[Free] 2017(Jan) EnsurePass Pass4sure Juniper JN0-696 Dumps with VCE and PDF 21-30

Security Support, Professional (JNCSP-SEC)

Question No: 21

– Exhibit –

    user@host> show configuration security utm
    custom-objects {
        url-pattern {
            block-juniper {
                value *.spammer.com;
            }
        }
        custom-url-category {
            blacklist {
                value block-juniper;
            }
        }
    }
    feature-profile {
        anti-spam {
            address-blacklist block-juniper;
            sbl {
                profile myprofile {
                    no-sbl-default-server;
                    spam-action block;
                }
            }
        }
    }
    utm-policy wildcard-policy {
        anti-spam {
            smtp-profile myprofile;
        }
    }

– Exhibit –

Click the Exhibit button.

You added a blacklist to your antispam policy to block any e-mails from the spammer.com domain. However, your users are complaining that they are still receiving spam e-mails from that domain. You run the utm teststring test and confirm that the blacklist is not working.

Referring to the exhibit, what is causing this problem?

  1. The wildcard character * cannot be used for the e-mail pattern match.

  2. The protocol-command smtp value sender: needs to be added under custom-objects.

  3. url-pattern is not supported for antispam.

  4. The pattern needs to be preceded by an @ symbol.

Answer: A

Explanation:

You can configure entries on either list by IP address, e-mail address, or domain name. You can use asterisk * or question mark ? wildcards on the local lists. You must precede all wildcard URLs with http://. You can only use the asterisk * wildcard character if it is at the beginning of the URL and is followed by a period. You can only use the question mark ? wildcard character at the end of the URL. The following wildcard syntax is supported: http://*.juniper.net. The following wildcard syntax is not supported: http://*.

References: http://www.juniper.net/techpubs/en_US/nsm2012.2/topics/task/configuration/threat-mitigation-local-listantispam-configuring-nsm.html

Question No: 22

You are asked to review the logs on an SRX Series device. You issue the command shown below.

    [edit]
    root# run show log messages

You receive the following log message:

    Aug 26 20:55:44 root idpd[1045]: IDP_POLICY_LOAD_SUCCEEDED: IDP policy[/var/db/idpd/bins/test.bin.gz.v] and detector[/var/db/idpd/sec-repository/installeddetector/libidp-detector.so.tgz.v] loaded successfully(Regular load) …

What information does this log describe?

  1. The IDP policy and detector were properly downloaded.

  2. The detector version was successfully loaded.

  3. The IDP policy and detector were properly installed.

  4. The security policy was successfully backed up in /var/db/idpd.

Answer: C

Explanation:

The sample output below shows that the policy compilation, sensor configuration, and policy load are successful.

    Aug 3 15:47:51 chiron idpd[2678]: IDP_POLICY_LOAD_SUCCEEDED: IDP policy[/var/db/idpd/bins/idpengine.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully(Regular load).

References: https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/task/verification/idp-policy-compilation-and-loadstatus-verifying.html

Question No: 23

You recently configured the antivirus feature profile on your Junos device. The security policy is sending traffic for antivirus scanning. However, the traffic is being blocked and you repeatedly receive the system log message that the scan engine is not ready. You must not allow the traffic to be dropped when the scan engine is not ready.

Which action will resolve this problem?

  1. Configure antivirus trickling to prevent the scan engine from timing out.

  2. Configure an antivirus file scanning extension list to reduce the number of files for scanning.

  3. Configure an antivirus fallback option to permit the traffic when the scan engine is not ready.

  4. Configure an antivirus content size limit to minimize the scanning of large files.

Answer: C

Explanation:

Configure a fallback option so that no traffic gets dropped, for instance when you are scanning many files or big files.

The size of the files that can be scanned can also be configured.

References: http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/configuration-statement/security-editengine-not-ready-sophos-engine.html

Question No: 24

You are asked to troubleshoot a number of dynamic VPN connections on an SRX Series device.

Which three statements are correct? (Choose three.)

  1. The configuration supports DH groups 1, 3, and 5.

  2. Only RSAs are supported for IKE phase 1 authentication.

  3. Dynamic VPN tunnels must be configured with extended authentication (XAUTH).

  4. The SRX Series device requires a license for each remote client.

  5. Only policy-based VPNs are supported.

Answer: C,D,E

Explanation:

C: Dynamic VPN tunnels must be configured with extended authentication (XAuth).

D: When configuring a shared or group IKE ID gateway, you can configure the maximum number of connections to be greater than the number of installed dynamic VPN licenses. However, if a new connection exceeds the number of licensed connections, the connection will be denied.

E: Only policy-based VPNs are supported. Route-based VPNs are not supported with dynamic VPN tunnels.

Incorrect:

A: The dynamic VPN client supports DH groups 1, 2, and 5.

