JN0-335 Security, Specialist (JNCIS-SEC) Questions and Answers

 To track BitTorrent traffic on your network, you need to use the Security Intelligence feature, which allows you to apply actions to traffic based on predefined or custom feeds. The High_Risk_Workstations and BitTorrent_Servers are examples of custom feeds that you can create and populate with IP addresses of devices that match certain criteria. To automatically add the workstations and servers to the respective feeds, you need to use the administration-feed option under the application-services security-intelligence hierarchy. This option specifies the feed name and the action to be taken for the traffic that matches the feed. For example, to add the workstations to the High_Risk_Workstations feed and drop the traffic, you would use:

set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed High_Risk_Workstations drop

To add the servers to the BitTorrent_Servers feed and log the traffic, you would use:

set security policies from-zone untrust policy FindThreat then permit application-services security-intelligence administration-feed BitTorrent_Servers log

Option B and Option C show the correct commands for these scenarios. Option A and Option D are incorrect because they use the wrong syntax for the administration-feed option. They also use the wrong feed names, as the feeds are case-sensitive and must match the ones defined under the security-intelligence hierarchy. References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials

References:

• [SRX] Behavior of active sessions when modifying a security policy1

Based on the exhibit, Nancy logged in to the juniper.net Active Directory domain, as shown by the domain name in the user identity information. The IP address of the authenticating domain controller is 172.25.11.140, as shown by the domain controller address in the user identity information. The IP address of Nancy’s client PC is not 172.25.11, but 172.25.11.11, as shown by the source IP address in the user identity information. Nancy is not a member of the Active Directory sales group, but of the marketing group, as shown by the group name in the user identity information34 References:

• active-directory-access | Junos OS | Juniper Networks
• 13. Juniper SRX Active Directory Integration - RAYKA
• Configure Juniper Identity Management Service to Obtain User Identity …
• Create an Active Directory Profile | SD Cloud | Juniper Networks

To manually failover the primary Routing Engine in an SRX Series high availability cluster pair, you need to issue the request chassis cluster failover redundancy-group group-id node node-id command on the primary node, where group-id is the redundancy group number and node-id is the node number of the secondary node. This command initiates a graceful failover of the specified redundancy group to the secondary node, making it the new primary node. The other options are not necessary or correct for this task. Option A would disable the chassis cluster and reboot the primary node, which is not a graceful failover. Option B is not relevant, as the control link recovery solution is used to restore the control link connectivity between the nodes, not to initiate a failover. Option D would not trigger a failover, as the priority of the secondary node would only take effect after a reboot or a control link failure. References:

• Chassis Cluster Redundancy Group Manual Failover
• Initiating a Chassis Cluster Manual Redundancy Group Failover
• SRX Getting Started - Troubleshoot High Availability (HA)

 A chassis cluster is a pair of SRX Series devices that are connected and configured to operate as a single node, providing high availability and load balancing for traffic flows1. A chassis cluster consists of two nodes: one primary and one secondary. Each node can host one or more redundancy groups, which are logical entities that group the interfaces and services that need to fail over together in case of a node failure2. Redundancy group 0 is a special group that monitors the control plane of the cluster, such as the routing engine and the control link. Redundancy group 0 is always active on the primary node and standby on the secondary node3. Therefore, option A is false. Each chassis cluster member requires a unique node ID value, which can be either 0 or 1, to identify itself within the cluster4. However, the cluster ID value is the same for both nodes, and it is used to identify the cluster as a whole. Therefore, option B is false. Each chassis cluster member device can host active redundancy groups, depending on the configuration and the status of the nodes. By default, the primary node hosts all the redundancy groups, but you can configure some groups to be preempted by the secondary node if it has a higher priority or load-sharing between the nodes if they have the same priority. Therefore, option C is true. Chassis cluster member devices must be the same model, because different models have different hardware and software specifications that may not be compatible with each other in a cluster. Therefore, option D is true. References:

