JN0-335 Security, Specialist (JNCIS-SEC) Question and Answers

• Referring to the exhibit, we can see that the output of the show chassis cluster status command on both nodes shows that they have the same cluster ID, node ID, priority, and status. The status for both nodes is primary, which means that they are both active and ready to process traffic for all redundancy groups1.
• This situation can occur when the control link between the two nodes is down or not configured properly, and the heartbeat messages cannot be exchanged. Without the heartbeat messages, each node assumes that the other node is down and takes over the primary role for all redundancy groups12.
• This is not a desirable state for the cluster, as it can cause traffic disruption, configuration inconsistency, and split-brain scenarios. To resolve this issue, the control link should be checked and fixed, and the cluster should be synchronized12.

References:

• 1: Troubleshooting an SRX Chassis Cluster with One Node in the Primary State and the Other Node in the Disabled State
• 2: SRX Series Chassis Cluster Configuration Overview

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster

JIMS (Juniper Identity Management Service) is a standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains1. You can use JIMS to obtain user identity information and populate the identity management authentication table on SRX Series devices1. You can then use the username or group name in security policies to identify a user and not rely directly on the IP address of the device used2. JIMS also supports integration with ClearPass, which is another solution for user authentication and enforcement2.

ATP Appliance is a solution for advanced threat prevention and detection, not for user and group information. Network Director is a solution for network management and orchestration, not for user and group information. NETCONF is a protocol for network configuration, not for user and group information. References:

• 2: Configure Juniper Identity Management Service to Obtain User Identity Information | Junos OS | Juniper Networks
• 6: Enforce Security Policies using ClearPass | Junos OS | Juniper Networks
• [7]: Juniper Advanced Threat Prevention Appliance | Juniper Networks
• [8]: Network Director | Juniper Networks
• [9]: NETCONF | Junos OS | Juniper Networks

AppQoS is a service that allows you to prioritize and manage the quality of service (QoS) for different types of applications on SRX Series devices. AppQoS uses application signatures to identify and classify the traffic, and then applies QoS policies to assign bandwidth, priority, and scheduling parameters to the traffic. AppQoS can help you optimize the performance of critical applications, such as VoIP, and ensure that they get the required bandwidth and latency in a congested network12. In this scenario, you can use AppQoS to prioritize the VoIP traffic over other traffic and guarantee its QoS on the SRX Series device at the branch office. References:

• Understanding Application Quality of Service
• Configuring Application Quality of Service

Juniper ATP Cloud is a cloud-based threat detection service that protects all hosts in your network against evolving security threats. Juniper ATP Cloud performs the following tasks:

• It extracts potentially malicious objects and files from the traffic and sends them to the cloud for analysis.
• It uses multiple antivirus software packages to analyze files and identify known malicious files quickly. It also uses other techniques, such as machine learning, sandboxing, and behavioral analysis, to identify new malware and add it to the known list of malware.
• It correlates between newly identified malware and known command and control (C&C) sites to aid analysis.
• It blocks known malicious file downloads and outbound C&C traffic.
• It provides features such as DNS, Encrypted Traffic Insights (ETI) and IoT security if you have ATP Cloud premium license.

Based on this information, we can infer the following:

• Option B is correct because Juniper ATP Cloud uses multiple antivirus software packages to analyze files, as well as other techniques, to provide robust coverage against sophisticated, evasive threats.
• Option D is correct because Juniper ATP Cloud does not use antivirus software packages to protect against zero-day threats, which are unknown and undetected by traditional antivirus solutions. Instead, it uses other techniques, such as machine learning, sandboxing, and behavioral analysis, to identify and mitigate zero-day threats.
• Option A is incorrect because Juniper ATP Cloud does not only use one antivirus software package to analyze files, but multiple ones, as well as other techniques.
• Option C is incorrect because Juniper ATP Cloud does not use antivirus software packages to protect against zero-day threats, but other techniques.

