JUNIPER JN0-332 EXAM QUESTIONS & ANSWERS

Transcription

1 JUNIPER JN0-332 EXAM QUESTIONS & ANSWERS Number: JN0-332 Passing Score: 800 Time Limit: 120 min File Version: JUNIPER JN0-332 EXAM QUESTIONS & ANSWERS Exam Name: uniper Networks Certified Internet Specialist, SEC (JNCIS-SEC)

2 Actualanswers QUESTION 1 Which High availability feature is supported only on juno security platforms A. Virtual Chassis B. VRRP C. Chassis clustering D. Graceful restart Correct Answer: C /Reference: : QUESTION 2 What is a security policy? A. A set of rules that controls traffic from a specified source to a specified destination using a specified service B. A collection of one or more network segments sharing identical security requirements C. A method of providing a secure connection across a network D. A tool to protect against DoS Attacks Correct Answer: A /Reference: : QUESTION 3 What is a Zone? A. A set of rules that controls traffic from a specified source to a specified destination using a specified service B. A collection of one or more network segments sharing identical security requirements C. A method of providing a secure connection across a network D. A tool to protect against DoS Attacks /Reference: : QUESTION 4 You have packet loss on a IPsec VPN using the default maximum transmission unit (MTU) where the packets have the DF-bit (do not fragment) set. Which configuration solves this problem? A. Set an increased MTU value on the physical interface. B. Set a reduced MSS value for VPN traffic under the [edit security flow tcp-mss] hierarchy C. Set a reduced MTU value for VPN traffic under the [Edit security flow] hierarchy-global

3 D. Set an increased MSS value on the st0 interface. /Reference: : QUESTION 5 Which configuration must be completed to use both packet-based and session-based forwarding on a branch SRX Series Services Gateway? A. A stateless firewall filter must be used on the ingress interface to match traffic to be processed as a session based. B. A security policy rule must be used on the ingress interface to match traffic to be processed as session based C. A global security policy rule must be used on the ingress interface to match traffic to be processed as packet based D. A stateless firewall filter must be used on the ingress interface to match traffic to be processed as packet based Correct Answer: D /Reference: : QUESTION 6 Referring to the exhibit, which policy will allow traffic from host 1, host 2, and host 3 to the internet? A. [edit security policies] global { policy allow-internet { match { source-address [host-1 host-2 host-3]; destination-address any application any; Then permit; B. [edit security policies] from-zone all to-zone all { policy allow-internet match { source-address [host-1 host-2 host-3]; destination-address any;

4 application any; Then permit; C. [edit security policies] default { policy allow-internet { match { source-address [ host-1 host-2 host-3]; destination-address any; application any; Then permit; D. [edit security policies] from-zone any to-zone any { policy allow-internet { match { source-address [ host-1 host-2 host-3]; destination-address any; application any; Then permit; Correct Answer: A /Reference: : QUESTION 7 You have just added the policy deny-host-a to prevent traffic form host A that was previously allowed by the policy permit-all. After committing the changes, you notice that all traffic, including traffic form host A, is still allowed. Which configuration statement will prevent traffic form host A, while still allowing other hosts to send traffic? A. Activate security policies from-zone trust to-zone untrust policy deny-host-a B. Deactivate security policies from-zone trust to-zone untrust policy permit-all C. Delete security policies from-zone trust to-zone untrust policy permit-all D. Insert security policies from-zone trust to-zone untrust policy deny-host-a before policy permit-all Correct Answer: D /Reference: : QUESTION 8 You want to enable local logging for security policies and have log information stored in a separate file on a branch SRX Series device. Which configuration will accomplish this task A. [edit system syslog] file sec-pol-log { user info;

5 B. [edit system syslog] host { user info; C. [edit system syslog] file sec-pol-log { any any; D. [edit system syslog] file sec-pol-log { security info; Correct Answer: C /Reference: : QUESTION 9 Which statement is true about implementing IP spoofing protection as a Junos Screen option? A. It ensures that the active route to the source has the same egress interface as the ingress interface for the packet. B. It ensures that a route, active or not, to the source exists with the same egress interface as the ingress interface of the packet C. It ensures that the active route to the source has the same egress zone as the ingress zone for the packet D. It ensure that a route, active or not, to the source exists with the same egress zone as the ingress zone for the packet. Correct Answer: A /Reference: : QUESTION 10 You want to protect against attacks on interfaces in Zone A. you create a Junos Screen option called no-flood and commit the configuration. In the weeks that follow, the screen does not appear to be working, whenever you enter the command show security screen statistics zone Zone A, all counters show 0. What would solve this problem? A. user@host>clear security screen no-flood statistics B. [edit security zones security-zone ZoneA] C. user@host# set screen no-flood D. user@host>clear security screen statistics zone ZoneA E. [edit security zones] F. user@host# set screen no-flood

