最新の無料JN0-636効率的問題集をダウンロード2024年03月08日更新された117問がある [Q25-Q48]

Share

最新の無料JN0-636効率的問題集をダウンロード2024年03月08日更新された117問がある

Juniper JN0-636試験練習テスト解答


Juniper JN0-636試験では、IPSEC VPN、高可用性クラスタリング、高度なセキュリティポリシー、高度なNAT、セキュリティロギングとレポートなど、ネットワークセキュリティのさまざまな側面における候補者の知識とスキルをテストします。候補者は、ジュニパーのセキュリティ製品とサービスに関連する問題をトラブルシューティングして解決する能力についてもテストされています。


JN0-636試験に合格した候補者は、Juniper Networks認定インターネットプロフェッショナルセキュリティ(JNCIP-SEC)認定を取得します。この認定は、候補者がジュニパーセキュリティソリューションを深く理解しており、ジュニパーテクノロジーを使用して安全なネットワークを設計、実装、および管理できることを示しています。

 

質問 # 25
Your company recently acquired a competitor. You want to use using the same IPv4 address space as your company.
Referring to the exhibit, which two actions solve this problem? (Choose two)

  • A. Configure static NAT on the SRX Series devices.
  • B. Identify two neutral IPv4 address spaces for address translation.
  • C. Configure IPsec Transport mode.
  • D. Connect the competitor network using IPsec policy-based VPNs.

正解:A、D


質問 # 26
Click the Exhibit button.

When attempting to enroll an SRX Series device to JATP, you receive the error shown in the exhibit. What is the cause of the error?

  • A. The SRX Series device certificate does not match the JATP certificate
  • B. The SRX Series device does not have an IP address assigned to the interface that accesses JATP
  • C. A firewall is blocking HTTPS on fxp0
  • D. The fxp0 IP address is not routable

正解:B


質問 # 27
Exhibit

You are using traceoptions to verify NAT session information on your SRX Series device. Referring to the exhibit, which two statements are correct? (Choose two.)

  • A. The SRX Series device is performing both source and destination NAT on this session.
  • B. The SRX Series device is performing only source NAT on this session.
  • C. This is the first packet in the session.
  • D. This is the last packet in the session.

正解:A、D


質問 # 28
Regarding IPsec CoS-based VPNs, what is the number of IPsec SAs associated with a peer based upon?

  • A. The number of classifiers configured for the VPN.
  • B. The number of CoS queues configured for the VPN.
  • C. The number of traffic selectors configured for the VPN.
  • D. The number of forwarding classes configured for the VPN.

正解:D

解説:
In IPsec CoS-based VPNs, the number of IPsec Security Associations (SAs) associated with a peer is based on the number of forwarding classes configured for the VPN. The forwarding classes are used to classify and prioritize different types of traffic, such as voice and data traffic. Each forwarding class requires a separate IPsec SA to be established between the peers, in order to provide the appropriate level of security and quality of service for each type of traffic.


質問 # 29
Exhibit

Which two statements are correct about the output shown in the exhibit. (Choose two.)

  • A. The packet matches a user-configured policy
  • B. The source address is translated.
  • C. The packet is an SSH packet
  • D. The destination address is translated.

正解:B、C

解説:
The source address is translated because the traceoptions output shows that the source IP address 192.168.5.2 is translated to 192.168.100.1 and the source port 0 is translated to 14777. The traceoptions output also shows the flag flow_first_src_xlate, which indicates that this is the first time that source NAT is applied to this session.
The packet is an SSH packet because the traceoptions output shows that the application protocol is tcp/22, which is the default port for SSH. The traceoptions output also shows the flag flow_tcp_syn, which indicates that this is the first packet of a TCP connection.
Reference:
traceoptions (Security NAT) | Junos OS | Juniper Networks
[SRX] How to interpret Flow TraceOptions output for NAT troubleshooting


質問 # 30
While troubleshooting security policies, you added the count action.
Where do you see the result of this action?

