JN0-335 Security, Specialist (JNCIS-SEC) Questions and Answers

Juniper ATP Cloud is a cloud-based service that provides advanced threat prevention for SRX Series devices. Juniper ATP Cloud can inspect files for malware by sending them to the cloud or performing a hash lookup. To reduce delays in the inspection of files, Juniper ATP Cloud performs the following two functions12:

• Juniper ATP Cloud allows the creation of allowlists. Allowlists are lists of trusted files or domains that are not sent to the cloud for inspection. This reduces the network traffic and the processing time for the files that are known to be safe. You can create allowlists from the Juniper ATP Cloud Web UI or the SRX Series device CLI.
• Juniper ATP Cloud performs a cache lookup on files. Cache lookup is a feature that checks if a file has been previously scanned by Juniper ATP Cloud and returns the cached verdict. This avoids sending the same file to the cloud again and saves bandwidth and time. Cache lookup is enabled by default and can be configured from the SRX Series device CLI. References:
• Juniper ATP Cloud User Guide
• Juniper ATP Cloud Deployment Guide for SRX Series Devices

• AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. It can be enabled on any logical system on an SRX Series device1. AppTrack collects byte, packet, and duration statistics for application flows in the specified zone2. AppTrack sends log messages through syslog providing application activity update messages1.
• AppTrack does not identify or block traffic flows that might be malicious. That is the function of AppSecure, which is a suite of application security tools that includes AppID, AppFW, AppQoS, and AppDoS3. AppTrack is a complementary tool that provides visibility into the types of applications traversing through the SRX Series gateway4.
• AppTrack can be configured in any logical system on an SRX Series device, not just the main one1. This allows for more flexibility and granularity in monitoring application traffic across different logical systems.

References:

• 1: Application Tracking | Junos OS | Juniper Networks
• 2: application-tracking | Junos OS | Juniper Networks
• 3: Juniper Networks AppSecure | NetworkScreen.com
• 4: [SRX] AppTrack log messages continue to get generated even after disabling the feature - Juniper Networks

SSL proxy is a feature that allows SRX Series devices to act as an intermediary between the client and the server for SSL/TLS encrypted traffic. SRX Series devices support two types of SSL proxy: SSL forward proxy and SSL reverse proxy. SSL forward proxy is also known as web proxy or client-protection, and SSL reverse proxy is also known as server-protection1.

SSL forward proxy enables the SRX Series device to decrypt the client-side traffic and apply security policies before re-encrypting and forwarding it to the server. This allows the SRX Series device to inspect the application data and identify the applications and threats in the encrypted traffic2.

SSL reverse proxy enables the SRX Series device to decrypt the server-side traffic and apply security policies before re-encrypting and forwarding it to the client. This allows the SRX Series device to protect the server from malicious clients and provide load balancing and high availability for the server3.

References:

• Configuring SSL Proxy
• SSL Forward Proxy Overview
• SSL Reverse Proxy Overview

The commands in the exhibit show how to configure a firewall filter on the loopback interface (lo0) of an SRX Series device. The loopback interface is a gateway for all the control traffic that enters the Routing Engine of the device. The firewall filter can be used to monitor and protect this control traffic from various attacks. Two statements that are true based on the exhibit are:

• The loopback interface blocks invalid traffic on its entry into the device: The firewall filter applied on lo0 has a term that matches any packet with an invalid source address (such as 0.0.0.0/8 or 127.0.0.0/8) and discards it. This prevents spoofing or DoS attacks using invalid source addresses.
• The device manager can access the device from 10.253.1.2: The firewall filter applied on lo0 has a term that matches any packet with a source address of 10.253.1.2 and accepts it. This allows the device manager to access the device from this IP address using protocols such as SSH, Telnet, HTTP, or HTTPS.

References := Firewall Filter Support on Loopback Interface, [MX/SRX] The behavior of firewall filters that are applied on the loopback interfaces in virtual routers

Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications. JSA uses two types of data collectors: Event Collector and Flow Collector1

The Event Collector collects and parses logs from various log sources, such as firewalls, routers, servers, and intrusion detection or prevention systems. The Event Collector normalizes the log data into a common format and sends it to the JSA console for further analysis and correlation. The Event Collector supports different protocols for log collection, such as syslog, SNMP, JDBC, and SDEE12

