Click the Exhibit button.
[edit security]
user@host# show
zones {
    security-zone ZoneA {
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ping;
                telnet;
            }
        }
        interfaces {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
    }
    security-zone ZoneB {
        interfaces {
            ge-0/0/3.0;
        }
    }
}
policies {
    from-zone ZoneA to-zone ZoneB {
        policy A-to-B {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
In the exhibit, a host attached to interface ge-0/0/0.0 sends a SYN packet to open a Telnet
connection to the device’s ge-0/0/1.0 IP address.
What does the device do?
A. The device sends back a TCP reset packet.
B. The device silently discards the packet.
C. The device forwards the packet out the ge-0/0/1.0 interface.
D. The device responds with a TCP SYN/ACK packet and opens the connection.
Why is the answer B?
From page 65 of the Junos Security Software Guide:
You must configure FTP and telnet at the interface level, not the zone level. For incoming FTP and telnet requests to be recognized, the interface must be known to the server.
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ftp
user@host# set security zones security-zone ABC interfaces ge-0/0/1.1 host-inbound-traffic system-services telnet
Notice the tcp-rst command at the zone level, which sends an RST for non-SYN packets not matching a TCP session, so I would say A.
But this is a SYN packet, not a non-SYN packet, so the tcp-rst command does not apply in this scenario.
I believe it to be answer B. This is because there is no intra-zone policy present which allows traffic to flow within ZoneA.
The Juniper certification guide says that “If destination traffic to the SRX device is its incoming/ingress interface, security policies are not applicable. The only examination that takes place is the list of services and protocols allowed into that interface using the host-inbound-traffic statement within a zone definition.” From the configuration, the two interfaces will inherit the system services ping and telnet, so I would expect the traffic to be permitted. For me the answer is C.
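As an added example, not part of this thread or of any Juniper tool: a small Python model of the zone-level versus interface-level host-inbound-traffic rule the replies above argue about. It parses the exhibit's curly-brace configuration format and reports which system services each interface accepts for traffic addressed to the device itself. The sample configuration is constructed: it reuses the exhibit's ZoneA and adds an interface-level list under ZoneB to show that an interface-level list replaces the zone-level one rather than merging with it.

```python
import re
# Constructed sample (not from the thread): ZoneA is the exhibit's zone; ZoneB adds an interface-level list to show the override rule.
SAMPLE = """
zones {
  security-zone ZoneA {
    tcp-rst;
    host-inbound-traffic { system-services { ping; telnet; } }
    interfaces { ge-0/0/0.0; ge-0/0/1.0; }
  }
  security-zone ZoneB {
    host-inbound-traffic { system-services { ping; } }
    interfaces { ge-0/0/3.0 { host-inbound-traffic { system-services { ssh; } } } }
  }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace 'show' output into nested dicts; leaf statements map to None."""
    cur = root = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                 # open a block keyed by the words before it
            cur[" ".join(words)] = child = {}
            stack.append(cur)
            cur, words = child, []
        elif tok == ";":               # terminal statement, e.g. "ping;"
            cur[" ".join(words)] = None
            words = []
        elif tok == "}":
            cur = stack.pop()
        else:
            words.append(tok)
    return root

def services_of(node):
    """system-services under a node's host-inbound-traffic block, or None if there is none."""
    svc = ((node or {}).get("host-inbound-traffic") or {}).get("system-services")
    return None if svc is None else set(svc)

def effective_services(cfg):
    """Per interface: (zone, services accepted for traffic to the device itself).
    Junos rule: an interface-level list overrides the zone-level one; otherwise inherit."""
    out = {}
    for key, zone in cfg["zones"].items():
        zname = key.split()[-1]          # "security-zone ZoneA" -> "ZoneA"
        zone_svcs = services_of(zone) or set()
        for ifname, ifcfg in (zone.get("interfaces") or {}).items():
            if_svcs = services_of(ifcfg)
            out[ifname] = (zname, if_svcs if if_svcs is not None else zone_svcs)
    return out
```

Run `effective_services(parse_junos(SAMPLE))` to see that both ZoneA interfaces inherit ping and telnet while ge-0/0/3.0 accepts only ssh; whether a packet arriving on one interface for another interface's address is then accepted is the point the thread disputes, and this model does not settle it.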