References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials

https://blogs.juniper.net/en-us/security/juniper-strengthens-connected-security-portfolio-with-new-risk-based-access-control-capabilities-and-remote-access-vpn

https://blogs.juniper.net/en-us/security/juniper-strengthens-connected-security-portfolio-with-new-risk-based-access-control-capabilities-and-remote-access-vpn

Adaptive Threat Profiling is a feature that allows SRX Series Firewalls to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events. This feature enables you to configure security or IDP policies that, when matched, inject the source IP address, destination IP address, source identity, or destination identity into a threat feed, which can be leveraged by other devices as a dynamic-address-group (DAG). With adaptive threat profiling, the Juniper ATP Cloud service acts as a feed-aggregator and consolidates feeds from SRX across your enterprise and shares the deduplicated results back to all SRX Series Firewalls in the realm at regular intervals. SRX Series Firewalls can then use these feeds to perform further actions against the traffic. This feature allows you to find systems running applications that increase the risks on your network and ensure these systems are processed through IPS and Juniper ATP Cloud for malware and virus protection1. References:

• Adaptive Threat Profiling Overview and Configuration
• Adaptive Threat Profiling Overview
• Juniper Launches Adaptive Threat Profiling, New VPN Features
• Juniper Networks Answers Who and What is On the Network with Risk-Based Access Control Capabilities and New VPN Application
• Adaptive Threat Profiling Overview | SD Cloud

• vSRX is a virtual firewall that provides security and networking services at the perimeter or edge of virtualized environments1. vSRX can be deployed in various cloud environments, such as AWS, Azure, Google Cloud Platform, and VMware2.
• AWS is a cloud computing platform that offers a variety of services, such as compute, storage, networking, security, and analytics3. AWS enables customers to deploy vSRX instances in a virtual private cloud (VPC), which is a logically isolated section of the AWS cloud4.
• AWS satisfies the requirements for a vSRX deployment as follows:

References:

• 1: vSRX Overview | Junos OS | Juniper Networks
• 2: vSRX Deployment Guide | Junos OS | Juniper Networks
• 3: What is AWS? - Amazon Web Services
• 4: Configure an Amazon Virtual Private Cloud for vSRX Virtual Firewall | Junos OS | Juniper Networks
• 5: Juniper Networks vSRX - Amazon Web Services (AWS)
• [6]: Deploying Juniper Security in AWS and Azure Education Services
• [7]: Scaling vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks
• [8]: Load Balancing vSRX Virtual Firewall Instances on AWS | Junos OS | Juniper Networks
• [9]: Juniper Networks vSRX Pricing - Amazon Web Services (AWS)
• [10]: AWS Free Tier - Amazon Web Services (AWS)

References:

• [Juniper Security, Professional (JNCIP-SEC) Reference Materials] 1
• [Juniper Security, Specialist (JNCIS-SEC) Reference Materials] 2
• [How to configure a custom signature to block specific URLs using application firewall (AppFW)] 3

SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted.https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy-unified-policies.html

After JSA receives external events and flows, the data goes through the following steps in the event and flow pipeline 1:

• Event and flow collection: JSA accepts event logs and flow records from various sources by using different protocols and methods. The data is parsed and normalized into a JSA-usable format.
• Event and flow processing: JSA applies rules, custom properties, and anomaly detection to the data. The data is also coalesced, filtered, and forwarded as needed. The data is stored in an asset database and an Ariel database for further analysis and reporting.
• Event and flow correlation: JSA analyzes the data for patterns that indicate malicious activity or policy violations. JSA generates offenses, alerts, and notifications based on the correlation rules and building blocks.
• Event and flow response: JSA responds to the offenses and alerts by taking active measures such as blocking IP addresses, quarantining hosts, or updating reference data. JSA also provides investigation and remediation tools for analysts to handle the incidents. References:
• 1: JSA Events and Flows | Junos OS | Juniper Networks

 To implement IPS on your SRX Series device, you need to download and install the IPS signature database. The IPS signature database contains the attack signatures and predefined attack groups that are used to detect and prevent intrusions. You can download the IPS signature database from the Juniper Networks website or from a local server. You can install the IPS signature database manually or automatically. You do not need to enroll the SRX Series device with Juniper ATP Cloud or reboot the SRX Series device to implement IPS34 References:

• Configuring the IPS Policy on SRX Series Devices Using NSM
• Installing SRX 1400 with IPS activation ??? | SRX - Juniper Networks
• Download an IPS Signature | J-Web for SRX Series 21.2 - Juniper Networks
• IPS Configuration (CLI) | Junos OS | Juniper Networks

 Juniper ATP Cloud profiles let you define which files to send to the cloud for inspection. You can group types of files to be scanned together (such as.tar,.exe, and.java) under a common name and create multiple profiles based on the content you want scanned. Then enter the profile names on eligible SRX Series devices to apply them1. To update a custom profile, you can use the ATP Cloud Ul and navigate to Configure > File Inspection Management > Profiles. There you can edit the existing profile and change the scan limit for executable files to 30 MB, while keeping the scan limit for other files at 10 MB. This way, you can scan larger executable files without increasing the scan time for other file types. References: File Inspection Profiles Overview