  • A. In the show firewall log command output.
  • B. In the show security flow statistics command output.
  • C. In the show security policies detail command output.
  • D. In the show security policies hit-count command output.

正解:A


質問 # 31
you must find an infected host and where the a􀆩ack came from using the Juniper ATP Cloud. Which two monitor workspaces will return the requested information? (Choose Two)

  • A. File Scanning
  • B. Encrypted Traffic
  • C. Threat Sources
  • D. Hosts

正解:C、D

解説:
To find an infected host and where the attack came from using the Juniper ATP Cloud, you need to use the Hosts and Threat Sources monitor workspaces. The other options are incorrect because:
B) The File Scanning monitor workspace shows the files that have been scanned by the Juniper ATP Cloud and their verdicts (clean, malicious, or unknown). It does not show the infected hosts or the attack sources1.
D) The Encrypted Traffic monitor workspace shows the encrypted traffic that has been decrypted by the Juniper ATP Cloud and the certificates that have been used. It does not show the infected hosts or the attack sources2.
Therefore, the correct answer is A and C. You need to use the Hosts and Threat Sources monitor workspaces to find an infected host and where the attack came from using the Juniper ATP Cloud. To do so, you need to perform the following steps:
For Hosts, you need to access the Hosts monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Hosts. You can see the list of hosts that have been detected by the Juniper ATP Cloud and their risk scores, infection levels, and threat categories. You can filter the hosts by various criteria, such as IP address, hostname, domain, or threat category. You can also drill down into each host to see the details of the files, applications, and incidents associated with the host. You can identify the infected host by looking for the host with the highest risk score, infection level, or threat category3.
For Threat Sources, you need to access the Threat Sources monitor workspace in the Juniper ATP Cloud WebUI by selecting Monitor > Threat Sources. You can see the list of threat sources that have been detected by the Juniper ATP Cloud and their risk scores, threat categories, and geolocations. You can filter the threat sources by various criteria, such as IP address, domain, or threat category. You can also drill down into each threat source to see the details of the files, applications, and incidents associated with the threat source. You can identify the attack source by looking for the threat source with the highest risk score, threat category, or geolocation that matches the infected host.
Reference:
File Scanning
Encrypted Traffic
Hosts
[Threat Sources]


質問 # 32
Exhibit

Referring to the exhibit, which statement is true?

  • A. This custom block list feed will be used instead of the Juniper Seclntel block list feed
  • B. This custom block list feed cannot be saved if the Juniper Seclntel block list feed is configured.
  • C. This custom block list feed will be used after the Juniper Seclntel block list feed.
  • D. This custom block list feed will be used before the Juniper Seclntel

正解:C


質問 # 33
You must setup a Ddos solution for your ISP. The solution must be agile and not block legitimate traffic.
Which two products will accomplish this task? (Choose two.)

  • A. Contrail Insights
  • B. SRX Series device
  • C. Corero Smartwall TDD
  • D. MX Series device

