JN0-335 Security - Specialist (JNCIS-SEC) Questions and Answers

The vSRX is a virtual firewall that offers the same features as the physical SRX Series firewalls, but in a virtualized form factor for delivering security services that scale to match network demand. It offers the same features as the SRX appliance, including core firewall, robust networking, full next-gen capabilities, and automated life-cycle management1

The vSRX supports Layer 2 and Layer 3 configurations, which means it can operate as a transparent or a routed firewall, depending on the network topology and requirements. The vSRX can also support multiple routing instances, such as virtual routers, virtual switches, and logical systems, to provide logical separation and isolation of traffic2

The vSRX provides clustering, which enables two or more vSRX instances to act as a single, logical device that provides high availability, load balancing, and scalability. The vSRX cluster can synchronize configuration and session information, and support stateful failover and redundancy groups3

The cSRX is a containerized firewall that offers a compact footprint with a high-density firewall for virtualized and cloud environments. It is designed to secure microservices and containerized applications, and provide network visibility and threat prevention4

The cSRX does not support Layer 2 and Layer 3 configurations, as it is intended to be a lightweight and agile firewall that does not perform dynamic routing or networking functions. The cSRX relies on the underlying container orchestration platform, such as Kubernetes or Docker, to provide the network connectivity and management4

The cSRX does not provide clustering, as it is designed to leverage the native resiliency and scalability features of the container orchestration platform. The cSRX can be deployed as a standalone firewall or as part of a service chain, and can be dynamically scaled up or down based on the demand4

The cSRX has faster boot times than the vSRX, as it can be instantiated in seconds, compared to minutes for the vSRX. The cSRX also has a smaller image size and memory requirement than the vSRX, as it is optimized for containerized environments4

The cSRX provides NAT, IPS, and UTM services, similar to the vSRX, but with some limitations. The cSRX does not support IPSec VPN, application identification, user firewall, or SSL proxy. The cSRX also has lower performance and throughput than the vSRX, as it is constrained by the container resources and the orchestration platform4

References: 1: vSRX Virtual Firewall | Juniper Networks US 2: vSRX Virtual Firewall for VMware - TechLibrary - Juniper Networks 3: vSRX Cluster Overview - TechLibrary - Juniper Networks 4: Juniper vSRX versus cSRX - TechLibrary - Juniper Networks

https://www.juniper.net/documentation/us/en/software/csrx/csrx-linux-deployment/topics/concept/security-csrx-docker-overview.html

SRX Series device chassis clusters are created by physically connecting two identical cluster-supported SRX Series devices using a pair of the same type of Ethernet connections. The connection is made for both a control link and a fabric (data) link between the two devices. The chassis cluster data plane is connected with revenue ports, which are the ports that carry user traffic. The chassis cluster can contain a maximum of two devices, as only two nodes can form a cluster. The chassis cluster data plane is not connected with SPC ports, which are the ports that provide services processing. The chassis cluster cannot contain more than two devices, as this would violate the cluster design. References: Chassis Cluster Overview, Connecting SRX Series Firewalls to Create a Chassis Cluster

The Juniper Networks solution that will accomplish the task of alerting if the wrong password is used more than three times on a single device within five minutes is Juniper Secure Analytics (JSA). JSA is a security intelligence platform that collects, analyzes, and correlates network data from various sources, such as firewalls, routers, switches, servers, and applications. JSA can detect and respond to threats, anomalies, and vulnerabilities in real time using rules, offenses, reports, and dashboards. JSA can also integrate with JIMS (Juniper Identity Management Service) to obtain user identity information from Active Directory domains or syslog sources. JSA can use this information to create custom rules that trigger offenses or alerts based on user behavior or activity, such as failed login attempts or password changes.