• Chassis Cluster User Guide for SRX Series Devices
• Understanding Chassis Cluster Redundancy Groups
• Understanding Redundancy Group 0
• Understanding Chassis Cluster Node IDs
• [Understanding Chassis Cluster Cluster IDs]
• [Configuring Chassis Cluster Redundancy Group Settings]
• [Chassis Cluster Feature Guide for SRX Series Devices]

 The configuration shown in the exhibit is a pre-ID default policy, which is a security policy that applies to traffic that cannot be identified by the SRX Series device before the user authentication process is complete. The pre-ID default policy has the following characteristics1:

• It is applied to all traffic that matches the from-zone and to-zone parameters, regardless of the source and destination addresses or applications.
• It can only have the permit action, and it cannot be deleted or renamed.
• It can have optional parameters such as log, session-timeout, and session-class.

The session-timeout parameter specifies the maximum time that a session can remain idle before it is closed by the SRX Series device. The session-timeout parameter can have different values for different types of traffic, such as TCP, UDP, or others. The others parameter applies to traffic that is not TCP or UDP, such as ICMP or GRE. The value of the others parameter is in seconds, not milliseconds. Therefore, the others 300 parameter means unidentified traffic flows will be dropped in 300 seconds, not milliseconds2. This statement is correct, so option B is a valid answer.

The log parameter enables the SRX Series device to generate a log message for each session that matches the pre-ID default policy. The log parameter can have two values: session-init and session-close. The session-init value logs the session when it is created, and the session-close value logs the session when it is closed. The session-init value is useful for identifying the source and destination of the unidentified traffic, while the session-close value is useful for measuring the duration and volume of the traffic3. The configuration shown in the exhibit has the session-init value, which means every session that enters the SRX Series device will generate an event. This statement is correct, so option C is a valid answer.

The session-class parameter is used to assign a priority to the sessions that match the pre-ID default policy. The session-class parameter can have four values: high, medium-high, medium-low, and low. The session-class parameter is useful for managing the resources allocated to the sessions and for applying quality of service (QoS) policies. The session-class parameter is not only used when troubleshooting, but also when optimizing the performance and security of the SRX Series device4. This statement is incorrect, so option A is not a valid answer.

Replacing the session-init parameter with session-lose will not log unidentified flows, but rather log the sessions that are closed due to session timeout or other reasons. This will not help in identifying the source and destination of the unidentified traffic, but rather provide information about the duration and volume of the traffic. This statement is incorrect, so option D is not a valid answer.

References:

• Pre-ID Default Policy Overview
• Configuring Session Timeout Values for Security Policies
• Configuring Logging for Security Policies
• Configuring Session Class for Security Policies

An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or FTP on Juniper Networks devices running Junos OS. The ALG module is responsible for Application-Layer aware packet processing on switches1. The ALG can perform various functions such as modifying the payload and header of packets, opening secondary connections, translating addresses and ports, and applying security policies1. The ALG does not use software processes for permitting or disallowing specific IP address ranges, as this is the function of firewall filters or security zones2. The ALG does not use software that is used by a single TCP session using the same port numbers as the application, as this is the definition of a stateful firewall3. The ALG does not contain protocols that use one application session for each TCP session, as this is the characteristic of some application protocols such as HTTP or SMTP4. References:

• 1: ALG Overview | Junos OS | Juniper Networks
• 2: Firewall Filters Overview | Junos OS | Juniper Networks
• 3: Stateful Firewall Overview | Junos OS | Juniper Networks
• 4: Application Layer Protocols | Junos OS | Juniper Networks

• AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. It can be enabled on any logical system on an SRX Series device1. AppTrack collects byte, packet, and duration statistics for application flows in the specified zone2. AppTrack sends log messages through syslog providing application activity update messages1.
• AppTrack does not identify or block traffic flows that might be malicious. That is the function of AppSecure, which is a suite of application security tools that includes AppID, AppFW, AppQoS, and AppDoS3. AppTrack is a complementary tool that provides visibility into the types of applications traversing through the SRX Series gateway4.
• AppTrack can be configured in any logical system on an SRX Series device, not just the main one1. This allows for more flexibility and granularity in monitoring application traffic across different logical systems.

