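Latest JN0-335 practice questions for the exam engine, March 14, 2024: the latest valid question set is now available
Exam answers: the latest JN0-335 test engine is provided free of charge
The Juniper JN0-335 Security certification exam is designed for people who want to pursue a career in network security. The exam is part of the Juniper Networks Certification Program (JNCP) and targets experienced security professionals who want to expand their skill set and deepen their knowledge of Juniper Networks security technologies. The JN0-335 exam focuses on applying Juniper Networks security technologies such as firewalls, VPNs, intrusion detection and prevention, and security policies.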
Question # 47
While working on an SRX firewall, you execute the show security policies policy-name <name> detail command.
Which function does this command accomplish?
- A. It shows the system log files for the local SRX Series device.
- B. It shows policy counters for a configured policy.
- C. It displays details about the default security policy.
- D. It identifies the different custom policies enabled.
Correct answer: B
Explanation:
The function that the show security policies policy-name <name> detail command accomplishes is showing policy counters for a configured policy. Policy counters are statistics that indicate how many times a policy has been matched by traffic and what actions have been taken by the policy. Policy counters can help you monitor and troubleshoot the performance and effectiveness of your security policies. The show security policies policy-name <name> detail command displays detailed information about a specific policy, such as its source zone, destination zone, description, state, hit count, byte count, packet count, action count, and session count.
Question # 48
You are preparing a proposal for a new customer who has submitted the following requirements for a vSRX deployment:
-- globally distributed,
-- rapid provisioning,
-- scale based on demand,
-- and low CapEx.
Which solution satisfies these requirements?
- A. Network Director
- B. Juniper ATP Cloud
- C. VMWare ESXi
- D. AWS
Correct answer: D
Explanation:
vSRX is a virtual firewall that provides security and networking services at the perimeter or edge of virtualized environments [1]. vSRX can be deployed in various cloud environments, such as AWS, Azure, Google Cloud Platform, and VMware [2].
AWS is a cloud computing platform that offers a variety of services, such as compute, storage, networking, security, and analytics [3]. AWS enables customers to deploy vSRX instances in a virtual private cloud (VPC), which is a logically isolated section of the AWS cloud [4].
AWS satisfies the requirements for a vSRX deployment as follows:
Globally distributed: AWS has a global infrastructure that spans 25 geographic regions and 81 availability zones [3]. Customers can deploy vSRX instances in any region or zone that meets their needs and preferences [4].
Rapid provisioning: AWS allows customers to launch vSRX instances in minutes using the AWS Marketplace, which is an online store that offers software products and solutions [5]. Customers can also use automation tools, such as CloudFormation, Terraform, and Ansible, to provision vSRX instances in a consistent and scalable manner.
Scale based on demand: AWS supports horizontal and vertical scaling of vSRX instances based on the changing traffic and performance demands. Customers can use AWS Auto Scaling, which is a service that automatically adjusts the number of vSRX instances, or AWS Elastic Load Balancing, which is a service that distributes the traffic across multiple vSRX instances.
Low CapEx: AWS operates on a pay-as-you-go model, which means that customers only pay for the resources they use, such as the vSRX instance type, the storage volume, the data transfer, and the license. Customers can also benefit from the AWS Free Tier, which offers a limited amount of free resources for 12 months.
References:
[1]: vSRX Overview | Junos OS | Juniper Networks
[2]: vSRX Deployment Guide | Junos OS | Juniper Networks
[3]: What is AWS? - Amazon Web Services
[4]: Configure an Amazon Virtual Private Cloud for vSRX Virtual Firewall | Junos OS | Juniper Networks
[5]: Juniper Networks vSRX - Amazon Web Services (AWS)
[6]: Deploying Juniper Security in AWS and Azure Education Services
[7]: Scaling vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks
[8]: Load Balancing vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks
[9]: Juniper Networks vSRX Pricing - Amazon Web Services (AWS)
[10]: AWS Free Tier - Amazon Web Services (AWS)
Question # 49
Which two statements are correct about AppTrack? (Choose two.)
- A. AppTrack can only be configured in the main logical system on an SRX Series device.
- B. AppTrack can be configured for any defined logical system on an SRX Series device.
- C. AppTrack identifies and blocks traffic flows that might be malicious regardless of the ports being used.
- D. AppTrack collects traffic flow information including byte, packet, and duration statistics.
Correct answer: B, D
Explanation:
AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. It can be enabled on any logical system on an SRX Series device [1]. AppTrack collects byte, packet, and duration statistics for application flows in the specified zone [2]. AppTrack sends log messages through syslog providing application activity update messages [1].
AppTrack does not identify or block traffic flows that might be malicious. That is the function of AppSecure, which is a suite of application security tools that includes AppID, AppFW, AppQoS, and AppDoS [3]. AppTrack is a complementary tool that provides visibility into the types of applications traversing through the SRX Series gateway [4].
AppTrack can be configured in any logical system on an SRX Series device, not just the main one [1]. This allows for more flexibility and granularity in monitoring application traffic across different logical systems.
References:
[1]: Application Tracking | Junos OS | Juniper Networks
[2]: application-tracking | Junos OS | Juniper Networks
[3]: Juniper Networks AppSecure | NetworkScreen.com
[4]: [SRX] AppTrack log messages continue to get generated even after disabling the feature - Juniper Networks
Question # 50
Referring to the exhibit, what do you determine about the status of the cluster?
- A. Node 2 is down.
- B. There are no issues with the cluster.
- C. Both nodes determine that they are in a primary state.
- D. Node 1 is down.
Correct answer: A
Question # 51
You are asked to implement IPS on your SRX Series device.
In this scenario, which two tasks must be completed before a configuration will work? (Choose two.)
- A. Enroll the SRX Series device with Juniper ATP Cloud.
- B. Install the IPS signature database.
- C. Reboot the SRX Series device.
- D. Download the IPS signature database.
Correct answer: B, D
Explanation:
To implement IPS on your SRX Series device, you need to download and install the IPS signature database. The IPS signature database contains the attack signatures and predefined attack groups that are used to detect and prevent intrusions. You can download the IPS signature database from the Juniper Networks website or from a local server. You can install the IPS signature database manually or automatically. You do not need to enroll the SRX Series device with Juniper ATP Cloud or reboot the SRX Series device to implement IPS [3][4].
References:
Configuring the IPS Policy on SRX Series Devices Using NSM
Installing SRX 1400 with IPS activation ??? | SRX - Juniper Networks
Download an IPS Signature | J-Web for SRX Series 21.2 - Juniper Networks
IPS Configuration (CLI) | Junos OS | Juniper Networks
Question # 52
Click the Exhibit button.
You have deployed Sky ATP to protect your network from attacks so that users are unable to download malicious files. However, after a user attempts to download a malicious file, they are still able to communicate through the SRX Series device.
Referring to the exhibit, which statement is correct?
- A. Remove the fallback options in the advanced anti-malware policy.
- B. Lower the verdict threshold in the advanced anti-malware policy.
- C. Configure a security intelligence policy and apply it to the security policy.
- D. Change the security policy from a standard security policy to a unified security policy.
Correct answer: C
Question # 53
Click the Exhibit button.
Which two statements describe the output shown in the exhibit? (Choose two.)
- A. Node 1 is passing traffic for redundancy group 1.
- B. Redundancy group 1 experienced an operational failure.
- C. Redundancy group 1 was administratively failed over.
- D. Node 0 is passing traffic for redundancy group 1.
Correct answer: A, C
Question # 54
Your manager asks you to provide firewall and NAT services in a private cloud.
Which two solutions will fulfill the minimum requirements for this deployment? (Choose two.)
- A. a cSRX for firewall services and a separate cSRX for NAT services
- B. a single cSRX
- C. a single vSRX
- D. a vSRX for firewall services and a separate vSRX for NAT services
Correct answer: A, D
Explanation:
A single vSRX or cSRX cannot provide both firewall and NAT services simultaneously. To meet the minimum requirements for this deployment, you need to deploy a vSRX for firewall services and a separate vSRX for NAT services (option D), or a cSRX for firewall services and a separate cSRX for NAT services (option A). This is according to the Juniper Networks Certified Security Specialist (JNCIS-SEC) Study Guide.
Question # 55
When referencing a SSL proxy profile in a security policy, which two statements are correct? (Choose two.)
- A. If you apply an SSL proxy profile to a security policy and forget to apply any Layer 7 services to the security policy, any encrypted traffic that matches the security policy is not decrypted.
- B. A security policy can reference both a client-protection SSL proxy profile and a server-protection proxy profile.
- C. A security policy can only reference a client-protection SSL proxy profile or a server-protection SSL proxy profile.
- D. If you apply an SSL proxy profile to a security policy and forget to apply any Layer 7 services to the security policy, any encrypted traffic that matches the security policy is decrypted.
Correct answer: A, C
Question # 56
Which solution enables you to create security policies that include user and group information?
- A. ATP Appliance
- B. Network Director
- C. JIMS
- D. NETCONF
Correct answer: C
Explanation:
The solution that enables you to create security policies that include user and group information is JIMS (Juniper Identity Management Service). JIMS collects and maintains a large database of user, device, and group information from Active Directory domains or syslog sources, and enables SRX Series devices to rapidly identify thousands of users in a large, distributed enterprise. With JIMS, you can create security policies that include user and group information, and enforce user-based access control policies to protect network resources.
Question # 57
A client has attempted communication with a known command-and-control server and it has reached the configured threat level threshold.
Which feed will the client's IP address be automatically added to in this situation?
- A. the infected host cloud feed
- B. the command-and-control cloud feed
- C. the allowlist and blocklist feed
- D. the custom cloud feed
Correct answer: A
Explanation:
Infected hosts are internal hosts that have been compromised by malware and are communicating with external C&C servers. Juniper ATP Cloud provides infected host feeds that list internal IP addresses or subnets of infected hosts along with a threat level. Once the Juniper ATP Cloud global threshold for an infected host is met, that host is added to the infected host feed and assigned a threat level of 10 by the cloud. You can also configure your SRX Series device to block traffic from these IP addresses using security policies.
Question # 58
Which two statements are correct about SSL proxy server protection? (Choose two.)
- A. You must load the server certificates on the SRX Series device.
- B. The servers must be configured to use the SSL proxy function on the SRX Series device.
- C. You must import the root CA on the servers.
- D. You do not need to configure the servers to use the SSL proxy function on the SRX Series device.
Correct answer: D
Explanation:
SSL proxy server protection is a type of reverse proxy that enables the SRX Series device to act as an intermediary between external clients and internal servers that use SSL encryption. SSL proxy server protection provides benefits such as load balancing, caching, compression, encryption, authentication, and application firewalling. To enable SSL proxy server protection, you do not need to configure the servers to use the SSL proxy function on the SRX Series device. The SRX Series device will terminate the SSL connection from the client and initiate a new SSL connection to the server, without requiring any changes on the server side. However, you must load the server certificates on the SRX Series device, so that the SRX Series device can present the server certificate to the client and establish a secure connection. You must also import the root CA on the servers, so that the servers can trust the SRX Series device as a valid intermediary and accept the connection from the SRX Series device.
References: SSL Proxy, Configuring SSL Proxy, JNCIP-SEC Certification
Question # 59
Exhibit
Referring to the exhibit, which two statements describe the type of proxy used? (Choose two.)
- A. forward proxy
- B. client protection proxy
- C. server protection proxy
- D. reverse proxy
Correct answer: B, C
Explanation:
B) Client protection proxy: This statement is correct because a forward proxy can also be called a client protection proxy since it protects the user's identity and computer information from the web server [4].
C) Server protection proxy: This statement is correct because a reverse proxy can also be called a server protection proxy since it protects the web server's identity and location from the user [4].
Question # 60
What are two types of collectors for the JATP core engine? (Choose two.)
- A. telemetry
- B. SNMP
- C. Web
- D. e-mail
Correct answer: C, D
Question # 61
Exhibit
Referring to the exhibit, what do you determine about the status of the cluster?
- A. There are no issues with the cluster.
- B. Node 2 is down.
- C. Both nodes determine that they are in a primary state.
- D. Node 1 is down.
Correct answer: C
Explanation:
Referring to the exhibit, we can see that the output of the show chassis cluster status command on both nodes shows that they have the same cluster ID, node ID, priority, and status. The status for both nodes is primary, which means that they are both active and ready to process traffic for all redundancy groups [1].
This situation can occur when the control link between the two nodes is down or not configured properly, and the heartbeat messages cannot be exchanged. Without the heartbeat messages, each node assumes that the other node is down and takes over the primary role for all redundancy groups [1][2].
This is not a desirable state for the cluster, as it can cause traffic disruption, configuration inconsistency, and split-brain scenarios. To resolve this issue, the control link should be checked and fixed, and the cluster should be synchronized [1][2].
References:
[1]: Troubleshooting an SRX Chassis Cluster with One Node in the Primary State and the Other Node in the Disabled State
[2]: SRX Series Chassis Cluster Configuration Overview
Question # 62
Regarding static attack object groups, which two statements are true? (Choose two.)
- A. Group membership automatically changes when Juniper updates the IPS signature database.
- B. You must manually add matching attack objects to a custom group.
- C. Matching attack objects are automatically added to a custom group.
- D. Group membership does not automatically change when Juniper updates the IPS signature database.
Correct answer: A, D
Explanation:
Static attack object groups are predefined groups of attack objects that are included in Juniper's IPS signature database. These groups do not change automatically when Juniper updates the database.
Question # 63
You want to manually fail over the primary Routing Engine in an SRX Series high availability cluster pair.
Which step is necessary to accomplish this task?
- A. Implement the control link recovery solution before adjusting the priorities.
- B. Manually request the failover and identify the secondary node.
- C. Issue the set chassis cluster disable reboot command on the primary node.
- D. Adjust the priority in the configuration on the secondary node.
Correct answer: B
Explanation:
To manually fail over the primary Routing Engine in an SRX Series high availability cluster pair, you need to issue the request chassis cluster failover redundancy-group group-id node node-id command on the primary node, where group-id is the redundancy group number and node-id is the node number of the secondary node.
This command initiates a graceful failover of the specified redundancy group to the secondary node, making it the new primary node. The other options are not necessary or correct for this task. Option C would disable the chassis cluster and reboot the primary node, which is not a graceful failover. Option A is not relevant, as the control link recovery solution is used to restore the control link connectivity between the nodes, not to initiate a failover. Option D would not trigger a failover, as the priority of the secondary node would only take effect after a reboot or a control link failure.
References:
Chassis Cluster Redundancy Group Manual Failover
Initiating a Chassis Cluster Manual Redundancy Group Failover
SRX Getting Started - Troubleshoot High Availability (HA)
Question # 64
Which statement regarding Juniper Identity Management Service (JIMS) domain PC probes is true?
- A. JIMS domain PC probes analyze domain controller security event logs at 60-minute intervals by default.
- B. JIMS domain PC probes are triggered if no username to IP address mapping is found in the domain security event log.
- C. JIMS domain PC probes are triggered to map usernames to group membership information.
- D. JIMS domain PC probes are initiated by an SRX Series device to verify authentication table information.
Correct answer: B
Explanation:
JIMS domain PC probes are a mechanism to obtain username to IP address mapping information from devices in a customer's domain. JIMS initiates a domain PC probe when it receives a request from an SRX Series device for a username to IP address mapping that is not found in the domain security event log. JIMS uses the administrative credentials configured for PC probes to access the device and query the Windows Management Instrumentation (WMI) service for the username to IP address mapping [1][2].
References:
[1]: Juniper Identity Management Service Feature Guide - TechLibrary - Juniper Networks
[2]: Juniper Identity Management Service (JIMS) Documentation - Juniper Networks
Question # 65
Which two statements are correct about server-protection SSL proxy? (Choose two.)
- A. The server-protection SSL proxy is also known as SSL reverse proxy.
- B. The server-protection SSL proxy acts as the server from the client's perspective.
- C. The server-protection SSL proxy intercepts the server certificate.
- D. The server-protection SSL proxy forwards the server certificate after modification.
Correct answer: A, B
Question # 66
Which two statements describe superflows in Juniper Secure Analytics? (Choose two.)
- A. Superflows can negatively impact licensing limitations.
- B. JSA only supports Type A and Type C superflows.
- C. Disk space usage is reduced on the JSA device.
- D. Superflows combine many flows into a single flow.
Correct answer: C, D
Question # 67
Which three statements are correct about fabric interfaces on the SRX5800? (Choose three.)
- A. Fabric interfaces must be user-assigned interfaces.
- B. Fabric interfaces must be on the same Layer 2 segment.
- C. Fabric interfaces must be system-assigned interfaces.
- D. Fabric interfaces must have a user-assigned IP address.
- E. Fabric interfaces must be the same interface type.
Correct answer: B, C, E
Question # 68
......