Click the Exhibit button.

userehost# run show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:05:06
> to 172.16.1.1 via ge-0/0/1.0
172.16.1.0/24 *[Direct/O] 00:05:06
> via ge-0/0/1.0
172.16.1.3/32 *[Local/0] 00:05:07
Local via ge-0/0/1.0
192.168.200.2/32 *[Local/0] 00:05:07
Rejectvr-a.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, – = Last Active, * = Both
192.168.1.0/24 *[Direct/0] 00:01:05
> via ge-0/0/2.0
192.168.1.1/32 *[Local/0] 00:01:05
Local via ge-0/0/2.0
vr-b.inet.0: 2 destinations, 2 routes (2 active, 0 holddcwn, 0 hidden) + = Active Route, – = Last Active, * = Both
192.168.1.0/24 *[Direct/O] 00:01:05
> via go-0/0/3.0
192.168.1.1/32 *[Local/0] 00:01:05
Local via ge-0/0/3.0
User 1 will access Server 1 using IP address 10.2.1.1. You need to ensure that return traffic is able to reach
User 1 from Server 1.
Referring to the exhibit, which two configurations allow this communication (Choose two.)

Click the Exhibit button.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:<1.1.1.100/51303->1.1.1.30/3389;6>
matched filter MatchTraffic:
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:packet [48] ipid = 5015, @423d7e9e Feb 2 09:00:02
09:00:00.1872004:CID-0:RT:—- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag Ox0, mbuf
Ox423d7d00
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow process pak fast ifl 72
In_ifp fe-0/0/7.0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: fe-0/0/7.0:1.1.1.100/51303- >1.1.1.30/3389, top, flag 2 syn
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: find flow: table Ox5258d7b0, hash 17008(Oxffff), sa 1.1.1.100, da
1.1.1.30, sp 51303, dp 3389, proto 6, tok
448
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: no session found, start first
path. in_tunnel – 0, from_cp_flag – 0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow_first_create_session
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: flow first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr 1.1.1.30,
sp 51303, dp 3389
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: chose interface fe-0/0/7.0 as incoming nat if.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_rule_dst_xlate: packet 1.1.1.100->1.1.1.30 nsp2 0.0.0.0-
>192.168.224.30.
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_routing: call flow_route_lookup() src_ip 1.1.1.100,
x_dst_ip 192.168.224.30, in ifp fe-0/0/7.0, out ifp N/A sp 51303, dp 3389, ip_proto 6, tos 0
Feb 2 09:00:02 09:00:00.1872004:CID-O:RT:Doing DESTINATION addr route-lookup Feb 2 09:00:02
09:00:00.1872004:CID-0:RT: routed (x_dst_ip 192 168.224.30)
from untrust (fe-0/0/7.0 in 0) to ge-0/0/0.0, Next-hop: 192.168.224.30
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy search from zone untrust-> zone trust
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: policy has timeout 900
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: app 0, timeout 1800s, curr ageout 20s
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(51303) to 192.168.224.30
(3389) returns status 1, rule/pool id 1/2. Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: dip id = 2/0,
1.1.1.100/51303->192.168.224.3/48810
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: choose interface ge-0/0/0.0 as outgoing phy if
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/0.0, addr: 192.168.224.30,
rtt_idx:0
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 0, policy 9, app_svc_en 0, flags
Ox2. not interested
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:sm_flow_interest_check: app_id 1, policy 9, app_svc_en 0, flags
Ox2. not interested
Feb 2 09:00:02 09:00:00.1872004:CID-0:RT:flow_first_service_lookup(): natp(Ox51ee4680): app_id, 0(0).Feb 2 09:00:02 09:00:00.1872004:CID-0:RT: service lookup identified service O.
Referring to the exhibit, which two statements are correct? (Choose two.)

Click the Exhibit button.
user@host> show security flow session extensive
Session ID: 1173, Status: Normal
Flag: Ox0
Policy name: two/6
Source NAT pool: interface, Application: junos-ftp/1
Dynamic application: junos:UNKNOWN,
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 1756
Session State: Valid
Start time: 4859, Duration: 99
In: 172.20.103.10/56457 –> 10.210.14.130/21;tcp,
Interface: vlan.103,
Session token: Ox8, Flag: Ox21
Route: 0x100010, Gateway: 172.20.103.10, Tunnel: 0
Port sequence: 0, FIN sequence: 0, FIN state: 0,
Pkts: 12, Bytes: 549
Out: 10.210.14.130/21 –> 10.210.14.133/18698;tcp,
Interface: ge-0/0/0.0,
Session token: 0x7, Flag: Ox20
Route: Oxf0010, Gateway: 10.210 14.130, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 8, Bytes: 514
Total sessions: 1A user complains that they are unable to download files using FTP. They are able to connect to the remote site,
but cannot download any files. You investigate and execute the show security flow session extensive command
to receive the result shown in the exhibit.
What is the cause of the problem?

Which AppSecure module provides Quality of Service?