References := Juniper Secure Analytics Troubleshooting Guide, Juniper Identity Management Service User Guide

References:

• [SRX] Behavior of active sessions when modifying a security policy1

 A chassis cluster is a pair of SRX Series devices that are connected and configured to operate as a single node, providing high availability and load balancing for traffic flows1. A chassis cluster consists of two nodes: one primary and one secondary. Each node can host one or more redundancy groups, which are logical entities that group the interfaces and services that need to fail over together in case of a node failure2. Redundancy group 0 is a special group that monitors the control plane of the cluster, such as the routing engine and the control link. Redundancy group 0 is always active on the primary node and standby on the secondary node3. Therefore, option A is false. Each chassis cluster member requires a unique node ID value, which can be either 0 or 1, to identify itself within the cluster4. However, the cluster ID value is the same for both nodes, and it is used to identify the cluster as a whole. Therefore, option B is false. Each chassis cluster member device can host active redundancy groups, depending on the configuration and the status of the nodes. By default, the primary node hosts all the redundancy groups, but you can configure some groups to be preempted by the secondary node if it has a higher priority or load-sharing between the nodes if they have the same priority. Therefore, option C is true. Chassis cluster member devices must be the same model, because different models have different hardware and software specifications that may not be compatible with each other in a cluster. Therefore, option D is true. References:

• Chassis Cluster User Guide for SRX Series Devices
• Understanding Chassis Cluster Redundancy Groups
• Understanding Redundancy Group 0
• Understanding Chassis Cluster Node IDs
• [Understanding Chassis Cluster Cluster IDs]
• [Configuring Chassis Cluster Redundancy Group Settings]
• [Chassis Cluster Feature Guide for SRX Series Devices]

SSL proxy is a feature that allows SRX Series devices to act as an intermediary between the client and the server for SSL/TLS encrypted traffic. SRX Series devices support two types of SSL proxy: SSL forward proxy and SSL reverse proxy. SSL forward proxy is also known as web proxy or client-protection, and SSL reverse proxy is also known as server-protection1.

SSL forward proxy enables the SRX Series device to decrypt the client-side traffic and apply security policies before re-encrypting and forwarding it to the server. This allows the SRX Series device to inspect the application data and identify the applications and threats in the encrypted traffic2.

SSL reverse proxy enables the SRX Series device to decrypt the server-side traffic and apply security policies before re-encrypting and forwarding it to the client. This allows the SRX Series device to protect the server from malicious clients and provide load balancing and high availability for the server3.

References:

• Configuring SSL Proxy
• SSL Forward Proxy Overview
• SSL Reverse Proxy Overview

 To create a security policy that will automatically add infected hosts to the infected hosts feed and block further communication through the SRX Series device, you need to add a security intelligence policy to the permit portion of the security policy. A security intelligence policy is a set of rules that defines the actions to be taken for traffic thatmatches a specific category of threat feeds, such as infected hosts, command and control servers, or botnets. By adding a security intelligence policy to the permit portion of the security policy, you can enable the SRX Series device to dynamically update the infected hosts feed based on the advanced anti-malware policy results, and block the traffic from or to the infected hosts. Options B, C, and D are not correct because they do not enable the automatic addition of infected hosts to the feed or the blocking of their communication. References: The answer can be verified from Juniper’s official documentation on security intelligence and advanced anti-malware available on their website. Here are some relevant links:

• Security Intelligence Feature Guide for Security Devices
• Advanced Anti-Malware Feature Guide for Security Devices
• Configuring Security Intelligence Policy on the SRX Series Device
• [Configuring Advanced Anti-Malware Policy on the SRX Series Device]

Juniper ATP Cloud is the threat intelligence hub for Juniper customers, identifying indicators of compromise for users and devices across the network. It provides security intelligence feeds, such as command and control (C&C) and infected hosts, that can be used to block or log malicious traffic. When you configure the C&C category with Juniper ATP Cloud, you need to specify the authentication token, the URL, and the update interval for the feeds. After you commit the configuration, the feeds are downloaded automatically from the Juniper ATP Cloud server. This may take a few minutes, depending on the network latency and the size of the feeds. Therefore, no action is required from the user, and the feeds will have non-zero objects once the download is complete. You can verify the status of the feeds by using the show services security intelligence category summary command, as shown in the exhibit. References:

• Introduction to Juniper ATP Cloud
• security-intelligence (services)
• Juniper ATP Cloud CLI Reference Guide

