Juniper Juniper Certifications JN0-533 Questions & Answers

• Question 31:

  Traffic is not passing the ScreenOS device due to an incorrectly configured policy. You must determine exactly which security policy the traffic is using. Which two CLI commands should be used? (Choose two.)

  A. snoop

  B. get session

  C. debug flow basic

  D. get counter stats

  Correct Answer: BC

• Question 32:

  In a policy, which two statements are true about the no-hw-sess command? (Choose two.)

  A. It increases the load on the CPU.

  B. It is used for debugging.

  C. It increases the load on the ASIC card.

  D. It reduces the load on the CPU.

  Correct Answer: AB

• Question 33:

  What are three policy types? (Choose three.)

  A. destination-based policy

  B. intrazone policy

  C. source-based policy

  D. interzone policy

  E. global zone policy

  Correct Answer: BDE

• Question 34:

  What are three required policy elements? (Choose three.)

  A. source address

  B. protocol

  C. service

  D. log

  E. destination address

  Correct Answer: ACE

• Question 35:

  An SSG5 has a default configuration loaded on it. Which two statements are correct? (Choose two.)

  A. Intrazone blocking is enabled for the trust zone.

  B. Intrazone blocking is disabled for the trust zone.

  C. Intrazone blocking is enabled for the untrust zone.

  D. Intrazone blocking is disabled for the untrust zone.

  Correct Answer: BC

• Question 36:

  How is the maximum bandwidth pool allocated when all policies share the same priority?

  A. first come first served

  B. round robin

  C. packet DSCP value

  D. policy order number

  Correct Answer: B

• Question 37:

  What are two advantages for using the count parameter on a security policy? (Choose two.)

  A. to see any NAT traffic drops for that policy

  B. to see how many times users log in to the ScreenOS device

  C. to count the total number of bytes of traffic for that policy

  D. to see if the policy is temporarily not being used

  Correct Answer: CD

• Question 38:

  You configure NAT on your ScreenOS device to route the services shown in the exhibit to the internal addresses. Which commands will you use to configure this scenario?

  

  A. ssg5-> set interface ethernet3 vip 1.1.1.3 53 dns 10.1.1.3 ssg5-> set interface ethernet3 vip 1.1.1.3 80 http 10.1.1.4 ssg5-> set interface ethernet3 vip 1.1.1.3 5983 ldap 10.1.1.4 ssg5-> set interface ethernet3 vip 1.1.1.3 5631 pcanywhere

  10.1.1.5 ssg5-> set interface ethernet3 mip 1.1.1.3 53 dns 10.1.1.3

  B. ssg5-> set interface ethernet3 mip 1.1.1.3 80 http 10.1.1.4 ssg5-> set interface ethernet3 mip 1.1.1.3 5631 pcanywhere 10.1.1.4 ssg5-> set interface ethernet3 mip 1.1.1.3 5983 ldap 10.1.1.5 ssg5-> set interface ethernet3 dip 1.1.1.3 53 dns 10.1.1.3

  C. ssg5-> set interface ethernet3 dip 1.1.1.3 80 http 10.1.1.4 ssg5-> set interface ethernet3 dip 1.1.1.3 5631 pcanywhere 10.1.1.4 ssg5-> set interface ethernet3 dip 1.1.1.3 5983 ldap 10.1.1.5 ssg5-> set interface ethernet3 vip 1.1.1.3 53 dns

  10.1.1.3

  D. ssg5-> set interface ethernet3 vip 1.1.1.3 80 http 10.1.1.4 ssg5-> set interface ethernet3 vip 1.1.1.3 5631 pcanywhere 10.1.1.4 ssg5-> set interface ethernet3 vip 1.1.1.3 5983 ldap 10.1.1.5

  Correct Answer: D

• Question 39:

  Referring to the debug output shown in the exhibit, which NAT configuration is being used?

  ns5gt-> get int Interfaces in vsys Root: Name IP Address Zone MAC VLAN State VSD eth1 192.168.1.1/24 Trust 0014.f693.edc2 - U eth2 2.2.2.2/30 Untrust 0014.f693.edc8 - U ns5gt-> get db stream ****** .0: packet received [69]****** ipid = 22281(5709), @059ff214 packet passed sanity check. flow_decap_vector IPv4 process ethernet1:192.168.1.102/52380->4.2.2.2/53,17 no session found flow_first_sanity_check: in , out chose interface ethernet1 as incoming nat if. flow_first_routing: in , out search route to (ethernet1, 192.168.1.102->4.2.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null [ Dest] 7.route 4.2.2.2->2.2.2.1, to ethernet2 routed (x_dst_ip 4.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet2 Permitted by policy 1 dip id = 2, 192.168.1.102/52380->2.2.2.2/2157 choose interface ethernet2 as outgoing phy if no loop on ifp ethernet2. routed (x_dst_ip 4.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet2 policy search from zone 2-> zone 1

  A. MIP

  B. destination-based NAT

  C. source-based NAT

  D. VIP

  Correct Answer: C

• Question 40:

  You need to add a DIP pool to the interface shown in the exhibit. The DIP pool has been assigned the IP addresses 20.20.20.1 through 20.20.20.10. Which command would you use to accomplish this task?

  ssg5(M)-> get conf | incl ethernet1/2 set interface "ethernet1/2" zone "Untrust" set interface ethernet1/2 ip 10.0.0.1/24 set interface ethernet1/2 route set interface "ethernet1/2" description "Internet Connection 1" set interface ethernet1/2 ip manageable set interface ethernet1/2 manage ping

  A. set interface ethernet1/2 ext ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

  B. set interface ethernet1/2 ext ip 10.0.0.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

  C. set interface ethernet1/2 dip 1 20.20.20.1 20.20.20.10

  D. set interface ethernet1/2 secondary ip 20.20.20.1 255.255.255.0 dip 1 20.20.20.1 20.20.20.10

  Correct Answer: A