Q31. Click the Exhibit button.

[edit]
user@host# run show log debug

Feb 3 22:04:31 22:04:31.824294:CID-0:RT:flow_first_policy_search: policy search from zone host-> zone attacker (0x0,0xe4089404,0x17)

Feb 3 22:04:31 22:04:31.824297:CID-0:RT:Policy lkup: vsys 0 zone(9:host) -> zone(10:attacker) scope: 0

Feb 3 22:04:31 22:04:31.824770:CID-0:RT: -> proto 6

Feb 3 22:04:31 22:04:31.824778:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope: 0

Feb 3 22:04:31 22:04:31.824780:CID-0:RT: -> proto 6

Feb 3 22:04:31 22:04:31.824783:CID-0:RT: app 10, timeout 1800s, curr ageout 20s

Feb 3 22:04:31 22:04:31.824785:CID-0:RT: permitted by policy default-policy-00(2)

Feb 3 22:04:31 22:04:31.824787:CID-0:RT: packet passed, Permitted by policy.

Feb 3 22:04:31 22:04:31.824790:CID-0:RT:flow_first_src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False

Feb 3 22:04:31 22:04:31.824834:CID-0:RT:flow_first_src_xlate: incoming src port is: 38118

Which two statements are true regarding the output shown in the exhibit? (Choose two.)

A. The packet does not match any user-configured security policies.

B. The user has configured a security policy to allow the packet.

C. The log is showing the first path packet flow.

D. The log shows the reverse flow of the session.

Answer: C

Q32. Your manager asks you to show which attacks have been detected on your SRX Series device using the IPS feature.

Which command would you use to accomplish this task?

A. show security idp attack detail

B. show security idp attack table

C. show security idp memory

D. show security idp counters

Answer: B

Q33. You are asked to deploy a group VPN between various sites associated with your company. The gateway devices at the remote locations are SRX240 devices.

Which two statements about the new deployment are true? (Choose two.)

A. The networks at the various sites must use NAT.

B. The participating endpoints in the group VPN can belong to a chassis cluster.

C. The networks at the various sites cannot use NAT.

D. The participating endpoints in the group VPN cannot be part of a chassis cluster.

Answer: C,D


Reference: http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide_v1.2.pdf

Q34. Click the Exhibit button.

Traffic is flowing between the Host-1 and Host-2 devices through a hub-and-spoke IPsec VPN. All devices are SRX Series devices.

Referring to the exhibit, which two statements are correct? (Choose two.)

A. Traffic is encrypted on the Hub device.

B. Traffic is encrypted on the Spoke-2 device.

C. Traffic is not encrypted on the Spoke-2 device.

D. Traffic is not encrypted on the Hub device.

Answer: D

Q35. What are two intrusion protection mechanisms available on SRX Series Services Gateways? (Choose two.)

A. routing update detection

B. traffic anomaly detection

C. NAT anomaly protection

D. DoS protection

Answer: B,D


The Juniper IPS feature provides traffic anomaly detection and protection against DoS/DDoS attacks. Reference: http://www.juniper.net/in/en/products-services/software/router-services/ips/

Q36. You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote user. Regarding this scenario, which three statements are correct? (Choose three.)

A. You must use preshared keys.

B. IKE aggressive mode must be used.

C. Only predefined proposal sets can be used.

D. Only policy-based VPNs are supported.

E. You can use all methods of encryption.

Answer: A,B,D 

Explanation: Reference


Q37. What is a benefit of using a group VPN?

A. It provides a layer of redundancy on top of a point-to-point VPN mesh architecture.

B. It eliminates the need for point-to-point VPN tunnels.

C. It provides a way to grant VPN access on a per-user-group basis.

D. It simplifies IPsec access for remote clients.

Answer: B


Reference: Page 4 of http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf

Q38. You are asked to establish a hub-and-spoke IPsec VPN using your SRX Series device as the hub. All of your spoke devices are third-party devices.

Which statement is correct?

A. You must create a policy-based VPN on the hub device when peering with third-party devices.

B. You must always peer using loopback addresses when using non-Junos devices as your spokes.

C. You must statically configure the next-hop tunnel binding table entries for each of the third-party spoke devices.

D. You must ensure that you are using aggressive mode when incorporating third-party devices as your spokes.

Answer: C

Q39. A security administrator has configured an IPsec tunnel between two SRX devices. The devices are configured with OSPF on the st0 interface and an external interface destined to the IPsec endpoint. The administrator notes that the IPsec tunnel and OSPF adjacency keep going up and down. Which action would resolve this issue?

A. Create a firewall filter on the st0 interface to permit IP protocol 89.

B. Configure the IPsec tunnel to accept multicast traffic.

C. Create a /32 static route to the IPsec endpoint through the external interface.

D. Increase the OSPF metric of the external interface.

Answer: C

Explanation: Reference: http://packetsneverlie.blogspot.in/2013/03/route-based-ipsec-vpn-with-ospf.html

Q40. HostA ( is sending TCP traffic to HostB ( You need to capture the TCP packets locally on the SRX240. Which configuration would you use to enable this capture?

A. [edit security flow]
user@srx# show
traceoptions {
    file dump;
    flag basic-datapath;
}

B. [edit security]
user@srx# show
application-tracking {
    enable;
}
flow {
    traceoptions {
        file dump;
        flag basic-datapath;
    }
}

C. [edit firewall filter capture term one]
user@srx# show
from {
    source-address {;
    }
    destination-address {;
    }
    protocol tcp;
}
then {
    port-mirror;
    accept;
}

D. [edit firewall filter capture term one]
user@srx# show
from {
    source-address {;
    }
    destination-address {;
    }
    protocol tcp;
}
then {
    sample;
    accept;
}

Answer: D

Explanation: Reference: http://khurramkhalid.wordpress.com/2012/05/22/packet-capture-on-srx-devices/