You have an SRX Series Layer 2 enforcer providing 802.1X authentication for connected endpoints. Your security policy requires that users who fail their authentication be placed in a specific VLAN.On the Layer 2 enforcer, at the [edit protocols dot1x auth

第1题：

第2题：

第3题：

You have a share on your local computer. This share contains some sensitive applications in theform of .exe files. You want to audit the users who are trying to execute these programs. What should you do？（）

• A、Turn on auditing for objects in the Local Security Policy and Select 'Process Tracking'.
• B、Turn on auditing for objects in the Local Security Policy and Select 'Object Access'.
• C、Use Windows Explorer to turn on auditing for the specific files. 
• D、Have the administrator for domains log you on as an administrator and enable auditing for a  specific file.
• E、Turn on auditing for objects in the Local Security Policy and Select 'Account Management'.
• F、Allow only one account at a time to log on to your shared folder. Check the event viewer to  see who logged on. 

第4题：

You have created a security policy on an SRX240 that permits traffic from any source-address, any destination-address, and any application. The policy will be a source IP policy for use with the Junos Pulse Access Control Service. What must you add to complete the security policy configuration?（）

• A、The intranet-auth authentication option
• B、The redirect-portal application service
• C、The uac-policy application service
• D、The ipsec-vpn tunnel

第5题：

You are installing a MAG Series device for access control using an SRX Series device as the firewall enforcer. The MAG Series device resides in the same security zone as users. However, the users reside in different subnets and use the SRX Series device as an IP gateway.Which statement is true?（）

• A、You must configure a security policy on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
• B、No security policy is necessary on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
• C、You must configure host-inbound traffic on the SRX Series device to allow SSL traffic between the MAG Series device and the user devices.
• D、You must configure host-inbound traffic on the SRX Series device to allow EAP traffic between the MAG Series device and the user devices.

第6题：

You have a firewall enforcer protecting resources in a data center. A user is experiencing difficulty connecting to a protected resource.Which two elements must exist so the user can access the resource?（）

• A、Resource access policy on the MAG Series device
• B、IPsec routing policy on the MAG Series device
• C、General traffic policy blocking access through the firewall enforcer
• D、Auth table entry on the firewall enforcer

第7题：

You administer a network containing SRX Series firewalls. New policy requires that you implement MAG Series devices to provide access control for end users. The policy requires that the SRX Series devices dynamically enforce security policy based on the source IP address of the user. The policy also requires that the users communicate with protected resources using encrypted traffic. Which two statements are true?（）

• A、The endpoints can use agentless access.
• B、Encrypted traffic flows between the endpoint and the enforcer.
• C、Encrypted traffic flows between the endpoint and the protected resource
• D、The endpoints can use the Odyssey Access Client.

第8题：

Your company’s network includes client computers that run Windows 7. You design a wireless network to use Extensible Authentication Protocol-Transport Level Security （EAP-TLS）.   The Network Policy Server has a certificate installed.   Client computers are unable to connect to the wireless access points.    You need to enable client computers to connect to the wireless network.   What should you do？（）

• A、Configure client computers to use Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 （PEAP-MS-CHAP v2）.
• B、Configure client computers to use Protected Extensible Authentication Protocol-Transport Layer Security （PEAP-TLS）.
• C、Install a certificate in the Trusted Root Certification Authorities certificate store.
• D、Install a certificate in the Third-Party Root Certification Authorities certificate store.

第9题：

You are the network administrator for your company. The network consists of a single Active Directory domain.  The company has remote users in the sales department who work from home. The remote users’ client computers run Windows XP Professional， and they are not members of the domain. The remote users’ client computers have local Internet access through an ISP.   The company is deploying a Windows Server 2003 computer named Server1 that has Routing and Remote Access installed. Server1 will function as a VPN server， and the remote users will use it to connect to the company network. Confidential research data will be transmitted from the remote users’ client computers. Security is critical to the company and Server1 must protect the remote users’ data transmissions to the main office. The remote client computers will use L2TP/IPSec to connect to the VPN server.  You need to choose a secure authentication method.   What should you do？ （）

• A、 Use the authentication method of the default IPSec policies.
• B、 Create a custom IPSec policy and use the Kerberos version 5 authentication protocol.
• C、 Create a custom IPSec policy and use certificate-based authentication.
• D、 Create a custom IPSec policy and use preshared key authentication.
• E、 Use the authentication method of the Routing and Remote Access custom IPSec policy for L2TP connection.