6 /Reference: :the correct answer should be a combination of b and C QUESTION 11 during packet flow on an SRX Series Device, which two processes occur before route lookup? (choose two) A. static NAT B. destination NAT C. source NAT D. reverse static NAT Correct Answer: AB /Reference: : QUESTION 12 which Junos NAT implementation requires the use of proxy ARP? A. Destination NAT using a pool outside the IP network of the device s interface B. Source NAT using the device s egress interface C. Source NAT using a pool in the same IP network as the device s interface D. Source NAT using a pool outside the IP network of the device s interface Correct Answer: C /Reference: : When addresses defined in the static NAT and source NAT pool are in the same subnet as that of the ingress interface (Source NAT and Static NAT scenario) When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface (Destination NAT scenario) QUESTION 13 Referring to the exhibit, which two statements are true? (Choose two) [edit security nat source] pool A address { /32 Rule-set 1A { From zone trust; To zone untrust; Rule 1 Match { Source-address /24 Then {

7 Source-nat { Pool { A; A. Pat is enabled B. PAT is Disabled C. Address persistence is enabled D. Address persistence is disabled Correct Answer: AD /Reference: : QUESTION 14 You have implemented source NAT using a source pool for address translation. However, traffic destined for should have NAT applied to it. The configuration shown in the exhibit is not working correctly. Which change is needed to correct this problem? [edit security nat] source pool pool-one { address { Rule-set trust-to-untrust { From zone trust; To zone untrust; Rule pool-nat { Match { Source-address /24 Then { Source-nat Pool { Pool-one; Rule no-nat { Match{ Destination-address /32 Then { Source-nat { Off; A. Insert no-nat before pool-nat

8 B. The no-nat rule should be in separate rule-set C. Destination NAT should be used to exclude the traffic destined for D. Proxy ARP needs to be applied on the address for the rule to function. /Reference: : QUESTION 15 Which function does Diffie-Hellman exchange perform for IPsec VPN? A. It encrypts end-user traffic between the two VPN peers. B. It securely exchanges the pre-shared keys over the network. C. It negotiates IPsec Phase 2 parameters with the VPN peer D. It exchanges static routes with the VPN peer. /Reference: : QUESTION 16 You are asked to establish an IPsec VPN between two sites. The remote device has been pre-configured. Which two parameters must be identical to the remote device s parameters when designing the local IKE proposal? (choose two). A. Security protocol B. Diffie-Hellman group C. Encryption algorithm D. Perfect forward secrecy keys C /Reference: : QUESTION 17 Which two statements are correct about IPsec Security associations? (choose two) A. Established during IKE Phase 1 negotiations B. Security associations are unidirectional C. Established during IKE Phase 2 negotiations D. Security associations are bidirectional C

9 /Reference: : QUESTION 18 Referring to the exhibit, which two statements are correct about IPsec configuration? (choose two) A. IKE Phase 2 establishes when payload traffic flows B. IKE Phase 2 establishes immediately C. Protocol ESP is used D. Protocol AH is used C /Reference: :Needs Exhibit QUESTION 19 Referring to the exhibit, you are setting up the hub in a hub-and-spoke IPsec VPN. You have verified that all configured parameters are correct at all sites, but your IPsec VPN is not established to both sites. Which configuration parameter is missing at the hub to complete the configuration? A. A different external-interface is needed for vpn1 B. A different st0 logical interface is needed for vpn2 C. Establish-tunnels immediately must be configured for vpn1 D. Multipoint needs to be configured under the st0.0 interface Correct Answer: A /Reference: :Needs Exhibit QUESTION 20 Server A is communicating with server B directly over the internet. The servers now must begin exchanging additional information through an unencrypted protocol. To protect this new data exchange, you want to establish a VPN tunnel between the two sites that will encrypt just the unencrypted data while leaving the existing communications directly over the internet. Which statement would achieve the desired results? A. Configure a route-based VPN and use filter-based forwarding to direct traffic into the VPN tunnel. B. Configure a route-based VPN tunnel with traffic engineering to direct traffic into the VPN tunnel. C. Configure policy-based VPN with a security policy that matches the unencrypted traffic and directs it into the VPN tunnel. D. Configure a policy-based VPN tunnel and use filter-based forwarding to direct the unencrypted traffic into interface st0.0 Correct Answer: C /Reference: : QUESTION 21