正解:C、D

解説:
You must set up a DDoS solution for your ISP. The solution must be agile and not block legitimate traffic. The two products that will accomplish this task are:
B) MX Series device. MX Series devices are high-performance routers that can provide DDoS protection at the network edge by integrating with Corero SmartWall Threat Defense Director (TDD) software. MX Series devices can leverage the packet processing capabilities of the MX-SPC3 Services Card to perform real-time DDoS detection and mitigation at line rate, scaling from 50 Gbps to 40 Tbps. MX Series devices can also use Juniper Networks Security Intelligence (SecIntel) to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. MX Series devices can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic12.
C) Corero SmartWall TDD. Corero SmartWall TDD is a software solution that runs on MX Series devices and PTX Series devices to provide DDoS protection at the network edge. Corero SmartWall TDD uses behavioral analytics and detailed network visibility to detect and block DDoS attacks in seconds, without affecting the normal traffic. Corero SmartWall TDD can also provide advanced protection from "carpet bombing" attacks, 5G DDoS visibility, and multi-tenant portal for as-a-service offerings or views by department within an enterprise. Corero SmartWall TDD can provide an agile and effective DDoS solution for your ISP without blocking legitimate traffic34.
The other options are incorrect because:
A) Contrail Insights. Contrail Insights is a software solution that provides network analytics and visibility for cloud and data center environments. Contrail Insights can help you monitor, troubleshoot, and optimize the performance and security of your network, but it does not provide DDoS protection by itself. Contrail Insights can integrate with other Juniper products, such as Contrail Enterprise Multicloud, Contrail Service Orchestration, and AppFormix, to provide a comprehensive network management solution, but it is not a DDoS solution for your ISP5.
D) SRX Series device. SRX Series devices are high-performance firewalls that can provide DDoS protection at the network perimeter by integrating with Juniper ATP Cloud and Juniper Threat Labs. SRX Series devices can use SecIntel to receive threat intelligence feeds from Juniper ATP Cloud or Juniper Threat Labs and apply them to the security policies. SRX Series devices can also use IDP to detect and prevent application-level attacks, such as SQL injection, cross-site scripting, and buffer overflow. SRX Series devices can provide a robust and effective DDoS solution for your network, but they are not designed to handle high-volume DDoS attacks at the network edge, as MX Series devices and Corero SmartWall TDD are .
Reference:
Juniper and Corero Joint DDoS Protection Solution
MX-SPC3 Services Card Overview
Corero SmartWall Threat Defense Director (TDD)
Juniper Networks and Corero: A Modern Approach to DDoS Protection at Scale Contrail Insights Overview
[SRX Series Services Gateways]
[Juniper Networks Security Intelligence (SecIntel)]


質問 # 34
Exhibit:
Referring to the exhibit, your company's infrastructure team implemented new printers To make sure that the policy enforcer pushes the updated Ip address list to the SRX.
Which three actions are required to complete the requirement? (Choose three )

  • A. Configure Security Director to create a C&C feed.
  • B. Configure Security Director to create a dynamic address feed
  • C. Configure server feed URL as https://172.25.10.254/myprinters.
  • D. Configure the server feed URL as http://172.25.10.254/myprinters
  • E. Create a security policy that uses the dynamic address feed to allow access

正解:B、D、E

解説:
Referring to the exhibit, your company's infrastructure team implemented new printers. To make sure that the policy enforcer pushes the updated IP address list to the SRX, you need to perform the following actions:
A) Configure the server feed URL as http://172.25.10.254/myprinters. The server feed URL is the address of the remote server that provides the custom feed data. You need to configure the server feed URL to match the location of the file that contains the IP addresses of the new printers. In this case, the file name is myprinters and the server IP address is 172.25.10.254, so the server feed URL should be http://172.25.10.254/myprinters1.
B) Create a security policy that uses the dynamic address feed to allow access. A security policy is a rule that defines the action to be taken for the traffic that matches the specified criteria, such as source and destination addresses, zones, protocols, ports, and applications. You need to create a security policy that uses the dynamic address feed as the source or destination address to allow access to the new printers. A dynamic address feed is a custom feed that contains a group of IP addresses that can be entered manually or imported from external sources. The dynamic address feed can be used in security policies to either deny or allow traffic based on either source or destination IP criteria2.
C) Configure Security Director to create a dynamic address feed. Security Director is a Junos Space application that enables you to create and manage security policies and objects. You need to configure Security Director to create a dynamic address feed that contains the IP addresses of the new printers. You can create a dynamic address feed by using the local file or the remote file server option. In this case, you should use the remote file server option and specify the server feed URL as http://172.25.10.254/myprinters3.
The other options are incorrect because:
D) Configuring Security Director to create a C&C feed is not required to complete the requirement. A C&C feed is a security intelligence feed that contains the IP addresses of servers that are used by malware or attackers to communicate with infected hosts. The C&C feed is not related to the new printers or the dynamic address feed.
E) Configuring the server feed URL as https://172.25.10.254/myprinters is not required to complete the requirement. The server feed URL can use either the HTTP or the HTTPS protocol, depending on the configuration of the remote server. In this case, the exhibit shows that the remote server is using the HTTP protocol, so the server feed URL should use the same protocol1.
Reference:
Configuring the Server Feed URL
Dynamic Address Overview
Creating Custom Feeds
[Command and Control Feed Overview]