The Flow Collector collects and processes network traffic data from various flow sources, such as Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer. The Flow Collector enriches the flow data with additional information, such as application identification, geolocation, and threat intelligence. The Flow Collector sends the flow data to the JSA console for further analysis and correlation. The Flow Collector can use statistical sampling to reduce the amount of flow data that is collected and processed, which can improve the performance and scalability of the system12

The Event Collector does not collect information using BGP FlowSpec, which is a protocol that allows the distribution of traffic flow specification rules among BGP peers. BGP FlowSpec is not a supported flow source for JSA3

The Flow Collector does not parse logs, which are textual records of network activity generated by log sources. The Flow Collector only handles flow data, which are binary records of network traffic generated by flow sources12

References: 1: Data Collection | JSA 7.5.0 | Juniper Networks 2: Data Collection - TechLibrary - Juniper Networks 3: Understanding BGP FlowSpec - TechLibrary - Juniper Networks

To manually failover the primary Routing Engine in an SRX Series high availability cluster pair, you need to issue the request chassis cluster failover redundancy-group group-id node node-id command on the primary node, where group-id is the redundancy group number and node-id is the node number of the secondary node. This command initiates a graceful failover of the specified redundancy group to the secondary node, making it the new primary node. The other options are not necessary or correct for this task. Option A would disable the chassis cluster and reboot the primary node, which is not a graceful failover. Option B is not relevant, as the control link recovery solution is used to restore the control link connectivity between the nodes, not to initiate a failover. Option D would not trigger a failover, as the priority of the secondary node would only take effect after a reboot or a control link failure. References:

• Chassis Cluster Redundancy Group Manual Failover
• Initiating a Chassis Cluster Manual Redundancy Group Failover
• SRX Getting Started - Troubleshoot High Availability (HA)

 JIMS domain PC probes are a mechanism to obtain username to IP address mapping information from devices in a customer’s domain. JIMS initiates a domain PC probe when it receives a request from an SRX Series device for a username to IP address mapping that is not found in the domain security event log. JIMS uses the administrative credentials configured for PC probes to access the device and query the Windows Management Instrumentation (WMI) service for the username to IP address mapping12 References:

• 1: Juniper Identity Management Service Feature Guide - TechLibrary - Juniper Networks
• 2: Juniper Identity Management Service (JIMS) Documentation - Juniper Networks

 To implement IPS on your SRX Series device, you need to download and install the IPS signature database. The IPS signature database contains the attack signatures and predefined attack groups that are used to detect and prevent intrusions. You can download the IPS signature database from the Juniper Networks website or from a local server. You can install the IPS signature database manually or automatically. You do not need to enroll the SRX Series device with Juniper ATP Cloud or reboot the SRX Series device to implement IPS34 References:

• Configuring the IPS Policy on SRX Series Devices Using NSM
• Installing SRX 1400 with IPS activation ??? | SRX - Juniper Networks
• Download an IPS Signature | J-Web for SRX Series 21.2 - Juniper Networks
• IPS Configuration (CLI) | Junos OS | Juniper Networks

AppFW and APPID are two application security features that can be used to block malicious applications regardless of the port number being used. AppFW provides policy-based enforcement and control on traffic based on application signatures. By using AppFW, you can block any application traffic not sanctioned by the enterprise. APPID identifies applications based on their behavior and characteristics, regardless of port, protocol, or encryption method. By using APPID, you can classify applications and apply appropriate security policies to them123 References:

• AppSecure: Application Visibility and Control Solution Brief
• Application Firewall | Junos OS | Juniper Networks
• Security Policy Applications and Application Sets | Junos OS | Juniper Networks

References: SSL Proxy Overview Configuring Certificate Authority Profiles Configuring a Root CA Certificate

• Cluster failovers occur when one node in a chassis cluster becomes inactive or unreachable, and the other node takes over the processing of traffic and services. To control when cluster failovers occur, you can configure two specific parameters on an SRX Series device: heartbeat-interval and heartbeat-threshold12.
• Heartbeat-interval is the time interval, in milliseconds, between heartbeat messages sent by each node to the other node. The default value is 1000 ms. You can configure the heartbeat-interval value from 100 through 3000 ms1.
• Heartbeat-threshold is the number of consecutive heartbeat messages that can be missed before a node is considered to be down. The default value is 3. You can configure the heartbeat-threshold value from 2 through 2551.
• The combination of heartbeat-interval and heartbeat-threshold determines the failover time, which is the maximum time it takes for a node to detect the failure of the other node and initiate a failover. The failover time is calculated as follows: failover time = heartbeat-interval x heartbeat-threshold1.
• For example, if the heartbeat-interval is 1000 ms and the heartbeat-threshold is 3, the failover time is 3000 ms. This means that if a node does not receive three consecutive heartbeat messages from the other node within 3000 ms, it will assume that the other node is down and initiate a failover1.
• You can configure the heartbeat-interval and heartbeat-threshold parameters using the set chassis cluster redundancy-group group-id node node-id priority priority heartbeat-interval interval heartbeat-threshold threshold command1.