B: Only preshared keys are supported for Phase 1 authentication with dynamic VPN tunnels.

References: http://www.juniper.net/documentation/en_US/junos12.1x44/topics/concept/vpn-security-dynamic-tunnelunderstanding.html

Question No: 25

Two SRX Series devices are having problems establishing an IPsec VPN session. One of the devices has a firewall filter applied to its gateway interface that rejects UDP traffic.

What would resolve the problem?

  1. Disable the IKE Phase 1 part of the session establishment.

  2. Disable the IKE Phase 2 part of the session establishment.

  3. Change the configuration so that session establishment uses TCP.

  4. Edit the firewall filter to allow UDP port 500.

Answer: D

Explanation:

UDP port 500 is used by IKE.

Question No: 26

Users at a branch office report that they cannot reach an internal Web server. The users connect through a single SRX Series device to reach the Web server. A security policy has been configured on the device that allows traffic to flow between interfaces in the Trust zone.

What is causing this problem?

  1. The interface on the device that connects to the Web server is not in the Trust zone.

  2. The IPsec VPN connection between the users and the Web server is down.

  3. There is a host inbound traffic configuration problem.

  4. There is an antispam configuration problem.

Answer: A

Explanation:

Host inbound traffic configuration is ignored as this is not destined to the device (SRX) itself.

Question No: 27

– Exhibit –

– Exhibit –

Click the Exhibit button.

You have created a new VPN tunnel to your partner's site but IKE Phase 1 is not coming up. You check the trace log and find the following log message:

    Jun [IKED 2] iked_pm_id_validate id NOT matched.

Considering the topology and the SRX Series device's configuration shown in the exhibit, which modification is needed under [edit security gateway Partner]?

  1. rename address 20.1.1.1 to address 192.168.1.1

  2. set remote-identity inet 192.168.1.1

  3. set local-identity inet 20.1.1.1

  4. set local-identity inet 50.1.1.1

Answer: B

Explanation:

You establish the tunnel against the public IP address of a firewall, which uses NAT to map it to the private IP address. The address is right, because you would never be able to reach a private IP address through the Internet.

You need to establish the tunnel with the private IP address, so the remote-identity command is the right choice.

References: http://kb.juniper.net/InfoCenter/index?page=content&id=KB25462

Question No: 28

You have an SRX branch device with two ISP connections. During analysis of the traffic, you notice that traffic from internal users to ISP 1 is replied to by ISP 2.

Which two configurations will correct the asymmetric problem? (Choose two.)

