Online Access Free JN0-696 Exam Questions

-- Exhibit -user@R1> show security ike security-associations
user@R1> show security zones
Security zone: trust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 3
Interfaces:
ge-0/0/0.0
ge-0/0/6.0
lo0.0
Security zone: untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bounD. 1
Interfaces:
ge-0/0/1.0
Security zone: junos-host
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes Interfaces bounD. 0 Interfaces:
user@R1> show interfaces st0
Physical interface: st0, Enabled, Physical link is Up Interface index: 130, SNMP ifIndex: 503 Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192 Device flags : Present Running Interface flags: Point-To-Point Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps)
Logical interface st0.0 (Index 72) (SNMP ifIndex 546) Flags: Link-Layer-Down Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel Input packets : 3 Output packets: 3 Security: Zone: Null Protocol inet, MTU: 9192 Flags: Sendbcast-pkt-to-re Addresses, Flags: Dest-route-down Is-Preferred Is-Primary Destination: 172.19.0.0/30, Local: 172.19.0.1
user@R1> show interfaces ge-0/0/1 Physical interface: ge-0/0/1, Enabled, Physical link is Up Interface index: 135, SNMP ifIndex: 508
Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, SpeeD. 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Current address: b0:c6:9a:73:27:81, Hardware address: b0:c6:9a:73:27:81 Last flapped : 2013-06-12 15:22:48 UTC (00:59:41 ago) Input rate : 0 bps (0 pps) Output rate : 0 bps (0 pps) Active alarms : None Active defects : None Interface transmit statistics: Disabled
Logical interface ge-0/0/1.0 (Index 71) (SNMP ifIndex 541) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Input packets : 40 Output packets: 27 Security: Zone: untrust Allowed host-inbound traffic : ping Protocol inet, MTU: 1500 Flags: Sendbcast-pkt-to-re Addresses, Flags: Is-Preferred Is-Primary Destination: 184.0.15.0/30, Local: 184.0.15.1, Broadcast: 184.0.15.3
user@R1> show log ipsec-trace | match "500|drop"
Jun 12 16:32:10 16:32:10.680034:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:32:51 16:32:51.874191:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa
184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:32:51 16:32:51.874191:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:32:51 16:32:51.874191:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr
184.0.15.1, sp 500, dp 500
Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet droppeD. for self but not interested
Jun 12 16:32:51 16:32:51.874555:CID-0:RT: packet dropped, packet droppeD. for self but not
interested.
Jun 12 16:32:54 16:32:54.680399:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:32:56 16:32:56.888094:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa
184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:32:56 16:32:56.888094:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr
184.0.15.1, sp 500, dp 500
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet droppeD. for self but not interested
Jun 12 16:32:56 16:32:56.888094:CID-0:RT: packet dropped, packet droppeD. for self but not
interested.
Jun 12 16:33:00 16:33:00.680794:CID-0:RT:ageout 71,184.0.15.2/500->184.0.15.1/500,17, (0/0)
Jun 12 16:33:07 16:33:06.902220:CID-0:RT:184.0.15.2/500->184.0.15.1/500;17> :
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: ge-0/0/1.0:184.0.15.2/500->184.0.15.1/500, udp
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: find flow: table 0x4f160b38, hash 8769(0xffff), sa
184.0.15.2, da 184.0.15.1, sp 500, dp 500, proto 17, tok 8
Jun 12 16:33:07 16:33:06.902220:CID-0:RT:pak_for_self : proto 17, dst port 500, action 0x0
Jun 12 16:33:07 16:33:06.902220:CID-0:RT: flow_first_in_dst_nat: in 0/1.0>, out A> dst_adr
184.0.15.1, sp 500, dp 500 Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet droppeD. for self but not interested Jun 12 16:33:07 16:33:06.902220:CID-0:RT: packet dropped, packet droppeD. for self but not
interested.
-- Exhibit -
Click the Exhibit button.
You are asked to troubleshoot a new IPsec tunnel that is not establishing between R1 and R2. The remote team has verified that R2's configuration is correct.
Referring to the exhibit, which two actions are required to resolve the problem? (Choose two.)

• A.Add the st0.0 interface to a security zone.
• B.Enable IKE for host inbound traffic in the trust zone.
• C.Change the st0.0 interface MTU to 1400.
• D.Enable IKE for host inbound traffic in the untrust zone.

-- Exhibit - -- Exhibit -

Click the Exhibit button.
Your company has a Web server in the trust zone. You configure a NAT rule to allow Internet users from the untrust zone to access this Web server. Internet users use the public IP address
70.1.1.1 to access this Web server, but they report that the server is not accessible.
Referring to the exhibit, which configuration change would resolve this problem?

• A.set security zones security-zone untrust host-inbound-traffic system-services http
• B.set security nat destination rule-set http rule 1 match source-address 0.0.0.0/0
• C.set security address-book global address web-server 192.168.1.11/32
• D.set security nat proxy-arp interface fe-0/0/2 address 70.1.1.0/24

In preparation for future expansion, a user decides to configure a stand-alone SRX Series device for chassis-clustering mode. The user enters the command set chassis cluster cluster-id 0 node 0 reboot on the device. After the device reboots, the user sees this output:
user@host> show chassis cluster status
error: Chassis cluster is not enabled.
user@host>
The device does not enter chassis-clustering mode.
What is the problem?

• A.Node ID 0 is not valid for a chassis cluster.
• B.An SRX Series device will only enter chassis-clustering mode when it finds a peer that is also configured for chassis-clustering mode.
• C.An SRX Series device will not enter chassis-clustering mode unless the fxp0 and fxp1 interfaces are defined in the configuration.
• D.Cluster ID 0 is not valid for a chassis cluster.

-- Exhibit --
user@host> show configuration security utm
custom-objects {
url-pattern {
block-juniper {
value *.spammer.com;
}
}
custom-url-category {
blacklist {
value block-juniper;
}
}
}
feature-profile {
anti-spam {
address-blacklist block-juniper;
sbl {
profile myprofile {
no-sbl-default-server;
spam-action block;
}
}
}
}
utm-policy wildcard-policy {
anti-spam { smtp-profile myprofile; }
} -- Exhibit -
Click the Exhibit button.
You added a blacklist to your antispam policy to block any e-mails from the spammer.com domain. However, your users are complaining that they are still receiving spam e-mails from that domain. You run the utm test-string test and confirm that the blacklist is not working.
Referring to the exhibit, what is causing this problem?

• A.The pattern needs to be preceded by an @ symbol.
• B.The wildcard character * cannot be used for the e-mail pattern match.
• C.url-pattern is not supported for antispam.
• D.The protocol-command smtp value sender: needs to be added under custom-objects.

Two SRX Series devices are having problems establishing an IPsec VPN session. One of the devices has a firewall filter applied to its gateway interface that rejects UDP traffic.
What would resolve the problem?

• A.Disable the IKE Phase 1 part of the session establishment.
• B.Disable the IKE Phase 2 part of the session establishment.
• C.Change the configuration so that session establishment uses TCP.
• D.Edit the firewall filter to allow UDP port 500.