10 Which two statements are correct about establishing a chassis cluster with IPv6? (choose two) A. Only an active/passive cluster can be deployed B. Dual-stacked interface addresses are allowed. C. IPsec site-to-site VPNs over IPv6 are supported. D. IPv6 address book entries can be used D /Reference: : QUESTION 22 You re asked to set up a chassis cluster between you SRX Series device. You must ensure that the solution provides both dual redundant links per node and node redundancy. Which setting should you use? A. Aggregated Ethernet B. Redundant Ethernet C. Aggregated Ethernet LAG D. Redundant Ethernet LAG Correct Answer: D /Reference: : QUESTION 23 Redundant Ethernet interfaces (reths) have a virtual MAC address based on which two attributes? A. Interface ID of the reth B. MAC of member interfaces C. Redundancy group ID D. Cluster ID Correct Answer: AD /Reference: : QUESTION 24 You have a chassis cluster established between two SRX Series devices. You re monitoring the status of the cluster and notice that some redundancy groups show disabled. What are two explanations for this behavior? (choose two) A. The fxp0 interface is down B. The fxp1 interface is down C. The fab interface is down D. The swfab interface is down.

11 C /Reference: : QUESTION 25 You have a chassis cluster with redundancy group 1 configured to monitor three interfaces. You must ensure that redundancy group 1 fails over to the other node if any two of the three monitored interfaces fail. What would ensure this behavior? A. Set each interface weight to 64 B. Set each interface weight to 128 C. Set each interface weight to 256 D. Set each interface weight to 512 /Reference: :The question asks for fail over is any two interfaces fail, therefore the cumulative weight of two interfaces should equal 255. QUESTION 26 Which statement is true about real-time objects in an SRX chassis cluster? A. Real-time objects are exchanged over the fxp1 link to provide highly accurate time synchronization B. Real-time objects are exchange over the fxp1 link to synchronize IPsec security associations C. Real-time objects are exchanged over the fab links to provide configuration file synchronization D. Real-time objects are exchanged over the fab links to synchronize session tale entries Correct Answer: D /Reference: : QUESTION 27 You are configuring the SRX Series Service Gateway in chassis cluster mode. What is a valid way to configure redundancy Groups (RGs) 1 and 2 for active/active redundancy? A. Configure RG 1 primary for Node 0 and RG 2 primary for Node 1 B. Configure RG 1 and RG 2 primary for Node 0 C. Configure RG 1 and RG 2 primary for Node 1 D. Configure RG 0 primary for Node 0 Correct Answer: A /Reference: :

12 QUESTION 28 Referring to the exhibit, you have built a chassis cluster, set up a reth, and put interfaces into the reth. However, when you try to commit the configuration, you receive an error shown in the exhibit. Which configuration command will correct this error? user@host# set interfaces ge-0/0/5 gigether-options redundant-parent reth1 user@host# set interfaces ge-5/0/5 gigether-options redundant=parent reth1 user@host# set interfaces reth1.0 family inet address /30 user@host# commit [edit interfaces reth1] unit 0 Reth1 needs to be associated with a non-zero redundancy-group Error:configuration check-out failed A. Set chassis cluster reth-count 2 B. Set chassis cluster redundancy-group 1 interface-monitor reth1 C. Set interfaces reth1 redundant-ether-options redundancy-group 1 D. Set chassis cluster redundancy-group 0 interface-monitor reth1 Correct Answer: C /Reference: : QUESTION 29 Referring to the exhibit, you see that Node 0 is currently primary for redundancy Group 0. You have not yet configured any chassis cluster parameters. You want to ensure that Node 1 is always the primary node for this redundancy group if both nodes reboot at same time. Which configuration step would accomplish this task? user@host>show chassis cluster status cluster ID: 1 Node Priority Status Preempt Manual Failover Redundancy group: 0,Failover count: 1 Node0 1 primary no no Node1 1 secondary no no A. user@host# set chassis cluster redundancy-group 0 node 1 priority 1 B. user@host# set chassis cluster redundancy-group 0 node 1 C. user@host# set chassis cluster redundancy-group 0 preempt D. user@host# set chassis cluster redundancy-group 0 node 0 priority 255 E. user@host# set chassis cluster redundancy-group 0 node 1 priority 254 Correct Answer: E /Reference: : QUESTION 30 referring to the exhibit, you have two SRX Series Devices in a chassis cluster, Node 0 is currently the primary node. You want to ensure that traffic using those interfaces fails over to Node 1 if one interface goes down. Which configuration change should be made to ensure failover to Node 1? chassis cluster reth-count 2;

