You are asked to troubleshoot ongoing problems with IPsec tunnels and security policy
processing. Your network consists of SRX240s and SRX5600s.
Regarding this scenario, which two statements are true? (Choose two.)
A. You must enable data plane logging on the SRX240 devices to generate security policy logs.
B. You must enable data plane logging on the SRX5600 devices to generate security policy logs.
C. IKE logs are written to the kmd log file by default.
D. IPsec logs are written to the kmd log file by default.
Explanation:
Reference: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506
http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf
KMD would actually show IKE logs, so “C” is correct.
Josh, don't give an answer if you are not sure if it is correct. It is misleading and may confuse other people. Even though the KMD log shows IKE logs, those logs don't show transit traffic, only IKE phase 1 negotiation entries. The question refers to a problem with a security policy (transit traffic), with which IKE logs have nothing to do.
thanks
thanks
I think Josh is right
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097
Here they say KMD is used for IKE logs, so if you want to debug phase 2, don't create another kmd file; create a file with a different name.
D is right: AJSEC book part 2 chapter 9 page 43:
“IPSEC automatically logs to /var/log/kmd”
B is right: AJSEC book part chapter 9 page 16:
“On branch SRX devices, the Junos OS logs locally by default… On high-end SRX devices, data plane logs are not logged by default.”