Based on the exhibit, Nancy logged in to the juniper.net Active Directory domain, as shown by the domain name in the user identity information. The IP address of the authenticating domain controller is 172.25.11.140, as shown by the domain controller address in the user identity information. The IP address of Nancy’s client PC is not 172.25.11, but 172.25.11.11, as shown by the source IP address in the user identity information. Nancy is not a member of the Active Directory sales group, but of the marketing group, as shown by the group name in the user identity information34 References:

• active-directory-access | Junos OS | Juniper Networks
• 13. Juniper SRX Active Directory Integration - RAYKA
• Configure Juniper Identity Management Service to Obtain User Identity …
• Create an Active Directory Profile | SD Cloud | Juniper Networks

References: Unified Security Policies, Understanding Security Policy Elements, Anyone with good understanding of Unified Security Policies (SRX)

• Referring to the exhibit, we can see that the output of the show chassis cluster status command on both nodes shows that they have the same cluster ID, node ID, priority, and status. The status for both nodes is primary, which means that they are both active and ready to process traffic for all redundancy groups1.
• This situation can occur when the control link between the two nodes is down or not configured properly, and the heartbeat messages cannot be exchanged. Without the heartbeat messages, each node assumes that the other node is down and takes over the primary role for all redundancy groups12.
• This is not a desirable state for the cluster, as it can cause traffic disruption, configuration inconsistency, and split-brain scenarios. To resolve this issue, the control link should be checked and fixed, and the cluster should be synchronized12.

References:

• 1: Troubleshooting an SRX Chassis Cluster with One Node in the Primary State and the Other Node in the Disabled State
• 2: SRX Series Chassis Cluster Configuration Overview

The DNS ALG is an application layer gateway that handles data associated with locating and translating domain names into IP addresses. The DNS ALG supports the following features:

• DDNS: The DNS ALG supports dynamic DNS (DDNS), which allows hosts to update their DNS records dynamically when their IP addresses change. The DNS ALG monitors the DDNS update messages and performs the necessary address transformations2
• DNS doctoring: The DNS ALG performs DNS doctoring, which is a process of modifying the DNS responses to match the NAT address translation. This is done to resolve the problems introduced by NAT, such as the mismatch between the internal and external IP addresses of a host. The DNS ALG performs the IPv4 and IPv6 address transformations for both DNS and DDNS responses2

The DNS ALG does not support VPN tunnels or NAT itself. The DNS ALG works with NAT, but does not perform NAT. The DNS ALG only supports UDP traffic, not TCP traffic2 References:

• 1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3
• 2: Junos OS Security Configuration Guide | DNS ALG 1

In a Juniper Networks chassis clustering setup, when you enable chassis clustering on two devices and assign a cluster ID and a node ID to each device, the correct order for rebooting the devices is: C. Reboot the primary device, then the secondary device. Explanation: After assigning the cluster ID and node ID to each device, it is a good practice to reboot the primary device first. This ensures that the primary device comes online with the specified cluster and node IDs. Once the primary device is up and running, you can then reboot the secondary device. The secondary device will recognize the existing cluster and node IDs assigned to the primary device and join the cluster accordingly.

A reth LAG is a redundant Ethernet interface that includes one or more physical interfaces from each node of a chassis cluster. A reth LAG provides increased bandwidth and link availability for the cluster. To configure a reth LAG, you need to follow these steps:

• Configure the physical interfaces on each node as aggregated Ethernet interfaces with the same speed and duplex settings. This is required to ensure that the links can form a LAG andpass traffic correctly. You can use different cable types (such as copper or fiber-optic) for the links, but the speed must be the same.
• Configure the reth interface with the redundant-ether-options statement and specify the aggregated Ethernet interfaces as child links. You should have at least two interfaces (one from each node) in the reth LAG, but you can add more for redundancy and load balancing. You can also specify the minimum-links statement to set the minimum number of child links that must be up for the reth interface to be up. The default value is one, but you can change it to a higher value if needed.
• Configure the reth interface with the appropriate IP address, security zone, and other settings as needed. You can also enable LACP on the reth interface to dynamically negotiate the LAG parameters with the peer devices.