The cSRX is a containerized version of the SRX Series firewall that provides advanced security services, including content security, AppSecure, and unified threat management (UTM) in the form of a container1. The cSRX supports easy, flexible, and highly scalable deployment options covering various customer use cases, including application protection, microsegmentation, or as an edge gateway for secure IoT deployments through a Docker container management solution2. The cSRX also supports SDN via Contrail Enterprise Multicloud, OpenContrail, and other third-party solutions2. The cSRX also integrates with other next-generation cloud orchestration tools such as Kubernetes3.

The cSRX supports firewall, NAT, IPS, and UTM services, so option A is incorrect1. The cSRX does not only support Layer 2 “bump-in-the-wire” deployments, but also Layer 3 deployments with routing protocols such as BGP, OSPF, and IS-IS, so option B is correct4. The cSRX supports BGP, OSPF, and IS-IS routing services, so option C is correct4. The cSRX does not have three default zones, but instead inherits the zones from the host SRX Series device, so option D is incorrect5. References:

• 1: cSRX Container Firewall | Juniper Networks US
• 2: cSRX Container Firewall Datasheet | Juniper Networks US
• 3: Understanding cSRX with Kubernetes - Juniper Networks
• 4: Extending Security to All Points of Connection: Containerized Security …
• 5: cSRX Container Firewall | Juniper Networks UK&I

 SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server. It allows inspection of encrypted traffic by terminating the SSL connection from either end and applying security policies to the clear text. SSL proxy can leverage pre-match or post-match results to determine whether to apply SSL proxy to a session. Pre-match results are based on the initial packet of the session, while post-match results are based on the application identification after the session is established. In the exhibit, the session shows that the application services identification is “ssl-proxy”, which means that SSL proxy is applied based on the pre-match results. The cache lookup status for application services is “on”, which means that the SRX Series device uses the application system cache to store the pre-match results for faster processing. Therefore, the correct answer is D. SSL proxy leverages pre-match result. References: = SSL Proxy, Configuring SSL Proxy, and Application System Cache

In a Juniper Networks chassis clustering setup, when you enable chassis clustering on two devices and assign a cluster ID and a node ID to each device, the correct order for rebooting the devices is: C. Reboot the primary device, then the secondary device. Explanation: After assigning the cluster ID and node ID to each device, it is a good practice to reboot the primary device first. This ensures that the primary device comes online with the specified cluster and node IDs. Once the primary device is up and running, you can then reboot the secondary device. The secondary device will recognize the existing cluster and node IDs assigned to the primary device and join the cluster accordingly.

Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications. JSA uses two types of data collectors: Event Collector and Flow Collector1

The Event Collector collects and parses logs from various log sources, such as firewalls, routers, servers, and intrusion detection or prevention systems. The Event Collector normalizes the log data into a common format and sends it to the JSA console for further analysis and correlation. The Event Collector supports different protocols for log collection, such as syslog, SNMP, JDBC, and SDEE12

The Flow Collector collects and processes network traffic data from various flow sources, such as Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer. The Flow Collector enriches the flow data with additional information, such as application identification, geolocation, and threat intelligence. The Flow Collector sends the flow data to the JSA console for further analysis and correlation. The Flow Collector can use statistical sampling to reduce the amount of flow data that is collected and processed, which can improve the performance and scalability of the system12

The Event Collector does not collect information using BGP FlowSpec, which is a protocol that allows the distribution of traffic flow specification rules among BGP peers. BGP FlowSpec is not a supported flow source for JSA3

The Flow Collector does not parse logs, which are textual records of network activity generated by log sources. The Flow Collector only handles flow data, which are binary records of network traffic generated by flow sources12

References: 1: Data Collection | JSA 7.5.0 | Juniper Networks 2: Data Collection - TechLibrary - Juniper Networks 3: Understanding BGP FlowSpec - TechLibrary - Juniper Networks

