Chapter Review Answers

  1. Answer: C. In secure mode, an implicit deny-all policy is in effect. In router context, an explicit accept-all policy is used. Even so, interfaces and their protocols have to be listed in a zone for communication to occur.

  2. Answer: D. Policy is always needed to permit traffic between zones.

  3. Answer: C. The lack of a security stanza in the original JUNOS configuration means that no interfaces are in any zone, which prevents network connectivity.

  4. Answer: B. A services interface is still required and is placed in a zone, for example the untrust zone. In this way, policy can evaluate traffic that is flowing across the services interface.

  5. Answer: A. The use of 172.16.1.0/24 addressing indicates that no NAT has been performed. SNAT would involve 55.5.5.0/27, and DNAT was using 10.10.12.3 in this example. Note that self-generated traffic does not go through the NAT/policy engine.

  6. Answer: A. Rest assured that the majority of JUNOS software and the CLI are the same. Only services configuration has changed.

  7. Answer: D. ASIC-based platforms such as the M7i and M10i do not support enhanced services. Certain J-series and SSG platforms can be loaded/converted to operate with enhanced services.
