JN0-336 Security - Specialist (JNCIS-SEC) Questions and Answers

The correct answer is C. device policy rules. In Junos Space Security Director, a firewall rule that must apply uniquely to one SRX Series device belongs in the device-specific policy layer, not in global or group-level policy. Juniper’s Security Director documentation states that a device can have a device-specific policy and can also be part of multiple group policies; the rule processing order places policies applied before device-specific policies first, then device-specific policies, then policies applied after device-specific policies. Juniper also explains that rules applied before device-specific policies take priority and cannot be overridden, while rules applied after device-specific policies can be overridden by adding a rule in the device-specific policy.

Option A is wrong because all-devices prerules are global mandatory rules applied before device-specific policy, not unique device exceptions. Option B is wrong because group policy prerules apply to a group of devices, not one specific SRX. Option D is wrong because all-devices postrules are still global policy rules, although they can be overridden. For a unique policy requirement on one SRX device, device policy rules are the precise Security Director construct. Reference topics: Security Director, firewall policies, device-specific policies, policy rule precedence, global/group/device rule hierarchy.

The correct answers are B, D, and E. Security Director device onboarding depends on management reachability and valid administrative access. Juniper’s device discovery documentation states that Junos Space discovers network devices using SSH, with optional ping and SNMP, and connects to the physical device to retrieve running configuration and status information. It also explains that device authentication uses administrator login credentials, SSH credentials, SNMP settings, or keys depending on the discovery method.

Option E is required because Security Director must target a reachable management IP address or hostname. Juniper’s discovery-profile workflow explicitly uses the target IP address, hostname, IP range, or subnet to locate devices. Option D is required because invalid username/password or insufficient privileges prevent discovery and management; Juniper’s device-management guidance identifies credentials as required input for discovering devices. Option B is required because onboarding uses SSH, so the correct SSH service and port must be reachable. Juniper’s device access procedure explicitly includes a Port field for the SSH connection.

Option A is wrong because chassis serial number is not the normal troubleshooting field for Security Director discovery. Option C is wrong because active security policies do not determine whether Security Director can initially discover and onboard the device. Reference topics: Security Director, device discovery, SSH access, management IP reachability, authentication credentials.

The correct answers are B and C. Juniper IDP uses attack objects as match conditions inside IDP policy rules. Juniper states that IDP attack objects represent known and unknown attacks and that the predefined attack object database is periodically updated by Juniper Networks. The main IDP attack object types include signature attack objects, protocol anomaly attack objects, and compound attack objects.

Option C is correct because signature attack objects detect known attacks using stateful attack signatures. Juniper defines a signature as a pattern that exists within a specific section of an attack and includes protocol, service, direction, flow, and context information to reduce false positives.

Option B is correct because protocol anomaly attack objects detect abnormal protocol behavior. Juniper explains that protocol anomaly objects identify unusual or ambiguous traffic that violates protocol specifications, RFCs, or common RFC extensions.

Option A is wrong because “statistic-based” is not one of the IDP attack object database types being tested here. Option D is wrong because “vector-based” is not a Juniper IDP attack object type. Reference topics: IDP, attack object database, signature-based attack objects, protocol anomaly attack objects, predefined attack objects.

The correct answers are A and D. Juniper provides predefined IDP policy templates to simplify IDP deployment. These templates are supplied by Juniper Networks and include common templates such as client protection, server protection, DMZ services, DNS server, file server, web server, IDP default, and recommended policies. Juniper’s IDP documentation states that predefined templates are available from a secured Juniper Networks website, and the listed templates are explicitly described as being provided by Juniper Networks.

Option D is correct because these templates are not automatically present as usable policies in a factory-default SRX configuration. Juniper’s procedure says that to use predefined IDP policy templates, you download the policy templates and then install them. The CLI process includes request security idp security-package download policy-templates followed by request security idp security-package install policy-templates; committing then makes them available under the IDP policy hierarchy.

Option B is wrong because Juniper specifically says you should customize these templates for your network and recommends using a copied template so you can safely make changes. Option C is wrong because they must be downloaded and installed, so they are not simply available in the factory-default configuration. Reference topics: IDP, predefined IDP policy templates, security-package download, security-package install, active IDP policy.