SRX chassis clustering is a high availability feature that allows two SRX Series devices to operate as a single logical device. The two devices are connected by a control link and a fabric link, which are used to synchronize the configuration, state, and traffic between the nodes. The control plane is responsible for managing the cluster configuration, monitoring the health and status of the nodes, and performing failover operations. The data plane is responsible for processing and forwarding the traffic through the cluster. SRX chassis clustering supports two modes for the data plane: active/passive and active/active. In active/passive mode, only one node is active for each redundancy group, which is a logical grouping of interfaces and services. The active node handles all the traffic for the redundancy group, while the passive node acts as a backup. In active/active mode, both nodes are active for different redundancy groups, and they can share the traffic load for the cluster. SRX chassis clustering supports only one mode for the control plane: active/passive. In this mode, only one node is the primary node, which is the master of the cluster configuration and the source of truth for the cluster state. The primary node also initiates the failover process in case of a node or interface failure. The other node is the secondary node, which is the slave of the cluster configuration and the backup of the cluster state. The secondary node takes over the primary role if the primary node fails or is manually disabled. References: Chassis Cluster Overview, SRX Series Chassis Cluster Configuration Overview, Chassis Cluster Overview

The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab

Juniper ATP Cloud is the threat intelligence hub for Juniper customers, identifying indicators of compromise for users and devices across the network. It provides security intelligence feeds, such as command and control (C&C) and infected hosts, that can be used to block or log malicious traffic. When you configure the C&C category with Juniper ATP Cloud, you need to specify the authentication token, the URL, and the update interval for the feeds. After you commit the configuration, the feeds are downloaded automatically from the Juniper ATP Cloud server. This may take a few minutes, depending on the network latency and the size of the feeds. Therefore, no action is required from the user, and the feeds will have non-zero objects once the download is complete. You can verify the status of the feeds by using the show services security intelligence category summary command, as shown in the exhibit. References:

• Introduction to Juniper ATP Cloud
• security-intelligence (services)
• Juniper ATP Cloud CLI Reference Guide

 Logging for a security policy can be configured to generate log entries at session initialization, at session close, or both. Logging at session initialization records the initial packet that matches the policy and triggers the session creation. Logging at session close records the summary statistics of the session, such as bytes and packets transmitted and received, and the reason for session termination. Logging at session initialization and close provides the most complete information about the traffic that matches the policy. Logging at fixed intervals, such as every 10 minutes or every 60 seconds, is not supported by Junos OS security policies. References:

• Security, Professional (JNCIP-SEC) Exam Objectives, Firewall Filters section
• Junos OS Security Configuration Guide, Understanding Security Policy Logging section
• Advanced Juniper Security (AJSEC) Course, Chapter 4: Advanced Logging and Reporting

 A chassis cluster is a pair of SRX Series devices that are connected and configured to operate as a single node, providing high availability and load balancing for traffic flows1. A chassis cluster consists of two nodes: one primary and one secondary. Each node can host one or more redundancy groups, which are logical entities that group the interfaces and services that need to fail over together in case of a node failure2. Redundancy group 0 is a special group that monitors the control plane of the cluster, such as the routing engine and the control link. Redundancy group 0 is always active on the primary node and standby on the secondary node3. Therefore, option A is false. Each chassis cluster member requires a unique node ID value, which can be either 0 or 1, to identify itself within the cluster4. However, the cluster ID value is the same for both nodes, and it is used to identify the cluster as a whole. Therefore, option B is false. Each chassis cluster member device can host active redundancy groups, depending on the configuration and the status of the nodes. By default, the primary node hosts all the redundancy groups, but you can configure some groups to be preempted by the secondary node if it has a higher priority or load-sharing between the nodes if they have the same priority. Therefore, option C is true. Chassis cluster member devices must be the same model, because different models have different hardware and software specifications that may not be compatible with each other in a cluster. Therefore, option D is true. References:

• Chassis Cluster User Guide for SRX Series Devices
• Understanding Chassis Cluster Redundancy Groups
• Understanding Redundancy Group 0
• Understanding Chassis Cluster Node IDs
• [Understanding Chassis Cluster Cluster IDs]
• [Configuring Chassis Cluster Redundancy Group Settings]
• [Chassis Cluster Feature Guide for SRX Series Devices]

 JIMS domain PC probes are a mechanism to obtain username to IP address mapping information from devices in a customer’s domain. JIMS initiates a domain PC probe when it receives a request from an SRX Series device for a username to IP address mapping that is not found in the domain security event log. JIMS uses the administrative credentials configured for PC probes to access the device and query the Windows Management Instrumentation (WMI) service for the username to IP address mapping12 References:

• 1: Juniper Identity Management Service Feature Guide - TechLibrary - Juniper Networks
• 2: Juniper Identity Management Service (JIMS) Documentation - Juniper Networks

