Security, Associate (JNCIA-SEC) Questions and Answers
Question 17
Which statement is correct about source NAT?
Options:
A. It translates MAC addresses to private IP addresses.
B. It translates private IP addresses to public IP addresses.
C. It performs bidirectional IP address translation.
D. It performs translation on ingress traffic only.
Answer:
B
Explanation:
Source NAT (Network Address Translation) is used on SRX devices to allow hosts with private IP addresses to access external networks, such as the Internet. The SRX translates the private IP address of the source host into a public IP address before forwarding traffic toward the destination.
It does not translate MAC addresses (Option A).
NAT is unidirectional in this case: it specifically translates private-to-public in the outbound direction, while the reverse (return traffic) is handled automatically through the session table. It is not a bidirectional translation (Option C).
NAT processing occurs as part of the flow module, not limited only to ingress traffic (Option D).
Therefore, the correct statement is that source NAT translates private IP addresses to public IP addresses.
Reference: Juniper Networks – Junos OS Security Fundamentals, NAT Concepts and Source NAT Processing.
Question 18
Which statement is correct about exception traffic?
Options:
A. Exception traffic is only handled on the Packet Forwarding Engine.
B. Exception traffic is rate-limited on the connection between the Packet Forwarding Engine and the Routing Engine.
C. Exception traffic is anything that is rejected by security policies and requires additional processing.
D. Exception traffic refers to malformed IP packets received on the Packet Forwarding Engine.
Answer:
B
Explanation:
Exception traffic refers to traffic that must be sent from the Packet Forwarding Engine (PFE) to the Routing Engine (RE) for processing, such as routing protocol updates, management traffic, and control-plane destined packets.
Option B: Correct. Exception traffic is rate-limited on the internal connection between the PFE and RE to protect the Routing Engine from denial-of-service attacks.
Option A: Incorrect. Exception traffic is not handled only on the PFE; it requires RE involvement.
Option C: Incorrect. Rejected traffic by security policies is simply dropped, not classified as exception traffic.
Option D: Incorrect. Malformed packets are dropped, not considered exception traffic.
Correct Statement: Exception traffic is rate-limited between the PFE and RE.
Reference: Juniper Networks – Exception Traffic and RE Protection, Junos OS Security Fundamentals.
Question 19
What is the purpose of assigning logical interfaces to separate security zones in Junos OS?
Options:
A. to simplify the configuration of network interfaces
B. to manage routing protocols and updates
C. to control traffic that traverses different VLANs using security policies
D. to enable network monitoring through SNMP
Answer:
C
Explanation:
In Junos OS, security zones are the foundation of SRX firewall policy enforcement. Logical interfaces must be assigned to zones. This enables:
Separation of traffic by zone boundaries.
Enforcement of security policies for traffic traversing between zones.
Control of traffic across VLANs, subnets, or functional areas (e.g., trust, untrust, DMZ).
Other options:
Zone assignment is not used to simplify interface configuration (A).
Routing protocols and updates (B) are handled by routing instances, not zones.
SNMP monitoring (D) is enabled under system or services configuration, not zones.
Reference: Juniper Networks – Security Zones and Policy Enforcement, Junos OS Security Fundamentals.
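
The zone assignment from Question 19 and the source NAT behaviour from Question 17 fit together in one SRX configuration. The following is an added example, not part of the original question set. The interface names, the zone, policy and rule names, and the addresses (RFC 1918 inside, RFC 5737 documentation range outside) are assumptions chosen for illustration, and the `#` lines are annotations for the reader.

```junos
# Addressing (constructed): private LAN on ge-0/0/1, public uplink on ge-0/0/0
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30

# Question 19: each logical interface is placed in its own security zone,
# so traffic between them has to cross a zone boundary and match a policy
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0

# Only trust -> untrust is permitted. No untrust -> trust policy is defined,
# so new sessions initiated from outside fall through to the default deny.
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit

# Question 17: source NAT is scoped by the same zone pair. Private source
# addresses are translated to the public address of the egress interface.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule private-to-public match source-address 192.168.1.0/24
set security nat source rule-set trust-to-untrust rule private-to-public then source-nat interface
```

After commit, `show security flow session` lists each outbound session with its translated source address, which is the session-table entry that lets return traffic be reversed without a separate inbound NAT rule; `show security nat source rule all` shows the hit count for the rule.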