質問 # 35
Exhibit

You have recently configured Adaptive Threat Profiling and notice 20 IP address entries in the monitoring section of the Juniper ATP Cloud portal that do not match the number of entries locally on the SRX Series device, as shown in the exhibit.
What is the correct action to solve this problem on the SRX device?

  • A. You must configure the DAE in a security policy on the SRX device.
  • B. Flush the DNS cache on the SRX device.
  • C. Refresh the feed in ATP Cloud.
  • D. Force a manual download of the Proxy__Nodes feed.

正解:C

解説:
The correct action to solve this problem on the SRX device is to refresh the feed in ATP Cloud. This is because the number of IP address entries in the monitoring section of the Juniper ATP Cloud portal does not match the number of entries locally on the SRX Series device. This discrepancy can be caused by a number of factors, such as the SRX device not being properly configured for Adaptive Threat Profiling, or the feed not being properly downloaded from the Juniper ATP Cloud portal. By refreshing the feed in ATP Cloud, the SRX device can synchronize its local feed with the latest feed from the cloud service and ensure that the entries are consistent and accurate. Reference: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-adaptive-threat-profiling-configuring.html


質問 # 36
You are asked to configure a security policy on the SRX Series device. After committing the policy, you receive the "Policy is out of sync between RE and PFE <SPU-name(s)>." error.
Which command would be used to solve the problem?

  • A. request security polices resync
  • B. request security polices check
  • C. restart security-intelligence
  • D. request service-deployment

正解:A

解説:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB30443&cat=SRX_SERIES&actp=LIST


質問 # 37
You are asked to determine if the 203.0.113.5 IP address has been added to the third-party security feed, DS hield, from Juniper Seclnte1. You have an SRX Series device that is using Seclnte1 feeds from Juniper ATP Cloud Which command will return this information?

  • A. show security dynamic-address category-name IP Filter I match 203.0.113.5
  • B. show security dynamic-address category-name CC | match 203.0.113.5
  • C. show security dynamic-address category-name Infected-Hosts | match 203.0.113.5
  • D. show Security dynamic-address category-name JWAS | match 203.0.113.5

正解:B

解説:
The command "show security dynamic-address category-name DS hield" will show the IP addresses that are part of the DS hield category. By filtering the output of this command with the "match 203.0.113.5" command, you can determine if the IP address 203.0.113.5 is part of the DS hield feed. This command will check the feeds that are configured on SRX Series device and are associated to juniper ATP Cloud.


質問 # 38
you must create a secure fabric in your company's network
In this Scenario, Which three statements are correct? (Choose Three)

  • A. MX Series device associated with tenants can belong to only one site
  • B. A switch must be assigned to the site to enforce an infected host policy within the network
  • C. SRX Series devices can belong to only one site
  • D. SRX Series devices can belong to multiple sites
  • E. Switches and connectors cannot be added to the same site