The correct answer is B. Add custom-attack Custom-FTP-Attack to the attacks section and change the action to drop-packet. In the exhibit, the IDP rule is built under rulebase-ips with a match block and a then block. Attack objects belong inside the match attacks hierarchy because they define what malicious pattern the IDP rule is trying to detect. Juniper’s IDP documentation states that attack objects are specified in rules to identify malicious activity and that the rule’s attack objects/groups are the attacks the device matches in monitored traffic.

The enforcement behavior belongs in the then action hierarchy. The current rule uses close-client; to meet the requirement, it must be changed to drop-packet. Juniper defines Drop Packet as an IDP action that drops a matching packet before it reaches its destination without closing the connection. Option A keeps the wrong action. Option C is structurally wrong because a custom attack object is not configured under the action section. Option D is also wrong because the notification section controls logging/alert behavior, not attack matching. Reference topics: IDP rulebase, custom attack objects, match attacks hierarchy, IDP actions, drop-packet behavior.

The correct answers are B and D. In Junos SSL proxy terminology, client protection maps to SSL forward proxy. In a forward-proxy deployment, the SRX sits between internal clients and external SSL/TLS servers. The firewall intercepts the server certificate, generates a substitute certificate, signs it with the configured root CA, decrypts the SSL session for inspection, and then re-encrypts traffic toward the destination server. Juniper’s SSL proxy configuration table shows that a forward-proxy profile uses root-ca configured = Yes and server-certificate configured = No. It also states that configuring neither certificate type fails commit validation, while configuring both root-ca and server-certificate in the same profile is unsupported.

Option A is wrong because a server certificate is required for reverse proxy/server protection, not for client-protection forward proxy. Option C is wrong because without a trusted root CA, client browsers would not trust the certificates generated by the SRX during interception. Juniper separately notes that the root CA certificate is required for client browsers to trust certificates signed by the firewall. Reference topics: SSL Proxy, client protection, SSL forward proxy, root CA, server protection, SSL reverse proxy.

The correct answers are B and C. Adaptive Threat Profiling allows SRX Series Firewalls to act either as inline enforcement devices or as tap-based sensors. In an inline deployment, the SRX is directly in the traffic path and can enforce policy actions such as blocking, denying, or adding threat indicators to Security Intelligence feeds for real-time mitigation. In a tap deployment, the SRX observes copied traffic from a TAP/SPAN-style feed and contributes intelligence without being the active forwarding device. Juniper’s ATP Cloud documentation states that Adaptive Threat Profiling enables SRX devices to be deployed as sensors on Tap ports, identifying and sharing intelligence to inline devices for real-time enforcement. It also describes a “Tap-based SRX Series Firewall sensor” and contrasts it with an inline device.

Option A, bridge, is not the deployment mode being tested here. Bridge/transparent forwarding is a firewall deployment style, not the named Adaptive Threat Profiling mode. Option D, promiscuous, is also wrong; promiscuous mode is an interface behavior, not the ATP Adaptive Threat Profiling deployment model. Reference topics: ATP Cloud, Adaptive Threat Profiling, tap sensors, inline enforcement, Security Intelligence feeds.

The correct answer is A. by granting access based on user roles or identities. Juniper identity-aware firewall moves enforcement beyond simple IP-address-based policy by associating traffic with authenticated users, groups, devices, and roles. Juniper states that identity parameters can be used to configure security policies so that policies provide the appropriate level of access to authenticated users. It further explains that identity helps secure access to resources based on username, roles, and groups, and that firewalls can create and enforce rules based on user identity rather than only an IP address.

This directly supports compliance because regulated environments usually require least-privilege access, auditable user-based control, and role-based authorization. Option B is wrong because identity-aware security might simplify policy operations in some cases, but network architecture simplification is not its compliance function. Option C is wrong because capacity expansion has no direct relationship to identity-based regulatory enforcement. Option D is too vague and not the mechanism being tested; confidentiality is a security goal, but identity-aware firewall enforces access decisions by mapping traffic to users and groups. Reference topics: Identity-Aware Security Policies, user identity, role-based access control, group-based policy enforcement, authentication table.

