Our pass rate is as high as 98.9%, and the similarity between our JN0-633 study guide and the real exam is 90%, based on our seven years of teaching experience. Do you want to pass the Juniper JN0-633 exam in just one try? I am currently studying for the Juniper JN0-633 exam. Latest Juniper JN0-633 exam practice questions and answers; try the Juniper JN0-633 brain dumps first.

Q81. Click the Exhibit button.

-- Exhibit --

Host traffic is traversing through an IPsec tunnel. Users are complaining of intermittent issues with their connection.

Referring to the exhibit, what is the problem?

A. The tunnel is down due to a configuration change.

B. The do-not-fragment bit is copied to the tunnel header.

C. The MSS option on the SYN packet is set to 1300.

D. The TCP SYN check option is disabled for tunnel traffic.

Answer: B


Q82. You have recently deployed a dynamic VPN. The remote users are complaining that communications with devices on the same subnet as the SRX device are intermittent and often fail. The tunnel is stable and up, and communications with remote devices on different subnets work without any issues. Which configuration setting would resolve this issue?

A. adding local-redirect at the [edit security nat] hierarchy

B. adding local-redirect at the [edit interfaces <interface-name>] hierarchy

C. adding proxy-arp at the [edit security nat] hierarchy

D. adding proxy-arp at the [edit interfaces <interface-name>] hierarchy

Answer: C

Explanation:

Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf


Q83. Which two are required for the SRX device to perform DNS doctoring? (Choose two.)

A. DNS ALG

B. dns-doctoring stanza

C. name-server

D. static NAT

Answer: A,D

Explanation:

Reference: http://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-alg-dns.pdf


Q84. Click the Exhibit button.

-- Exhibit --

An attacker is using a nonstandard port for HTTP for reconnaissance into your network. Referring to the exhibit, which two statements are true? (Choose two.)

A. The IPS engine will not detect the application due to the nonstandard port.

B. The IPS engine will detect the application regardless of the nonstandard port.

C. The IPS engine will perform application identification until the session is established.

D. The IPS engine will perform application identification until it processes the first 256 bytes of the packet.

Answer: B,D 

Explanation: Reference: https://www.juniper.net/techpubs/en_US/idp/topics/example/simple/intrusion-detection-prevention-idp-rulebase-default-service-usage.html


Q85. You want to verify that all application traffic traversing your SRX device uses standard ports. For example, you need to verify that only DNS traffic runs through port 53, and no other protocols. How would you accomplish this goal?

A. Use an IDP policy to identify the application regardless of the port used.

B. Use a custom ALG to detect the application regardless of the port used.

C. Use AppTrack to detect the application regardless of the port used.

D. Use AppID to detect the application regardless of the port used.

Answer: A

Explanation:

AppTrack provides detailed visibility of application traffic. AppTrack is also known as AppID. Reference: http://forums.juniper.net/t5/SRX-Services-Gateway/What-is-AppTrack-aka-AppID/td-p/63029

An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols.

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-security/id-79332.html


Q86. You are asked to ensure traffic from your executive staff does not use the same ISP connection as your other traffic.

Which three actions are required to accomplish this task? (Choose three)

A. Create a firewall filter to match this traffic and send this traffic to the routing instance.

B. Create a routing instance and define the type as no-forwarding.

C. Assign the outgoing interface to the no-forwarding instance.

D. Create a routing instance and define the type as forwarding.

E. Create a RIB group to share routes between the main instance and the routing instance.

Answer: A,D,E


Q87. Click the Exhibit button.

user@host> show services application-identification application-system-cache
Application System Cache Configurations:
Application-cache: off
nested-application-cache: on
cache-unknown-result: on
cache-entry-timeout: 3600 seconds

You are using the application identification feature on your SRX Series device. The help desk reports that users are complaining about slow Internet connectivity. You issue the command shown in the exhibit.

What must you do to correct the problem?

A. Modify the configuration with the delete services application-identification no-application-system-cache command and commit the change.

B. Modify the configuration with the delete services application-identification no-clear-application-system-cache command and commit the change.

C. Reboot the SRX Series device.

D. Modify the configuration with the delete services application-identification no-application-identification command and commit the change.

Answer: B


Q88. What are the three types of attack objects used in an IPS engine? (Choose three.)

A. signature

B. chargen

C. compound

D. component

E. anomaly

Answer: A,C,E 

Explanation: Reference: http://www.juniper.net/techpubs/en_US/idp5.0/topics/concept/intrusion-detection-prevention-idp-rulebase-attack-object-using.html


Q89. You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster. Which two statements about the deployment are true? (Choose two.)

A. The SRX650s must be separated as standalone devices to support the dynamic VPNs.

B. The remote clients must install client software to establish a tunnel with the corporate network.

C. The remote clients must reside behind an SRX device configured as the local tunnel endpoint.

D. The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.

Answer: B,D

Explanation:

Reference: http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf


Q90. Click the Exhibit button.

{primary:node0}[edit security idp idp-policy test-ips-policy]
user@host# show
rulebase-ips {
    rule r1 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
        terminal;
    }
    rule r2 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r3 {
        match {
            source-address 172.16.0.0/12;
            attacks {
                predefined-attack-groups "TELNET - All";
            }
        }
        then {
            action {
                no-action;
            }
        }
    }
    rule r4 {
        match {
            source-address any;
            attacks {
                predefined-attack-groups "FTP - All";
            }
        }
        then {
            action {
                drop-packet;
            }
        }
    }
}

A user with IP address 172.301.100 initiates an FTP session to a host with IP address 10.100.1.50 through an SRX Series device and is subject to the IPS policy shown in the exhibit.

If the user tries to execute the cd ~root command, which statement is correct?

A. The FTP command will be denied with the offending packet dropped and the session will be closed by the SRX device.

B. The FTP command will be denied with the offending packet dropped and the rest of the FTP session will be inspected by the IPS policy.

C. The FTP command will be allowed to execute and the rest of the FTP session will be ignored by the IPS policy.

D. The FTP command will be allowed to execute but any other attacks executed during the session will be inspected.

Answer: D