CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Juniper
  5. JN0-636

Free JN0-636 Exam Braindumps (page: 13)

Page 12 of 29
PDF with 115 Questions

Which two features would be used for DNS doctoring on an SRX Series firewall? (Choose two.)

  1. The DNS ALG must be enabled.
  2. static NAT
  3. The DNS ALG must be disabled.
  4. source NAT

Answer(s): A,B

Explanation:

DNS doctoring is a feature that allows the SRX Series firewall to modify the IP address in a DNS response based on a static NAT rule. This can be useful when the DNS server returns an IP address that is not reachable by the client, such as a private IP address or an IP address from a different network. To use DNS doctoring, the following requirements must be met:
The DNS ALG must be enabled. The DNS ALG is responsible for parsing the DNS messages and performing the IP address translation. The DNS ALG can be enabled globally or per security policy. To enable the DNS ALG globally, use the command set security alg dns enable. To enable the DNS ALG per security policy, use the command set security policies from-zone zone1 to-zone zone2 policy policy1 then permit application-services application-firewall rule-set rule-set-name application junos-dns.
Static NAT must be configured for the IP address that needs to be translated. Static NAT is a type of NAT that maps a fixed IP address to another fixed IP address. Static NAT can be configured using the command set security nat static rule-set rule-set-name rule rule-name match destination-address address and set security nat static rule-set rule-set-name rule rule-name then static-nat prefix prefix.


Reference:

DNS ALG and Doctoring Support
Understanding DNS ALG and NAT Doctoring
Disabling DNS ALG and NAT Doctoring
SRX Getting Started - Configure DNS



Exhibit



You are not able to ping the default gateway of 192.168 100 1 (or your network that is located on your SRX Series firewall.
Referring to the exhibit, which two commands would correct the configuration of your SRX Series device? (Choose two.)
A)



B)



C)



D)

  1. Option A
  2. Option B
  3. Option C
  4. Option D

Answer(s): A,B



You configured a chassis cluster for high availability on an SRX Series device and enrolled this HA cluster with the Juniper ATP Cloud.
Which two statements are correct in this scenario? (Choose two.)

  1. You must use different license keys on both cluster nodes.
  2. When enrolling your devices, you only need to enroll one node.
  3. You must set up your HA cluster after enrolling your devices with Juniper ATP Cloud
  4. You must use the same license key on both cluster nodes.

Answer(s): B,D

Explanation:

When enrolling your devices, you only need to enroll one node: The Juniper ATP Cloud automatically recognizes the HA configuration and applies the same license and configuration to both nodes of the cluster.
You must use the same license key on both cluster nodes: The HA cluster needs to share the same license key in order to be recognized as a single device by the Juniper ATP Cloud. You must set up your HA cluster before enrolling your devices with Juniper ATP Cloud. And it is not necessary to use different license keys on both cluster nodes because the HA cluster shares the same license key.

The two statements that are correct in this scenario are:
When enrolling your devices, you only need to enroll one node. This is because the Juniper ATP Cloud service supports chassis cluster mode for SRX Series devices.
When you enroll a chassis cluster, you only need to enroll the primary node of the cluster. The secondary node will be automatically enrolled and synchronized with the primary node. You do not need to enroll the secondary node separately or perform any additional configuration on it. You must use the same license key on both cluster nodes. This is because the Juniper ATP Cloud service requires a license key to activate the service on the SRX Series devices. The license key is tied to the serial number of the device.
When you enroll a chassis cluster, you must use the same license key on both nodes of the cluster. The license key must match the serial number of the primary node of the cluster. You cannot use different license keys on the cluster nodes.


Reference:

Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-atp-cloud-

enrolling-srx-series.html https://www.juniper.net/documentation/en_US/junos/topics/concept/security-atp-cloud-licensing- overview.html



Exhibit



You are implementing filter-based forwarding to send traffic from the 172.25.0.0/24 network through ISP-1 while sending all other traffic through your connection to ISP-2. Your ge-0/0/1 interface connects to two networks, including the 172.25.0.0/24 network. You have implemented the configuration shown in the exhibit. The traffic from the 172.25.0.0/24 network is being forwarded as expected to 172.20.0.2, however traffic from the other network (172.25.1.0/24) is not being forwarded to the upstream 172.21.0.2 neighbor.
In this scenario, which action will solve this problem?

  1. You must specify that the 172.25.1.1/24 IP address is the primary address on the ge-0/0/1 interface.
  2. You must apply the firewall filter to the lo0 interface when using filter-based forwarding.
  3. You must add another term to the firewall filter to accept the traffic from the 172.25.1.0/24 network.
  4. You must create the static default route to neighbor 172.21 0.2 under the ISP-1 routing instance hierarchy.

Answer(s): C

Explanation:

The exhibit shows the configuration of filter-based forwarding on an SRX Series device. Filter-based forwarding is a feature that allows the device to use firewall filters to direct traffic to different routing instances based on the match criteria. In this scenario, the device has two routing instances - ISP-1 and ISP-2 - and two firewall filters - FBF and FBF-ISP-1. The FBF filter is applied to the ge-0/0/1 interface as an input filter. The FBF filter has one term that matches the traffic from the 172.25.0.0/24 network and directs it to the ISP-1 routing instance. The ISP-1 routing instance has a static route to the next hop 172.20.0.2. The FBF-ISP-1 filter is applied to the ge-0/0/0 interface as an output filter. The FBF-ISP-1 filter has one term that matches the traffic to the 172.20.0.2 next hop and sets the forwarding class to expedited-forwarding.
The problem in this scenario is that the traffic from the other network (172.25.1.0/24) is not being forwarded to the upstream 172.21.0.2 neighbor. This is because the FBF filter does not have a term that accepts the traffic from the 172.25.1.0/24 network. The FBF filter only has one term that matches the traffic from the 172.25.0.0/24 network and directs it to the ISP-1 routing instance. The traffic from the 172.25.1.0/24 network does not match this term and is therefore discarded by the implicit deny action at the end of the filter. The traffic from the 172.25.1.0/24 network should be forwarded to the ISP-2 routing instance, which has a static default route to the next hop 172.21.0.2. To solve this problem, you must add another term to the FBF filter to accept the traffic from the 172.25.1.0/24 network. This term should have the action accept, which means that the traffic will be forwarded according to the routing table of the master routing instance. The master routing instance has a static default route to the ISP-2 routing instance, which in turn has a static default route to the next hop 172.21.0.2. By adding this term, the traffic from the 172.25.1.0/24 network will be forwarded to the upstream 172.21.0.2 neighbor as expected. The configuration of the new term in the FBF filter could look something like this:
[edit firewall family inet filter FBF] term 2 { from { source-address { 172.25.1.0/24; } } then { accept; } }


Reference:

Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents:
https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-filter- based-forwarding-overview.html https://www.juniper.net/documentation/en_US/junos/topics/example/filter-based-forwarding- example.html






Post your Comments and Discuss Juniper JN0-636 exam with other Community members:

JN0-636 Discussions & Posts