Click the Exhibit button.

Which two statements are correct about the partial policies shown in the exhibit? (Choose two.)

A. UDP traffic matched by the deny-all policy will be silently dropped.

B. TCP traffic matched by the reject-all policy will have a TCP first sent.

C. TCP traffic matched from the zone trust is allowed by the permit-all policy.

D. UDP traffic matched by the reject-all policy will be silently dropped.

What is the number of concurrent Secure Connect user licenses that an SRX Series device has by default?

A. 3

B. 4

C. 2

D. 5

What does the number “2” indicate in interface ge-0/1/2?

A. the physical interface card (PIC)

B. the flexible PIC concentrator (FPC)

C. the interface logical number

D. the port number

You are assigned a project to configure SRX Series devices to allow connections to your webservers. The webservers have a private IP address, and the packets must use NAT to be accessible from the Internet. The webservers must use the same address for both connections from the Internet and communication with update servers.
Which NAT type must be used to complete this project?

A. source NAT

B. destination NAT

C. static NAT

D. hairpin NAT

Which two statements about user-defined security zones are correct? (Choose two.)

A. Users cannot share security zones between routing instances.

B. Users can configure multiple security zones.

C. Users can share security zones between routing instances.

D. User-defined security zones do not apply to transit traffic.

Which statement is correct about unified security policies on an SRX Series device?

A. A zone-based policy is always evaluated first.

B. The most restrictive policy is applied regardless of the policy level.

C. A global policy is always evaluated first.

D. The first policy rule is applied regardless of the policy level.

Which two statements are correct about functional zones? (Choose two.)

A. Functional zones must have a user-defined name.

B. Functional zone cannot be referenced in security policies or pass transit traffic.

C. Multiple types of functional zones can be defined by the user.

D. Functional zones are used for out-of-band device management.

What are two functions of Juniper ATP Cloud? (Choose two.)

A. malware inspection

B. Web content filtering

C. DDoS protection

D. Geo IP feeds

Which two IKE Phase 1 configuration options must match on both peers to successfully establish a tunnel? (Choose two.)

A. VPN name

B. gateway interfaces

C. IKE mode

D. Diffie-Hellman group

Which two statements are correct about screens? (Choose two.)

A. Screens process inbound packets.

B. Screens are processed on the routing engine.

C. Screens process outbound packets.

D. Screens are processed on the flow module.

Which statement is correct about static NAT?

A. Static NAT supports port translation.

B. Static NAT rules are evaluated after source NAT rules.

C. Static NAT implements unidirectional one-to-one mappings.

D. Static NAT implements unidirectional one-to-many mappings.

You are investigating a communication problem between two hosts and have opened a session on the SRX Series device closest to one of the hosts and entered the show security flow session command.
What information will this command provide? (Choose two.)

A. The total active time of the session.

B. The end-to-end data path that the packets are taking.

C. The IP address of the host that initiates the session.

D. The security policy name that is controlling the session.

Which two statements are correct about global policies? (Choose two.)

A. Global policies are evaluated after default policies.

B. Global policies do not have to reference zone context.

C. Global policies are evaluated before default policies.

D. Global policies must reference zone contexts.

What are two valid address books? (Choose two.)

A. 66.129.239.128/25

B. 66.129.239.154/24

C. 66.129.239.0/24

D. 66.129.239.50/25

When configuring antispam, where do you apply any local lists that are configured?

A. custom objects

B. advanced security policy

C. antispam feature-profile

D. antispam UTM policy

Which two statements are correct about the null zone on an SRX Series device? (Choose two.)

A. The null zone is created by default.

B. The null zone is a functional security zone.

C. Traffic sent or received by an interface in the null zone is discarded.

D. You must enable the null zone before you can place interfaces into it.

Which two traffic types are considered exception traffic and require some form of special handling by the PFE? (Choose two.)

A. SSH sessions

B. ICMP reply messages

C. HTTP sessions

D. traceroute packets

Click the Exhibit button.

Which two statements are correct referring to the output shown in the exhibit? (Choose two.)