  1. Create a security policy to allow traffic through ISP 1 only.

  2. Create routing instances that include routes to ISP 1 and ISP 2.

  3. Configure filter-based forwarding to provide load balancing.

  4. Create an interface-specific firewall filter to forward the traffic to ISP 1.

Answer: A,B

Question No: 29

– Exhibit –

    user@host> show log ike-test
    Jun 13 10:36:52 ike_st_i_cr: Start
    Jun 13 10:36:52 ike_st_i_cert: Start
    Jun 13 10:36:52 ike_st_i_private: Start
    Jun 13 10:36:52 ike_st_o_id: Start
    Jun 13 10:36:52 ike_st_o_hash: Start
    Jun 13 10:36:52 ike_find_pre_shared_key: Find pre shared key key for 172.168.100.2:500, id = ipv4(udp:500, [0..3]=172.168.100.2) -> 192.168.101.2:500, id = No Id
    Jun 13 10:36:52 ike_policy_reply_find_pre_shared_key: Start
    Jun 13 10:36:52 ike_calc_mac: Start, initiator = true, local = true
    Jun 13 10:36:52 ike_st_o_status_n: Start
    Jun 13 10:36:52 ike_st_o_private: Start
    Jun 13 10:36:52 ike_policy_reply_private_payload_out: Start
    Jun 13 10:36:52 ike_st_o_encrypt: Marking encryption for packet
    Jun 13 10:36:52 ike_encode_packet: Start, SA = { 0x86b8160b 93a10c7c - c6c3a771 f0475656 } / 00000000, nego = -1
    Jun 13 10:36:52 ike_send_packet: Start, send SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}, nego = -1, src = 172.168.100.2:500, dst = 192.168.101.2:500, routing table id = 0
    Jun 13 10:36:52 ike_get_sa: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 } / 4cb03305, remote = 192.168.101.2:500
    Jun 13 10:36:52 ike_sa_find: Found SA = { 86b8160b 93a10c7c - c6c3a771 f0475656 }
    Jun 13 10:36:52 ike_alloc_negotiation: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656}
    Jun 13 10:36:52 ike_decode_packet: Start
    Jun 13 10:36:52 ike_decode_packet: Start, SA = { 86b8160b 93a10c7c - c6c3a771 f0475656} / 4cb03305, nego = 0
    Jun 13 10:36:52 ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..16] = 86b8160b 93a10c7c …, data[0..113] = 800c0001 80030081 …
    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notification data has attribute list
    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Notify message version = 1
    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload type = 129
    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending payload data offset = 1
    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Error text = Incorrect pre-shared key (Reserved not 0)
    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Offending message id = 0x00000000
    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
    Jun 13 10:37:07 ike_free_negotiation_info: Start, nego = 0
    Jun 13 10:37:07 ike_free_negotiation: Start, nego = 0
    Jun 13 10:37:07 ike_retransmit_callback: Start, retransmit SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1
    Jun 13 10:37:07 ike_send_packet: Start, retransmit previous packet SA = { 17ef27d0 508bc5db - 00000000 00000000}, nego = -1, src = 172.168.100.2:500, dst = 192.168.103.3:500, routing table id = 0
    Jun 13 10:37:17 ike_free_negotiation_info: Start, nego = 0
    Jun 13 10:37:17 ike_free_negotiation: Start, nego = 0
    Jun 13 10:37:19 ike_get_sa: Start, SA = { 4326380f a67dbcf3 - 00000000 00000000 } / 00000000, remote = 192.168.103.2:500
    Jun 13 10:37:19 ike_sa_allocate: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d }
    Jun 13 10:37:19 ike_init_isakmp_sa: Start, remote = 192.168.103.2:500, initiator = 0
    Jun 13 10:37:19 ike_decode_packet: Start
    Jun 13 10:37:19 ike_decode_packet: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d} / 00000000, nego = -1
    Jun 13 10:37:19 ike_decode_payload_sa: Start
    Jun 13 10:37:19 ike_decode_payload_t: Start, # trans = 2
    Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 …
    Jun 13 10:37:19 ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 …
    Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 …
    Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 …
    Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd …
    Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = cd604643 35df21f8 …
    Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e …
    Jun 13 10:37:19 ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f …
    Jun 13 10:37:19 ike_st_i_sa_proposal: Start
    Jun 13 10:37:19 ike_isakmp_sa_reply: Start
    Jun 13 10:37:19 ike_st_i_cr: Start
    Jun 13 10:37:19 ike_st_i_cert: Start
    Jun 13 10:37:19 ike_st_i_private: Start
    Jun 13 10:37:19 ike_st_o_sa_values: Start
    Jun 13 10:37:19 172.168.100.2:500 (Responder) -> 192.168.103.2:500 { 4326380f a67dbcf3 - a8307123 9c0e1f9d [-1] / 0x00000000 } IP; Error = No proposal chosen (14)
    Jun 13 10:37:19 ike_alloc_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}
    Jun 13 10:37:19 ike_encode_packet: Start, SA = { 0x4326380f a67dbcf3 - a8307123 9c0e1f9d } / 1a8c665d, nego = 0
    Jun 13 10:37:19 ike_send_packet: Start, send SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0, src = 172.168.100.2:500, dst = 192.168.103.2:500, routing table id = 0
    Jun 13 10:37:19 ike_delete_negotiation: Start, SA = { 4326380f a67dbcf3 - a8307123 9c0e1f9d}, nego = 0

– Exhibit –

Click the Exhibit button.

You are asked to set up an IPsec tunnel to the destination 192.168.103.2. After applying the configuration, you notice in the show security ike security-associations output that the destination stays in a down state.

Referring to exhibit, what is causing the problem?

  1. The preshared key is incorrect.

  2. The proposal does not match.

  3. The gateway is incorrect.

  4. The IKE policy does not match.

Answer: A

Explanation:

See line:

    Jun 13 10:36:52 172.168.100.2:500 (Responder) -> 192.168.101.2:500 { 86b8160b 93a10c7c - c6c3a771 f0475656 [0] / 0x4cb03305 } Info; Error text = Incorrect pre-shared key (Reserved not 0)

References: http://blog.twine-networks.com/201403/troubleshooting-ipsec-log-messages/

Question No: 30

Click the Exhibit button.

You are reviewing the status of a high-end SRX Series chassis cluster and notice that some interfaces have error messages.

Referring to the exhibit, which two steps would you use to troubleshoot the problem? (Choose two.)

  1. Verify the security policies for incoming traffic.

  2. Verify if there are Layer 1 or Layer 2 issues between the node devices.

  3. Recognize the control link port to a different Services Processing Card (SPC), move the cable, and reboot both nodes.

  4. Reconfigure the firewall filters to allow traffic.

Answer: B,C

Explanation:

B: If the Control Link is an SFP-type port, change the transceiver on both ends. Ensure that the transceivers are the same type (LX, SX, etc.) and that they are Juniper-branded parts.

C: Change the cable that you are using for the control link. Is the interface link light GREEN now?

Yes – The previous link cable was faulty. It is recommended to now reboot both nodes simultaneously.

References: http://kb.juniper.net/InfoCenter/index?page=content&id=kb20698&actp=search