References:

• 1: Application Tracking | Junos OS | Juniper Networks
• 2: application-tracking | Junos OS | Juniper Networks
• 3: Juniper Networks AppSecure | NetworkScreen.com
• 4: [SRX] AppTrack log messages continue to get generated even after disabling the feature - Juniper Networks

 Logging for a security policy can be configured to generate log entries at session initialization, at session close, or both. Logging at session initialization records the initial packet that matches the policy and triggers the session creation. Logging at session close records the summary statistics of the session, such as bytes and packets transmitted and received, and the reason for session termination. Logging at session initialization and close provides the most complete information about the traffic that matches the policy. Logging at fixed intervals, such as every 10 minutes or every 60 seconds, is not supported by Junos OS security policies. References:

• Security, Professional (JNCIP-SEC) Exam Objectives, Firewall Filters section
• Junos OS Security Configuration Guide, Understanding Security Policy Logging section
• Advanced Juniper Security (AJSEC) Course, Chapter 4: Advanced Logging and Reporting

Juniper ATP Cloud is a cloud-based service that provides advanced threat prevention for SRX Series devices. Juniper ATP Cloud can inspect files for malware by sending them to the cloud or performing a hash lookup. To reduce delays in the inspection of files, Juniper ATP Cloud performs the following two functions12:

• Juniper ATP Cloud allows the creation of allowlists. Allowlists are lists of trusted files or domains that are not sent to the cloud for inspection. This reduces the network traffic and the processing time for the files that are known to be safe. You can create allowlists from the Juniper ATP Cloud Web UI or the SRX Series device CLI.
• Juniper ATP Cloud performs a cache lookup on files. Cache lookup is a feature that checks if a file has been previously scanned by Juniper ATP Cloud and returns the cached verdict. This avoids sending the same file to the cloud again and saves bandwidth and time. Cache lookup is enabled by default and can be configured from the SRX Series device CLI. References:
• Juniper ATP Cloud User Guide
• Juniper ATP Cloud Deployment Guide for SRX Series Devices

JIMS (Juniper Identity Management Service) is a standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains1. You can use JIMS to obtain user identity information and populate the identity management authentication table on SRX Series devices1. You can then use the username or group name in security policies to identify a user and not rely directly on the IP address of the device used2. JIMS also supports integration with ClearPass, which is another solution for user authentication and enforcement2.

ATP Appliance is a solution for advanced threat prevention and detection, not for user and group information. Network Director is a solution for network management and orchestration, not for user and group information. NETCONF is a protocol for network configuration, not for user and group information. References:

• 2: Configure Juniper Identity Management Service to Obtain User Identity Information | Junos OS | Juniper Networks
• 6: Enforce Security Policies using ClearPass | Junos OS | Juniper Networks
• [7]: Juniper Advanced Threat Prevention Appliance | Juniper Networks
• [8]: Network Director | Juniper Networks
• [9]: NETCONF | Junos OS | Juniper Networks

Juniper Identity Management Service (JIMS) is a service that collects and maintains a large database of user, device, and group information from identity sources, enabling SRX Series Service Gateways to rapidly identify users in a large, distributed enterprise1. JIMS supports the following identity sources: Microsoft Active Directory on Windows Server 2008 R2 and later, and Microsoft Exchange Server 2010 with Service Pack 3 (SP3) and later2. JIMS collects username and device IP addresses from these sources by monitoring the event logs of the Active Directory domain controllers and the Exchange servers3. JIMS does not use DNS or OpenLDAP service ports as identity sources. References:

• Juniper Identity Management Service User Guide, Introduction section
• Supported Identity Sources, Juniper Identity Management Service 1.6.0 Release Notes
• Configure Juniper Identity Management Service to Obtain User Identity Information, Junos OS Security Configuration Guide