Click the Exhibit button.
[edit protocols ospf area 0.0.0.0]
user@host# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote
Address
3289542 UP 48d928408940de28 e418fc7702fe483b Main
172.31.50.1
3289543 UP eb45940484082b14 428086b100427326 Main 10.10.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show security ipsec; security-associations
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:des/ shal 6d40899b 1360/ unlim – root 500 10.10.50.1
>131073 ESP:des/ shal 5a89400e 1360/ unlim – root 500 10.10.50.1
<131074 ESP:des/ shal c04046f 1359/ unlim – root 500 172.31.50.1
>131074 ESP:des/ shal 5508946c 1359/ unlim – root 500 172.31.50.1
[edit protocols ospf area 0.0.0.0]
user@host# run show ospf neighbor
Address Interface State ID Pri Dead
10.40.60.1 st0.0 Init 10.30.50.1 128 35
10.40.60.2 st0.0 Full 10.30.50.1 128 31
[edit protocols ospf area 0.0.0.0]
user@host# show
interface st0.0;
You have already configured a hub-and-spoke VPN with one hub device and two spoke devices. However, the
hub device has one neighbor in the Init state and one neighbor in the Full state.What would you do to resolve this problem?

Click the Exhibit button.
user @host> show bgp summary logical-system LSYS1
Groups : 11 Peers : 10 Down peers: 1
Table Tot. Paths Act Paths Suppressed History Damp State
Pending
inet.0 141 129 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/
Damped…
192.168.64.12 65008 11153 11459 0 26 3d
3:10:43 9/10/10/0 0/0/0/0
192.168.72.12 65009 11171 11457 0 26 3d
3:10:39 11/12/12/0 0/0/0/0
192.168.80.12 65010 9480 9729 0 27 3d
3:10:42 11/12/12/0 0/0/0/0
192.168.88.12 65011 11171 11457 0 25 3d
3:10:31 12/13/13/0 0/0/0/0192.168.96.12 65012 9479 9729 0 26 3d
3:10:34 12/13/13/0 0/0/0/0
192.168.10.12 65013 111689 11460 0 27 3d
3:10:46 9/10/10/0 0/0/0/0
192.168.11.12 65014 111688 11458 0 25 3d
3:10:42 9/10/10/0 0/0/0/0
192.168.12.12 65015 111687 11457 0 25 3d
3:10:38 9/10/10/0 0/0/0/0
192.68.11.12 650168 9478 9729 0 25 3d
3:10:42 9/10/10/0 0/0/0/0
192.168.13.12 65017 111687 11457 0 27 3d
3:10:30 9/10/10/0 0/0/0/0
192.168.16.12 65017 111687 11457 0 27 1w3d2h
Connect
user@host> show interfaces ge-0/0/7.0 extensive
Logical interface ge-0/0/7.0 (Index 76) (SNMP ifIndex 548) (Generation 141)
…
Security: Zone: log
Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reversetelnet reverse-ssh rloqin rpm rsh snmp
snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip
r2cp
Flow Statistics:
Flow Input statistics:
Self packets: 0
ICMP packets: 0
VPN packets: 0
Multicast packets: 0
Bytes permitted by policy: 0
Connections established: 0
Flow Output statistics:
Multicast packets: 0
Bytes permitted by policy: 0
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self pakets: 0
No minor session: 0
No more sessions: 589723
No NAT gate: 0
No route present: 0
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 0
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1500, Generation: 1685, Route table: 0
Flags: Sendbcast-pkt-to-re
Addresses, F1ags: Is-Preferred Is-Primary
Destination: 10.5.123/24, Local: 10.5.123.3, Broadcast:10.5.123.255, Generation: 156
Protocol multiservice, MTU: Unlimited, Generation: 1686, Route table: 0
Policer: Input: __default_arp_policer__
…
…
An SRX Series device has been configured with a logical system LSYS1. One of the BGP peers is down.
Referring to the exhibit, which statement explains this problem?

You are asked to configure your SRX Series device to support IDP SSL inspections for up to 6,000 concurrent
HTTP sessions to a server within your network.
Which two statements are true in this scenario? (Choose two.)

Click the Exhibit button.
[edit security application-firewall]
user@host# show
rule-sets web {
rule one {
match {
dynamic-application junos:HTTP;
}
then {permit;
}
}
default-rule {
reject;
}
}
What will happen to non-HTTP traffic that matches the application-firewall policy shown in the exhibit?

The IPsec VPN on your SRX Series device establishes both the Phase 1 and Phase 2 security associations.
Users are able to pass traffic through the VPN. During peak VPN usage times, users complain about
decreased performance. Network connections outside of the VPN are not seriously impacted.
Which two actions will resolve the problem? (Choose two.)

Click the Exhibit button.
[edit security idp-policy test]
user@host# show
rulebase-ips {
rule R3 {
match {
source-address any;
destination-address any;
attacks {
predefined-attacks FTP:USER:ROOT;
}
}
then {
action {
recommended;
}
}
terminal;
}
rule R4 {
match {
source-address any;
destination-address any;
attacks {
predefined-attacks HTTP:HOTMAIL:FILE-UPLOAD;
}}
then {
action {
recommended;
}
}
}
}
You have just committed the new IDP policy shown in the exhibit. However, you notice no action is taken on
traffic matching the R4 IDP rule.
Which two actions will resolve the problem? (Choose two.)