The correct answers are B and D. On SRX Series Firewalls, SSL proxy is configured by creating an SSL proxy profile and then applying that profile to the relevant security policy as an application service. Juniper’s SSL proxy configuration overview lists the required workflow: configure certificates and CA profile material, configure the SSL proxy profile, create a security policy matching the traffic to be inspected, and apply the SSL proxy profile to that security policy. Juniper further states that SSL proxy is enabled as an application service within a security policy, where the policy match criteria identify the traffic and the SSL proxy profile is applied to that traffic.

Option A is wrong because enabling the SSL ALG is not the required control point for SSL proxy. SSL proxy is a decryption/inspection service applied through policy, not simply an ALG toggle. Option C is wrong because creating a separate SSL application object is not the mandatory SSL proxy configuration action. The policy can match the desired traffic and then invoke SSL proxy through then permit application-services ssl-proxy profile-name. Juniper’s example explicitly shows applying the SSL proxy profile under the security policy action.

Reference topics: SSL Proxy, SSL forward proxy, SSL proxy profiles, security policy application-services, encrypted traffic inspection.

The correct answers are A and D. For identity-aware security policies, Junos can obtain user identity information from supported identity sources such as Active Directory and Juniper Identity Management Service (JIMS). Active Directory is the direct identity-source option where the SRX integrates with Microsoft Windows Active Directory and uses directory information for user and group mapping. Juniper’s identity-aware firewall documentation states that the firewall obtains user information from identity sources including Active Directory and JIMS, and then uses that identity data in policy decisions.

JIMS is also correct because it centralizes identity collection and provides SRX enforcement points with user, device, IP address, and group-mapping information. Juniper describes JIMS as providing SRX firewalls with high-scale identity data so they can make user-firewall policy decisions. Option B, TACACS+, is wrong because TACACS+ is primarily an administrative authentication, authorization, and accounting protocol, not the LDAP identity-source service used for identity-aware firewall mappings. Option C, RADIUS, is also wrong in this context because RADIUS can authenticate users, but it is not the LDAP directory integration service being tested here. Reference topics: Identity-Aware Firewall, Active Directory identity source, JIMS, LDAP user/group mapping, SRX authentication table.

The correct answer is D. You have too many domain controllers. The exhibit shows 15 Active Directory domain controllers. Juniper’s integrated Active Directory identity-source configuration for SRX identity-aware firewall supports a limited number of domain controllers; Juniper documentation states that an SRX Series device can configure a maximum of 10 domain controllers for Active Directory identity-source integration. Because this environment has 15 domain controllers, the direct Active Directory identity-source method exceeds the supported scale and JIMS must be used instead.

Option A is wrong because SRX devices can use Active Directory directly as an identity source; JIMS is not the only possible method. Option B is wrong because 1,500 users does not exceed the relevant identity-source scale shown here; Juniper documentation also notes probe functionality support well above this number. Option C is wrong because the issue being tested is not the Windows Server version. JIMS is designed for larger identity-aware deployments and can centralize identity collection from Active Directory, domain controllers, Exchange servers, and syslog sources, then provide identity mappings to SRX firewalls. Juniper’s JIMS datasheet shows much higher scale, including up to 100 active directories, 25 domains, and 500,000 user entries. Reference topics: Identity-Aware Security Policies, Active Directory identity source limits, JIMS scalability, domain controller scale limitations.

The correct answers are B and C. To form an SRX chassis cluster, both devices must be assigned the same cluster ID and different node IDs. Juniper states that the cluster ID identifies the cluster, while the node ID identifies the individual node within that cluster. A valid two-node SRX chassis cluster uses node 0 on one chassis and node 1 on the other chassis. Juniper’s example shows the operational-mode commands as set chassis cluster cluster-id 1 node 0 reboot on the first device and set chassis cluster cluster-id 1 node 1 reboot on the second device.

Option A is wrong because cluster-id 0 disables clustering rather than forming a cluster. It also shows configuration-mode prompt #, while this chassis cluster node assignment is performed from operational mode. Option D is doubly wrong: cluster-id 0 disables clustering, and node 2 is invalid because SRX chassis cluster node IDs are limited to 0 and 1. The exam options omit the reboot keyword, but the only logically valid pair is still SRX1 as node 0 and SRX2 as node 1 under the same nonzero cluster ID. Reference topics: HA Clustering, chassis cluster ID, node ID, operational-mode cluster enablement.

