-- Exhibit --user@host> show configuration security policies from-zone engineering to-zone hr policy new-policy { match { source-address any; destination-address server1; application hr-data-feed;}then {permit;}}policy old-policy {match {source-address pc1;destination-address server1;application any;}then {deny;log {session-init;}}}user@host> show configuration security policies globaluser@host> show configuration security address-book | match server1 | display set set security address-book book2 address server1 172.19.55.20/32 set security address-book book3 address server1 172.20.11.18/32 user@host> show configuration security address-book | match pc1 | display set set security address-book book1 address pc1 172.18.21.213/32 user@host> show configuration applications application hr-data-feed { protocol tcp; destination-port 38888;}user@host> run show log flow-traceoptions | no-moreJun 13 15:54:09 host clear-log[2503]: logfile clearedJun 13 15:54:10 15:54:10.611915:CID-0:RT:172.18.21.213/38362->172.19.55.20/38888;17> matched filter filter1:Jun 13 15:54:10 15:54:10.611915:CID-0:RT:packet [40] ipid = 38364, @423e421cJun 13 15:54:10 15:54:10.611915:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x423e4000, rtbl_idx = 0Jun 13 15:54:10 15:54:10.611915:CID-0:RT: flow process pak fast ifl 70 in_ifp ge-0/0/8.0Jun 13 15:54:10 15:54:10.611915:CID-0:RT: find flow: table 0x49175b08, hash 9077(0xffff), sa 172.18.21.213, da 172.19.55.20, sp 38362, dp 38888, proto 17, tokJun 13 15:54:10 15:54:10.611915:CID-0:RT: flow_first_create_sessionJun 13 15:54:10 15:54:10.611915:CID-0:RT: flow_first_in_dst_nat: in 0/8.0>, out A> dst_adr 172.19.55.20, sp 38362, dp 38888Jun 13 15:54:10 15:54:10.611915:CID-0:RT: chose interface ge-0/0/8.0 as incoming nat if.Jun 13 15:54:10 15:54:10.611915:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 172.19.55.20(38888)Jun 13 15:54:10 15:54:10.611915:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.18.21.213, x_dst_ip 172.19.55.20, in ifp ge-0/0/8.0, out ifp N/A sp 38362, dp 38888, ip_proto 17, tos 0Jun 13 15:54:10 15:54:10.611915:CID-0:RT:Doing DESTINATION addr route-lookupJun 13 15:54:10 15:54:10.611915:CID-0:RT: routed (x_dst_ip 172.19.55.20) from engineering (ge-0/0/8.0 in 0) to ge-0/0/10.0, Next-hop: 172.19.55.20Jun 13 15:54:10 15:54:10.611915:CID-0:RT:flow_first_policy_search: policy search from zone engineering-> zone hr (0x0,0x95da97e8,0x97e8)Jun 13 15:54:10 15:54:10.611915:CID-0:RT: app 0, timeout 60s, curr ageout 60sJun 13 15:54:10 15:54:10.611915:CID-0:RT: Error : get sess plugin info 0x4c390388Jun 13 15:54:10 15:54:10.611915:CID-0:RT: Error : get sess plugin info 0x4c390388Jun 13 15:54:10 15:54:10.612416:CID-0:RT: packet dropped, denied by policyJun 13 15:54:10 15:54:10.612416:CID-0:RT: denied by policy old-policy(6), dropping pktJun 13 15:54:10 15:54:10.612416:CID-0:RT: packet dropped, policy deny.Jun 13 15:54:10 15:54:10.612416:CID-0:RT: flow didn't create session, code=-1.Jun 13 15:54:10 15:54:10.612416:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)-- Exhibit --Click the Exhibit button.A user added the new-policy policy to permit traffic. However, they report that the traffic is still not permitted by the device.Using the information in the exhibit, why is the device denying the traffic?
-- Exhibit --user@host> show security flow session...Session ID. 41, Policy name: allow/5, Timeout: 20, ValidIn: 172.168.66.143/43886 --> 192.168.100.1/5000;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60Out: 10.100.1.100/5555 --> 172.168.66.143/43886;tcp, If: ge-0/0/2.0, Pkts: 0, Bytes: 0 user@host> show configuration...security {nat {destination {pool server {address 10.100.1.100/32 port 5555;}rule-set rule1 {from zone UNTRUST;rule 1 {match {destination-address 192.168.100.1/32;destination-port 5000;}then {destination-nat pool server;}}}}proxy-arp {interface ge-0/0/1.0 {address {192.168.100.1/32;}}}}policies {from-zone UNTRUST to-zone TRUST {policy allow {match {source-address any;destination-address any;application [ junos-ping tcp-5000 ];}then {permit;}}}}zones {security-zone TRUST {interfaces {ge-0/0/2.0 {host-inbound-traffic {protocols {all;}}}}}security-zone UNTRUST {interfaces {ge-0/0/1.0 {host-inbound-traffic {system-services {ping;}}}}}}}applications {application tcp-5000 {protocol tcp;destination-port 5000;}}-- Exhibit --Click the Exhibit button.Your customer is attempting to reach your new server that should be accessible publicly using 192.168.100.100 on TCP port 5000, and internally using10.100.100.1 on TCP port 5555. You notice a session forms when they attempt to access the server, but they are unable to reach the server.Referring to the exhibit, what will resolve this problem?