References:

• [Aggregated Ethernet Interfaces in a Chassis Cluster] 1
• [Chassis Cluster Redundant Ethernet Interfaces] 2
• [LACP / LAG on Chassis Cluster - Interface Monitoring?] 3
• [URGENT (LAG - RETH Interconnect)] 4

JIMS (Juniper Identity Management Service) is a standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains1. You can use JIMS to obtain user identity information and populate the identity management authentication table on SRX Series devices1. You can then use the username or group name in security policies to identify a user and not rely directly on the IP address of the device used2. JIMS also supports integration with ClearPass, which is another solution for user authentication and enforcement2.

ATP Appliance is a solution for advanced threat prevention and detection, not for user and group information. Network Director is a solution for network management and orchestration, not for user and group information. NETCONF is a protocol for network configuration, not for user and group information. References:

• 2: Configure Juniper Identity Management Service to Obtain User Identity Information | Junos OS | Juniper Networks
• 6: Enforce Security Policies using ClearPass | Junos OS | Juniper Networks
• [7]: Juniper Advanced Threat Prevention Appliance | Juniper Networks
• [8]: Network Director | Juniper Networks
• [9]: NETCONF | Junos OS | Juniper Networks

 The policy rematch feature enables the device to reevaluate an active session when its associated security policy is modified. The session remains open if it still matches the policy that allowed the session initially. The session is closed if its associated policy is renamed, deactivated, or deleted1

When a policy change includes changing the policy’s action from permit to deny, all existing sessions are dropped. This is because the policy rematch feature does not allow a session to continue if it violates the new policy action1

When a policy change includes changing the policy’s source or destination address match condition, all existing sessions are reevaluated. This is because the policy rematch feature tries to find a suitable policy that can still permit the session based on the new address criteria. If no such policy exists, the session is dropped12

References: 1: policy-rematch | Junos OS | Juniper Networks 2: What is session rematch and how to use it to avoid traffic disruption during a policy update via NSM - Juniper Networks

AppTrack is a logging and reporting tool that provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. AppTrack sends log messages through syslog, providing application activity update messages. AppTrack can be used to share information for application visibility with devices such as Security Threat Response Manager (STRM)12 References:

• 1: Application Tracking | Junos OS | Juniper Networks
• 2: application-tracking | Junos OS | Juniper Networks

AppTrack: Tracks and reports applications passing through

the device.

• Intrusion Detection and Prevention (IDP): Applies

appropriate attack objects to applications running on

nonstandard ports. Application identification improves IDP

performance by narrowing the scope of attack signatures

for applications without decoders.

• AppFW: Implements an application firewall using

application-based rules.

• AppQoS: Provides quality-of-service (QoS) prioritization

based on application awareness

The AppSecure AppTrack service module is a logging and reporting tool used to share information about application visibility. Once AppID identifies an application, AppTrack notonly monitors and records its usage, it also sends regular application activity update messages. Since these messages are sent by syslog, they can be read by any compatible third-party device, including Juniper Networks JSA Series Secure Analytics Appliances and Contrail Service Orchestration.https://www.juniper.net/content/dam/www/assets/solution-briefs/us/en/appsecure-application-visibility-and-control.pdf

 https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-application-identification-predefined-signatures.html

The cSRX is a containerized version of the SRX Series device that runs on Linux platforms. The cSRX has the following benefits for deploying in a virtual environment:

• The cSRX supports Layer 2 and Layer 3 deployments, which means it can operate as a transparent or a routed firewall. The cSRX can also support multiple routing instances and virtual routers2
• The cSRX supports firewall, NAT, IPS, and UTM services, which means it can provide comprehensive security features for protecting the virtual network. The cSRX can also support application identification, user firewall, and VPN services2

The cSRX default configuration does not contain three default zones: trust, untrust, and management. The cSRX default configuration contains only one zone: junos-host. The cSRX does not have low memory requirements. The cSRX requires at least 2 GB of memory and 2 CPU cores to run2 References:

• 1: Juniper Security Specialist (JNCIS-SEC) (JN0-334) | Study Guide 3
• 2: Junos OS Security Configuration Guide | cSRX Overview 4

