FWV, Specialist (JNCIS-FWV) v6.0
Question 1
What is the purpose of a virtual system profile?
- A. to limit virtual system access
- B. to limit virtual system resources
- C. to limit the number of virtual system interfaces
- D. to limit the number of VPNs
Answer : B
Question 2
-- Exhibit --
set admin name "admin"
set admin password "nOsYMqrbAs/McFsJrs6HwcIt3AF6yn"
set admin user "User1" password "nLZwKErINPPCcphC6sFMXrJ" privilege "read-only" set admin port 8080 set admin access attempts 5 set admin access lock-on-failure 5 set admin auth web timeout 10 set admin auth server "Local"
-- Exhibit --
User1 wants to create the policy in the ScreenOS device, but is not successful.
Referring to the exhibit, what is the problem?
- A. The User1 account has been suspended.
- B. User1 does not have any account in this device.
- C. User1 logged in to the device with wrong port.
- D. User1 does not have the proper permission to create a policy.
Answer : D
Question 3
You are configuring a VPN with IKE between headquarters and a branch office that uses a dynamic public IP address. Which IKE mode should you use?
- A. quick mode
- B. main mode
- C. aggressive mode
- D. wizard mode
Answer : C
Question 4
You have configured integrated Web filtering in the ScreenOS software. You find that users trying to access http://www.example.com are being blocked by your Web-filtering configuration. However, you want all users to be able to access this Web site.
What are two methods to allow this traffic? (Choose two.)
- A. Configure an SC-CPA exception for the URL.
- B. Configure the URL as part of a custom category and allow requests in that category.
- C. Configure the URL as part of the blacklist.
- D. Configure the URL as part of the whitelist.
Answer : BD
Question 5
Click the Exhibit button.
In the network shown in the exhibit, you have been asked to enable users in the Untrust zone to contact Server1 on TCP port 80 using IP address 1.1.1.1. You also need to allow
Server1 to make connections to hosts in the Untrust zone. When Server1 makes connections to the Untrust zone, the source address of its traffic should be translated to
1.1.1.1.
What would you use to configure this behavior?
- A. MIP
- B. VIP
- C. DIP
- D. SIBR
Answer : A
Question 6
-- Exhibit --
NS5200(M)-> get nsrp -
nsrp version: 2.0
cluster info:
cluster iD.1, namE.5200
local unit iD.8000208
active units discovereD.
index: 0, unit iD.8014208, ctrl maC.0010db000085, data maC.0010db000086 index: 1, unit iD.8337344, ctrl maC.0010db0000c5, data maC.0010db0000c6 total number of units: 2
VSD group info:
init hold timE.5
heartbeat lost thresholD.3
heartbeat interval: 200(ms)
master always exist: enabled
group priority preempt holddown inelig master PB other members
0 50 yes 45 no myself 8330044
total number of vsd groups: 1
Total iteration= ,time=878546093,max=4900,min=170,average=18
RTO mirror info:
run time object synC.enabled
ping session synC.enabled
coldstart sync done
nsrp data packet forwarding is enabled
nsrp link info:
control channel: ha1 (ifnum: 5) maC.0010db000085 statE.up
data channel: ha2 (ifnum: 6) maC.0010db000086 statE.up
ha secondary path link not available
NSRP encryption: disabled -
NSRP authentication: disabled -
device based nsrp monitoring thresholD.255, weighted sum: 0, not failed device based nsrp monitor interfacE.ethernet2/1(weight 255, UP) ethernet2/3(weight 255,
UP) ethernet2/4(weight 255, UP) ethernet2/5(weight 255, UP) ethernet2/2(weight 255, UP) device based nsrp monitor zonE. device based nsrp track ip: (weight: 255, disabled) number of gratuitous arps: 4 (default) config synC.enabled track ip: disabled
-- Exhibit --
Referring to the exhibit, which three statements are true? (Choose three.)
- A. This cluster is configured as an active/active cluster.
- B. RTO sync is enabled.
- C. No secondary path is configured.
- D. master-always-exists is enabled.
- E. Only one interface is used for both the control and data links.
Answer : B,C,D
Question 7
You have configured a single-port VIP to forward HTTP traffic from the untrust interface on your ScreenOS device to an internal Web server. You have configured a policy to allow thistraffic. Traffic from the untrust interface that matches this policy is unable to connect to the Web server.What is a solution to this problem?
- A. You must reboot the ScreenOS device for the VIP to become active.
- B. You must ensure the ScreenOS device has a route to the Web server.
- C. You must ensure the Web server is directly connected to the ScreenOS device.
- D. You must save the ScreenOS device configuration for the VIP to become active.
Answer : B
Question 8
You have created a site-to-site IPsec VPN between two devices. You want to keep the tunnel up at all times, even when no user traffic is using it.Which two configuration additions will accomplish this goal? (Choose two.)
- A. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip
- B. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip rekey
- C. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip keepalive
- D. set vpn "RemoteVPN" monitor source-interface ethernet0/1 destination-ip rekey optimized
Answer : BD
Question 9
What are two routing tables contained in a virtual router? (Choose two.)
- A. destination-based
- B. NHTB
- C. source-based
- D. zone-based
Answer : AC
Question 10
Policy-based routing (PBR) policies can be bound to which three ScreenOS objects?
(Choose three.)
- A. virtual routers
- B. interfaces
- C. zones
- D. security policies
- E. virtual system
Answer : ABC
Question 11
A routing table contains an IBGP route for 192.168.0.0/24, a RIP route for 192.168.0.0/23, an OSPF route for 192.168.0.0/22, and a static route for 192.168.0.0/16.
When the router receives traffic destined for 192.168.0.1, which route will the router use?
- A. the IBGP route
- B. the OSPF route
- C. the RIP route
- D. the static route
Answer : A
Question 12
-- Exhibit --
NSPROD1(M)-> get nsrp ha-link -
total_ha_port = 2
probe on ha-link is disabled
unused channel: ethernet8 (ifnum: 11) maC.0010db1d1e8b statE.down unused channel: ethernet7 (ifnum: 10) maC.0010db1d1e8a statE.down ha control link not available ha data link not available ha secondary path link not available
-- Exhibit --
Referring to the exhibit, both clustered devices are in a master state.
What is the cause of this situation?
- A. The cluster is not configured for NSRP.
- B. The cluster is in the process of failing over from the primary node to the secondary node.
- C. Probes on the HA links have been disabled, causing the HA links to go down.
- D. The control and the data link is down.
Answer : D
Question 13
What is the function of NAT?
- A. It performs Layer 3 routing.
- B. It evaluates and redirects matching traffic into secure tunnels.
- C. It provides translation between IP addresses.
- D. It performs Layer 2 switching.
Answer : B
Question 14
A ScreenOS device evaluates five primary elements when performing a security policy check on a new session.Which five elements are evaluated?
- A. source IP address, destination IP address, source route, source port, and destination port
- B. source IP address, destination IP address, source port, destination port, and protocol
- C. source IP address, destination IP address, source port, destination port, and payload
- D. destination IP address, source port, destination port, protocol, and payload
Answer : B
Question 15
Click the Exhibit button.
Which two statements are true about the default route configuration based on the output shown in the exhibit? (Choose two.)
- A. A default route is configured in the trust-vr with a next-hop IP address of 1.1.1.1.
- B. A default route is configured in the trust-vr with a next hop of ethernet3/1.
- C. A default route is configured in the trust-vr with a next hop of the untrust-vr.
- D. A default route is configured in the untrust-vr with a next-hop IP address of 1.1.1.1.
Answer : CD