Far Out Jn0-333 Vce 2021
Proper study guides for the most recent Juniper Security, Specialist (JNCIS-SEC) certification begin with Juniper jn0-333 preparation products, which are designed to deliver refined jn0-333 questions and help you pass the jn0-333 test on your first attempt. Try the free jn0-333 demo right now.
Online Juniper jn0-333 free dumps demo below:
NEW QUESTION 1
Which statement describes the function of screen options?
- A. Screen options encrypt transit traffic in a tunnel.
- B. Screen options protect against various attacks on traffic entering a security device.
- C. Screen options translate a private address to a public address.
- D. Screen options restrict or permit users individually or in a group.
Answer: B
NEW QUESTION 2
You have configured source NAT with port address translation. You also need to guarantee that the same IP address is assigned from the source NAT pool to a specific host for multiple concurrent sessions.
Which NAT parameter would meet this requirement?
- A. port block-allocation
- B. port range twin-port
- C. address-persistent
- D. address-pooling paired
Answer: D
NEW QUESTION 3
What is the function of redundancy group 0 in a chassis cluster?
- A. Redundancy group 0 identifies the node controlling the cluster management interface IP addresses.
- B. The primary node for redundancy group 0 identifies the first member node in a chassis cluster.
- C. The primary node for redundancy group 0 determines the interface naming for all chassis cluster nodes.
- D. The node on which redundancy group 0 is primary determines which Routing Engine is active in the cluster.
Answer: D
NEW QUESTION 4
Which SRX5400 component is responsible for performing first pass security policy inspection?
- A. Routing Engine
- B. Switch Control Board
- C. Services Processing Unit
- D. Modular Port Concentrator
Answer: C
NEW QUESTION 5
Click the Exhibit button.
Which two statements describe the output shown in the exhibit? (Choose two.)
- A. Node 0 is controlling traffic for redundancy group 1.
- B. Node 1 is controlling traffic for redundancy group 1.
- C. Redundancy group 1 experienced an operational failure.
- D. Redundancy group 1 was administratively failed over.
Answer: BD
NEW QUESTION 6
You are asked to change when your SRX high availability failover occurs. One network interface is considered more important than others in the high availability configuration. You want to prioritize failover based on the state of that interface.
Which configuration would accomplish this task?
- A. Create a VRRP group configuration that lists the reth’s IP address as the VIP while using each physical interface that makes up the reth definition of each SRX HA pair.
- B. Configure IP monitoring of the important interface’s IP address and adjust the heartbeat interval and heartbeat threshold to the shortest settings.
- C. Create a separate redundancy group to isolate the important interface; set the priority of the new redundancy group to 255.
- D. Configure interface monitor inside the redundancy group that contains the important physical interface; adjust the weight associated with the monitored interface to 255.
Answer: D
NEW QUESTION 7
You are asked to support source NAT for an application that requires that its original source port not be changed.
Which configuration would satisfy the requirement?
- A. Configure a source NAT rule that references an IP address pool with interface proxy ARP enabled.
- B. Configure the egress interface to source NAT fixed-port status.
- C. Configure a source NAT rule that references an IP address pool with the port no-translation parameter enabled.
- D. Configure a source NAT rule that sets the egress interface to the overload status.
Answer: C
NEW QUESTION 8
You want to protect your SRX Series device from the ping-of-death attack coming from the untrust security zone.
How would you accomplish this task?
- A. Configure the host-inbound-traffic system-services ping except parameter in the untrust security zone.
- B. Configure the application tracking parameter in the untrust security zone.
- C. Configure a from-zone untrust to-zone trust security policy that blocks ICMP traffic.
- D. Configure the appropriate screen and apply it to the [edit security zones security-zone untrust] hierarchy.
Answer: D
NEW QUESTION 9
Which statement is true when destination NAT is performed?
- A. The source IP address is translated according to the configured destination NAT rules and then the security policies are applied.
- B. The destination IP address is translated according to the configured source NAT rules and then the security policies are applied.
- C. The destination IP address is translated according to the configured security policies and then the security destination NAT rules are applied.
- D. The destination IP address is translated according to the configured destination NAT rules and then the security policies are applied.
Answer: D
NEW QUESTION 10
Which two statements about security policy actions are true? (Choose two.)
- A. The log action implies an accept action.
- B. The log action requires an additional terminating action.
- C. The count action implies an accept action.
- D. The count action requires an additional terminating action.
Answer: BD
NEW QUESTION 11
Click the Exhibit button.
Host A is attempting to connect to Host B using the domain name, which is tied to a public IP address. All attempts to connect to Host B have failed. You have examined the configuration on your SRX340 and determined that a NAT policy is required.
Referring to the exhibit, which two NAT types will allow Host A to connect to Host B? (Choose two.)
- A. source NAT
- B. NAT-T
- C. destination NAT
- D. static NAT
Answer: CD
NEW QUESTION 12
You want to implement IPsec on your SRX Series devices, but you do not want to use a preshared key. Which IPsec implementation should you use?