Juniper ATP Cloud is the threat intelligence hub for Juniper customers, identifying indicators of compromise for users and devices across the network. It provides security intelligence feeds, such as command and control (C&C) and infected hosts, that can be used to block or log malicious traffic. When you configure the C&C category with Juniper ATP Cloud, you need to specify the authentication token, the URL, and the update interval for the feeds. After you commit the configuration, the feeds are downloaded automatically from the Juniper ATP Cloud server. This may take a few minutes, depending on the network latency and the size of the feeds. Therefore, no action is required from the user, and the feeds will have non-zero objects once the download is complete. You can verify the status of the feeds by using the show services security intelligence category summary command, as shown in the exhibit. References:

• Introduction to Juniper ATP Cloud
• security-intelligence (services)
• Juniper ATP Cloud CLI Reference Guide

Juniper ATP Cloud is a cloud-based threat detection service that protects all hosts in your network against evolving security threats. Juniper ATP Cloud performs the following tasks:

• It extracts potentially malicious objects and files from the traffic and sends them to the cloud for analysis.
• It uses multiple antivirus software packages to analyze files and identify known malicious files quickly. It also uses other techniques, such as machine learning, sandboxing, and behavioral analysis, to identify new malware and add it to the known list of malware.
• It correlates between newly identified malware and known command and control (C&C) sites to aid analysis.
• It blocks known malicious file downloads and outbound C&C traffic.
• It provides features such as DNS, Encrypted Traffic Insights (ETI) and IoT security if you have ATP Cloud premium license.

Based on this information, we can infer the following:

• Option B is correct because Juniper ATP Cloud uses multiple antivirus software packages to analyze files, as well as other techniques, to provide robust coverage against sophisticated, evasive threats.
• Option D is correct because Juniper ATP Cloud does not use antivirus software packages to protect against zero-day threats, which are unknown and undetected by traditional antivirus solutions. Instead, it uses other techniques, such as machine learning, sandboxing, and behavioral analysis, to identify and mitigate zero-day threats.
• Option A is incorrect because Juniper ATP Cloud does not only use one antivirus software package to analyze files, but multiple ones, as well as other techniques.
• Option C is incorrect because Juniper ATP Cloud does not use antivirus software packages to protect against zero-day threats, but other techniques.

References: Juniper Security, Specialist (JNCIS-SEC) Reference Materials and Juniper Security, Professional (JNCIP-SEC) Reference Materials

https://blogs.juniper.net/en-us/security/juniper-strengthens-connected-security-portfolio-with-new-risk-based-access-control-capabilities-and-remote-access-vpn

https://blogs.juniper.net/en-us/security/juniper-strengthens-connected-security-portfolio-with-new-risk-based-access-control-capabilities-and-remote-access-vpn

References: SSL Proxy Overview Configuring Certificate Authority Profiles Configuring a Root CA Certificate

Juniper Secure Analytics (JSA) is a security information and event management (SIEM) system that consolidates, analyzes, and manages surveillance data from network devices, endpoints, and applications. JSA uses two types of data collectors: Event Collector and Flow Collector1

The Event Collector collects and parses logs from various log sources, such as firewalls, routers, servers, and intrusion detection or prevention systems. The Event Collector normalizes the log data into a common format and sends it to the JSA console for further analysis and correlation. The Event Collector supports different protocols for log collection, such as syslog, SNMP, JDBC, and SDEE12

The Flow Collector collects and processes network traffic data from various flow sources, such as Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer. The Flow Collector enriches the flow data with additional information, such as application identification, geolocation, and threat intelligence. The Flow Collector sends the flow data to the JSA console for further analysis and correlation. The Flow Collector can use statistical sampling to reduce the amount of flow data that is collected and processed, which can improve the performance and scalability of the system12

The Event Collector does not collect information using BGP FlowSpec, which is a protocol that allows the distribution of traffic flow specification rules among BGP peers. BGP FlowSpec is not a supported flow source for JSA3