Adaptive Threat Profiling is a feature that allows SRX Series Firewalls to generate, propagate, and consume threat feeds based on their own advanced detection and policy-match events. This feature enables you to configure security or IDP policies that, when matched, inject the source IP address, destination IP address, source identity, or destination identity into a threat feed, which can be leveraged by other devices as a dynamic-address-group (DAG). With adaptive threat profiling, the Juniper ATP Cloud service acts as a feed-aggregator and consolidates feeds from SRX across your enterprise and shares the deduplicated results back to all SRX Series Firewalls in the realm at regular intervals. SRX Series Firewalls can then use these feeds to perform further actions against the traffic. This feature allows you to find systems running applications that increase the risks on your network and ensure these systems are processed through IPS and Juniper ATP Cloud for malware and virus protection1. References:

• Adaptive Threat Profiling Overview and Configuration
• Adaptive Threat Profiling Overview
• Juniper Launches Adaptive Threat Profiling, New VPN Features
• Juniper Networks Answers Who and What is On the Network with Risk-Based Access Control Capabilities and New VPN Application
• Adaptive Threat Profiling Overview | SD Cloud

References: SSL Proxy Overview Configuring Certificate Authority Profiles Configuring a Root CA Certificate

• JSA Rules
• Custom Rules
• Creating a Custom Rule
• JSA Rules - TechLibrary

Encrypted Traffic Insights is a feature of Juniper ATP Cloud and SRX Series firewalls that can detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic. It permits organizations greater visibility and policy control over encrypted traffic, without requiring resource-intensive SSL Decryption1.

Encrypted Traffic Insights assesses the threat of the traffic by using two methods:

• It validates the certificates used by the external servers that the internal hosts are trying to connect to. It compares the certificate signatures with a blocklist of known malicious certificates and also checks the certificate validity, issuer, and subject. If the certificate is invalid or matches a malicious signature, the connection is blocked or alerted2.
• It reviews the timing and frequency of the connections to the external servers. It uses behavior analysis and machine learning to identify patterns and anomalies that indicate malicious activity, such as command and control (C&C) communications, botnet traffic, or data exfiltration. It also uses threat intelligence feeds to enrich the analysis and provide additional context2.

Encrypted Traffic Insights does not decrypt the file or the data in a sandbox or to validate the hash, as these methods would require breaking the encryption of the traffic, which would violate data privacy laws and introduce latency and performance issues21. References:

• 3: SRX5400, SRX5600, SRX5800 Firewalls Datasheet - Juniper Networks
• 2: Encrypted Traffic Insights Overview and Benefits | ATP Cloud | Juniper …
• 1: Juniper Networks Expands Connected Security Portfolio with Encrypted …

SRX chassis clustering is a high availability feature that allows two SRX Series devices to operate as a single logical device. The two devices are connected by a control link and a fabric link, which are used to synchronize the configuration, state, and traffic between the nodes. The control plane is responsible for managing the cluster configuration, monitoring the health and status of the nodes, and performing failover operations. The data plane is responsible for processing and forwarding the traffic through the cluster. SRX chassis clustering supports two modes for the data plane: active/passive and active/active. In active/passive mode, only one node is active for each redundancy group, which is a logical grouping of interfaces and services. The active node handles all the traffic for the redundancy group, while the passive node acts as a backup. In active/active mode, both nodes are active for different redundancy groups, and they can share the traffic load for the cluster. SRX chassis clustering supports only one mode for the control plane: active/passive. In this mode, only one node is the primary node, which is the master of the cluster configuration and the source of truth for the cluster state. The primary node also initiates the failover process in case of a node or interface failure. The other node is the secondary node, which is the slave of the cluster configuration and the backup of the cluster state. The secondary node takes over the primary role if the primary node fails or is manually disabled. References: Chassis Cluster Overview, SRX Series Chassis Cluster Configuration Overview, Chassis Cluster Overview

SRX300 Series devices support an on-device antivirus scanning engine, Avira, that scans the data by accessing the virus pattern database. It provides a full file-based antivirus scanning function that is available through a separately licensed subscription service. However, there is a limit on the number of files that can be submitted for scanning per day, depending on the SRX platform size. If you exceed this limit, the files will not be scanned until the next day. The limit for SRX300 Series devices is 1000 files per day1. References: SRX Series On-Device Antivirus Scan Engine Overview