Juniper Identity Management Service (JIMS) is a service that collects and maintains a large database of user, device, and group information from identity sources, enabling SRX Series Service Gateways to rapidly identify users in a large, distributed enterprise1. JIMS supports the following identity sources: Microsoft Active Directory on Windows Server 2008 R2 and later, and Microsoft Exchange Server 2010 with Service Pack 3 (SP3) and later2. JIMS collects username and device IP addresses from these sources by monitoring the event logs of the Active Directory domain controllers and the Exchange servers3. JIMS does not use DNS or OpenLDAP service ports as identity sources. References:

• Juniper Identity Management Service User Guide, Introduction section
• Supported Identity Sources, Juniper Identity Management Service 1.6.0 Release Notes
• Configure Juniper Identity Management Service to Obtain User Identity Information, Junos OS Security Configuration Guide

The session table is a limited resource for SRX Series devices. If the session table is full, any new sessions will be rejected by the device. The aggressive session-aging mechanism accelerates the session timeout process when the number of sessions in the session table exceeds the specified high-watermark threshold. This mechanism minimizes the likelihood that the SRX Series devices will reject new sessions when the session table becomes full1. To perform aggressive session aging, you need to configure the following parameters1:

• early-ageout –During aggressive session aging, the sessions with an age-out time lower than the early-ageout threshold are marked as invalid. The early-ageout configuration specifies the timeout value, in seconds, that will be applied once the high-watermark value is met. For example, if you set the early-ageout to 30 seconds, any session that has been inactive for at least 30 seconds will be aged out when the high-watermark is reached2.
• high-watermark –The device performs aggressive session aging when the number of sessions in the session table exceeds the high-watermark threshold. The high-watermark configuration specifies the percentage of how much of the session table can be allocated before applying a more aggressive age-out timer. For example, if you set the high-watermark to 90 percent, the device will start aging out sessions more aggressively when the session table reaches 90 percent of its capacity3.

Therefore, the correct statements are B and D.

References: Understanding Aggressive Session Aging high-watermark early-ageout

An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or FTP on Juniper Networks devices running Junos OS. The ALG module is responsible for Application-Layer aware packet processing on switches1. The ALG can perform various functions such as modifying the payload and header of packets, opening secondary connections, translating addresses and ports, and applying security policies1. The ALG does not use software processes for permitting or disallowing specific IP address ranges, as this is the function of firewall filters or security zones2. The ALG does not use software that is used by a single TCP session using the same port numbers as the application, as this is the definition of a stateful firewall3. The ALG does not contain protocols that use one application session for each TCP session, as this is the characteristic of some application protocols such as HTTP or SMTP4. References:

• 1: ALG Overview | Junos OS | Juniper Networks
• 2: Firewall Filters Overview | Junos OS | Juniper Networks
• 3: Stateful Firewall Overview | Junos OS | Juniper Networks
• 4: Application Layer Protocols | Junos OS | Juniper Networks

• A stateful firewall in SRX Series devices keeps track of the state of network connections, distinguishing legitimate packets for different types of connections and allowing only packets that match a known active connection. Sessions are created when a TCP SYN packet is received and permitted by the security policy1.
• A security policy is a set of rules that defines how traffic is processed by the SRX Series device. A security policy applies the security rules to the transit traffic within a context (from-zone to to-zone) and each policy is uniquely identified by its name. The traffic is classified by matching the source and destination zones, the source and destination addresses, and the application that the traffic carries in its protocol headers with the policy database in the data plane2.
• A Layer 3 route is a path that a packet takes to reach its destination based on the destination IP address. The SRX Series device performs a longest-match Layer 3 route table lookup to determine the next hop for the packet3.
• An Application Layer Gateway (ALG) is a software component that provides application-level awareness, security, and control for specific protocols. An ALG inspects the application-layer payload of a packet and modifies it if necessary to allow the application to traverse the SRX Series device. For example, an ALG can rewrite IP addresses and port numbers in the payload of FTP or SIP packets4.
• The sequence that an SRX Series device uses when implementing stateful session security policies using Layer 3 routes is as follows3:

References:

• 1: Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks
• 2: Best Practices for Defining Policies on High-End SRX Series Devices - TechLibrary - Juniper Networks
• 3: [SRX] Example: Configuring TCP SYN Check options on a per-policy basis
• 4: Application Layer Gateways Overview | Junos OS | Juniper Networks