第10题：

第11题：

第12题：

第13题：

第14题：

Which deployed VoWLAN client security option is recommended by Cisco?（）

• A、Layer 3 with Layer 3 Security set to None and Web Policy set to Authentication
• B、Layer 3 with Layer 3 Security set to None and Web Policy set to VPN Pass-Through
• C、Layer 3 with Layer 3 Security set to VPN Pass-Through
• D、Layer 2 with Layer 2 Security set to 802.1X

第15题：

Company.com network consists of a single Active Directory domain named  Company.com.Company.com has an Exchange Server 2010 organization.The Company.com employees use Microsoft Office Outlook 2007 to connect to their mailboxes.RPC over HTTP and Auto discover are configured on Microsoft Office Outlook 2007. A new Company.com security policy requires that the employees connected to the domain does not need authentication when using Outlook Anywhere.However， those not connected t the domain needs to be authentication when using Outlook Anywhere.The employees need to comply with the new Company.com security policy.  What should you do？（）

• A、You should consider using Basic authentication on Outlook Anywhere and set up only Basic authentication on the RPC virtual directory.
• B、You should consider using NTLM authentication on Outlook Anywhere and set up Basic authentication and NTLM authentication on the RPC virtual directory.
• C、You should consider using NTLM authentication on Outlook Anywhere and set up only Basic authentication on the RPC virtual directory.
• D、You should consider using Basic authentication on Outlook Anywhere and set up Basic authentication and NTLM authentication on the RPC virtual directory.

第16题：

You are configuring an SRX210 as a firewall enforcer that will tunnel IPsec traffic from several Junos Pulse users.Which two parameters must you configure on the SRX210?（）

• A、access profile
• B、IKE parameters
• C、tunneled interface
• D、redirect policy

第17题：

You are receiving reports of possible unauthorized access to resources protected by a firewall enforcer running the Junos OS. You want to verity which users are currently accessing resources through the enforcer.Which command should you use to verify user access on the enforcer?（）

• A、show services unified-access-control authentication-table
• B、show auth table
• C、show services unified-access-control policies
• D、show services unified-access-control captive-portal

第18题：

You navigate to "UAC" > "Infranet Enforcer" > "Auth Table Mapping" in the admin GUI. You see one policy, which is the unmodified, original default policy.Which statement is true?（）

• A、Dynamic auth table mapping is not enabled.
• B、A successful authentication attempt will result in a new authentication table entry, which will be delivered only to the Junos enforcer protecting the network from which the user has authenticated.
• C、To create a static auth table mapping, you must delete the default policy.
• D、The default policy applies only to the factory-default role User.

第19题：

You are performing the initial setup of a new MAG Series device and have installed a valid CA- signed certificate on the MAG Series device. Connectivity to an existing SRX Series firewall enforcer cannot be obtained.What are two explanations for this behavior?（）

• A、The MAG Series device has multiple ports associated with the certificate.
• B、The MAG Series device's serial number needs to be configured on the SRX Series device.
• C、The SRX Series device must have a certificate signed by the same authority as the MAG Series device.
• D、The MAG Series device and SRX Series device are not synchronized to an NTP server.

第20题：

You deploy mobile devices that run Microsoft Windows Mobile 5.0.   Company security policy requires an authentication process that is stronger than a user name and password combination.   You need to ensure that Microsoft ActiveSync sessions use an authentication process that meets the company security policy.   What should you do？（）

• A、Deploy a two-factor authentication process.
• B、Deploy a single-factor authentication process.
• C、Deploy a simple PIN policy for the Windows Mobilebased devices.
• D、Deploy a complex PIN policy for the Windows Mobilebased devices.

第21题：

第22题：

第23题：

第24题：