13 redundancy-group 1 { node 0 priority 200; node 1 priority 100; interface-monitor { ge-0/0/5 weight 85; ge-0/0/6 weight 85; ge-0/0/7 weight 85; ge-0/0/8 weight 85; ge-5/0/5 weight 85; ge-5/0/6 weight 85; ge-5/0/7 weight 85; ge-5/0/8 weight 85; A. Decrease the weight of the interfaces to 1 B. Increase the weight of the interfaces to 255 C. Increase the weight of the interfaces to between 128 and 254. D. Decrease the weight of the interfaces to between 1 and 64. /Reference: : QUESTION 31 Which three unified threat Management features requires a license? (choose three) A. Antivirus B. Surf control we filtering C. Websense web filtering D. Content filtering E. Antispam Correct Answer: ABE /Reference: : QUESTION 32 Which Global UTM configuration parameter contains lists, such as MIME patterns, filename extensions, and URL patterns, that can be used across all UTM features? A. Custom objects B. Feature profile C. UTM policy D. Address sets Correct Answer: A /Reference: :

14 QUESTION 33 You have configured antispam on your SRX Series device as shown in the exhibit. Assuming the antispam profile has been properly applied, what happens when an message arrives at the SRX device from at IP address ? A. The message matches the whitelist and is forwarded to the destination B. The message matches the blacklist and is blocked C. The message matches the blacklist and is forwarded to the destination with SPAM automatically appended to the beginning of the subject line D. The message matches both lists and is blocked because the SRX device defaults to the more restrictive setting. Correct Answer: A /Reference: :Needs exhibit QUESTION 34 Which antivirus protection feature uses the first several packets of file to determine if the file contains malicious code? A. Express scanning B. Intelligent prescreening C. Full file-based D. Kaspersky /Reference: : QUESTION 35 Referring to the exhibit, you have just committed the UTM antivirus configuration. You notice that the SRX Series device shows that Kaspersky scanning is being used instead of express scanning. What must you do to resolve this problem? A. You must configure the antivirus type to use express scanning B. You must configure the antivirus type to disable Kaspersky C. You must update the antivirus signatures D. You must wait until the next pattern update Correct Answer: A /Reference: :Need exhibit QUESTION 36 You have implemented integrated SurfControl Web filtering on an SRX device. You ave also created a whitelist and a blacklist on the SRX device. One particular web site is matching all three: the Whitelist, blacklist, and

15 SurfControl policy. Which statement is correct? A. Access is not allowed because the blacklist is processed first B. Access is allowed because the whitelist is processed first C. Access will be controlled by SurfControl policy, because it is processed first. D. Access is based on the priority of each policy as defined in the fallback settings in the UTM policy. Correct Answer: A /Reference: : QUESTION 37 You have deployed enhanced Web filtering on an SRX Series device. A user requests a URL that is not in the URL filtering cache. What happens? A. The request is permitted immediately but the SRX device then requests the category from the configured server and caches the response for the use with subsequent requests B. The request is blocked immediately but the SRX device then requests the category from the configured server and caches the response for use with subsequent requests. C. The SRX device requests the category from the configured server. Once the response is received, the SRX device processes the request against the policy based on the information received and caches the response D. The SRX device will either permit or deny the request immediately depending on the configuration in the UTM policy. The SRX device then requests the category form the central server and caches the response for use with subsequent requests. Correct Answer: C /Reference: : QUESTION 38 Your SRX Series device includes the content filtering configuration shown in the exhibit. Assuming the content filtering profile has been properly applied, what happens when a user attempts to send a zip file through the SRX device using FTP? [edit security utm feature-profile content-filtering] user@host show profile profile { block-content-type { exe; zip; Notification-options { Type message; Custom-message Not permitted: illegal file type ; A. The file is blocked and silently dropped B. The file is blocked and a message is sent back to the user C. The file is permitted and forwarded to its destination, and a message is sent back to the user

16 D. The file is permitted and forwarded to its destination /Reference: : QUESTION 39 When the first packet in a new flow is received, which high-end SRX component is responsible for setting up the flow A. Routing Engine B. I/O card C. Network processing card D. Services processing card /Reference: : QUESTION 40 How is the control plane separated from the data plane on the branch SRX Series devices? A. By running separate kernels inside the Junos OS B. By dedicating a separate CPU Core for the control plane C. By using separate CPUs for the control plane and the data plane D. By offloading control plane traffic to the SPC /Reference: : QUESTION 41 Which three parameters does the junos OS attempt to match against during session lookup? (choose three) A. Session token B. Ingress interface C. Protocol number D. Source port number E. Egress interface Correct Answer: ACD /Reference:

17 : QUESTION 42 The branch SRX Series Services Gateways implement the data plane on which two components? (choose two) A. IOCs B. SPCs C. CPU cores D. PIMs Correct Answer: CD /Reference: : QUESTION 43 What are two system-defined zones? (choose two) A. Null zone B. System zone C. Junos host zone D. Functional zone Correct Answer: AC /Reference: : QUESTION 44 Which statement is correct about zone and interface dependencies? A. A logical interface can be assigned to multiple zones B. A zone can be assigned to multiple routing instances C. Logical interfaces are assigned to a zone D. A logical interface can be assigned to multiple routing instances Correct Answer: C /Reference: : QUESTION 45 What are two functions of the junos-host zone (choose two) A. Storing global address book entries B. Controlling self-generated traffic C. Controlling host inbound traffic D. Controlling global Junos Screen settings

18 C /Reference: : QUESTION 46 Which two parameters are configured under the [edit security zones security-zone zonea] stanza? (choose two) A. The TCP RST feature B. The security policies for intrazone communication C. The zone-specific address book D. The default policy action for firewall rules in this zone. Correct Answer: AC /Reference: : QUESTION 47 What are two predefined address-book entries? (choose two) A. All B. Any-ipv6 C. Any-ipv4 D. All-ipv4 C /Reference: : QUESTION 48 Referring to the exhibit, you have configured a scheduler to allow hosts access to the internet during specific times. You notice that hosts are unable to access the internet. What is blocking hosts form accessing the internet? Security { Policies { From-zone TRUST to-zone UNTRUST { Policy allow-all { Match { Source-address any; Destination-address any; Application any; Then Deny; Policy allow-hosts { Match {

19 Source-address hosts; Destination-address any Application junos-http; Then Permit; Scheduler-name block-hosts; Policy deny { Match { Source-address any; Destination address any; Application any; Then Deny; Schedulers { Scheduler block-hosts { Daily{ Start-time 10:00:00 stop-time 18:00:00 A. The policy allow-all should have the scheduler applied B. The policy allow-hosts should match on source-address any C. The policy allow-hosts should have an application of any D. The policy allow-all should have a then statement of permit Correct Answer: D /Reference: : QUESTION 49 You must create a security policy for a customer application that requires a longer session timeout then the default application offers. Which two actions are valid? (choose two) A. Set the timeout value in the security forwarding-options section of the CLI B. Set the timeout value for the application in the security zone configuration C. Alter the built-in application and set the timeout value under the application-protocol section of the CLI D. Create a customer application and set the timeout value under the application-protocol section of the CLI. Correct Answer: CD /Reference: : QUESTION 50