The Flow Collector does not parse logs, which are textual records of network activity generated by log sources. The Flow Collector only handles flow data, which are binary records of network traffic generated by flow sources12

References: 1: Data Collection | JSA 7.5.0 | Juniper Networks 2: Data Collection - TechLibrary - Juniper Networks 3: Understanding BGP FlowSpec - TechLibrary - Juniper Networks

The fab interface is the data link between the nodes of a chassis cluster and is used to forward traffic between the chassis and to synchronize the data plane software’s dynamic runtime state. Real-time objects (RTOs) are exchanged on the fab interface to maintain session synchronization for operations such as authentication, NAT, ALGs, and IPsec. In an active/active configuration, inter-chassis transit traffic is sent over the fab interface, as traffic arriving on a node that needs to be processed on the other or traffic processed on a node that needs to exit through an interface on the other is forwarded over the fabric. The fab interface does not enable configuration synchronization, as this is done by the control link. Heartbeat signals sent on the fab interface monitor the health of the data plane link, not the control plane link. References: Chassis Cluster Fabric Interfaces, HA Chassis cluster, difference between Swfab and Fab

A vSRX is a virtualized security platform that runs on various hypervisors and cloud environments. It provides firewall and NAT services, as well as other security features, such as IPS, VPN, UTM, and AppSecure. A single vSRX can fulfill the minimum requirements for providing firewall and NAT services in a private cloud, as it can be deployed as a gateway or an edge device, and can scale up or down as needed. A vSRX can also interoperate with other Juniper and third-party products, such as Contrail Networking, Junos Space Security Director, and Sky ATP. A single vSRX is more cost-effective and simpler to manage than having separate vSRX instances for firewall and NAT services. A cSRX is a containerized version of vSRX that runs on Linux-based platforms. It provides similar security features as vSRX, but with a smaller footprint and faster deployment. However, a cSRX is not yet supported on all cloud environments, and it may have some limitations compared to vSRX, such as lower throughput and fewer interfaces. Therefore, a single cSRX may not be able to fulfill the minimum requirements for providing firewall and NAT services in a private cloud, depending on the specific cloud platform and the performance and scalability needs. A cSRX for firewall services and a separate cSRX for NAT services would also introduce more complexity and overhead than a single vSRX. References: vSRX Overview, cSRX Overview, JNCIP-SEC Certification

SRX chassis clustering is a high availability feature that allows two SRX Series devices to operate as a single logical device. The two devices are connected by a control link and a fabric link, which are used to synchronize the configuration, state, and traffic between the nodes. The control plane is responsible for managing the cluster configuration, monitoring the health and status of the nodes, and performing failover operations. The data plane is responsible for processing and forwarding the traffic through the cluster. SRX chassis clustering supports two modes for the data plane: active/passive and active/active. In active/passive mode, only one node is active for each redundancy group, which is a logical grouping of interfaces and services. The active node handles all the traffic for the redundancy group, while the passive node acts as a backup. In active/active mode, both nodes are active for different redundancy groups, and they can share the traffic load for the cluster. SRX chassis clustering supports only one mode for the control plane: active/passive. In this mode, only one node is the primary node, which is the master of the cluster configuration and the source of truth for the cluster state. The primary node also initiates the failover process in case of a node or interface failure. The other node is the secondary node, which is the slave of the cluster configuration and the backup of the cluster state. The secondary node takes over the primary role if the primary node fails or is manually disabled. References: Chassis Cluster Overview, SRX Series Chassis Cluster Configuration Overview, Chassis Cluster Overview

 To implement IPS on your SRX Series device, you need to download and install the IPS signature database. The IPS signature database contains the attack signatures and predefined attack groups that are used to detect and prevent intrusions. You can download the IPS signature database from the Juniper Networks website or from a local server. You can install the IPS signature database manually or automatically. You do not need to enroll the SRX Series device with Juniper ATP Cloud or reboot the SRX Series device to implement IPS34 References:

