PIC)

B. the flexible PIC concentrator (FPC)

C. the interface logical number

D. the port number

Which two statements about the Junos OS CLI are correct? (Choose two.)

A. The default configuration requires you to log in as the admin user.

B. A factory-default login assigns the hostname Amnesiac to the device.

C. Most Juniper devices identify the root login prompt using the % character.

D. Most Juniper devices identify the root login prompt using the > character.

Which IPsec protocol is used to encrypt the data payload?

A. ESP

B. IKE

C. AH

D. TCP

You are monitoring an SRX Series device that has the factory-default configuration applied.
In this scenario, where are log messages sent by default?

A. Junos Space Log Director

B. Junos Space Security Director

C. to a local syslog server on the management network

D. to a local log file named messages

Which two components are part of a security zone? (Choose two.)

A. inet.0

B. fxp0

C. address book

D. ge-0/0/0.0

You must monitor security policies on SRX Series devices dispersed throughout locations in your organization using a “single pane of glass” cloud-based solution.
Which solution satisfies the requirement?

A. Juniper Sky Enterprise

B. J-Web

C. Junos Secure Connect

D. Junos Space

Which two statements are correct about the default behavior on SRX Series devices? (Choose two.)

A. The SRX Series device is in flow mode.

B. The SRX Series device supports stateless firewalls filters.

C. The SRX Series device is in packet mode.

D. The SRX Series device does not support stateless firewall filters.

You have configured a UTM feature profile.
Which two additional configuration steps are required for your UTM feature profile to take effect? (Choose two.)

A. Associate the UTM policy with an address book.

B. Associate the UTM policy with a firewall filter.

C. Associate the UTM policy with a security policy.

D. Associate the UTM feature profile with a UTM policy.

What is the default timeout value for TCP sessions on an SRX Series device?

A. 30 seconds

B. 60 minutes

C. 60 seconds

D. 30 minutes

Which two traffic types are considered exception traffic and require some form of special handling by the PFE? (Choose two.)

A. SSH sessions

B. ICMP reply messages

C. HTTP sessions

D. traceroute packets

What are two valid address books? (Choose two.)

A. 66.129.239.128/25

B. 66.129.239.154/24

C. 66.129.239.0/24

D. 66.129.239.50/25

Which statement about service objects is correct?

A. All applications are predefined by Junos.

B. All applications are custom defined by the administrator.

C. All applications are either custom or Junos defined.

D. All applications in service objects are not available on the vSRX Series device.

You want to verify the peer before IPsec tunnel establishment.
What would be used as a final check in this scenario?

A. traffic selector

B. perfect forward secrecy

C. st0 interfaces

D. proxy ID

Which statement is correct about Web filtering?

A. The Juniper Enhanced Web Filtering solution requires a locally managed server.

B. The decision to permit or deny is based on the body content of an HTTP packet.

C. The decision to permit or deny is based on the category to which a URL belongs.

D. The client can receive an e-mail notification when traffic is blocked.

What are two logical properties of an interface? (Choose two.)

A. link mode

B. IP address

C. VLAN ID

D. link speed

What are three primary match criteria used in a Junos security policy? (Choose three.)

A. application

B. source address

C. source port

D. class

E. destination address

What information does the show chassis routing-engine command provide?

A. chassis serial number

B. resource utilization

C. system version

D. routing tables

Which two statements are correct about the null zone on an SRX Series device? (Choose two.)

A. The null zone is created by default.

B. The null zone is a functional security zone.

C. Traffic sent or received by an interface in the null zone is discarded.

D. You must enable the null zone before you can place interfaces into it.

Which two criteria should a zone-based security policy include? (Choose two.)

A. a source port

B. a destination port

C. zone context

D. an action

You want to prevent other users from modifying or discarding your changes while you are also editing the configuration file.
In this scenario, which command would accomplish this task?

A. configure master

B. cli privileged

C. configure exclusive

D. configure

You want to implement user-based enforcement of security policies without the requirement of certificates and supplicant software.
Which security feature should you implement in this scenario?

A. integrated user firewall

B. screens

C. 802.1X

D. Juniper ATP

An application firewall processes the first packet in a session for which the application has not yet been identified.
In this scenario, which action does the application firewall take on the packet?

A. It allows the first packet.

B. It denies the first packet and sends an error message to the user.

C. It denies the first packet.

D. It holds the first packet until the application is identified.