正解:B、C、E

解説:
To create a secure fabric in your company's network, you need to know the following facts:
A secure fabric is a collection of sites that contain network devices (switches, routers, firewalls, and other security devices) that are used in policy enforcement groups. A site is a grouping of network devices that contribute to threat prevention. When threat prevention policies are applied to policy enforcement groups, the system automatically discovers to which sites those groups belong. This is how threat prevention is aggregated across your secure fabric1.
MX Series devices associated with tenants can belong to multiple sites. Tenants are logical partitions of the network that can have their own security policies and enforcement points. Sites that are associated with tenants do not need switches as enforcement points, because MX Series devices can perform tenant-based policy enforcement1.
SRX Series devices can belong to only one site. SRX Series devices are firewalls that can act as perimeter enforcement points for the secure fabric. They can send potentially malicious objects and files to the Juniper ATP Cloud for analysis and receive threat intelligence from the Juniper ATP Cloud to block malicious traffic. SRX Series devices cannot belong to multiple sites, because they do not support tenant-based policy enforcement1.
A switch must be assigned to the site to enforce an infected host policy within the network. An infected host policy is a policy that blocks or quarantines hosts that are identified as infected by the Juniper ATP Cloud. A switch can act as an internal enforcement point for the secure fabric by applying the infected host policy to the hosts that are connected to it. A switch must be assigned to the site where the infected hosts are located, because SRX Series devices cannot enforce infected host policies1.
Switches and connectors cannot be added to the same site. Connectors are software agents that can be installed on Windows or Linux servers to enable them to act as enforcement points for the secure fabric. Connectors can apply infected host policies to the hosts that are connected to them. However, connectors cannot coexist with switches in the same site, because they use different methods of policy enforcement. Switches use VLANs and ACLs, while connectors use IPtables and WFP1.
Therefore, the correct answer is B, D, and E. The other options are incorrect because:
A) MX Series devices associated with tenants can belong to multiple sites, not only one site1.
C) SRX Series devices can belong to only one site, not multiple sites1.
Reference:
Secure Fabric Overview


質問 # 39
You are asked to configure a security policy on the SRX Series device. After committing the policy, you receive the "Policy is out of sync between RE and PFE <SPU-name(s)>." error.
Which command would be used to solve the problem?

  • A. request security polices resync
  • B. request security polices check
  • C. restart security-intelligence
  • D. request service-deployment

正解:A


質問 # 40
Which Junos security feature is used for signature-based attack prevention?

  • A. AppQoS
  • B. IPS
  • C. RADIUS
  • D. PIM

正解:B


質問 # 41
You are configuring transparent mode on an SRX Series device. You must permit IP-based traffic only, and BPDUs must be restricted to the VLANs from which they originate.
Which configuration accomplishes these objectives?
A)

B)

C)

D)

  • A. Option C
  • B. Option D
  • C. Option B
  • D. Option A

正解:B

解説:
https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/ref/statement/family-ethernet-switching-edit-interfaces-qfx-series.html#statement-name-statement__d26608e73


質問 # 42
You want to enforce I DP policies on HTTP traffic.
In this scenario, which two actions must be performed on your SRX Series device? (Choose two )

  • A. Choose an attacks type in the predefined-attacks-group HTTP-All.
  • B. Disable screen options on the Untrust zone.
  • C. Specify an action of None.
  • D. Match on application junos-http.

正解:A、D

解説:
To enforce IDP policies on HTTP traffic on an SRX Series device, the following actions must be performed:
Choose an attacks type in the predefined-attacks-group HTTP-All: This allows the SRX Series device to match on specific types of attacks that can occur within HTTP traffic. For example, it can match on SQL injection or cross-site scripting (XSS) attacks.
Match on application junos-http: This allows the SRX Series device to match on HTTP traffic specifically, as opposed to other types of traffic. It is necessary to properly identify the traffic that needs to be protected.
Disabling screen options on the Untrust zone and specifying an action of None are not necessary to enforce IDP policies on HTTP traffic. The first one is a feature used to prevent certain types of attacks, the second one is used to take no action in case of a match.


質問 # 43
You want to enroll an SRX Series device with Juniper ATP Appliance. There is a firewall device in the path between the devices. In this scenario, which port should be opened in the firewall device?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

正解:A


質問 # 44
Exhibit

You are validating bidirectional traffic flows through your IPsec tunnel. The 4546 session represents traffic being sourced from the remote end of the IPsec tunnel. The 4547 session represents traffic that is sourced from the local network destined to the remote network.
Which statement is correct regarding the output shown in the exhibit?

