You are asked to provide single sign-on (SSO) to Juniper ATP Cloud. Which two steps accomplish this goal? (Choose two.)
Correct Answer: C,D
Question 72
You are attempting to ping the IP address that is assigned to the loopback interface on the SRX series device shown in the exhibit. What is causing this problem?
Correct Answer: A
Question 73
An ADVPN configuration has been verified on both the hub and spoke devices and it seems fine. However, OSPF is not functioning as expected. Referring to the exhibit, which two statements under interface st0.0 on both the hub and spoke devices would solve this problem? (Choose two.)
Correct Answer: A,B
For ADVPN with OSPF, using a point-to-multipoint (p2mp) interface type and enabling dynamic-neighbors are crucial. This configuration allows dynamic discovery of neighbors and the establishment of tunnels. For more information, refer to the Juniper ADVPN Configuration Guide.
In the ADVPN configuration, OSPF isn't functioning as expected due to the interface configuration on st0.0. Here are the adjustments needed:
* Interface Type p2mp (Answer A): OSPF requires that the tunnel interface be set to p2mp (point-to-multipoint) to allow OSPF to communicate with multiple dynamic neighbors over the ADVPN tunnels. Command example:
    set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
* Dynamic Neighbors (Answer B): The dynamic-neighbors statement allows OSPF to discover and communicate with dynamically established spokes in an ADVPN environment. This is essential for ADVPN to function properly since the tunnel endpoints are not static. Command example:
    set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
These settings ensure OSPF functions properly over dynamically created ADVPN tunnels.
Question 74
Referring to the exhibit, which two statements are correct about the NAT configuration? (Choose two.)
Correct Answer: B,D
The NAT setup allows only specific external hosts to reach the internal network post-initial session, providing controlled access. Reflexive NAT preserves the source port from the original request, maintaining continuity. More on this can be found in the Juniper NAT Configuration Documentation.
Looking at the NAT configuration, we observe the use of persistent NAT with the keyword permit target-host. Here's a detailed breakdown:
* Persistent NAT (Correct: Option B): When persistent NAT is configured with the permit target-host option, it allows the internal host (from the 172.16.1.0/24 network) to initiate communication with an external host. After the initial session is established, only the specific external host (target host) is allowed to initiate subsequent sessions to the internal host using the reflexive address. This ensures that random external hosts cannot initiate sessions, which enhances security.
* Original Destination Port Reuse (Correct: Option D): In this configuration, the interface-based source NAT uses the original destination port of the incoming session as the source port for the outbound session. This maintains port transparency for NATed traffic, which can be crucial for certain types of applications that depend on consistent port numbers.
* Incorrect Options:
    * Option A is incorrect because persistent NAT with target-host does not allow both internal and external hosts to initiate sessions freely. Only the specific external host can initiate a session after the initial session is established by the internal host.
    * Option C is incorrect because only the specific external host can initiate subsequent sessions, not any random external host.
Juniper References:
* Juniper NAT Documentation: Describes the behavior of persistent NAT and how target-host restrictions work for enhanced security.
Question 75
You are configuring transparent mode on an SRX Series device. You must permit IP-based traffic only, and BPDUs must be restricted to the VLANs from which they originate. Which configuration accomplishes these objectives?