CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Juniper
  5. JN0-636

Free JN0-636 Exam Braindumps (page: 11)

Page 2 of 29
PDF with 115 Questions

Exhibit



You are using trace options to verity NAT session information on your SRX Series device Referring to the exhibit, which two statements are correct? (Choose two.)

  1. This packet is part of an existing session.
  2. The SRX device is changing the source address on this packet from
  3. This is the first packet in the session
  4. The SRX device is changing the destination address on this packet 10.0.1 1 to 172 20.101.10.

Answer(s): A,D

Explanation:

According to the trace options output in the exhibit, the following statements are correct:
This packet is part of an existing session. This is indicated by the line flow session id 0x00000000, hash 0x00000000, table 0x00000000, flow process exit, which shows that the packet matches an existing session entry in the flow table.
The SRX device is changing the destination address on this packet from 10.0.1.1 to 172.20.101.10. This is indicated by the line nat: translated 10.0.1.1->172.20.101.10, which shows that the packet undergoes destination NAT2.
The following statements are incorrect:
The SRX device is changing the source address on this packet. There is no indication of source NAT in the trace options output.
This is the first packet in the session. The first packet in a session would have a different trace options output, which would include the line flow_first_inline_processing and show the creation of a new session entry in the flow table.


Reference:

1: SRX Getting Started ­ Troubleshooting Traffic Flows and Session Establishment 2: SRX Getting Started - Configure NAT (Network Address Translation)



Exhibit



You are asked to establish an IBGP peering between the SRX Series device and the router, but the session is not being established. In the security flow trace on the SRX device, packet drops are observed as shown in the exhibit.
What is the correct action to solve the problem on the SRX device?

  1. Create a firewall filter to accept the BGP traffic
  2. Configure destination NAT for BGP traffic.
  3. Add BGP to the Allowed host-inbound-traffic for the interface
  4. Modify the security policy to allow the BGP traffic.

Answer(s): C

Explanation:

According to the security flow trace in the exhibit, the packets are dropped for self but not interested. This means that the SRX device is receiving packets destined to itself, but it does not have the corresponding service configured in the host-inbound-traffic stanza for the interface. In this case, the service is BGP, which uses TCP port 179. Therefore, the correct action to solve the problem on the SRX device is to add BGP to the allowed host-inbound-traffic for the interface. This can be done by using the following command:
set security zones security-zone <zone-name> interfaces <interface-name> host-inbound-traffic system-services bgp
This command will allow the SRX device to accept BGP packets on the specified interface and zone. Alternatively, the command can be applied to all interfaces in a zone by using the all- interfaces option.


Reference:

1: SRX Getting Started - Troubleshoot Security Policy
2: Configuring System Services Allowed for Host Inbound Traffic



SRX Series device enrollment with Policy Enforcer fails To debug further, the user issues the following command show configuration services security--intelligence url https : //cloudfeeds . argon . juniperaecurity . net/api/manifeat. xml and receives the following output:
What is the problem in this scenario?

  1. The device is directly enrolled with Juniper ATP Cloud.
  2. The device is already enrolled with Policy Enforcer.
  3. The SRX Series device does not have a valid license.
  4. Junos Space does not have matching schema based on the

Answer(s): C

Explanation:

According to the output of the command show configuration services security-intelligence url, the SRX Series device is directly enrolled with Juniper ATP Cloud. This is indicated by the URL https://cloudfeeds.argon.junipersecurity.net/api/manifest.xml, which is the default URL for Juniper ATP Cloud. This means that the device is not enrolled with Policy Enforcer, which would use a different URL that includes the IP address of the Policy Enforcer server. Therefore, the problem in this scenario is that the device is directly enrolled with Juniper ATP Cloud, which prevents it from being enrolled with Policy Enforcer.
To enroll the device with Policy Enforcer, the user needs to disenroll the device from Juniper ATP Cloud first. This can be done by using the following command:
delete services security-intelligence url.
This command will remove the Juniper ATP Cloud URL from the device configuration and stop the device from receiving threat feeds from Juniper ATP Cloud. After that, the user can enroll the device with Policy Enforcer by using the Security Director GUI or the SLAX script.


Reference:

1: Configuring Juniper ATP Cloud on SRX Series Devices 2: Enrolling SRX Series Devices with Policy Enforcer



Exhibit



Referring to the exhibit, which three statements are true? (Choose three.)

  1. The packet's destination is to an interface on the SRX Series device.
  2. The packet's destination is to a server in the DMZ zone.
  3. The packet originated within the Trust zone.
  4. The packet is dropped before making an SSH connection.
  5. The packet is allowed to make an SSH connection.

Answer(s): A,C,D

Explanation:

According to the exhibit, which is a security flow trace on an SRX Series device, the following statements are true:
The packet's destination is to an interface on the SRX Series device. This is indicated by the line packet dropped for self but not interested, which means that the packet is destined to the SRX device itself, but the device does not have the corresponding service configured in the host-inbound- traffic stanza for the interface.
The packet originated within the Trust zone. This is indicated by the line zone name: Trust, which shows that the packet belongs to the Trust zone. The Trust zone is typically the zone where the internal network is connected to the SRX device.
The packet is dropped before making an SSH connection. This is indicated by the line flow_first_inline_processing: pak(0x4a9c0d0), which shows that the packet is the first packet in the session and is processed by the firewall. The packet is dropped because it does not match any security policy or host-inbound-traffic rule. The packet is trying to make an SSH connection, which uses TCP port 22, as shown by the line source port: 22.
The following statements are false:
The packet's destination is to a server in the DMZ zone. There is no indication of the DMZ zone in the trace output. The DMZ zone is typically the zone where the external servers are connected to the SRX device.
The packet is allowed to make an SSH connection. The packet is not allowed to make an SSH connection, as explained above.


Reference:

1: SRX Getting Started - Troubleshoot Security Policy 2: SRX Getting Started - Configure Security Zones






Post your Comments and Discuss Juniper JN0-636 exam with other Community members:

JN0-636 Exam Discussions & Posts