References:

• 1: Configuring Chassis Cluster Redundancy Group Properties | Junos OS | Juniper Networks
• 2: Example: Configuring an Active/Passive Cluster Deployment | Junos OS | Juniper Networks

= SSL proxy server protection is a type of reverse proxy that enables the SRX Series device to act as an intermediary between external clients and internal servers that use SSL encryption. SSL proxy server protection provides benefits such as load balancing, caching, compression, encryption, authentication, and application firewalling. To enable SSL proxy server protection, you do not need to configure the servers to use the SSL proxy function on the SRX Series device. The SRX Series device will terminate the SSL connection from the client and initiate a new SSL connection to the server, without requiring any changes on the server side. However, you must load the server certificates on the SRX Series device, so that the SRX Series device can present the server certificate to the client and establish a secure connection. You must also import the root CA on the servers, so that the servers can trust the SRX Series device as a valid intermediary and accept the connection from the SRX Series device. References: SSL Proxy, Configuring SSL Proxy, JNCIP-SEC Certification

References:

• Security Policies Feature Guide for Security Devices
• Application Security User Guide for Security Devices
• Understanding Micro Application Detection
• Configuring Micro Application Detection
• Content Filtering Feature Guide for Security Devices

 To track BitTorrent traffic on your network, you need to use the Security Intelligence feature, which allows you to apply actions to traffic based on predefined or custom feeds. The High_Risk_Workstations and BitTorrent_Servers are examples of custom feeds that you can create and populate with IP addresses of devices that match certain criteria. To automatically add the workstations and servers to the respective feeds, you need to use the administration-feed option under the application-services security-intelligence hierarchy. This option specifies the feed name and the action to be taken for the traffic that matches the feed. For example, to add the workstations to the High_Risk_Workstations feed and drop the traffic, you would use:

set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed High_Risk_Workstations drop

To add the servers to the BitTorrent_Servers feed and log the traffic, you would use:

set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed BitTorrent_Servers log

Option B and Option C show the correct commands for these scenarios. Option A and Option D are incorrect because they use the wrong syntax for the administration-feed option. They also use the wrong feed names, as the feeds are case-sensitive and must match the ones defined under the security-intelligence hierarchy. References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials

The SRX Series device will drop packets from the infected hosts with a threat level of 8 and no log message will be generated. This is because the security intelligence profile “ATP_Infected-Hosts” has a rule “Rule-1” that matches packets with a threat level of 8 and the action is to block and drop them. There is no log option specified in the action, so no log message will be generated. Options A and B are not correct because the rule only matches packets with a threat level of 8, not 8 or above. Option C is not correct because the action is to drop, not permit, the packets. References: The answer can be verified from Juniper’s official documentation on security intelligence available on their website. Here are some relevant links:

• Security Intelligence Feature Guide for Security Devices
• security-intelligence | Junos OS
• Configure the Security Intelligence Policy on the SRX Series Device

Junos OS generates system log messages (also called syslog messages) to record system events that occur on the device, such as routine operations, failure and error conditions, and critical conditions that might require urgent resolution1. System log messages can be sent to different destinations, such as files, remote hosts, userterminals, or the system console2. There are two types of system logs that Junos generates: data plane logs and control plane logs3.

Data plane logs are generated by the Packet Forwarding Engine (PFE), which is responsible for forwarding packets according to the information in the forwarding table. Data plane logs include information about firewall filters, policers, NAT, IPSec, and other features that are applied to the traffic passing through the device4.

Control plane logs are generated by the Routing Engine (RE), which is responsible for running the routing protocols, managing the configuration, and maintaining the routing and forwarding tables. Control plane logs include information about system processes, libraries, services, and applications that run on the device14.

SQL log files and system core dump files are not types of system logs that Junos generates. SQL log files are used by database management systems to store queries and transactions. System core dump files are generated when a process crashes and dumps its memory contents to a file for debugging purposes. References:

• 1: System Logging Overview | Junos OS | Juniper Networks
• 2: syslog (System) | Junos OS | Juniper Networks
• 3: What are two types of system logs that Junos generates? (Choose two …) | Exam4Training
• 4: System Log Messages | Junos OS | Juniper Networks
• [5]: Core dump - Wikipedia

The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab

 The error occurred because the “http” application is not defined in this context of Juniper SRX Series device configuration. One solution is to create a custom application named “http” at the [edit applications] hierarchy level (Option C). Another solution is to modify the security policy to use the built-in “junos-http” application which is predefined and doesn’t need an explicit definition (Option D). Options A and B are not correct because they do not address the root cause of the error, which is the undefined application “http”. References: The answers can be verified from Juniper’s official documentation on security policies and applications available on their website. Here are some relevant links:

• Security Policies Feature Guide for Security Devices
• Understanding Applications and Application Sets for SRX Series Devices
• Configuring Custom Applications for SRX Series Devices
• Predefined Applications for SRX Series Devices

The Juniper Networks solution that will accomplish the task of alerting if the wrong password is used more than three times on a single device within five minutes is Juniper Secure Analytics (JSA). JSA is a security intelligence platform that collects, analyzes, and correlates network data from various sources, such as firewalls, routers, switches, servers, and applications. JSA can detect and respond to threats, anomalies, and vulnerabilities in real time using rules, offenses, reports, and dashboards. JSA can also integrate with JIMS (Juniper Identity Management Service) to obtain user identity information from Active Directory domains or syslog sources. JSA can use this information to create custom rules that trigger offenses or alerts based on user behavior or activity, such as failed login attempts or password changes.

References := Juniper Secure Analytics Troubleshooting Guide, Juniper Identity Management Service User Guide

AppQoS is a feature that enables you to identify and control access to specific applications and provides the granularity of the stateful firewall rule base to match and enforce quality of service (QoS) at the application layer. AppQoS expands the capability of Junos OS class of service (CoS) to include the following capabilities12:

• Re-write DSCP values based on Layer-7 application types. DSCP values are used to convey the packet’s quality of service through both the forwarding class and a loss priority.
• Assign a forwarding class based on the application type. Forwarding classes are used to group packets with similar QoS requirements and map them to output queues on the egress interface.
• Rate-limit traffic based on the application type. Rate limiters are used to control the transmission speed and volume for the associated queues. You can configure rate limiters and profiles to specify the bandwidth, burst size, and action for each application type.

AppQoS does not have the capability to re-write the TTL or reserve bandwidth. Re-writing the TTL is not related to QoS and could cause routing loops or packet drops. Reserving bandwidth is a function of traffic engineering, not AppQoS. References:

• 1: Application QoS | Junos OS | Juniper Networks
• 2: AppQoS for Tenant Systems | Junos OS | Juniper Networks

 To create a security policy that will automatically add infected hosts to the infected hosts feed and block further communication through the SRX Series device, you need to add a security intelligence policy to the permit portion of the security policy. A security intelligence policy is a set of rules that defines the actions to be taken for traffic thatmatches a specific category of threat feeds, such as infected hosts, command and control servers, or botnets. By adding a security intelligence policy to the permit portion of the security policy, you can enable the SRX Series device to dynamically update the infected hosts feed based on the advanced anti-malware policy results, and block the traffic from or to the infected hosts. Options B, C, and D are not correct because they do not enable the automatic addition of infected hosts to the feed or the blocking of their communication. References: The answer can be verified from Juniper’s official documentation on security intelligence and advanced anti-malware available on their website. Here are some relevant links:

• Security Intelligence Feature Guide for Security Devices
• Advanced Anti-Malware Feature Guide for Security Devices
• Configuring Security Intelligence Policy on the SRX Series Device
• [Configuring Advanced Anti-Malware Policy on the SRX Series Device]

A reth LAG is a redundant Ethernet interface that includes one or more physical interfaces from each node of a chassis cluster. A reth LAG provides increased bandwidth and link availability for the cluster. To configure a reth LAG, you need to follow these steps:

• Configure the physical interfaces on each node as aggregated Ethernet interfaces with the same speed and duplex settings. This is required to ensure that the links can form a LAG andpass traffic correctly. You can use different cable types (such as copper or fiber-optic) for the links, but the speed must be the same.
• Configure the reth interface with the redundant-ether-options statement and specify the aggregated Ethernet interfaces as child links. You should have at least two interfaces (one from each node) in the reth LAG, but you can add more for redundancy and load balancing. You can also specify the minimum-links statement to set the minimum number of child links that must be up for the reth interface to be up. The default value is one, but you can change it to a higher value if needed.
• Configure the reth interface with the appropriate IP address, security zone, and other settings as needed. You can also enable LACP on the reth interface to dynamically negotiate the LAG parameters with the peer devices.

