Juniper JN0-637 Practice Test - Questions Answers, Page 4

Which two statements are correct about the ICL in an active/active mode multinode HA environment? (Choose two.)

A. The ICL is strictly a Layer 2 interface.

B. The ICL uses a separate routing instance to communicate with remote multinode HA peers.

C. The ICL traffic can be encrypted.

D. The ICL is the local device management interface in a multinode HA environment.

Suggested answer: B, C

Exhibit:

Your company uses SRX Series devices to establish an IPsec VPN that connects Site-1 and the HQ networks. You want VoIP traffic to receive priority over data traffic when it is forwarded across the VPN.

Which three actions should you perform in this scenario? (Choose three.)

A. Enable next-hop tunnel binding.

B. Create a firewall filter that identifies VoIP traffic and associates it with the correct forwarding class.

C. Configure CoS forwarding classes and scheduling parameters.

D. Enable the copy-outer-dscp parameter so that DSCP header values are copied to the tunneled packets.

E. Enable the multi-sa parameter to enable two separate IPsec SAs for the VoIP and data traffic.

Suggested answer: B, C, E

Your IPsec tunnel is configured with multiple security associations (SAs). Your SRX Series device supports the CoS-based IPsec VPNs with multiple IPsec SAs feature. You are asked to configure CoS for this tunnel.

Which two statements are true in this scenario? (Choose two.)

A. The local and remote gateways do not need the forwarding classes to be defined in the same order.

B. A maximum of four forwarding classes can be configured for a VPN with the multi-sa forwarding-classes statement.

C. The local and remote gateways must have the forwarding classes defined in the same order.

D. A maximum of eight forwarding classes can be configured for a VPN with the multi-sa forwarding-classes statement.

Suggested answer: A, D

The exhibit shows part of the flow session logs.

A. The existing session is found in the table, and the fast path process begins.

B. This packet arrives on interface ge-0/0/4.0.

C. Junos captures a TCP packet from source address 172.20.101.10 destined to 10.0.1.129.

D. Destination NAT occurs.

Suggested answer: B, D

You have deployed automated threat mitigation using Security Director with Policy Enforcer, Juniper ATP Cloud, SRX Series devices, Forescout, and third-party switches.

In this scenario, which device is responsible for communicating directly to the third-party switches when infected hosts need to be blocked?

A. Forescout

B. Policy Enforcer

C. Juniper ATP Cloud

D. SRX Series device

Suggested answer: B

Explanation:

Policy Enforcer receives the threat-mitigation policies from Security Director (fed by Juniper ATP Cloud's infected-host feed) and translates them into device-specific commands. It then communicates with the third-party switches (using protocols such as SNMP, RADIUS, or vendor-specific APIs) to enforce those commands, for example by blocking the infected hosts' MAC addresses or port access.

Why Policy Enforcer is the Right Choice:

Centralized Enforcement: Policy Enforcer acts as the central point of enforcement for Security Director policies, ensuring consistent security across the network.

Multi-Vendor Support: It can interact with a wide range of network devices, including switches from different vendors.

Automation: Policy Enforcer automates the policy enforcement process, enabling rapid response to threats.

Referring to the exhibit, which two statements are correct about the NAT configuration? (Choose two.)

A. Both the internal and the external host can initiate a session after the initial translation.

B. Only a specific host can initiate a session to the reflexive address after the initial session.

C. Any external host will be able to initiate a session to the reflexive address.

D. The original destination port is used for the source port for the session.

Suggested answer: B, D

Explanation:

Persistent NAT with target-host restricts session initiation to specific addresses, enhancing security. Reflexive NAT supports multiple connections by preserving the original port. Refer to Juniper NAT Configuration Documentation.

Referring to the NAT configuration shown in the exhibit:

Specific Host Can Initiate a Session (Answer B): The configuration uses persistent NAT with the permit target-host-port statement. This allows a specific external host (based on the target host and port used in the initial session) to initiate a session back to the internal host after the initial session has been established.

