-- Exhibit -
user@SRX-1> show configuration security ike
traceoptions {
    file ike-trace;
    flag all;
}
policy juniper {
    proposal-set standard;
    pre-shared-key ascii-text "$ $ znCO hKMXtuMX - gTz "; ## SECRET-DATA
}
gateway juniper {
    ike-policy juniper;
    address 192.168.1.11;
    external-interface fe-0/0/7;
}
user@SRX-1> show configuration security ipsec
traceoptions {
    flag all;
}
policy juniper {
    proposal-set standard;
}
vpn juniper {
    bind-interface st0.0;
    ike {
        gateway juniper;
        ipsec-policy juniper;
    }
}
user@SRX-1> show security ike security-associations
user@SRX-1> show security ipsec security-associations
Total active tunnels: 0
user@SRX-1> show log ike-trace
...
Jun 13 16:21:33 ike_st_o_all_done: MESSAGE: Phase 1 { 0x3f669946 90eba0c7 - 0x76bdffab f8770040 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Responder, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key l
Jun 13 16:21:33 192.168.1.10:500 (Responder) -> 192.168.1.11:500 { 3f669946 90eba0c7 76bdffab f8770040 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 28800 sec, key
Jun 13 16:21:33 ike_encode_packet: Start, SA = { 0x3f669946 90eba0c7 - 76bdffab f8770040 } / 00000000, nego = -1
Jun 13 16:21:33 ike_send_packet: Start, send SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1, dst = 192.168.1.11:500, routing table id = 0
Jun 13 16:21:33 ike_send_notify: Connected, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1
Jun 13 16:21:33 iked_pm_ike_sa_done: local:192.168.1.10, remote:192.168.1.11 IKEv1
Jun 13 16:21:33 iked_pm_id_validate id NOT matched.
Jun 13 16:21:33 P1 SA 3075313 timer expiry. ref cnt 1, timer reason Defer delete timer expired (3), flags 0x331.
Jun 13 16:21:33 iked_pm_ike_sa_delete_notify_done_cB. For p1 sa index 3075313, ref cnt 1, status: Error ok
Jun 13 16:21:33 ike_expire_callback: Start, expire SA = { 3f669946 90eba0c7 - 76bdffab f8770040}, nego = -1
Jun 13 16:21:33 ike_alloc_negotiation: Start, SA = { 3f669946 90eba0c7 - 76bdffab f8770040}
...
-- Exhibit -
Click the Exhibit button.
You are troubleshooting a new IPsec VPN that is not establishing between SRX-1 and a remote end device.
Referring to the exhibit, what is causing the problem?
A. IKE Phase 1 proposals mismatch
B. IKE Phase 2 proxy ID mismatch
C. IKE Phase 1 IKE ID mismatch
D. Pre-shared key mismatch
Correct answer: C
Question 2:
-- Exhibit --
Apr 27 19:11:09 company-fw init: low_mem_signal_processes: send signal 16 to routing
Apr 27 19:11:09 company-fw /kernel: KERNEL_MEMORY_CRITICAL: System low on free memory, notifying init (#4).
Apr 27 19:11:09 company-fw rpd[1268]: Processing low memory signal
Apr 27 19:11:09 company-fw init: low_mem_signal_processes: send signal 16 to idp-policy
Apr 27 19:11:09 company-fw idpd[1295]: Processing low memory signal
Apr 27 19:11:10 company-fw idpd[1987]: IDP_SECURITY_INSTALL_RESULT: security package install result(Done;Install aborted due to system reaching low memory condition!)
-- Exhibit -
Click the Exhibit button.
You are troubleshooting a problem where the IDP signature database update on your Junos device has failed.
Referring to the exhibit, which action will resolve this problem?
A. Increase the amount of control plane memory by issuing the command set security advanced-services data-plane memory low.
B. Perform a manual update of the IDP signature database by issuing the command request security idp security-package download.
C. Download the IDP signature database on the control plane without updating the data plane detector engine by issuing the command request security idp security-package install update-attack-database-only.
D. Clear the control plane memory used by IDP by issuing the command clear security idp status.
Correct answer: A
Question 3:
-- Exhibit -
-- Exhibit -
Click the Exhibit button.
There is an existing chassis cluster connected to the corporate network 192.168.1.0/24. You are asked to connect another department to this VLAN. To achieve this, you add a new chassis cluster to the network. After connecting to the network, the cluster experiences traffic problems. You have verified that the addresses and VLAN IDs are configured correctly.
Referring to the exhibit, which configuration would resolve this problem?
A. user@SRX-3> set chassis cluster cluster-id 2 node 0 reboot user@SRX-4> set chassis cluster cluster-id 2 node 1 reboot
B. user@SRX-3# set chassis cluster redundancy-group 1 preempt user@SRX-3# commit
C. user@SRX-3> set chassis cluster cluster-id 1 node 0 reboot user@SRX-4> set chassis cluster cluster-id 1 node 1 reboot
D. user@SRX-3# set chassis cluster redundancy-group 1 node 0 priority 100 user@SRX-3# commit
Correct answer: A
Question 4:
You are asked to troubleshoot a user communication problem. Users connected to the Trust zone cannot communicate with other devices connected to the same zone. These users are able to communicate with other devices in all other zones.
How should you resolve this problem?
A. You must enable the all parameter for host inbound traffic for the zone.
B. You must enable the allow-internal parameter under the Trust security zone.
C. You must configure a security policy to allow intrazone communication.
D. You must put each device in a separate subzone to allow internal communication.
Correct answer: C
Komesu -
It includes practice questions, so you can build the skills to stay composed even in the real exam. It is all thanks to Pass4Test.