-- Exhibit --user@host> show log ibgp-trace...Jun 12 10:21:08 10:21:08.367627:CID-0:RT:192.168.2.1/49170->192.168.1.1/179;6> matched filter ibgp-traffic:Jun 12 10:21:08 10:21:08.367747:CID-0:RT:packet [64] ipid = 11792, @423f741cJun 12 10:21:08 10:21:08.367747:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x423f7200, rtbl_idx = 0Jun 12 10:21:08 10:21:08.367747:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/3.0Jun 12 10:21:08 10:21:08.367747:CID-0:RT: ge-0/0/3.0:192.168.2.1/49170->192.168.1.1/179, tcp, flag 2 synJun 12 10:21:08 10:21:08.367747:CID-0:RT: find flow: table 0x4f161150, hash 15898(0xffff), sa 192.168.2.1, da 192.168.1.1, sp 49170, dp 179, proto 6, tok 7Jun 12 10:21:08 10:21:08.367747:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0Jun 12 10:21:08 10:21:08.367747:CID-0:RT: flow_first_create_sessionJun 12 10:21:08 10:21:08.367747:CID-0:RT:Doing DESTINATION addr route-lookupJun 12 10:21:08 10:21:08.367747:CID-0:RT: routed (x_dst_ip 192.168.1.1) from trust (ge-0/0/3.0 in 0) to lo0.0, Next-hop: 92.168.1.1Jun 12 10:21:08 10:21:08.367747:CID-0:RT:flow_first_policy_search: policy search from zone trust-> zone loopback-zone (0x0,0xc01200b3,0xb3)Jun 12 10:21:08 10:21:08.367747:CID-0:RT: policy has timeout 900Jun 12 10:21:08 10:21:08.367747:CID-0:RT: app 0, timeout 1800s, curr ageout 20sJun 12 10:21:08 10:21:08.367747:CID-0:RT: permitted by policy allow-bgp(8)Jun 12 10:21:08 10:21:08.368250:CID-0:RT: flow_first_install_session======> 0x5394a110Jun 12 10:21:08 10:21:08.368250:CID-0:RT:flow_first_service_lookup(): natp(0x5394a110): app_id, 0(0).Jun 12 10:21:08 10:21:08.368250:CID-0:RT: service lookup identified service 0.Jun 12 10:21:08 10:21:08.368250:CID-0:RT: flow_first_final_check: in 0/3.0>, outJun 12 10:21:08 10:21:08.368250:CID-0:RT: existing vector list 2-49c75930.Jun 12 10:21:08 10:21:08.368250:CID-0:RT: Session (id:137) created for first pak 2Jun 12 10:21:08 10:21:08.368250:CID-0:RT: post addr xlation: 192.168.2.1->192.168.1.1.Jun 12 10:21:08 10:21:08.368250:CID-0:RT:check self-traffic on lo0.0, in_tunnel 0x0Jun 12 10:21:08 10:21:08.368250:CID-0:RT:retcode: 0xa01Jun 12 10:21:08 10:21:08.368250:CID-0:RT:pak_for_self : proto 6, dst port 179, action 0x0Jun 12 10:21:08 10:21:08.368250:CID-0:RT: flow_first_create_sessionJun 12 10:21:08 10:21:08.368250:CID-0:RT: flow_first_in_dst_nat: in , out A> dst_adr 192.168.1.1, sp 49170, dp 179Jun 12 10:21:08 10:21:08.368752:CID-0:RT: chose interface lo0.0 as incoming nat if.Jun 12 10:21:08 10:21:08.368752:CID-0:RT: packet droppeD. for self but not interestedJun 12 10:21:08 10:21:08.368752:CID-0:RT: packet dropped, packet droppeD. for self but not interested.Jun 12 10:21:08 10:21:08.368752:CID-0:RT: flow find session returns error.Jun 12 10:21:08 10:21:08.368752:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)-- Exhibit --Click the Exhibit button.You are asked to troubleshoot a new IBGP peering problem on your SRX Series device. The IBGP peering is not establishing.Referring to the outputs in the exhibit, what is causing the problem?
-- Exhibit --user@host> show configuration...security {nat {destination {pool server {address 10.100.100.1/32 port 5555;}rule-set rule1 {from zone UNTRUST;rule 1 {match {destination-address 192.168.100.1/32;destination-port 5000;}then {destination-nat pool server;}}}}proxy-arp {interface ge-0/0/1.0 {address {192.168.100.1/32;}}}}policies {from-zone UNTRUST to-zone TRUST {policy allow {match {source-address any;destination-address any;application [ junos-ping tcp-5000 ];}then {permit;}}}}zones {security-zone TRUST {interfaces {ge-0/0/2.0 {host-inbound-traffic {protocols {all;}}}}}security-zone UNTRUST {interfaces {ge-0/0/1.0 {host-inbound-traffic {system-services {ping;}}}}}}}applications {application tcp-5000 {protocol tcp;destination-port 5000;}}-- Exhibit --Click the Exhibit button.Your customer is attempting to reach a new server that should be accessible publicly using 192.168.100.100 on TCP port 5000, and internally using 10.100.100.1 on TCP port 5555. You notice no sessions form when the customer attempts to access the server.Referring to the exhibit, what will resolve this problem?
-- Exhibit ""-- Exhibit --Click the Exhibit button.Your company has a Web server in the trust zone. You configure a NAT rule to allow Internet users from the untrust zone to access this Web server. Internet users use the public IP address 70.1.1.1 to access this Web server, but they report that the server is not accessible.Referring to the exhibit, which configuration change would resolve this problem?
You are having problems establishing an IPsec tunnel between two SRX Series devices.What are two explanations for this problem? (Choose two.)