A. FTP and ping access for the Trus-DMZ-Access policy is permitted.

B. The SSH access for the Trust-DMZ-Block policy is permitted.

C. FTP and ping access for the Trust-DMZ-Access policy is denied.

D. The SSH access for the Trust-DMZ-Block policy is denied.

An application firewall processes the first packet in a session for which the application has not yet been identified.
In this scenario, which action does the application firewall take on the packet?

A. It allows the first packet.

B. It denies the first packet and sends an error message to the user.

C. It denies the first packet.

D. It holds the first packet until the application is identified.

Which Web filtering solution uses a direct Internet-based service for URL categorization?

A. Juniper ATP Cloud

B. Websense Redirect

C. Juniper Enhanced Web Filtering

D. local blocklist

What information does the show chassis routing-engine command provide?

A. chassis serial number

B. resource utilization

C. system version

D. routing tables

Which two addresses are valid address book entries? (Choose two.)

A. 173.145.5.21/255.255.255.0

B. 153.146.0.145/255.255.0.255

C. 203.150.108.10/24

D. 191.168.203.0/24

You are assigned a project to configure SRX Series devices to allow connections to your webservers. The webservers have a private IP address, and the packets must use NAT to be accessible from the Internet. You do not want the webservers to initiate connections with external update servers on the Internet using the same IP address as customers use to access them.
Which two NAT types must be used to complete this project? (Choose two.)

A. static NAT

B. hairpin NAT

C. destination NAT

D. source NAT

Which statement about NAT is correct?

A. Destination NAT takes precedence over static NAT.

B. Source NAT is processed before security policy lookup.

C. Static NAT is processed after forwarding lookup.

D. Static NAT takes precedence over destination NAT.

Click the Exhibit button.

You are asked to allow only ping and SSH access to the security policies shown in the exhibit.
Which statement will accomplish this task?

A. Rename policy Rule-2 to policy Rule-0.

B. Insert policy Rule-2 before policy Rule-1.

C. Replace application any with application [junos-ping junos-ssh] in policy Rule-1.

D. Rename policy Rule-1 to policy Rule-3.

You want to verify the peer before IPsec tunnel establishment.
What would be used as a final check in this scenario?

A. traffic selector

B. perfect forward secrecy

C. st0 interfaces

D. proxy ID

Your company is adding IP cameras to your facility to increase physical security. You are asked to help protect these IoT devices from becoming zombies in a DDoS attack.
Which Juniper ATP feature should you configure to accomplish this task?

A. IPsec

B. static NAT

C. allowlists

D. C&C feeds

What are two Juniper ATP Cloud feed analysis components? (Choose two.)

A. IDP signature feed

B. C&C cloud feed

C. infected host cloud feed

D. US CERT threat feed

What are three Junos UTM features? (Choose three.)

A. screens

B. antivirus

C. Web filtering

D. IDP/IPS

E. content filtering

Which two statements are true about Juniper ATP Cloud? (Choose two.)

A. Juniper ATP Cloud is an on-premises ATP appliance.

B. Juniper ATP Cloud can be used to block and allow IPs.

C. Juniper ATP Cloud is a cloud-based ATP subscription.

D. Juniper ATP Cloud delivers intrusion protection services.

SRX Series devices have a maximum of how many rollback configurations?

A. 40

B. 60

C. 50

D. 10

Which feature would you use to protect clients connected to an SRX Series device from a SYN flood attack?

A. security policy

B. host inbound traffic

C. application layer gateway

D. screen option

What is the main purpose of using screens on an SRX Series device?

A. to provide multiple ports for accessing security zones

B. to provide an alternative interface into the CLI

C. to provide protection against common DoS attacks

D. to provide information about traffic patterns traversing the network

Which two services does Juniper Connected Security provide? (Choose two.)

A. protection against zero-day threats

B. IPsec VPNs

C. Layer 2 VPN tunnels

D. inline malware blocking

You want to implement user-based enforcement of security policies without the requirement of certificates and supplicant software.
Which security feature should you implement in this scenario?