  • A. NAT is being used to change the source address of outgoing packets
  • B. The session information indicates that the IPsec tunnel has not been established
  • C. The local gateway address for the IPsec tunnel is 10.20.20.2
  • D. The remote gateway address for the IPsec tunnel is 10.20.20.2

正解:C

解説:
According to the output shown in the exhibit, which is a security flow session on an SRX Series device, the correct statement is that the local gateway address for the IPsec tunnel is 10.20.20.2. This is indicated by the line In: 10.20.20.2/2060 -> 10.20.20.1/3382, which shows that the source IP address of the incoming packet is 10.20.20.2, which is the local gateway address of the IPsec tunnel. The destination IP address of the incoming packet is 10.20.20.1, which is the remote gateway address of the IPsec tunnel.
The following statements are incorrect or not supported by the output:
The remote gateway address for the IPsec tunnel is 10.20.20.2. This is false, as explained above. The remote gateway address for the IPsec tunnel is 10.20.20.1, not 10.20.20.2.
The session information indicates that the IPsec tunnel has not been established. This is false, as the output shows that there are two active sessions with the communication tag IPSec VPN: vpn1, which indicates that the IPsec tunnel has been established and is named vpn11.
NAT is being used to change the source address of outgoing packets. This is not supported by the output, as there is no indication of NAT being applied to the outgoing packets. The source IP address of the outgoing packet is 192.168.1.1, which is the same as the source IP address of the original packet. If NAT was being used, the source IP address of the outgoing packet would be different from the source IP address of the original packet.


質問 # 45
You are asked to secure your network against TOR network traffic.
Which two Juniper products would accomplish this task? (Choose two.)

  • A. Juniper ATP Appliance
  • B. Contrail Edge
  • C. Juniper Sky ATP
  • D. Contrail Insights

正解:A、C


質問 # 46
Exhibit:
Referring to the exhibit, which two statements are correct?

  • A. All of the entries are a threat level 8
  • B. All of the entries are a threat level 10.
  • C. All of the entries are Dshield entries
  • D. All of the entries are command and control entries.

正解:C、D

解説:
Referring to the exhibit, the following statements are correct:
B) All of the entries are command and control entries. Command and control entries are dynamic addresses that represent the IP addresses of servers that are used by malware to communicate with infected hosts. The SRX Series device can block or log the traffic to or from these IP addresses based on the security policies. The exhibit shows that all of the entries have the category DC/1, which stands for command and control1.
C) All of the entries are Dshield entries. Dshield is a feed source that provides a list of IP addresses that are associated with malicious activities, such as scanning, spamming, or attacking. The SRX Series device can download the Dshield feed and use it to populate the dynamic address entries. The exhibit shows that all of the entries have the feed dshield, which indicates that they are from the Dshield feed source2.
The other statements are incorrect because:
A) All of the entries are not a threat level 8, but a threat level 10. The threat level is a numeric value that indicates the severity of the threat associated with a dynamic address entry. The higher the threat level, the more dangerous the threat. The SRX Series device can use the threat level to prioritize the actions for the dynamic address entries. The exhibit shows that all of the entries have the cc CN, which stands for country code China. According to the Juniper documentation, the country code China has a threat level of 10, which is the highest.
D) All of the entries are not a threat level 10, but they are. See the explanation for option A.
Reference:
Understanding Dynamic Address Categories
Understanding Dynamic Address Feed Sources
[Understanding Dynamic Address Threat Levels]


質問 # 47
Referring to the exhibit, which three protocols will be allowed on the ge-0/0/5.0 interface?
(Choose three.)

  • A. IPsec
  • B. NTP
  • C. IBGP
  • D. DHCP
  • E. OSPF

正解:A、B、E


質問 # 48
......

最新の検証済みJN0-636問題集と解答合格保証もしくは全額返金です:https://jp.fast2test.com/JN0-636-premium-file.html

最新の認証試験JN0-636問題集練習テスト解答はこちら:https://drive.google.com/open?id=13NzmHiqJJ-_KQ50BjQUquJI_5YWP-mD5


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어