Persistent NAT ensures that the translation state is maintained, allowing external hosts to connect back only under specific conditions (e.g., the same target host and port as used in the original connection).

Original Destination Port (Answer D): The original destination port used by the internal host is retained as the source port when the session is established from outside to inside. This behavior is a result of how persistent NAT binds the internal and external sessions, ensuring that communication occurs over the same port used for the initial session.

You are using ADVPN to deploy a hub-and-spoke VPN to connect your enterprise sites.

Which two statements are true in this scenario? (Choose two.)

A. ADVPN creates a full-mesh topology.

B. IBGP routing is required.

C. OSPF routing is required.

D. Certificate-based authentication is required.

Suggested answer: C, D

You want to create a connection for communication between tenant systems without using physical revenue ports on the SRX Series device.

What are two ways to accomplish this task? (Choose two.)

A. Use an external router.

B. Use an interconnect VPLS switch.

C. Use a secure wire.

D. Use a point-to-point logical tunnel.

Suggested answer: B, D

An ADVPN configuration has been verified on both the hub and spoke devices and it seems fine. However, OSPF is not functioning as expected.

Referring to the exhibit, which two statements under interface st0.0 on both the hub and spoke devices would solve this problem? (Choose two.)

A. interface-type p2mp

B. dynamic-neighbors

C. passive

D. interface-type p2p

Suggested answer: A, B

Explanation:

For ADVPN with OSPF, using a point-to-multipoint (p2mp) interface type and enabling dynamic-neighbors are crucial. This configuration allows dynamic discovery of neighbors and the establishment of tunnels. For more information, refer to Juniper ADVPN Configuration Guide.

In the ADVPN configuration, OSPF isn't functioning as expected due to the interface configuration on st0.0. Here are the adjustments needed:

Interface Type p2mp (Answer A): OSPF requires that the tunnel interface be set to p2mp (point-to-multipoint) to allow OSPF to communicate with multiple dynamic neighbors over the ADVPN tunnels.

Command Example (the interface type is set under the OSPF protocol hierarchy, not under the interface's family inet stanza):

```
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
```

Dynamic Neighbors (Answer B): The dynamic neighbors statement allows OSPF to discover and communicate with dynamically established spokes in an ADVPN environment. This is essential for ADVPN to function properly since the tunnel endpoints are not static.

Command Example:

```
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
```

These settings ensure OSPF properly functions over dynamically created ADVPN tunnels.

You have deployed an SRX Series device at your network edge to secure Internet-bound sessions for your local hosts using source NAT. You want to ensure that your users are able to interact with applications on the Internet that require more than one TCP session for the same application session.

Which two features would satisfy this requirement? (Choose two.)

A. address persistence

B. STUN

C. persistent NAT

D. double NAT

Suggested answer: A, C

Explanation:

Address persistence ensures that the same NAT IP address is used for all sessions originating from a single source IP. Persistent NAT maintains connections for applications needing multiple sessions, like VoIP. Additional details are available in Juniper NAT Documentation.

For applications that require multiple TCP sessions for the same application session (such as VoIP or certain online games), the SRX device needs to handle NAT properly to maintain session continuity. Here's what helps:

Address Persistence (Answer A): Address persistence ensures that multiple sessions initiated by the same internal host are mapped to the same external IP address. This is crucial for applications that use multiple TCP sessions to maintain a stateful connection with the external server.

Command Example (address persistence is a global source NAT setting and is configured with the address-persistent statement, independent of persistent NAT):

```
set security nat source address-persistent
```

Persistent NAT (Answer C): This feature allows the external server to initiate new connections to the internal client using the same NAT translation. It's essential for applications that require consistent NAT mappings across multiple sessions.

Command Example (persistent NAT is configured on the source NAT rule's action; rs1, r1 and pool1 are placeholder rule-set, rule and pool names):

```
set security nat source rule-set rs1 rule r1 then source-nat pool pool1 persistent-nat permit target-host-port
```

These features ensure that applications with multiple TCP sessions work seamlessly across NAT.

Total 115 questions