Which configuration statement would correctly accomplish this task?

A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone.Which configuration statement would correctly accomplish this task?

A network administrator wants to permit Telnet traffic initiated from the address book entry the10net in a zone called UNTRUST to the address book entry Server in a zone called TRUST.
However, the administrator does not want the server to be able to initiate any type of traffic from the TRUST zone to the UNTRUST zone.Which configuration statement would correctly accomplish this task?

A.
from-zone UNTRUST to-zone TRUST {
policy DenyServer {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone TRUST to-zone UNTRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}

B.
from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
deny;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}

C.
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-ftp;
}
then {
permit;
}
}
}

D.
from-zone TRUST to-zone UNTRUST {
policy DenyServer {
match {
source-address Server;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone UNTRUST to-zone TRUST {
policy AllowTelnetin {
match {
source-address the10net;
destination-address Server;
application junos-telnet;
}
then {
permit;
}
}
}



Leave a Reply 3

Your email address will not be published. Required fields are marked *


Junos

Junos

Tricky question:

If we will take a “default” Juniper behaviour to block all traffic, unless explicitly allowed the correct answer is C

However if we are talking about Branch office SRX which comes with “factory-default” settings applied – allowing TRUST to UNTRUST the correct answer changes to B.

Interesting. Safe bet answer is B, explicitly deny something does not hurt.

w3pgrrrrr

w3pgrrrrr

Junos, I will agree.. VERY tricky question.
Very typical “asshole test writer” question.

There CORRECT answer is (B)!

Answer A is incorrect because:
The “policy DenyServer” denies ALL traffic from untrust to trust, thus blocking “the10net” from talking telnet inbound

Answer C is incorrect because:
“application junos-ftp;”
there’s no policy that permits telnet! We’re trying to talk TELNET not FTP

Answer D is incorrect because:
The “policy DenyServer” is actually allowing the server in TRUST to talk to the UNTRUST server (this was something that is not supposed to happen per the question)

networkmanagers

networkmanagers

B