JN0-336 Security, Specialist (JNCIS-SEC) Questions and Answers

The correct answers are C and D. Juniper Secure Connect is Juniper’s remote-access VPN client for SRX Series Firewalls. Juniper describes it as a flexible SSL VPN and IPsec application that gives remote workers secure access to corporate and cloud-protected resources. That directly supports option D, because SSL VPN provides a connection method that is useful when traditional IPsec ports are restricted or blocked. Juniper’s Secure Connect guide also states that enabling SSL VPN gives the client flexibility in connecting to SRX Series Firewalls and that SSL VPN is enabled by default.

Option C is also correct because Juniper Secure Connect supports external authentication, allowing users to authenticate with enterprise identity systems rather than relying only on local firewall credentials. Juniper’s external authentication procedure notes that this method lets users use the same username and password as their domain login and is recommended for authenticating users.

Option A is not the best answer because having a client application is not the specific connection/authentication flexibility being tested. Option B is wrong because Kerberos is not the stated Secure Connect authentication method in this context. Reference topics: Juniper Secure Connect, remote-access VPN, SSL VPN, IPsec, external authentication.

The correct answer is A. by granting access based on user roles or identities. Juniper identity-aware firewall moves enforcement beyond simple IP-address-based policy by associating traffic with authenticated users, groups, devices, and roles. Juniper states that identity parameters can be used to configure security policies so that policies provide the appropriate level of access to authenticated users. It further explains that identity helps secure access to resources based on username, roles, and groups, and that firewalls can create and enforce rules based on user identity rather than only an IP address.

This directly supports compliance because regulated environments usually require least-privilege access, auditable user-based control, and role-based authorization. Option B is wrong because identity-aware security might simplify policy operations in some cases, but network architecture simplification is not its compliance function. Option C is wrong because capacity expansion has no direct relationship to identity-based regulatory enforcement. Option D is too vague and not the mechanism being tested; confidentiality is a security goal, but identity-aware firewall enforces access decisions by mapping traffic to users and groups. Reference topics: Identity-Aware Security Policies, user identity, role-based access control, group-based policy enforcement, authentication table.

The correct answer is B. The node with the highest priority will become a primary node. In an SRX chassis cluster, redundancy groups determine which node is primary and which node is secondary. Juniper states that when priorities are assigned to nodes in a redundancy group, the node with the higher configured priority is initially designated as the primary, while the other node becomes secondary. This is the direct mechanism an administrator uses to influence primary-node selection for a redundancy group.

Option A is wrong because the burnt-in address is not the administrative method used to designate the primary node. BIA can be part of deterministic hardware identity behavior, but primary election is controlled through redundancy-group priority, preemption behavior, and failover state. Option C is the opposite of Juniper behavior; the lower-priority node does not win the election. Option D is also wrong because a priority of one is still a valid low priority. The ineligible value is 0, and Juniper specifically warns about failover behavior involving nodes with priority 0 because such nodes are not ready to accept traffic.

Reference topics: HA Clustering, redundancy groups, node priority, primary/secondary election, preemption, chassis cluster failover.

The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.

Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.

Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.

The correct answers are B and D. IKE Phase 2 negotiates the IPsec security associations used to protect actual user data through the VPN tunnel. Juniper explains that after Phase 1 establishes a secure authenticated channel, Phase 2 negotiates SAs for the data transmitted through the IPsec tunnel. A Phase 2 proposal includes the IPsec security protocol, which is either ESP or AH, along with selected encryption and authentication algorithms. In the wording of this question, that maps to the tunnel/security protocol property.

Option D, Perfect Forward Secrecy, is also correct because Phase 2 proposals can specify a Diffie-Hellman group when PFS is desired. PFS forces a new DH key exchange for Phase 2 keys so that compromise of earlier keying material does not expose later IPsec encryption keys. Option A is wrong because routing protocols are not negotiated by IKE Phase 2; routing is handled separately over or toward the tunnel interface. Option C is wrong because aggressive mode is an IKEv1 Phase 1 exchange mode, not a Phase 2 property. Juniper specifically states that Phase 2 always uses quick mode in IKEv1. Reference topics: IKE Phase 2, IPsec SA negotiation, ESP/AH, Perfect Forward Secrecy, quick mode.

The correct answers are A and C. In SSL forward proxy, the SRX sits between internal clients and external SSL/TLS servers. Juniper’s SSL proxy configuration documentation shows that a forward proxy profile is created when root-ca is configured and server-certificate is not configured. This root CA is used by the SRX to generate substitute certificates for intercepted SSL sessions, so internal clients must trust the CA used by the firewall. Juniper’s procedure specifically includes generating or loading a local certificate and applying it as the root-ca in the SSL proxy profile.

Option C is also correct because forward proxy terminates the client-side SSL session and establishes a separate SSL session toward the destination server. Juniper states that the SSL proxy acts as an SSL server to the client and establishes a new SSL session to the server; from the server’s perspective, the SRX is the SSL client. Option B is wrong because forward proxy intercepts the server certificate and creates a substitute certificate; forwarding the actual server certificate unchanged is associated with reverse proxy behavior. Option D is wrong because Encrypted Traffic Insights is not the required forward-proxy mechanism here. Reference topics: SSL Proxy, SSL forward proxy, root CA, client protection, certificate interception.

The correct answers are A, D, and E. In IPsec VPN terminology, DES, 3DES, and AES are encryption algorithms used to provide confidentiality for protected IP traffic. Juniper’s IPsec material identifies AES, DES, and Triple DES/3DES as IPsec encryption standards, while separating them from authentication hash algorithms such as MD5, SHA-1, and SHA-2. This distinction matters heavily in JNCIS-SEC because IPsec proposals contain different cryptographic functions: encryption protects packet confidentiality, while authentication/hash algorithms validate integrity and origin.

Option B, SHA-1, is incorrect because SHA-1 is a hashing/authentication algorithm, not an encryption algorithm. It produces a message digest used for integrity checking and authentication, commonly as an HMAC variant. Option C, MD5, is also incorrect for the same reason: MD5 is a message-digest algorithm used for authentication/integrity, not for encrypting payload data. AES is the modern preferred encryption family because it is cryptographically stronger than DES and 3DES at comparable key strengths, while DES and 3DES remain historically recognized IPsec encryption algorithms. Reference topics: IPsec VPN, IPsec proposals, encryption algorithms, authentication algorithms, DES, 3DES, AES, SHA, and MD5.

The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.

Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.

Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.

The correct answer is C. device policy rules. In Junos Space Security Director, a firewall rule that must apply uniquely to one SRX Series device belongs in the device-specific policy layer, not in global or group-level policy. Juniper’s Security Director documentation states that a device can have a device-specific policy and can also be part of multiple group policies; the rule processing order places policies applied before device-specific policies first, then device-specific policies, then policies applied after device-specific policies. Juniper also explains that rules applied before device-specific policies take priority and cannot be overridden, while rules applied after device-specific policies can be overridden by adding a rule in the device-specific policy.

Option A is wrong because all-devices prerules are global mandatory rules applied before device-specific policy, not unique device exceptions. Option B is wrong because group policy prerules apply to a group of devices, not one specific SRX. Option D is wrong because all-devices postrules are still global policy rules, although they can be overridden. For a unique policy requirement on one SRX device, device policy rules are the precise Security Director construct. Reference topics: Security Director, firewall policies, device-specific policies, policy rule precedence, global/group/device rule hierarchy.

The correct answers are A and B. The exhibit shows show chassis cluster statistics. Under Control link statistics, Control link 0 has heartbeat packets sent and received, with heartbeat packet errors: 0. That is the clearest indication that the control link is operating normally. Juniper describes chassis-cluster control-plane verification as checking control-link heartbeat packets sent and received, along with heartbeat errors. If both send and receive counters are incrementing and errors are zero, the control link is functioning.

Option A is also correct because under Fabric link statistics, Child link 0 shows probes sent and probes received. Juniper uses fabric-link probe counters to verify fabric-link operation; nonzero sent and received probe counters indicate that the link is participating in fabric monitoring. Option C is not the safest conclusion from this exhibit alone. Child link 1 shows zero probes sent and received, but the output does not prove that a second fabric child link is configured and failing; it could simply be unused or not configured in this deployment. Option D is directly contradicted by the healthy heartbeat counters. Reference topics: HA Clustering, chassis cluster statistics, control-link heartbeat, fabric-link probes, cluster health verification.

The correct answer is B. ESP. In IPsec, the security protocol responsible for encrypting protected traffic is Encapsulating Security Payload (ESP). Juniper defines ESP as the IPsec protocol used for encrypting the IP packet and authenticating its contents. In practical SRX VPN design, ESP is the normal protocol selected when confidentiality is required because it can provide encryption, packet integrity, authentication, and anti-replay protection depending on the configured IPsec proposal.

Option A, SHA-1, is incorrect because SHA-1 is an authentication/hash algorithm, not an IPsec security protocol and not a payload encryption mechanism. Option C, AH, is incorrect because Authentication Header validates packet source and integrity but does not encrypt payload data. AH is therefore unsuitable when the requirement explicitly says payload data must be encrypted. Option D, PFS, is incorrect because Perfect Forward Secrecy is a key-exchange property used during Phase 2 rekeying; it strengthens key independence but does not itself encrypt packets. In Junos IPsec configuration logic, the security protocol decision is between ESP and AH, and encryption requires ESP. Reference topics: IPsec VPN, ESP, AH, IPsec security protocols, payload confidentiality, IPsec proposal design.

The correct answers are A and D. Juniper provides predefined IDP policy templates to simplify IDP deployment. These templates are supplied by Juniper Networks and include common templates such as client protection, server protection, DMZ services, DNS server, file server, web server, IDP default, and recommended policies. Juniper’s IDP documentation states that predefined templates are available from a secured Juniper Networks website, and the listed templates are explicitly described as being provided by Juniper Networks.

Option D is correct because these templates are not automatically present as usable policies in a factory-default SRX configuration. Juniper’s procedure says that to use predefined IDP policy templates, you download the policy templates and then install them. The CLI process includes request security idp security-package download policy-templates followed by request security idp security-package install policy-templates; committing then makes them available under the IDP policy hierarchy.

Option B is wrong because Juniper specifically says you should customize these templates for your network and recommends using a copied template so you can safely make changes. Option C is wrong because they must be downloaded and installed, so they are not simply available in the factory-default configuration. Reference topics: IDP, predefined IDP policy templates, security-package download, security-package install, active IDP policy.

The correct answer is D. exempt. In Junos IDP, the exempt rulebase is specifically used to prevent selected traffic from triggering known false-positive detections. Juniper’s IDP documentation explains that exempt rules can be configured when an IDP policy generates false positives for a particular attack object, source, destination, or traffic pattern. The exempt rulebase lets the administrator exclude matching traffic from attack detection while still allowing the rest of the IDP policy to inspect other traffic normally.

Option A, IPS, is wrong because the IPS rulebase is the main inspection rulebase used to detect and act on attacks. It is where attack objects and actions are commonly applied, but it is not the rulebase designed to eliminate false positives. Option B, monitor, is not the correct false-positive elimination mechanism. Monitoring can help observe behavior, but it does not exempt traffic from matching an attack object. Option C, signature, is wrong because signatures are attack-detection patterns, not a rulebase type used to suppress false positives. The operational correction for noisy or irrelevant matches is to create an exempt rule for the specific trusted source, destination, or attack object. Reference topics: IDP rulebases, exempt rulebase, false-positive tuning, attack objects, IPS inspection.

The correct answers are A, B, and D. In Security Director, the Shared Objects workspace is used for reusable objects that can be referenced by policies across managed devices. Juniper documentation shows that address objects are created from Configure > Shared Objects > Addresses, and those address objects can be used across devices in firewall, NAT, IPS, and VPN services. This supports option B, because IP address/address objects are classic shared objects.

Option A is correct because Geo IP policies are created from Configure > Shared Objects > Geo IP. Juniper’s procedure explicitly places Geo IP under the Shared Objects path. Option D is also correct because policy enforcement groups are created from Configure > Shared Objects > Policy Enforcement Groups and are used to group endpoints such as IP addresses, subnets, or locations for policy-enforcement workflows.

Option C is wrong because audit logs are monitoring records, not reusable shared objects; Juniper places them under Monitor > Audit Logs, where they track login history and user-initiated tasks. Option E is wrong because policy rules are created and managed inside firewall, NAT, IPS, or threat policies, not as independent Shared Objects. Reference topics: Security Director, Shared Objects, address objects, Geo IP, policy enforcement groups.

The correct answer is B. by using AppID results. Junos SSL proxy does not identify SSL/TLS sessions by assuming that encrypted traffic always uses TCP/443. That would be technically weak because SSL/TLS can run on nonstandard ports, and non-SSL applications can also use common HTTPS ports. Juniper’s SSL proxy documentation explains that SSL proxy works with application security services and that AppID is used in the encrypted-traffic inspection workflow. In earlier wording from Juniper AppSecure material, SSL proxy uses application identification services to determine whether a session is SSL encrypted; in current Junos documentation, SSL proxy and AppID are tightly linked so encrypted sessions can be identified, decrypted, inspected, and then re-encrypted for enforcement.

Option A is wrong because the URL is inside the HTTP payload, and in HTTPS much of the meaningful HTTP content is encrypted before SSL proxy inspection occurs. Option C is wrong because destination port is only a rough hint, not a reliable detection method. Option D is wrong because certificates are used in the SSL/TLS handshake and proxy trust model, but the service’s traffic classification relies on AppID results, not merely reading the server certificate. Reference topics: SSL Proxy, AppID, encrypted session detection, SSL/TLS inspection, application security services.

The correct answers are A, C, and E. Junos Space Security Director supports policy hierarchy and policy management at device, group, and global/all-devices levels. A device policy is created for a specific device and is used when a unique firewall policy must be pushed to one SRX Series Firewall. A group policy is shared across multiple devices and is used when the same policy configuration must be applied consistently to a set of managed firewalls. Juniper’s Security Director documentation explicitly describes device policy and group policy behavior, including the fact that device-specific policies are evaluated within the broader policy-ordering model.

The third correct policy type is global, often represented in Security Director workflows as all-devices/global policy behavior. Juniper Security Director product material describes granular control over global, group, and device-level firewall policies, which maps directly to the options in this question. Option B, local, is not the Security Director policy type being tested; local configuration may exist on an SRX, but it is not one of the Security Director policy hierarchy types listed here. Option D, universal, is also not a Junos Space Security Director policy type. Reference topics: Security Director, global policy, group policy, device policy, firewall policy hierarchy, centralized SRX policy management.