References:

• [Aggregated Ethernet Interfaces in a Chassis Cluster] 1
• [Chassis Cluster Redundant Ethernet Interfaces] 2
• [LACP / LAG on Chassis Cluster - Interface Monitoring?] 3
• [URGENT (LAG - RETH Interconnect)] 4

Policy Enforcer is a Junos Space Security Director component that allows updated security policies to be deployed across Juniper SRX Series firewalls, MX Series 5G Universal Routing Platforms, EX Series Ethernet Switches, QFX Series Switches, and third-party network devices1. Policy Enforcer can leverage the DDoS protection feature of Juniper devices to detect and mitigate DDoS attacks on the network. The DDoS protection feature is based on two main components: the classification of host-bound control plane traffic and a hierarchical set of individual- and aggregate-level policers that cap the volume of control plane traffic that each protocol type is able to send to the Routing Engine (RE) for processing2. The DDoS protection feature is supported on MX Series routers and QFX Series switches, among other devices3. Therefore, the correct devices to use for DDoS protection with Policy Enforcer are MX and QFX.

The other options are not correct for the following reasons:

• vQFX is a virtual switch that emulates the QFX Series switches for testing and development purposes. It does not support the DDoS protection feature4.
• vMX is a virtual router that emulates the MX Series routers for testing and development purposes. It does not support the DDoS protection feature.

References: Policy Enforcer DDoS Protection Case Study Protection against distributed denial of service (DDoS) attacks vQFX10000 Overview [vMX Overview]

 SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server. It allows inspection of encrypted traffic by terminating the SSL connection from either end and applying security policies to the clear text. SSL proxy can leverage pre-match or post-match results to determine whether to apply SSL proxy to a session. Pre-match results are based on the initial packet of the session, while post-match results are based on the application identification after the session is established. In the exhibit, the session shows that the application services identification is “ssl-proxy”, which means that SSL proxy is applied based on the pre-match results. The cache lookup status for application services is “on”, which means that the SRX Series device uses the application system cache to store the pre-match results for faster processing. Therefore, the correct answer is D. SSL proxy leverages pre-match result. References: = SSL Proxy, Configuring SSL Proxy, and Application System Cache

A vSRX is a virtualized security platform that runs on various hypervisors and cloud environments. It provides firewall and NAT services, as well as other security features, such as IPS, VPN, UTM, and AppSecure. A single vSRX can fulfill the minimum requirements for providing firewall and NAT services in a private cloud, as it can be deployed as a gateway or an edge device, and can scale up or down as needed. A vSRX can also interoperate with other Juniper and third-party products, such as Contrail Networking, Junos Space Security Director, and Sky ATP. A single vSRX is more cost-effective and simpler to manage than having separate vSRX instances for firewall and NAT services. A cSRX is a containerized version of vSRX that runs on Linux-based platforms. It provides similar security features as vSRX, but with a smaller footprint and faster deployment. However, a cSRX is not yet supported on all cloud environments, and it may have some limitations compared to vSRX, such as lower throughput and fewer interfaces. Therefore, a single cSRX may not be able to fulfill the minimum requirements for providing firewall and NAT services in a private cloud, depending on the specific cloud platform and the performance and scalability needs. A cSRX for firewall services and a separate cSRX for NAT services would also introduce more complexity and overhead than a single vSRX. References: vSRX Overview, cSRX Overview, JNCIP-SEC Certification

 vSRX is a virtual firewall that runs on various cloud platforms, including AWS and OpenStack. AWS is a cloud service provider that offers infrastructure as a service (IaaS) solutions, such as compute, storage, and networking resources. OpenStack is an open source software platform that enables cloud orchestration, which is the automated management of cloud resources and services. vSRX supports both AWS and OpenStack as deployment options, and integrates with their features and tools. For example, vSRX can use cloud-init to automate the initialization of vSRX instances in AWS and OpenStack environments. vSRX can also leverage the security groups and elastic IP addresses of AWS, and the network and security services of OpenStack. References:

• vSRX Deployment Guide for AWS
• vSRX Virtual Firewall
• Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Instances