https://www.examslabs.com/Juniper/JNCIS/best-JN0-333-exam-dumps.html

NEW QUESTION NO: 30
You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)
A. Verify that the IKE initiator is configured for main mode.
B. Verify that the IPsec policy references the correct IKE proposals.
C. Verify that the VPN tunnel configuration references the correct IKE gateway.
D. Verify that the IKE gateway proposals on the initiator and responder are the same.
Answer: B,D
NEW QUESTION NO: 31
Which three Encapsulating Security Payload protocols do the SRX Series devices support with IPsec?
(Choose three.)
A. TLS
B. RC6
C. DES
D. 3DES
E. AES
Answer: C,D,E
NEW QUESTION NO: 32
Screens help prevent which three attack types? (Choose three.)
A. SQL injection
B. SYN flood
C. port scan
D. NTP amplification
E. ICMP fragmentation
Answer: B,C,E
NEW QUESTION NO: 33
Click to the Exhibit button.

Referring to the exhibit, what does proxy ARP allow?
A. the external network to ARP for the internal address of the server
B. the internal network to ARP for the internal address of the server
C. the internal network to ARP for the public address of the server
D. the external network to ARP for the public address of the server
Answer: B
NEW QUESTION NO: 34
Click the Exhibit button.

Referring to the exhibit, which statement is true?
A. TCP packets entering the interface are failing the TCP sequence check.
B. Packets entering the interface are being dropped due to a stateless filter.
C. Packets entering the interface are getting dropped because there is no route to the destination.
D. Packets entering the interface matching an ALG are getting dropped.
Answer: C
NEW QUESTION NO: 35
You are asked to change when your SRX high availability failover occurs. One network interface is considered more important than others in the high availability configuration. You want to prioritize failover based on the state of that interface.
Which configuration would accomplish this task?
A. Create a VRRP group configuration that lists the reth's IP address as the VIP while using each physical interface that make up the reth definition of each SRX HA pair.
B. Configure IP monitoring of the important interface's IP address and adjust the heartbeat interval and heartbeat threshold to the shortest settings.
C. Create a separate redundancy group to isolate the important interface; set the priority of the new redundancy group to 255.
D. Configure interface monitor inside the redundancy group that contains the important physical interface; adjust the weight associated with the monitored interface to 255.
Answer: D
NEW QUESTION NO: 36
Which statement describes the function of NAT?
A. NAT translates a public address to a private address.
B. NAT encrypts transit traffic in a tunnel.
C. NAT detects various attacks on traffic entering a security device.
D. NAT restricts or permits users individually or in a group.
Answer: A
NEW QUESTION NO: 37
You want to ensure that any certificates used in your IPsec implementation do not expire while in use by your SRX Series devices.
In this scenario, what must be enabled on your devices?
A. CRL
B. TLS
C. SCEP
D. RSA
Answer: C
NEW QUESTION NO: 38
Click the Exhibit button.

You have configured NAT on your network so that Host A can communicate with Server B.
You want to ensure that Host C can initiate communication with Host A using Host A's reflexive address.
Referring to the exhibit, which parameter should you configure on the SRX Series device to satisfy this requirement?
A. Configure persistent NAT with the port-overloadingparameter.
B. Configure persistent NAT with the any-remote-hostparameter.
C. Configure persistent NAT with the target-host-portparameter.
D. Configure persistent NAT with the target-hostparameter.
Answer: D
NEW QUESTION NO: 39
What are three characteristics of session-based forwarding, compared to packet-based forwarding, on an SRX Series device? (Choose three.)
A. Session-based forwarding uses six tuples of information.
B. Session-based forwarding uses stateless packet processing,
C. Session-based forwarding requires less memory.
D. Session-based forwarding uses stateful packet processing.
E. Session-based forwarding performs faster processing of existing session.
Answer: A,D,E
NEW QUESTION NO: 40
What is the function of redundancy group 0 in a chassis cluster?
A. Redundancy group 0 identifies the node controlling the cluster management interface IP addresses.
B. The node on which redundancy group 0 is primary determines which Routing Engine is active in the cluster.
C. The primary node for redundancy group 0 identifies the first member node in a chassis cluster.
D. The primary node for redundancy group 0 determines the interface naming for all chassis cluster nodes.
Answer: B
NEW QUESTION NO: 41
You need to configure an IPsec tunnel between a remote site and a hub site. The SRX Series device at the remote site receives a dynamic IP address on the external interface that you will use for IPsec.
Which feature would you need to configure in this scenario?
A. IKEv2
B. NAT-T
C. aggressive mode
D. crypto suite B
Answer: C
NEW QUESTION NO: 42
What are two fields that an SRX Series device examines to determine if a packet is associated with an existing flow? (Choose two.)
A. source MAC address
B. source IP address
C. protocol
D. type of service
Answer: B,C
NEW QUESTION NO: 43
Which three statements describes traditional firewalls? (Choose three.)
A. A traditional firewall performs stateful packet processing.
B. A traditional firewall offers encapsulation, authentication, and encryption.
C. A traditional firewall forwards all traffic by default.
D. A traditional firewall performs NAT and PAT.
E. A traditional firewall performs stateless packet processing.
Answer: A,B,D
NEW QUESTION NO: 44
Click the Exhibit button.

A customer would like to monitor their VPN using dead peer detection.
Referring to the exhibit, for how many minutes was the peer down before the customer was notified?
A. 2
B. 4
C. 3
D. 5
Answer: D
NEW QUESTION NO: 45
Click the Exhibit button.

The inside server must communicate with the external DNS server. The internal DNS server address is
10.100.75.75. The external DNS server address is 75.75.76.76. Traffic from the inside server to the DNS server fails.
Referring to the exhibit, what is causing the problem?
A. The security policy must match the translated destination address.
B. The security policy must match the translated source and translated destination address.
C. The static NAT rule must use the global address book entry name for the DNS server.
D. Source and static NAT cannot be configured at the same time.
Answer: B
NEW QUESTION NO: 46
Which statement is true about functional zones?
A. Functional zones are the building blocks for security policies.
B. Functional zones provide a means of distinguishing groups of hosts and their resources from one another.
C. Functional zones are a collection of regulated transit network segments.
D. Functional zones are used for management.
Answer: D
NEW QUESTION NO: 47
Which three elements does AH provide in an IPsec implementation? (Choose three.)
A. confidentiality
B. replay attack protection
C. integrity
D. authentication
E. availability
Answer: B,C,D
NEW QUESTION NO: 48
Which statement describes the function of screen options?
A. Screen options protect against various attacks on traffic entering a security device.
B. Screen options encrypt transit traffic in a tunnel.
C. Screen options restrict or permit users individually or in a group.
D. Screen options translate a private address to a public address.
Answer: A
NEW QUESTION NO: 49
Click the Exhibit button.

Which feature is enabled with destination NAT as shown in the exhibit?
A. NAT hairprinting
B. NAT overload
C. port translation
D. block allocation
Answer: C
NEW QUESTION NO: 50
What are two valid zones available on an SRX Series device? (Choose two.)
A. functional zones
B. security zones
C. transit zones
D. policy zones
Answer: A,B