- A. public key infrastructure
- B. next-hop tunnel binding
- C. tunnel mode
- D. aggressive mode
Answer: A
NEW QUESTION 13
Click the Exhibit button.
You have an IPsec tunnel between two devices. You clear the IKE security associations, but traffic continues to flow across the tunnel.
Referring to the exhibit, which statement is correct in this scenario?
- A. The IPsec security association is independent from the IKE security association
- B. The traffic is no longer encrypted
- C. The IKE security association immediately reestablishes
- D. The traffic is using an alternate path
Answer: AB
NEW QUESTION 14
Which host-inbound-traffic security zone parameter would allow access to the REST API configured to listen on custom TCP port 5080?
- A. http
- B. all
- C. xnm-clear-text
- D. any-service
Answer: D
NEW QUESTION 15
You want to trigger failover of redundancy group 1, currently running on node 0, and make node 1 the primary node for redundancy group 1.
Which command would be used to accomplish this task?
- A. user@host# set chassis cluster redundancy-group 1 node 1
- B. user@host> request chassis cluster failover redundancy-group 1 node 1
- C. user@host# set chassis cluster redundancy-group 1 preempt
- D. user@host> request chassis cluster failover reset redundancy-group 1
Answer: B
NEW QUESTION 16
Click the Exhibit button.
You have configured NAT on your network so that Host A can communicate with Server B. You want to ensure that Host C can initiate communication with Host A using Host A’s reflexive address.
Referring to the exhibit, which parameter should you configure on the SRX Series device to satisfy this requirement?
- A. Configure persistent NAT with the target-host parameter.
- B. Configure persistent NAT with the target-host-port parameter.
- C. Configure persistent NAT with the any-remote-host parameter.
- D. Configure persistent NAT with the port-overloading parameter.
Answer: A
NEW QUESTION 17
Which action will restrict SSH access to an SRX Series device from a specific IP address which is connected to a security zone named trust?
- A. Implement a firewall filter on the security zone trust.
- B. Implement a security policy from security zone junos-host to security zone trust.
- C. Implement host-inbound-traffic system-services to allow SSH.
- D. Implement a security policy from security zone trust to security zone junos-host.
Answer: D
NEW QUESTION 18
You have recently configured an IPsec tunnel between two SRX Series devices. One of the devices is assigned an IP address using DHCP with an IP address that changes frequently. Initial testing indicates that the IPsec tunnel is not working. Troubleshooting has revealed that Phase 1 negotiations are failing.
Which two actions would solve the problem? (Choose two.)
- A. Verify that the device with the IP address assigned by DHCP is the traffic initiator.
- B. Verify that VPN monitoring is enabled.
- C. Verify that the IKE policy is configured for aggressive mode.
- D. Verify that PKI is properly configured.
Answer: AC
NEW QUESTION 19
Click the Exhibit button.
Which statement would explain why the IP-monitoring feature is functioning incorrectly?
- A. The global weight value is too large for the configured global threshold.
- B. The secondary IP address should be on a different subnet than the reth IP address.
- C. The secondary IP address is the same as the reth IP address.
- D. The monitored IP address is not on the same subnet as the reth IP address.
Answer: C
NEW QUESTION 20
You are changing the default vCPU allocation on a vSRX. How are the additional vCPUs allocated in this scenario?
- A. The vCPU are allocated equally across the Junos control plane and packet forwarding engine.
- B. One dedicated vCPU is allocated for the Junos control plane and the remaining vCPUs for the packet forwarding engine.
- C. One dedicated vCPU is allocated for the packet forwarding engine, one for the Junos control plane, and the remaining vCPUs are equally balanced.
- D. One dedicated vCPU is allocated for the packet forwarding engine and the remaining vCPUs for the Junos plane.
Answer: B
NEW QUESTION 21
Which two modes are supported during the Phase 1 IKE negotiations used to establish an IPsec tunnel? (Choose two.)
- A. transport mode
- B. aggressive mode
- C. main mode
- D. tunnel mode
Answer: BC
NEW QUESTION 22
You recently configured an IPsec VPN between two SRX Series devices. You notice that the Phase 1 negotiation succeeds and the Phase 2 negotiation fails.
Which two configuration parameters should you verify are correct? (Choose two.)
- A. Verify that the IKE gateway proposals on the initiator and responder are the same.
- B. Verify that the VPN tunnel configuration references the correct IKE gateway.
- C. Verify that the IKE initiator is configured for main mode.
- D. Verify that the IPsec policy references the correct IKE proposals.
Answer: AB
NEW QUESTION 23
Click the Exhibit button.
You notice that your SRX Series device is not blocking HTTP traffic as expected. Referring to the exhibit, what should you do to solve the problem?
- A. Commit the configuration.
- B. Reboot the SRX Series device.
- C. Configure the SRX Series device to operate in packet-based mode.
- D. Move the deny-http policy to the bottom of the policy list.
Answer: B