The correct answers are A and D. In IKEv1-based IPsec VPNs, there are two distinct negotiation phases. IKEv1 Phase 1 establishes the secure and authenticated IKE channel between peers. That means the IKE SA is built during Phase 1. Juniper describes Phase 1 as the negotiation of proposals for how to authenticate and secure the channel, including encryption algorithms, authentication algorithms, Diffie-Hellman group, and authentication method.

IKEv1 Phase 2 then uses that secure channel to negotiate the IPsec SAs that protect actual user traffic through the VPN. Juniper states that Phase 2 negotiates security associations to secure the data traversing the IPsec tunnel, and that the Phase 2 proposal includes the security protocol, such as ESP or AH, plus the selected encryption and authentication algorithms. Option B is wrong because IKEv1 SAs are not established in Phase 2; Phase 2 creates IPsec SAs. Option C is wrong because Phase 1 does not create the data-plane IPsec SA; it creates the secure IKE control channel used for Phase 2 negotiation. Reference topics: IPsec VPN, IKEv1 Phase 1, IKE SA, IKEv1 Phase 2, IPsec SA, ESP/AH proposals.

The correct answer is B. count. In Junos security policy configuration, count is the policy parameter used for accounting and tabular operational visibility. Juniper’s security policy configuration rules state that accounting and auditing elements can be specified with count and log, while logging itself is enabled at either session-init or session-close.

The operational result is visible through commands such as show security policies hit-count, which displays a table of policy hit counters, including fields such as index, from-zone, to-zone, policy name, policy count, and action. Juniper defines this command as displaying the number of times a security policy rule matches traffic, and the sample output is explicitly tabular. Option A, permit, is an action, not a counter or logging/accounting parameter. Option C, session-init, logs at the beginning of a session, and option D, session-close, logs at session teardown. Those two parameters generate logs, but they do not provide the tabular policy-count view being asked about. Reference topics: security policy accounting, count parameter, hit-count, operational-mode policy monitoring, session-init/session-close logging.

The correct answers are B and C. The exhibit shows the command request security idp security-package install failing with: “Security package installation disabled temporarily due to invalid license.” In the IDP update workflow, the SRX must have a valid IDP/AppSecure-related license to install updated security packages. Juniper’s support guidance for an expired IDP license states that if the IDP license expires, attacks continue to be inspected, but IDP update installation is not allowed. That maps directly to this exhibit: the existing IDP engine and currently installed attack database can continue to inspect traffic, but the device cannot install the newer downloaded package until licensing is corrected.

Option A is wrong because expiration does not immediately stop all IDP inspection; it prevents installing new updates. Option D is not the best answer because the specific operational behavior shown is consistent with an invalid/expired license condition after attempting a package install, not proof that no license was ever installed. The practical remediation is to validate the installed license, renew or reinstall the correct IDP license, then retry the security-package installation. Reference topics: IDP licensing, security-package download/install, attack database updates, installed signature inspection behavior.

The correct answers are A, C, and E. Junos Space Security Director supports policy hierarchy and policy management at device, group, and global/all-devices levels. A device policy is created for a specific device and is used when a unique firewall policy must be pushed to one SRX Series Firewall. A group policy is shared across multiple devices and is used when the same policy configuration must be applied consistently to a set of managed firewalls. Juniper’s Security Director documentation explicitly describes device policy and group policy behavior, including the fact that device-specific policies are evaluated within the broader policy-ordering model.

The third correct policy type is global, often represented in Security Director workflows as all-devices/global policy behavior. Juniper Security Director product material describes granular control over global, group, and device-level firewall policies, which maps directly to the options in this question. Option B, local, is not the Security Director policy type being tested; local configuration may exist on an SRX, but it is not one of the Security Director policy hierarchy types listed here. Option D, universal, is also not a Junos Space Security Director policy type. Reference topics: Security Director, global policy, group policy, device policy, firewall policy hierarchy, centralized SRX policy management.