20 You are asked to configure a hub-and-spoke VPN. All the VPN components have been configured, and you are able to ping the remote tunnel interfaces at site 1 and site 2 form the hub site as shown in the exhibit. The HUB site s external interface is in security zone untrust and the st0 interfaces from each site are in security zone DMZ. Users in site 2 are unable to connect to a web server in site 1. Which additional step is required at the hub site for users to access the web server? A. Configure a VPN between site 1 and site 2 B. Configure a policy in the untrust zone that allows trafiic between the sites C. Configure a policy in the VPN zone that allows traffic between the sites D. Configure a policy between the VPN and untrust zones Correct Answer: C /Reference: :Need exhibit QUESTION 51 A server in the DMZ of your company is under attack. The attacker is opening a large number of TCP connections to your server which causes resource utilization problems on the server. All of the connections from the attacker appear to be coming from a single IP address. Referring to the exhibit, which Junos Screen option should you enable to limit the effects of the attack while allowing legitimate traffic. A. Apply the Junos Screen option limit-session-based-ip to the Untrust security zone B. Apply the Junos Screen option limit-session source-based-ip to the DMZ security zone C. Apply the junos screen option limit-session destination-based-ip to the Untrust security zone D. Apply the Junos Screen option limit-session destination-based-ip to the DMZ security zone. /Reference: :Need to see the exhibit... Screens should be applied to the ingress interface. Assuming the traffic enters the Untrust interface and is NATed to the DMZ, the screen should be applied to the Untrust interface. QUESTION 52 Which three actions should be used when initially implementing Junos Screen options? (choose three) A. Deploy Junos Screen options only in functional zones B. Deploy junos Screen options only in vulnerable security zones C. Understand the behavior of legitimate applications D. Use the limit-session option E. Use the alarm-without-drop option. CE /Reference: : QUESTION 53 You need to apply the Junos Screen protect-zone to the public zone. Which configuration meets this requirement?

21 A. [edit security zones security-zone public] address-book { address host /32; Screen protect-zone; Host-inbound-traffic { System-services { All; Interfaces { Ge-0/0/0.0; B. [edit security zones security-zone public] address-book { address host /32; Host-inbound-traffic{ Screen protect-zone; System-services { All; Interfaces { Ge-0/0/0.0; C. [edit security zones security-zone public] address-book { address host /32; Host-inbound-traffic { System-services { All; Interfaces { Ge-0/0/0.0; Screen-protect-zone; D. [edit security zones security-zone public] address-book { address host /32; Screen all; Host-inbound-traffic { System-services { All; Interfaces { Ge-0/0/0.0; Correct Answer: A

22 /Reference: : QUESTION 54 You are configuring source NAT. which three elements are used for matching the traffic direction in the from and to statements ( choose three) A. Routing instance B. Zone C. Source address D. Destination address E. Interface Correct Answer: ABE /Reference: : QUESTION 55 Your network management station has generated an alarm regarding NAT utilization based on an SNMP trap received form an SRX Series device. Referring to the exhibit, which statement is correct about the alarm? [edit security nat source] pool snat-pool { address { /32; /32; Pool-utilization-alarm raise-threshold 50 clear-threshold 40; Rule-set user-nat { From zone trust; To zone untrust; Rule snat { Match { Source-address 0.0.0/0; Then { Source-nat { Pool { Snat-pool; A. The network management station will require manual intervention to clear the alarm. B. Once the utilization is below 40 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm. C. Once the utilization is below 50 percent, the Junos OS will send an SNMP trap to the network management station to clear the alarm.

23 D. Once the utilization is below 80 percent, the Junos OS will send a SNMP trap to the network management station to clear the alarm. /Reference: : QUESTION 56 Which three algorithms are used by an SRX Series device to validate the integrity of the data exchanged through an IPsec VPN? (choose three) A. 3DES B. MD5 C. NHTB D. SHA1 E. SHA2 DE /Reference: : QUESTION 57 Which three diffie-hellman groups are supported during IKE Phase 1 by the Junos OS? (choose three) A. 1 B. 2 C. 3 D. 4 E. 5 Correct Answer: ABE /Reference: : QUESTION 58 A security association is uniquely identified by which two values? ( choose two) A. Security parameter index value B. Security association ID C. Tunnel source address D. Security protocol Correct Answer: AD

24 /Reference: : QUESTION 59 You have just manually failed over a redundancy Group 0 on Node 0 to Node 1. You notice Node 0 is now in the secondary-hold state. Which statement is correct? A. The previous primary node moves to the secondary-hold state because an issue occurred during failover. It stays in that state until the issue is resolved B. The previous primary node moves to the secondary-hold state and stays there until manually reset, after which it moves to the secondary state. C. The previous primary node moves to the secondary-hold state and stays there until the hold-down interval expires, after which it moves to the secondary state D. The previous primary node moves to the secondary-hold state and stays there until manually failed back to the primary node. Correct Answer: C /Reference: : QUESTION 60 Which two SRX platforms support UTM features? (choose two) A. SRX240 with base memory B. SRX100 with high memory C. SRX650 with base memory D. SRX1400 with base memory D /Reference: :