Juniper Juniper Certifications JN0-533 Questions & Answers

• Question 71:

  Which ScreenOS security feature helps protect against port scans and denial of service attacks?

  A. session-based stateful firewall

  B. IPsec VPNs

  C. security policies

  D. Screen options

  Correct Answer: D

• Question 72:

  Referring to the exhibit, what does this output show?

  

  A. the number of supported physical interfaces on the device

  B. the number of supported route tables on the device

  C. the number of supported VRs on the device

  D. the amount of system memory on the device

  Correct Answer: C

• Question 73:

  Based on the output shown in the exhibit, in which log were these events displayed?

  Date Time Module Level Type Description 2012-11-30 12:49:41 system warn 00528 SSH: Password authentication failed for admin user 'firewall-user' at host

  10.210.62.67.

  2012-11-30 12:49:41 system warn 00518 ADM: Local admin authentication

  failed for login name firewall-user: invalid login name 2012-11-30 12:49:28 system info 00536 IKE 66.129.232.26 Phase 1: Retransmission limit has been reached. 2012-11-30 12:42:23 system notif 00531 The system clock was updated from primary NTP server type 209.244.0.5 with an adjustment of 234 ms. Authentication was None. Update mode was Automatic

  A. event

  B. self

  C. login

  D. traffic

  Correct Answer: A

• Question 74:

  Given the output shown in the exhibit, which command would you use to view the number of attacks that have been blocked by the Screen options on the Untrust zone?

  

  A. ssg5-> get counter screen interface ethernet2/1

  B. ssg5-> get zone Untrust screen

  C. ssg5-> get counter screen zone Untrust

  D. ssg5-> get counter statistics interface ethernet2/1

  Correct Answer: C

• Question 75:

  A host in the untrust zone sends 1000 SYN packets in a single second to a host in your trust zone destined for port 80. Referring to the exhibit, which statement describes the behavior of the ScreenOS device?

  ssg5-> get conf | include syn set zone untrust screen syn-flood attack-threshold 625 set zone untrust screen syn-flood alarm-threshold 250 set zone untrust screen syn-flood timeout 20 set zone untrust screen syn-flood queue-size 1000 set zone untrust screen syn-flood set flow syn-proxy syn-cookie

  A. It will maintain this state for all 1000 connection attempts.

  B. It will begin to drop the SYN packets.

  C. It will block further connection attempts from this host for 20 seconds.

  D. It will reply with SYN-ACK packets.

  Correct Answer: D

• Question 76:

  Referring to the exhibit, both clustered devices are in a master state. What is the cause of this situation?

  NSPROD1(M)-> get nsrp ha-link total_ha_port = 2 probe on ha-link is disabled unused channel: ethernet8 (ifnum: 11) maC. 0010db1d1e8b statE. down unused channel: ethernet7 (ifnum: 10) maC. 0010db1d1e8a statE. down ha control link not available ha data link not available ha secondary path link not available

  A. The cluster is not configured for NSRP.

  B. The cluster is in the process of failing over from the primary node to the secondary node.

  C. Probes on the HA links have been disabled, causing the HA links to go down.

  D. The control and the data link is down.

  Correct Answer: D

• Question 77:

  Referring to the exhibit, which three statements are true? (Choose three.)

  NS5200(M)-> get nsrp nsrp version: 2.0 cluster info: cluster iD. 1, namE. 5200 local unit iD. 8000208 active units discovereD. index: 0, unit iD. 8014208, ctrl maC. 0010db000085, data maC. 0010db000086 index: 1, unit iD. 8337344, ctrl maC. 0010db0000c5, data maC. 0010db0000c6 total number of units: 2 VSD group info: init hold timE. 5 heartbeat lost thresholD. 3 heartbeat interval: 200(ms) master always exist: enabled group priority preempt holddown inelig master PB other members 0 50 yes 45 no myself 8330044 total number of vsd groups: 1 Total iteration= ,time=878546093,max=4900,min=170,average=18 RTO mirror info: run time object synC. enabled ping session synC. enabled coldstart sync done nsrp data packet forwarding is enabled nsrp link info: control channel: ha1 (ifnum: 5) maC. 0010db000085 statE. up data channel: ha2 (ifnum: 6) maC. 0010db000086 statE. up ha secondary path link not available NSRP encryption: disabled NSRP authentication: disabled device based nsrp monitoring thresholD. 255, weighted sum: 0, not failed device based nsrp monitor interfacE. ethernet2/1(weight 255, UP) ethernet2/3(weight 255, UP) ethernet2/4(weight 255, UP) ethernet2/5(weight 255, UP) ethernet2/2 (weight 255, UP) device based nsrp monitor zonE. device based nsrp track ip: (weight: 255, disabled) number of gratuitous arps: 4 (default) config synC. enabled track ip: disabled

  A. This cluster is configured as an active/active cluster.

  B. RTO sync is enabled.

  C. No secondary path is configured.

  D. master-always-exists is enabled.

  E. Only one interface is used for both the control and data links.

  Correct Answer: BCD

• Question 78:

  Which two statements are true about the exhibit? (Choose two.)

  

  A. It contains information regarding Phase 1 of IPsec.

  B. It contains information regarding Phase 2 of IPsec.

  C. The VPN is using certificates.

  D. The VPN is using preshared keys.

  Correct Answer: AD

• Question 79:

  The exhibit displays output from the event log of a ScreenOS device. Given the information shown in the exhibit, which two statements are correct? (Choose two.)

  

  A. The VPN initiator is sending a proxy ID of: local: 10.20.1.0/24 remote:10.204.1.0/24 service:ANY

  B. The VPN contains a proxy ID mismatch.

  C. Phase 2 negotiations completed successfully.

  D. Phase 1 negotiations completed successfully.

  Correct Answer: BD

• Question 80:

  What is shown in the exhibit?

  

  A. a route-based VPN

  B. a global policy

  C. a policy-based VPN

  D. a policy with counting enabled

  Correct Answer: C

  Explanation:

  The "Tunnel" action is specific to policy-based VPN