A. integrated user firewall

B. screens

C. 802.1X

D. Juniper ATP

Which two statements are correct about the default behavior on SRX Series devices? (Choose two.)

A. The SRX Series device is in flow mode.

B. The SRX Series device supports stateless firewalls filters.

C. The SRX Series device is in packet mode.

D. The SRX Series device does not support stateless firewall filters.

You have an FTP server and a webserver on the inside of your network that you want to make available to users outside of the network. You are allocated a single public IP address.
In this scenario, which two NAT elements should you configure? (Choose two.)

A. destination NAT

B. NAT pool

C. source NAT

D. static NAT

Your ISP gives you an IP address of 203.0.113.0/27 and informs you that your default gateway is 203.0.113.1. You configure destination NAT to your internal server, but the requests sent to the webserver at 203.0.113.5 are not arriving at the server.
In this scenario, which two configuration features need to be added? (Choose two.)

A. firewall filter

B. security policy

C. proxy-ARP

D. UTM policy

Click the Exhibit button.

Referring to the exhibit, which three statements about the ge-0/0/1 interface are correct? (Choose three.)

A. The interface has not been placed in a zone.

B. The interface is located on Slot1.

C. IPv4 and IPv6 have been configured.

D. The physical and logical units are up.

E. Logical unit0 has been configured.

Which two statements about the Junos OS CLI are correct? (Choose two.)

A. The default configuration requires you to log in as the admin user.

B. A factory-default login assigns the hostname Amnesiac to the device.

C. Most Juniper devices identify the root login prompt using the % character.

D. Most Juniper devices identify the root login prompt using the > character.

Click the Exhibit button.

You are configuring an SRX firewall to NAT user traffic to the Internet.
Referring to the exhibit, which configuration change will enable the NAT policy?

A. delete security nat source rule-set NAT_USERS to zone

B. set security nat source rule-set NAT_USERS from zone NAT

C. set security zones security-zone untrust interfaces ge-0/0/2.0

D. delete security zone security-zone untrust interfaces ge-0/0/1.0

What is the correct order in which interface names should be identified?

A. system slot number –> interface media type –> port number –> line card slot number

B. system slot number –> port number –> interface media type –> line card slot number

C. interface media type –> system slot number –> line card slot number –> port number

D. interface media type –> port number –> system slot number –> line card slot number

Screens on an SRX Series device protect against which two types of threats? (Choose two.)

A. IP spoofing

B. ICMP flooding

C. zero-day outbreaks

D. malicious e-mail attachments

You must monitor security policies on SRX Series devices dispersed throughout locations in your organization using a “single pane of glass” cloud-based solution.
Which solution satisfies the requirement?

A. Juniper Sky Enterprise

B. J-Web

C. Junos Secure Connect

D. Junos Space

Which Juniper ATP feed provides a dynamic list of known botnet servers and known sources of malware downloads?

A. infected host cloud feed

B. Geo IP feed

C. C&C cloud feed

D. blocklist feed

You are deploying an SRX Series firewall with multiple NAT scenarios.
In this situation, which NAT scenario takes priority?

A. interface NAT

B. source NAT

C. static NAT

D. destination NAT

What are two characteristics of a null zone? (Choose two.)

A. The null zone is configured by the super user.

B. By default, all unassigned interfaces are placed in the null zone.

C. All ingress and egress traffic on an interface in a null zone is permitted.

D. When an interface is deleted from a zone, it is assigned back to the null zone.

What must be enabled on an SRX Series device for the reporting engine to create reports?

A. packet capture

B. security logging

C. system logging

D. SNMP

Which order is correct for Junos security devices that examine policies for transit traffic?

A. 1. zone policies2. global policies3. default policies

B. 1. default policies2. zone policies3. global policies

C. 1. default policies2. global policies3. zone policies

D. 1. global policies2. zone policies3. default policies

You are asked to configure your SRX Series device to block all traffic from certain countries. The solution must be automatically updated as IP prefixes become allocated to those certain countries.
Which Juniper ATP solution will accomplish this task?

A. Geo IP

B. unified security policies

C. IDP

D. C&C feed