Juniper JN0-333 Security, Specialist (JNCIS-SEC) exam practice questions
NEW QUESTION 1
Which host-inbound-traffic security zone parameter would allow access to the REST API configured to listen on custom TCP port 5080?
- A. http
- B. all
- C. xnm-clear-text
- D. any-service
Answer: D
NEW QUESTION 2
Which statement describes the function of screen options?
- A. Screen options encrypt transit traffic in a tunnel.
- B. Screen options protect against various attacks on traffic entering a security device.
- C. Screen options translate a private address to a public address.
- D. Screen options restrict or permit users individually or in a group.
Answer: B
NEW QUESTION 3
Which UDP port is used in IPsec tunneling when NAT-T is in use?
- A. 50
- B. 4500
- C. 500
- D. 51
Answer: B
NEW QUESTION 4
Which two statements are true about global security policies? (Choose two.)
- A. Global security policies are evaluated before regular security policies.
- B. Global security policies can be configured to match addresses across multiple zones.
- C. Global security policies can match traffic regardless of security zones.
- D. Global security policies do not support IPv6 traffic.
Answer: BC
NEW QUESTION 5
You are asked to support source NAT for an application that requires that its original source port not be changed.
Which configuration would satisfy the requirement?
- A. Configure a source NAT rule that references an IP address pool with interface proxy ARP enabled.
- B. Configure the egress interface to source NAT fixed-port status.
- C. Configure a source NAT rule that references an IP address pool with the port no-translation parameter enabled.
- D. Configure a source NAT rule that sets the egress interface to the overload status.
Answer: C
NEW QUESTION 6
A link from the branch SRX Series device chassis cluster to the Internet requires more bandwidth. In this scenario, which command would you issue to begin provisioning a second link?
- A. set chassis cluster reth-count 2
- B. set interfaces fab0 fabric-options member-interfaces ge-0/0/1
- C. set interfaces ge-0/0/1 gigether-options redundant-parent reth1
- D. set chassis cluster redundancy-group 1 node 1 priority 1
Answer: B
NEW QUESTION 7
Host A is attempting to connect to Host B using the domain name, which is tied to a public IP address. All attempts to connect to Host B have failed. You have examined the configuration on your SRX340 and determined that a NAT policy is required.
Referring to the exhibit, which two NAT types will allow Host A to connect to Host B? (Choose two.)
- A. source NAT
- B. NAT-T
- C. destination NAT
- D. static NAT
Answer: CD
NEW QUESTION 8
Screens help prevent which three attack types? (Choose three.)
- A. SYN flood
- B. port scan
- C. NTP amplification
- D. ICMP fragmentation
- E. SQL injection
Answer: ABD
NEW QUESTION 9
Referring to the exhibit, what will happen if client 172.16.128.50 tries to connect to destination 192.168.150.111 using HTTP?
- A. The client will be denied by policy p2.
- B. The client will be denied by policy p1.
- C. The client will be permitted by policy p2.
- D. The client will be permitted by policy p1.
Answer: D
NEW QUESTION 10
Which feature is enabled with destination NAT as shown in the exhibit?
- A. NAT overload
- B. block allocation
- C. port translation
- D. NAT hairpinning
Answer: D
NEW QUESTION 11
Which feature is used when you want to permit traffic on an SRX Series device only at specific times?
- A. scheduler
- B. pass-through authentication
- C. ALGs
- D. counters
Answer: A
NEW QUESTION 12
What are three defined zone types on an SRX Series device?
- A. dynamic
- B. junos-host
- C. null
- D. functional
- E. routing
Answer: BCD
NEW QUESTION 13
You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)
- A. Verify that the IKE gateway proposals on the initiator and responder are the same.
- B. Verify that the VPN tunnel configuration references the correct IKE gateway.
- C. Verify that the IKE initiator is configured for main mode.
- D. Verify that the IPsec policy references the correct IKE proposals.
Answer: AB
NEW QUESTION 14
You are configuring an OSPF session between two SRX Series devices. The session will not come up. Referring to the exhibit, which configuration change will solve this problem?
- A. Configure a loopback interface and add it to the trust zone.
- B. Configure the host-inbound-traffic protocols ospf parameter in the trust security zone.
- C. Configure the application junos-ospf parameter in the allow-trusted-traffic security policy.
- D. Configure the host-inbound-traffic system-services any-service parameter in the trust security zone.
Answer: A
NEW QUESTION 15
What is the maximum number of redundancy groups that would be used on a chassis cluster?
- A. The maximum number of redundancy groups used is equal to the number of configured physical interfaces.
- B. The maximum number of redundancy groups used is equal to one more than the number of configured physical interfaces.
- C. The maximum number of redundancy groups used is equal to the number of configured logical interfaces.
- D. The maximum number of redundancy groups used is equal to one more than the number of configured logical interfaces.
Answer: C
NEW QUESTION 16
What are three characteristics of session-based forwarding, compared to packet-based forwarding, on an SRX Series device? (Choose three.)
- A. Session-based forwarding uses stateful packet processing.
- B. Session-based forwarding requires less memory.
- C. Session-based forwarding performs faster processing of existing sessions.
- D. Session-based forwarding uses stateless packet processing.
- E. Session-based forwarding uses six tuples of information.
Answer: ACE
NEW QUESTION 17
What are three valid virtual interface types for a vSRX? (Choose three.)
- A. SR-IOV
- B. fxp0
- C. eth0
- D. VMXNET 3
- E. virtio
Answer: ABD
NEW QUESTION 18
You have recently configured an IPsec tunnel between two SRX Series devices. One of the devices is assigned an IP address using DHCP with an IP address that changes frequently. Initial testing indicates that the IPsec tunnel is not working. Troubleshooting has revealed that Phase 1 negotiations are failing.
Which two actions would solve the problem? (Choose two.)
- A. Verify that the device with the IP address assigned by DHCP is the traffic initiator.
- B. Verify that VPN monitoring is enabled.
- C. Verify that the IKE policy is configured for aggressive mode.
- D. Verify that PKI is properly configured.
Answer: AC
NEW QUESTION 19
Which process describes the implementation of screen options on an SRX Series device?
- A. Configured screen options are only applied when traffic does not match a valid route.
- B. Configured screen options are applied only to the first packet that is processed in a stateful session.
- C. Configured screen options are applied to all packets that are processed by the stateful session firewall processor.
- D. Configured screen options are only applied when traffic does not match a valid policy.
Answer: C
NEW QUESTION 20
You are monitoring traffic on your SRX300 that was configured using the factory default security parameters. You notice that the SRX300 is not blocking traffic between Host A and Host B as expected.
Referring to the exhibit, what is causing this issue?
- A. Host B was not assigned to the Untrust zone.
- B. You have not created address book entries for Host A and Host B.
- C. The default policy has not been committed.
- D. The default policy permits intrazone traffic within the Trust zone.
Answer: D
NEW QUESTION 21
Which three statements describe traditional firewalls? (Choose three.)
- A. A traditional firewall performs stateless packet processing.
- B. A traditional firewall offers encapsulation, authentication, and encryption.
- C. A traditional firewall performs stateful packet processing.
- D. A traditional firewall forwards all traffic by default.
- E. A traditional firewall performs NAT and PAT.
Answer: BCE
NEW QUESTION 22
Which statement would explain why the IP-monitoring feature is functioning incorrectly?
- A. The global weight value is too large for the configured global threshold.
- B. The secondary IP address should be on a different subnet than the reth IP address.
- C. The secondary IP address is the same as the reth IP address.
- D. The monitored IP address is not on the same subnet as the reth IP address.
Answer: C