• Configuring the IPS Policy on SRX Series Devices Using NSM
• Installing SRX 1400 with IPS activation ??? | SRX - Juniper Networks
• Download an IPS Signature | J-Web for SRX Series 21.2 - Juniper Networks
• IPS Configuration (CLI) | Junos OS | Juniper Networks

• Referring to the exhibit, we can see that the output of the show chassis cluster status command on both nodes shows that they have the same cluster ID, node ID, priority, and status. The status for both nodes is primary, which means that they are both active and ready to process traffic for all redundancy groups1.
• This situation can occur when the control link between the two nodes is down or not configured properly, and the heartbeat messages cannot be exchanged. Without the heartbeat messages, each node assumes that the other node is down and takes over the primary role for all redundancy groups12.
• This is not a desirable state for the cluster, as it can cause traffic disruption, configuration inconsistency, and split-brain scenarios. To resolve this issue, the control link should be checked and fixed, and the cluster should be synchronized12.

References:

• 1: Troubleshooting an SRX Chassis Cluster with One Node in the Primary State and the Other Node in the Disabled State
• 2: SRX Series Chassis Cluster Configuration Overview

Encrypted Traffic Insights is a feature of Juniper ATP Cloud and SRX Series firewalls that can detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. It permits organizations greater visibility and policy control over encrypted traffic, without requiring resource-intensive SSL Decryption1.

Encrypted Traffic Insights assesses the threat of the traffic by using two methods:

• It validates the certificates used by the external servers that the internal hosts are trying to connect to. It compares the certificate signatures with a blocklist of known malicious certificates and also checks the certificate validity, issuer, and subject. If the certificate is invalid or matches a malicious signature, the connection is blocked or alerted2.
• It reviews the timing and frequency of the connections to the external servers. It uses behavior analysis and machine learning to identify patterns and anomalies that indicate malicious activity, such as command and control (C&C) communications, botnet traffic, or data exfiltration. It also uses threat intelligence feeds to enrich the analysis and provide additional context2.

Encrypted Traffic Insights does not decrypt the file or the data in a sandbox or to validate the hash, as these methods would require breaking the encryption of the traffic, which would violate data privacy laws and introduce latency and performance issues21. References:

• 3: SRX5400, SRX5600, SRX5800 Firewalls Datasheet - Juniper Networks
• 2: Encrypted Traffic Insights Overview and Benefits | ATP Cloud | Juniper …
• 1: Juniper Networks Expands Connected Security Portfolio with Encrypted …

To log denied traffic, you need to configure a security policy with the action of deny and the option of log session-init. The deny action blocks the traffic that matches the policy criteria, and the log session-init option generates a log entry when the session is denied. The session-close option is not required, as it only logs the end of a session. The count option is not required, as it only increments a counter for the policy. References:

• [SRX] How to log traffic that is denied by default system security policy1
• [SRX] How to log traffic for the default deny policy2
• How to log traffic dropped by Juniper SRX firewalls3

 The show security policies policy-name detail command shows policy counters for a configured policy. Policy counters display the number of packets and bytes that match the policy, as well as the number of sessions that are created, denied, or closed by the policy. Policy counters can help monitor and troubleshoot the traffic flow and security policy enforcement on the SRX firewall1.

The show security policies policy-name detail command does not display details about the default security policy, which is the implicit policy that is applied when no other policy matches the traffic. The default security policy can be viewed by using the show security policies default-policy command2.

The show security policies policy-name detail command does not identify the different custom policies enabled, which are the user-defined policies that specify the action and conditions for the traffic between zones. The custom policies can be viewed by using the show security policies command without any options1.

The show security policies policy-name detail command does not show the system log files for the local SRX Series device, which are the files that record the events and messages generated by the device. The system log files can be viewed by using the show log command with the name of the file3. References:

• 1: show security policies | Junos OS | Juniper Networks
• 2: Understanding Default Security Policies | Junos OS | Juniper Networks
• 3: show log | Junos OS | Juniper Networks

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster